paulohf
just joined
Topic Author
Posts: 7
Joined: Tue Dec 09, 2008 5:28 pm

Suggestion: Simple security hardening method

Wed Sep 12, 2018 2:26 pm

Hi, I have been thinking about hardening options and would like to share my idea with you:

The default IP address of all RouterOS devices is 192.168.88.1, so if the options in /ip service were set to address 192.168.88.0/24, all users would change this to their own network, but not leave it at 0.0.0.0/0.
In my point of view, 0.0.0.0/0 is a big problem.

Of course, nothing prevents the user from changing this to 0.0.0.0/0, but that would be at the user's risk.

With this, new vulnerabilities could be contained or minimized.

This is a simple action that any user or administrator can do, but MikroTik can add this as the default setting.

Are there problems? Yes!
If the user changes the network address to 192.168.0.1 or any other that is not 192.168.88.X, access at Layer 3 will be closed and only accessible at Layer 2 with mac-telnet, winbox with mac...

Another option would be to set the address to the RFC1918 networks, so any access on private networks would be granted.


What do you think about this?
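
An added example, not part of the original post and not MikroTik code: a small audit of the `address` lists under `/ip service`, flagging services left open to any source and restricted services that no longer cover the router's LAN (the lockout case described above). The export text is constructed, only IPv4 prefixes are handled, and an empty `address` is assumed to mean "any source".

```python
import ipaddress

# RFC 1918 private ranges, the alternative default proposed in the post.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the style of an "/ip service" export (not from a real router).
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ssh address=192.168.88.0/24
set www address=0.0.0.0/0
set winbox address=10.0.0.0/8,203.0.113.0/24
set api
"""

def parse_services(export):
    """Return {service: {"disabled": bool, "nets": [IPv4Network, ...]}}."""
    services = {}
    for line in export.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "set":
            continue
        props = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        nets = [ipaddress.ip_network(a, strict=False)
                for a in props.get("address", "").split(",") if a]
        services[parts[1]] = {"disabled": props.get("disabled") == "yes", "nets": nets}
    return services

def classify(svc):
    """Rate the exposure of one service from its allowed-address list."""
    if svc["disabled"]:
        return "disabled"
    if not svc["nets"] or any(n.prefixlen == 0 for n in svc["nets"]):
        return "open-to-any"  # assumption: an empty list behaves like 0.0.0.0/0
    if all(any(n.subnet_of(r) for r in RFC1918) for n in svc["nets"]):
        return "private-only"
    return "includes-public"

def lockout_risk(svc, lan):
    """True if a restricted service no longer covers the router's LAN subnet."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    if svc["disabled"] or not svc["nets"]:
        return False
    return not any(lan_net.subnet_of(n) for n in svc["nets"])

def audit(export, lan):
    """Map each service to (exposure class, lockout risk) for the given LAN address."""
    return {name: (classify(s), lockout_risk(s, lan))
            for name, s in parse_services(export).items()}
```

Calling `audit(SAMPLE_EXPORT, "192.168.0.1/24")` models a router whose LAN was renumbered away from 192.168.88.0/24 while the service restriction stayed at the proposed default.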
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Suggestion: Simple security hardening method

Wed Sep 12, 2018 5:34 pm

It's a little dangerous. Not in my personal opinion, but there's a reason why MikroTik's default firewall only blocks access from WAN and allows it from everywhere else, instead of allowing access only from LAN and blocking from everywhere else. The chance that users will lock themselves out is higher with the latter, and the same goes for your proposal. It may not be a big deal for you or me, there's still MAC access, but those users likely to lock themselves out might not even know about that.