mltobing
just joined
Topic Author
Posts: 11
Joined: Thu Dec 15, 2016 9:19 am

Disallow LAN to access configuration of modem using Mikrotik

Thu Dec 15, 2016 10:38 am

Hello,

I just started learning MikroTik recently. I have an internet connection from my ISP through a modem;
this modem connects to the MikroTik, and the MikroTik connects to an AP.

example:
modem 192.168.30.1 ( and public ip 30.30.30.30 ), just example because public ip dynamic
mikrotik 192.168.88.1
LAN 192.168.88.2 - 192.168.88.254 ( DHCP from mikrotik )

I can change the settings/config for the modem using http://192.168.30.1 or https://30.30.30.30. The problem is I can't change the superuser credentials for this modem.

Is it possible to block access from LAN to http://192.168.30.1 or https://30.30.30.30 ? If possible please tell me


Thanks, and sorry for my English
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: Disallow LAN to access configuration of modem using Mikrotik

Thu Dec 15, 2016 3:14 pm

A simple firewall rule denying traffic to the destination IP will suffice.
 
mltobing
just joined
Topic Author
Posts: 11
Joined: Thu Dec 15, 2016 9:19 am

Re: Disallow LAN to access configuration of modem using Mikrotik

Thu Dec 15, 2016 3:57 pm

According to http://forum.mikrotik.com/viewtopic.php?t=31994

I have tried
/ip firewall filter add chain=input src-address=192.168.30.1 action=drop
But same result: that IP address is still accessible from the LAN.
 
TroyQ
Frequent Visitor
Posts: 63
Joined: Thu Oct 20, 2016 10:02 pm

Re: Disallow LAN to access configuration of modem using Mikrotik

Thu Dec 15, 2016 4:07 pm

Make two changes to your rule:

/ip firewall filter add chain=forward dst-address=192.168.30.1 action=drop
 
mltobing
just joined
Topic Author
Posts: 11
Joined: Thu Dec 15, 2016 9:19 am

Re: Disallow LAN to access configuration of modem using Mikrotik

Fri Dec 16, 2016 12:28 am

Thanks all,

Finally I got this to work.

Like TroyQ said, chain=forward, placed above all the forward-accept rules (my mistake: I had placed it at the bottom).

And for the public IP, I am using this script named "public_ip":
{
# fetch the current public IP into a file
/tool fetch url="http://myip.dnsomatic.com/" mode=http dst-path=mypublicip.txt
# read the file contents into a local variable
:local ip [/file get mypublicip.txt contents]
:put $ip
# replace the old MY-PUBLIC-IP entry with the current address
/ip firewall address-list remove [/ip firewall address-list find list="MY-PUBLIC-IP"]
:delay 5
/ip firewall address-list add list=MY-PUBLIC-IP address=$ip
}
Add one more rule, the same as for the private IP, but this time using src address list = "MY-PUBLIC-IP".
Then run it with the scheduler every 10 minutes to check whether the public IP has changed.
On Event:
 /system script run public_ip
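
The three attempts in this thread, replayed through a small first-match filter model. This is an added example, not code from any of the posts and not RouterOS itself. It assumes a LAN client at 192.168.88.10 and a constructed forward-accept rule for the LAN subnet, and it models address matching only (no connection tracking, NAT or ports).

```python
import ipaddress

# Assumption: the router's own LAN address, taken from the first post.
ROUTER_ADDRS = {"192.168.88.1"}

def chain_for(dst):
    """Packets addressed to the router itself go to 'input'; routed packets go to 'forward'."""
    return "input" if dst in ROUTER_ADDRS else "forward"

def matches(rule, src, dst):
    """A rule matches when every address condition it carries matches the packet."""
    for key, addr in (("src-address", src), ("dst-address", dst)):
        if key in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[key]):
            return False
    return True

def verdict(rules, src, dst):
    """The first matching rule in the packet's chain decides; no match means accept."""
    chain = chain_for(dst)
    for rule in rules:
        if rule["chain"] == chain and matches(rule, src, dst):
            return rule["action"]
    return "accept"

# Constructed stand-in for the "forward-accept rule" mentioned in the thread.
LAN_ACCEPT = {"chain": "forward", "src-address": "192.168.88.0/24", "action": "accept"}
# First attempt: input chain, matching the modem as the source.
INPUT_DROP = {"chain": "input", "src-address": "192.168.30.1", "action": "drop"}
# TroyQ's rule: forward chain, matching the modem as the destination.
FWD_DROP = {"chain": "forward", "dst-address": "192.168.30.1", "action": "drop"}

ATTEMPTS = {
    "input chain, src-address": [INPUT_DROP, LAN_ACCEPT],
    "forward drop at bottom": [LAN_ACCEPT, FWD_DROP],
    "forward drop at top": [FWD_DROP, LAN_ACCEPT],
}

def modem_reachable(rules, client="192.168.88.10"):
    """True if a LAN client's packet to the modem's admin address is accepted."""
    return verdict(rules, client, "192.168.30.1") == "accept"

if __name__ == "__main__":
    for name, rules in ATTEMPTS.items():
        print(f"{name:26} modem reachable from LAN: {modem_reachable(rules)}")
```

Only the third ordering blocks the modem's address, and other routed traffic from the LAN is still accepted by the rule below it.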
