
Block access to winbox/web interface from wifi

Posted: Sat Jul 22, 2017 10:47 pm
by User5
I have a MikroTik hAP lite router (RB941-2nD).
I want to make the Winbox/web interface accessible only from the ether2/3/4 interfaces. I saw some other routers (TP-Link) that have this option as a simple checkbox. What should I do to make it work with MikroTik?

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 1:43 am
by BartoszP
Set firewall rules which accept Winbox/Webfig just from a particular interface and drop it from the others.
These rules depend on your current configuration. Do you have ETH interfaces "mastered" or do you use a bridge?

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 10:15 am
by User5
Well, I didn't edit the default configuration, so I have ether2-master and a bridge. Also, I don't really understand how to perform the mentioned firewall setup, so I will be grateful if you can help me :)

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 12:05 pm
by amt
Hi, test this, but create the interface list from the interface menu before adding the rule.
/ip firewall filter
add action=drop chain=input in-interface-list=!list1 log=no

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 12:19 pm
by pe1chl
Note that presenting this info to an absolute beginner will probably just lock him out of his router.
Before doing things like this, you have to understand how firewall rules work, how a bridge works,
probably remove the bridge, etc.

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 12:27 pm
by User5
Yeah... I have only a general understanding of how a firewall works, and unfortunately no idea what a bridge is :D.

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 12:39 pm
by User5
"create interface list from interface menu"
What exactly should I do?) I have the interface menu, but what is an interface list?
What exactly does the code you have written do? I saw a similar (almost) topic, viewtopic.php?t=85852, and there is a comment:
Drop port 80 in input chain inbound interface wifi
Does your code do the same thing? Or should I not drop port 80 in the input chain?

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 12:40 pm
by pe1chl
Well, you should understand that MikroTik routers do not have (many) "simple action by checkbox" settings.
There is a quickset screen where you can select between some generic modes of operation, and that you
should not touch after initial setup. All other setup has to be done at the level where you want to make
the change, and you have to understand what you are doing.

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 12:55 pm
by User5
I understand that) It simply looks to me like a security feature that should be accessible to a casual user, because somebody can simply get lucky with the wifi password.

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 1:13 pm
by pe1chl
MikroTik routers are not for casual users...

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 8:44 pm
by User5
I am talking about one particular feature, not router.

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 8:45 pm
by hgonzale
MikroTik devices are not simple STEP-STEP routers; they are a complete system for network routing/security, and you need to know TCP/IP and RouterOS very WELL.

If you want a CLICK CLICK router, MikroTik is not for you!!!!

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 8:48 pm
by User5
I think we are slightly moving away from my question. I was asking for help because I don't know how to make a certain thing happen.

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 23, 2017 10:54 pm
by pe1chl
It is not so easy. You will have a bridge configuration now which means that the input from wifi and ethernet
is combined BEFORE the firewall rules are applied. So, you cannot solve this in the way that amt indicated;
to do that you first need to separate the two networks (remove the bridge and use a separate IP range
for ethernet and wifi). This will be fine when you use only the wifi in daily use and want to use ether2-4
only in the rare case that you want to manage the box, using a computer you plug in at that time.
When this is not the way you are using it, you will be introducing another IP network and routing, and it may
cause additional trouble like "not being able to find your printer or NAS".
Alternatively, it would be possible to use "bridge filters" but that results in additional overhead and it also
is a more advanced topic.

So a short answer: it is not as easy as you think, and there is not that "click here to do it" functionality you
find in other routers. The easiest is to set a secure password on the admin account (you did set a password,
didn't you??) and forget this requirement of "only on ethernet". Of course you would not want the admin
interface to be available on internet, but by default it isn't (because all input from ether1 is blocked).

Re: Block access to winbox/web interface from wifi

Posted: Mon Jul 24, 2017 12:56 am
by ZeroByte
A few bridge filter rules will do the trick here - and it's easy enough to implement.

First, find the name of your LAN bridge (it's probably the only bridge on your system) - the easiest way to guarantee you have the right interface is to look in IP Addresses menu - Let's say that your LAN uses the IP address range 192.168.88.X - whichever interface has the IP address 192.168.88.1/24 applied to it - that's your LAN bridge.

Okay, knowing this, let's make sure we also have the correct name of your wifi interface - it's almost 100% guaranteed to be wlan1 - but just look in your bridge menu:
bridge > ports

Note the wlan interface(s) which show up as ports attached to the bridge you identified in step 1 above.

Now we just create a bridge firewall rule that blocks winbox and another that blocks http on your bridge:

For this example, I'm going to assume that your bridge is called "bridge-local", that your wifi interface is "wlan1" and that your LAN interface is 192.168.88.1

Go into the bridge configuration in Winbox, select the filters tab, and click the blue + icon to create a new rule.

In the new Bridge Filter Rule window, set the following:
General Tab:
- Chain = input
- open the "Interfaces" expansion (black triangle)
- Set In-Interface to "wlan1" (or whatever interface you identified)
- open the Bridges expansion (black triangle)
- Set "In Bridge" to bridge-local
- Open the "MAC Protocol" expansion
- Set "MAC Protocol-Num:" to 800 (ip)
- Open the IP expansion
- set Protocol to 6 (tcp)
- set Dst. Port: to 8291
Advanced Tab:
- Open the "Packet Type" expansion
- Set Packet Type: to host
Action Tab:
- Set action to "drop"
Click OK to add the rule

This will block Winbox (which uses TCP port 8291)
Do the exact same steps except change the port to 80 for blocking WWW access to the router
If you enabled HTTPS (secure web - you almost certainly didn't) - you can add a third rule to block port 443.
If you want to block telnet and SSH, do the same for ports 23 and 22. (respectively - both are still TCP)

That will give the functionality you want without having to break the WiFi into a separate LAN network.

Hope this helps! Happy routing!

Edit - Thanks Sob for informing me about the packet-type=host function, which is far superior to the dst-address=x.x.x.x method I originally proposed

Re: Block access to winbox/web interface from wifi

Posted: Mon Jul 24, 2017 2:29 am
by sid5632
- set Dst. Port: to 8251
This will block Winbox (which uses TCP port 8251)
8291
:o

Re: Block access to winbox/web interface from wifi

Posted: Mon Jul 24, 2017 3:44 am
by Sob
If your LAN interface has multiple IP addresses, you'll need to do all of these rules again, using each IP address applied to your LAN interface.
Not just LAN addresses, you can also connect to WAN address or any other address on router (e.g. if there's some VPN). Luckily the bridge filter has packet-type=host option, which matches any address on router. I've never used it before, just did a very quick test now and it seems to work (same way as dst-address-type=local does in IP firewall).

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 9:48 am
by User5
Thanks for the replies! What is good: I can no longer log on via wifi to 192.168.88.1 with my username and password. What is not very good: I can log on via wifi with the MAC address and my username and password :/.

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 9:50 am
by User5
Any ideas how to fix it?

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 6:26 pm
by ZeroByte
That's because MAC-based winbox doesn't use IP, and the bridge filter rules discussed here only look at frames that contain IP.

You could either disable the MAC server, or else sniff the packets and look at the protocol number in the Ethernet header, making a rule that filters such frames in-interface=wlan1 in a similar fashion. (You wouldn't need to worry about the type=host portion because ethernet can't pass through routers)

If someone else in this thread knows what protocol number to match on ethernet frames for WinBox, feel free to chime in and fill in the blanks.

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 6:49 pm
by Sob
According to my quick test, Wireshark shows MAC WinBox packets as IPv4 UDP:

Client to server: <client address>:54614 -> 255.255.255.255:20561
Server to client: 0.0.0.0:20561 -> 255.255.255.255:54614

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 7:14 pm
by User5
According to this, which addresses should I block?

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 9:51 pm
by ZeroByte
block in-interface=wlan1, in-bridge=lan, protocol=ip, dst IP = 255.255.255.255, IP-protocol=udp, dst-port = 20561 ( no need for the type=host condition because this destination is not routable across the Mikrotik)

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 10:43 pm
by User5
It definitely blocks something, but I am still able to log on via MAC. Each time I log on, the amount of dropped packets and bytes increases. (The first time I applied this rule, I was disconnected.)

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 10:49 pm
by User5
Have I done everything right?
Chain - input
In. Interface - wlan1
In. Bridge - bridge (that's the name of my bridge)
MAC Protocol - 800 (ip)
IP
--Dst. Address 255.255.255.255
--Dst. Port 20561
--Protocol 17 (udp)
Action tab:
Action - drop

Re: Block access to winbox/web interface from wifi

Posted: Wed Jul 26, 2017 11:50 pm
by ZeroByte
If the protocol/port provided by Sob is correct, then that should be the rule. It could possibly be using random port numbers or something.

If your model Mikrotik has a serial port and you can connect to that, then I'd suggest just turning off MAC server if you can't get a filter rule to block it - or else accept the fact that people coming to your location might figure out that it's a Mikrotik router and download Winbox and do MAC telnet and then know your password. . .

Re: Block access to winbox/web interface from wifi

Posted: Thu Jul 27, 2017 1:24 am
by Sob
It's correct, but previously I only checked what's used when I connect, I didn't try to block it. Turns out, it really wants to connect, so if 255.255.255.255 fails, it tries 239.255.255.255. And if it doesn't work either, it tries local broadcast, i.e. 192.168.88.255 for default config. So just skip the address and it will block all.
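The Winbox bridge-filter steps ZeroByte laid out, plus the MAC WinBox rule with the destination address left out as Sob suggests, written as RouterOS CLI commands. This is an added example, not code from either post; it assumes the LAN bridge is named "bridge-local" and the wifi port is "wlan1", as in ZeroByte's example.

```routeros
# Added example: CLI equivalent of the bridge filter rules discussed in this thread.
# Assumptions: bridge is "bridge-local", wifi interface is "wlan1".
/interface bridge filter
# Winbox over IP (TCP 8291) arriving from wifi, destined to any of the router's own addresses.
# packet-type=host matches every local address (LAN, WAN, VPN), so no dst-address is needed.
add chain=input in-interface=wlan1 in-bridge=bridge-local mac-protocol=ip ip-protocol=tcp dst-port=8291 packet-type=host action=drop comment="wifi: no winbox"
# WebFig over HTTP (TCP 80) and, if enabled, HTTPS (TCP 443).
add chain=input in-interface=wlan1 in-bridge=bridge-local mac-protocol=ip ip-protocol=tcp dst-port=80 packet-type=host action=drop comment="wifi: no www"
add chain=input in-interface=wlan1 in-bridge=bridge-local mac-protocol=ip ip-protocol=tcp dst-port=443 packet-type=host action=drop comment="wifi: no www-ssl"
# Telnet (TCP 23) and SSH (TCP 22).
add chain=input in-interface=wlan1 in-bridge=bridge-local mac-protocol=ip ip-protocol=tcp dst-port=23 packet-type=host action=drop comment="wifi: no telnet"
add chain=input in-interface=wlan1 in-bridge=bridge-local mac-protocol=ip ip-protocol=tcp dst-port=22 packet-type=host action=drop comment="wifi: no ssh"
# MAC WinBox (IPv4 UDP 20561). No dst-address and no packet-type, so the 255.255.255.255,
# 239.255.255.255 and local-broadcast (192.168.88.255) fallbacks Sob observed are all caught.
add chain=input in-interface=wlan1 in-bridge=bridge-local mac-protocol=ip ip-protocol=udp dst-port=20561 action=drop comment="wifi: no mac-winbox"
```

Apply the rules from a wired port, then confirm from wifi that the counters on each rule increase while the matching service stays reachable from ether2-4.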

Re: Block access to winbox/web interface from wifi

Posted: Thu Jul 27, 2017 1:41 am
by Sob
For the record, I read the thread again and the whole thing feels possibly wrong. If someone gets lucky with the wifi password, then protected administration of the router is good, but what about the rest of the network? If it's bridged, then all other devices are accessible. Do you need one common network for both wifi and ethernet at all?

Re: Block access to winbox/web interface from wifi

Posted: Thu Jul 27, 2017 9:52 am
by User5
I don't need one common network) As I've mentioned, I didn't remove the default configuration.

Re: Block access to winbox/web interface from wifi

Posted: Thu Jul 27, 2017 7:38 pm
by ZeroByte
If you don't need one common network, then your job gets easier in the blocking department - you just need to remove wlan1 from the bridge, and then add an IP address (e.g. 192.168.99.1/24) to the interface wlan1, and then set up dhcp-server on that interface. (the dhcp-server has a wizard that will walk you through the steps if you already have an IP address on the interface, so it's not hard to do).

Then you can just use input rules in the standard IP firewall filters.
Allow icmp, dhcp, and dns in-interface=wlan1
drop everything else in-interface=wlan1

MAC server might still be an issue though, but maybe not. Try it this way and see whether MAC is also blocked by the firewall rule.

Re: Block access to winbox/web interface from wifi

Posted: Fri Jul 28, 2017 11:29 am
by User5
How can I remove wlan1 from my bridge?

Re: Block access to winbox/web interface from wifi

Posted: Fri Jul 28, 2017 9:14 pm
by ZeroByte
bridge menu > ports tab
You will see an entry where interface wlan1 is a port on "bridge"
Remove that entry, and it's no longer bridged.

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 30, 2017 12:30 pm
by User5
Okay, I've tried to add an IP address to my wlan1 via the IP menu -> Addresses, but is it the right way to do it? (I have no internet access on wi-fi)

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 30, 2017 12:40 pm
by User5
Should I remove the default configuration if I don't use a home network or something like that? (I mean, can I go on without any bridge?)

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 30, 2017 12:49 pm
by User5
Also, do I need DHCP-server or DHCP-client?

Re: Block access to winbox/web interface from wifi

Posted: Sun Jul 30, 2017 1:05 pm
by pe1chl
Yes, you have to set a (different) IP address, configure a DHCP pool, configure a DHCP network, and a DHCP server.
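The separate-wifi-network approach from ZeroByte's and pe1chl's posts (take wlan1 off the bridge, give it its own address, DHCP pool, network and server, then plain IP firewall input rules), as RouterOS CLI. This is an added example, not the posters' own configuration; it assumes the bridge is named "bridge", the wifi interface is "wlan1", and 192.168.99.0/24 is unused.

```routeros
# Added example: wifi on its own subnet so standard /ip firewall input rules apply.
# Assumptions: bridge "bridge", wifi "wlan1", free subnet 192.168.99.0/24.
/interface bridge port remove [find interface=wlan1]
/ip address add address=192.168.99.1/24 interface=wlan1 comment="wifi subnet"
/ip pool add name=pool-wifi ranges=192.168.99.10-192.168.99.254
/ip dhcp-server network add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1
/ip dhcp-server add name=dhcp-wifi interface=wlan1 address-pool=pool-wifi disabled=no
# The router only answers DNS for clients when remote requests are allowed.
/ip dns set allow-remote-requests=yes
# Input chain: allow just what wifi clients need, then drop everything else from wlan1.
# Rule order matters: these must sit before any broad accept rule for the LAN
# (move them up in Winbox or use place-before= on add).
/ip firewall filter
add chain=input in-interface=wlan1 protocol=icmp action=accept comment="wifi: ping"
add chain=input in-interface=wlan1 protocol=udp dst-port=67 action=accept comment="wifi: dhcp"
add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=accept comment="wifi: dns"
add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=accept comment="wifi: dns tcp"
add chain=input in-interface=wlan1 action=drop comment="wifi: no management"
```

MAC WinBox and MAC telnet do not pass through /ip firewall, so also restrict /tool mac-server and /tool mac-server mac-winbox to the wired interfaces (the exact syntax depends on the RouterOS version), then test from wifi that Winbox by MAC address no longer connects.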