firewall

Posted: Sat Feb 02, 2019 5:23 am
by ciberica
Can someone help me create a firewall rule so that clients cannot access the winbox port through ethernet?

I created this rule but can continue to enter the rb2011

add action=drop chain=forward in-interface=bridge1 protocol=tcp src-port=8291

Re: firewall

Posted: Sat Feb 02, 2019 11:55 am
by sid5632
Use dst-port instead of src-port and change forward to input.

Re: firewall  [SOLVED]

Posted: Sat Feb 02, 2019 3:27 pm
by anav
Your question is not clear.
Do you mean:
a. clients on the LANS/VLANS behind the router going out to the internet and then reaching back to the router
b. clients on the LANS/VLANS behind the router accessing the router directly from there (lans/vlans to router)
c. clients on the internet coming from external WANIPs accessing the router

Advice.
1. Ensure you have latest firmware

Question
2. Why is winbox available on the external side? This is bad security!
At a minimum use port knocking and better use VPN if you must access winbox externally.

Re: firewall

Posted: Sat Feb 02, 2019 11:05 pm
by anav
I disagree; all users should be cognizant of how Winbox is accessible and of the following settings:

a. input chain rules matter (access to router)
b. ip service list matters (access to services)
c. Users defined matters

Re: firewall

Posted: Sun Feb 03, 2019 2:47 am
by ciberica
Sorry for not being clear, let me explain myself better.

1- I have an RB2011 where eth10 goes to a CCR1009 with internet access.
2- In the RB2011, 5 clients are connected by ethernet: eth1, ether2, ether3, ...
3- All of them are in a bridge.
4- I do not want them to be able to access winbox, so they cannot brute-force it.

Thank you very much for your support.

Re: firewall

Posted: Sun Feb 03, 2019 6:09 am
by anav
Thank you, that is very clear.
The idea is to only allow the IP addresses you want on your network to be able to access winbox.
This can be done in many ways.

One question is that are all the clients on the ports on ONE LAN or are they supposed to be separated from one another?

Re: firewall

Posted: Sun Feb 03, 2019 8:29 am
by ghostt
You can create a "white-list" of IP addresses in Firewall, that could include your LAN and / or VPN, but NOT include your customer IP addresses.... Then simply allow Winbox from that IP address list only in input chain, not forward.
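One way to turn ghostt's whitelist approach (together with sid5632's dst-port / input-chain correction) into RouterOS commands, as an added example that is not from the thread; the addresses, the list name and the interface name bridge1 are assumptions:

```routeros
# Added example (not from the thread): restrict Winbox (tcp/8291) on the
# RB2011 to a whitelist of management addresses. Addresses, list name and
# interface name are assumptions; adjust them to your network.

# 1. Whitelist: only these hosts may open Winbox on the router itself.
/ip firewall address-list
add list=winbox-mgmt address=192.168.88.10 comment="admin workstation (assumed)"
add list=winbox-mgmt address=10.8.0.0/24 comment="VPN pool (assumed)"

# 2. Input chain = traffic TO the router. Match the destination port, not
#    the source port: a client picks a random source port for each connection.
#    Rules are evaluated in order, so keep these above any broad accept for
#    bridge1 (use place-before= if such rules already exist).
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address-list=winbox-mgmt \
    action=accept comment="Winbox from management whitelist only"
add chain=input protocol=tcp dst-port=8291 in-interface=bridge1 \
    action=drop log=yes log-prefix="winbox-blocked " \
    comment="drop Winbox from the client bridge (eth1..eth5)"

# 3. Second layer (anav's point b): restrict the service itself to the same
#    addresses, so a later firewall mistake does not re-expose Winbox.
/ip service
set winbox address=192.168.88.10,10.8.0.0/24

# 4. Verify: the drop rule's counters rise when a client tries to connect,
#    and the log shows the source address of each blocked attempt.
/ip firewall filter print stats where comment~"Winbox"
/log print where message~"winbox-blocked"
```

Test from a client port after applying it: the Winbox connection should time out, while the whitelisted address still connects.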

Re: firewall

Posted: Mon Feb 04, 2019 2:39 am
by ciberica
all clients are separated, each client is connected to an ethernet port