Set an allowed address range in /ip services, or set up firewall rules to block access from the public interface.
I'm using ports 80 and 433 on the RB, but I don't need webfig. The RB shows the username directly in webfig... why? That is a big issue. How can I block access to webfig in general (not over the local and public interface)? Please help me! Thanks in advance.
1. I've changed the username "admin" ... but webfig still shows "admin". What is this? Where does this name come from? Note: temporary files have already been removed by the browser; I checked it on two PCs ... and received the same result. (Changed through Winbox -> System -> Users -> system default user "admin".)
2. Regardless, that's not a nice solution. Please add a function in a future version with which we can disable the webfig service. I think it would take no great effort, or?
I cannot disable "www" and "www-ssl", because I use "www" for the web server and "www-ssl" for the User Manager.
Why is it predefined? It is not difficult to write it oneself. I constantly upgrade whenever a new version comes out. So should I always send an email for each new version to receive the modified HTML, or is that not needed?
Joined: Fri May 28, 2004 10:04 am Posts: 18267 Location: Riga, Latvia
Paka, maybe it is confusing for you, but for a new customer, when he connects to the device, it is nice that he doesn't need to look for the default username in the manual. He is automatically logged in, where he sees Quickset.
Webfig is the main configuration option on RouterOS. I still don't understand why you want to disable it?
For safety reasons we have blocked all connections for configuring device settings over the public IP. But it is still reachable with webfig. If I leave the access to webfig, what remains of my security concept?
User Manager and Hotspot you don't need on the public interface. The rule only blocks them on the public port.
The APs are in one place, the Radius is in another place. Customers of the hotspots use the User Manager over the public interface. Moreover, the PayPal server connects with the User Manager over the public interface. I hope you find a solution.
You do not have a web server on your router, so my mentioned rule will not block that traffic. It is "forward" traffic, not "input". The same goes for the User Manager, if it is set up on another router behind the gateway.
@normis My customers use the link http://myhost/user to manage their own data. Yes, correct is: the User Manager connects to the PayPal server.
@mrz You're right. Retrieving http://myhost is forwarded to my web server. The webfig page cannot be seen here, so I don't need it for port 80. But when retrieving https://myhost I receive the webfig page. So I've forwarded all access over port 443 to the web proxy.
So the following configurations were made, but unsuccessfully:
1. Block direct access to the web proxy:
    ip firewall filter add chain=input protocol=tcp dst-port=8080 in-interface=ether1 action=drop
2. Enable the web proxy:
    ip proxy set enabled=yes
3. Forwarding to the web proxy:
    ip firewall nat add chain=dstnat dst-address=publicip protocol=tcp dst-port=443 action=redirect to-ports=8080
4. Add an access rule in the web proxy to block webfig:
    ip proxy access add dst-address=publicip path="/webfig/*" action=deny
5. Add access rules in the web proxy to allow the User Manager:
    ip proxy access add dst-address=publicip path="/user/*" action=allow
    ip proxy access add dst-address=publicip path="/userman/*" action=allow
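
Added example, not part of the thread and not MikroTik code: a simplified Python model of how rules 1 and 3 above interact, given that RouterOS evaluates dstnat before the filter input chain. The address 203.0.113.10 stands in for "publicip", ether2 is an assumed LAN port, and the function names and the default-accept policy are assumptions of the model.

```python
# Simplified model: for traffic addressed to the router, dstnat (prerouting)
# runs BEFORE the filter "input" chain, so the filter sees the rewritten port.
PUBLIC_IP = "203.0.113.10"  # constructed placeholder for "publicip"

# Rule 3 from the post: redirect public tcp/443 to the web proxy on 8080.
DSTNAT_RULES = [
    {"match": {"dst_address": PUBLIC_IP, "protocol": "tcp", "dst_port": 443},
     "action": "redirect", "to_ports": 8080},
]
# Rule 1 from the post: drop tcp/8080 arriving on ether1.
INPUT_RULES = [
    {"match": {"protocol": "tcp", "dst_port": 8080, "in_interface": "ether1"},
     "action": "drop"},
]

def matches(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(pkt.get(key) == value for key, value in rule["match"].items())

def apply_dstnat(pkt):
    """Return a copy of the packet after the first matching dstnat rule."""
    out = dict(pkt)
    for rule in DSTNAT_RULES:
        if matches(rule, out):
            out["dst_port"] = rule["to_ports"]  # redirect rewrites the port
            out["redirected"] = True            # the filter rule never checks this
            break
    return out

def apply_input(pkt):
    """First matching input rule decides; the model accepts by default."""
    for rule in INPUT_RULES:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def trace(in_interface, dst_port):
    """Return (port seen by the input chain, verdict) for a TCP packet."""
    pkt = {"in_interface": in_interface, "dst_address": PUBLIC_IP,
           "protocol": "tcp", "dst_port": dst_port}
    after_nat = apply_dstnat(pkt)
    return after_nat["dst_port"], apply_input(after_nat)

if __name__ == "__main__":
    for iface, port in [("ether1", 443), ("ether1", 8080), ("ether2", 443)]:
        print(iface, port, "->", trace(iface, port))
```

In this model the input chain matches on the rewritten port only, so rule 1 cannot tell a direct connection to 8080 on ether1 from one that rule 3 redirected from 443.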