Accessing WinBox remotely

Good morning,

I opened port number 8291 on my RB450G to access WinBox remotely, and I have the “Secure Mode” box checked in WinBox as well as the “lock symbol” in the top right corner, but I have a few security-related concerns:

  1. Is this an acceptable way of accessing Mikrotik from outside? (just by opening a port) Any concerns?
  2. Is my username/password encrypted when I connect?
  3. Is WinBox traffic encrypted? Is it strong encryption, or weak?
  4. This “Secure Mode” is it really secure? Or just a bit better than “plain text”?

Do I need to worry about anything? And is there a better/safer way to access Mikrotik via WinBox remotely?

Thank You

Disable network discovery and you will become more secure.
Sorry for bad English.

On Monday or Tuesday the slides from the 2010 US MUM will be posted here: http://wiki.mikrotik.com/wiki/MUM_2010_US

Steve Discher had a presentation on port knocking, and it’s already up. You should take a look at it.

Where can we find the network discovery?

How do I make an IP access list? That is, only some particular IPs will be able to access, like that…

/ip neighbor discovery

and disable the WAN port; this will stop the RB from broadcasting that it is on the network.

If you need to set only one range or address, you can set it right in

/ip service edit winbox address

For more addresses or ranges, use the firewall and its address lists:

/ip firewall address-list
add list=winboxaccess address=192.168.2.0/24
add list=winboxaccess address=1.1.1.1
add list=winboxaccess address=2.2.2.2
...



/ip firewall filter add chain=input action=accept src-address-list=winboxaccess protocol=tcp dst-port=8291

Don’t forget to move this rule above drop/reject rules!
You can do more advanced config such as port knocking with firewall and address lists too.
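
The rule-ordering point above ("move this rule above drop/reject rules"), as an added example that is not part of the original posts: a simplified Python model of first-match evaluation on the input chain, using the thread's winboxaccess addresses. The drop rule, the broad accept rule, the probe addresses and all function names are assumptions made for the illustration; this is not RouterOS code.

```python
import ipaddress

# Constructed model of the thread's input-chain rules (illustration only).
WINBOX_ACCESS = ["192.168.2.0/24", "1.1.1.1", "2.2.2.2"]  # address list from the post

ACCEPT_LIST = {"action": "accept", "src_list": WINBOX_ACCESS, "dst_port": 8291}
DROP_WINBOX = {"action": "drop", "src_list": None, "dst_port": 8291}   # assumed drop rule
ACCEPT_ALL = {"action": "accept", "src_list": None, "dst_port": None}  # assumed broad rule


def matches(rule, src, dst_port):
    """True if a TCP packet from src to dst_port satisfies every matcher in rule."""
    if rule["dst_port"] is not None and rule["dst_port"] != dst_port:
        return False
    if rule["src_list"] is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in rule["src_list"])


def verdict(chain, src, dst_port=8291):
    """The first matching rule decides; a packet matching no rule is accepted."""
    for rule in chain:
        if matches(rule, src, dst_port):
            return rule["action"]
    return "accept"


def audit(chain, probes):
    """Return the probe sources that can still reach WinBox through this chain."""
    return [src for src in probes if verdict(chain, src) == "accept"]


# Two listed sources and one outside host (constructed test addresses).
PROBES = ["192.168.2.10", "1.1.1.1", "203.0.113.7"]

if __name__ == "__main__":
    chains = {
        "accept only, no drop": [ACCEPT_LIST],
        "drop above accept": [DROP_WINBOX, ACCEPT_LIST],
        "broad accept on top": [ACCEPT_ALL, ACCEPT_LIST, DROP_WINBOX],
        "accept above drop": [ACCEPT_LIST, DROP_WINBOX],
    }
    for name, chain in chains.items():
        print(f"{name:22} WinBox reachable from: {audit(chain, PROBES)}")
```

Only the last ordering limits WinBox to the listed addresses: without a drop rule the outside host falls through to the default accept, and a drop or broad accept placed higher decides the packet before the address-list rule is reached.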

/ip service edit winbox address - I hope the above command is working, I believe. We will be able to control the access with only defined IPs here.

Small doubt:
/ip firewall address-list
add list=winboxaccess address=192.168.2.0/24
add list=winboxaccess address=1.1.1.1
add list=winboxaccess address=2.2.2.2
/ip firewall filter add chain=input action=accept src-address-list=winboxaccess protocol=tcp dst-port=8291

I don't think the firewall command will help for secure access; kindly suggest which one is good for controlling the MikroTik access. My concern is: it should be accessible from all places, it should be accessible only from defined IPs?

For the above command, I have created the management servers in the address-list, then I have written the rule in the firewall and at the same time I made the accept for only the management server IPs and made drop for all, but it didn’t help to block the access. Herewith I have attached config sheets. Kindly help me; if this won’t work, what is the purpose of using this firewall command?