Block port 80 from passing through

Hello

Can someone give me a hand here? I'm looking to block port 80 behind our routers. We use 80 to manage our CPEs and would like to block access from the outside.

Hi,

Are your CPEs also MikroTik devices?

No, they are UBNT.

Are the UBNTs’ IP addresses in a dedicated management network (management VLAN), or are there also users in the same network?

If there is no management VLAN, then the users can access the UBNT devices directly without going through the router, so you’re stuck…

If there IS a management VLAN, so the users’ traffic must pass through the router first, then you can easily use the ip firewall filter rules to block this traffic in various ways.

One example:
allow only a specific management network (10.10.10.0/24) to reach the MgtVlan interface:
/ip firewall filter
add chain=forward out-interface=MgtVlan src-address=!10.10.10.0/24 action=drop
(the ! means ‘not’)

Or if you have multiple networks/IP addresses that you want to allow access, but block all others, the best way is to use an address list:
/ip firewall address-list
add list=mgtAllowed address=10.10.10.0/24
add list=mgtAllowed address=192.168.55.19
etc…
/ip firewall filter
add chain=forward out-interface=MgtVlan src-address-list=!mgtAllowed action=drop
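
Added example, not part of the original posts: the rules in the thread drop all traffic toward the management VLAN from non-allowed sources, while the question asked about port 80 only. This variant narrows the drop to TCP/80, logs hits, and shows how to confirm the rule is matching. `MgtVlan` and `mgtAllowed` are the names used in the thread; the comment strings and log prefix are constructed for illustration.

```routeros
# Sources permitted to reach the CPE web interfaces (address taken from the thread).
/ip firewall address-list
add list=mgtAllowed address=10.10.10.0/24 comment="management subnet"

/ip firewall filter
# Drop only HTTP (TCP/80) routed toward the management VLAN when the
# source is NOT in mgtAllowed. Filter rules are evaluated top to bottom,
# so this rule must sit above any forward-chain accept rule that would
# otherwise match the same traffic first.
add chain=forward protocol=tcp dst-port=80 out-interface=MgtVlan \
    src-address-list=!mgtAllowed action=drop \
    log=yes log-prefix="mgt-http-block" \
    comment="block CPE web UI from non-management sources"

# Verify: the packet counter on the drop rule should rise when a source
# outside mgtAllowed tries port 80 on a CPE, and stay flat for 10.10.10.0/24.
/ip firewall filter print stats where comment="block CPE web UI from non-management sources"

# The matching log entries carry the prefix set above.
/log print where message~"mgt-http-block"
```

As noted earlier in the thread, this only affects traffic that is routed through the MikroTik; hosts in the same layer-2 network as the CPEs never hit the forward chain.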