Block WinBox discovery from specific address

David1234 · January 7, 2018, 11:23am

Hello,
I want to know if I can blockthe discovery from a specific address in my netwrok
so the router will be 10.0.0.1/24
my netwrok is 10.0.0.0/24
but I will only see the it in winbox from 10.0.0.10-10.0.0.20
all other computers in the network that aren’t this address will not see it

can I do this ?

this is what I have so far -

/ip firewall filter
add action=drop chain=input dst-port=5678 protocol=udp src-address-list=\
    !Office
add action=drop chain=forward dst-port=5678 protocol=udp src-address-list=\
    !Office
add action=drop chain=output dst-port=5678 protocol=udp src-address-list=\
    !Office
add action=reject chain=input dst-port=20561 protocol=udp src-address-list=\
    !Office
add action=reject chain=output dst-port=20561 protocol=udp src-address-list=\
    !Office
add action=reject chain=forward dst-port=20561 protocol=udp src-address-list=\
    !Office

/ip firewall address-list
add address=10.0.0.10-10.0.0.20 list=Office

but now I can’t see it from all the netwrok…

what I need to fix ?

Thanks ,

haik01 · January 7, 2018, 2:01pm

I see no TCP, only UDP.

What does Winbox uses? UDP or TCP?

netvisionip · January 7, 2018, 2:54pm

If you go to IP → Services.

Select winbox and you can add the IP addresses you want to have access to winbox.
Maybe best testing with safemode first.

16again · January 8, 2018, 8:27pm

Discovery packets are sent from the MT router to broadcast IP 255.255.255.255:5678 , which isn’t blocked by your rules

David1234 · January 9, 2018, 12:34pm

so how can I block it ?
I know how to limit the network to connect to the router.
but I also don’t want to block the discovery
so how can I do this ?

Deantwo · January 9, 2018, 2:35pm

It isn’t good enough to just block neighbor discovery from an interface? It has to be a specific IP address?

/ip neighbor discovery set [find name=ether1] discover=no

Alternatively I’ll ask why it is all on the same network if it has to be separate. Wouldn’t it be easier to set up VLANs?

David1234 · January 10, 2018, 1:40pm

no I can’t use Vlan

Deantwo · January 17, 2018, 2:11pm

From the sound of it, the easiest fix is to just totally disable neighbor discovery, and then just save the IP address in WinBox.
That way no one can see the MikroTik router via neighbor discovery, only if they know the IP address of the router can they access it, and only if they know it is a MikroTik router will they think of using WinBox.

/ip neighbor discovery set [find] discover=no