Block winbox/neighbour scan from computers not in admin list.

Hi there, I have successfully set up MikroTik firewall filter rules.

I have also been able to block Winbox scan by following this link
http://www.mikrotik.unimedcenter.org/uncategorized/block-scan-winbox-and-neighbour-mikrotik/

These are the 3 rules that I have used.

add action=drop chain=forward comment="block discovery mikrotik" disabled=no \
    dst-port=5678 protocol=udp src-address-list=!admin
add action=drop chain=input comment="block mikrotik discovery" disabled=no \
    dst-port=5678 protocol=udp src-address-list=!admin
add action=drop chain=output comment="block discovery mikrotik" disabled=no \
    dst-port=5678 protocol=udp src-address-list=!admin

It does block Winbox scan, but the router does not show up when doing a scan from an admin computer.
But it does show up when I add the IP address of the router to the admin list.

But then when I do a scan from a non-admin computer the router will appear after a few seconds.

Are there more ports that I need to block or allow?

Thanx

Unless I’m mistaken, the neighbor protocol sends announcement broadcasts, which are flooded to all hosts on the subnet. You can’t block broadcast delivery to some hosts on a router; that would be a feature of a switching platform.

You could create tunnels between your routing devices, and turn on MNDP for only those tunnels.
Or create a VPN connection on the admin computers you wish to receive MNDP (this may be a bit over-doing it though).

As fewi mentioned though, you can’t block a single host within the same broadcast domain for the others.

Thank you for all the replies. Is there a way to block MAC telnet but still allow it for the admin group? I see that port 20561 UDP is added to the admin port list.

I know that I can disable MAC telnet by going to /tool/mac-telnet and then disabling all interfaces in the list.
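Since MNDP announcements and MAC telnet are link-layer services, the practical way to limit them is per interface rather than per host, as the tunnel suggestion above implies. This is an added example, not configuration from the thread; it assumes RouterOS v6.41 or later (interface lists) and the interface name ether2-admin is a placeholder for whatever tunnel or port your admin machines sit on.

```routeros
# Added example, not from the thread. Assumes RouterOS v6.41+ (interface lists).
# "ether2-admin" is a placeholder for the admin-side port or tunnel interface.
/interface list add name=mgmt
/interface list member add list=mgmt interface=ether2-admin

# Only send neighbour discovery (MNDP, UDP 5678) announcements on the mgmt list,
# so non-admin segments never receive them and firewall rules are not needed.
/ip neighbor discovery-settings set discover-interface-list=mgmt

# Restrict MAC telnet and MAC Winbox (UDP 20561) to the same list and turn off MAC ping.
/tool mac-server set allowed-interface-list=mgmt
/tool mac-server mac-winbox set allowed-interface-list=mgmt
/tool mac-server ping set enabled=no

# Verify the result
/ip neighbor discovery-settings print
/tool mac-server print
/tool mac-server mac-winbox print
```

With this in place the output-chain drop rule on UDP 5678 is no longer needed, which also avoids the router dropping its own announcements because its address is not in the admin list.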