Hi everyone, I’ve just set up most of the security steps suggested on the Mikrotik wiki https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#RouterOS_services
Left ssh and winbox service, each one on different ports (not the standard ones). Worked well yesterday, but today I receive this message in winbox: “ERROR: router does not support secure connection…” I activated Legacy mode but nothing happened… And with ssh I get connection refused, though. What did I do wrong?
After you set up firewall rules to restrict management access, the first step is to try to create a new management connection before logging out from the running one. If you did this test yesterday, something went wrong with the machine; if you didn’t, it is likely that you’ve configured the firewall rules wrong and they prevent new management connections from being established.
So unless you’ve also blocked MAC based access (mac-telnet and/or mac-winbox), you should be able to get in this way (Winbox from a PC directly connected to the LAN port of the box, mac-telnet from another Mikrotik connected there); if you’ve blocked this too, your last chance before resetting the configuration to defaults is a serial connection if the machine has a serial or USB port.
Suggest you reset to defaults and avoid the wiki.
Simply use the defaults here and then come back and we will add rules one by one that make sense for what you wish to accomplish.
Copying rules from any source beyond the default ones is fraught with danger for the uninitiated.
So what I am saying is come back clean and we will help you understand the default rules and what any changes you propose would do!!
PS. Most of us have knocked or locked ourselves out of the router at one time or another… Join the club!!! Use of the SAFE MODE at the top of winbox is a MUST! I now turn it on as habit whenever I open winbox.
Cheers
Default settings, typically:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
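To make the earlier advice concrete (test a new session before logging out, and mind where a custom rule lands relative to the defconf rules), here is an added walk-through that is not part of any post in this thread. It assumes the default rules listed above are in place; the ports 2222 (ssh) and 8299 (winbox) and the 192.168.88.0/24 management network are constructed placeholders, not values the poster gave.

```routeros
# Added example, not from the thread. Assumes the defconf rules above are
# present. 2222 (ssh), 8299 (winbox) and 192.168.88.0/24 are constructed
# placeholders for the poster's own non-standard ports and admin network.

# 1. Enter safe mode first (Ctrl+X in the terminal, the Safe Mode button in
#    Winbox): if this session drops, changes made since are rolled back.

# 2. Move the services to the chosen ports.
/ip service set ssh port=2222
/ip service set winbox port=8299

# 3. Keep the trusted management sources explicit in an address list.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 \
    comment="constructed: trusted admin hosts"

# 4. Accept only the two management ports, only from that list, and insert
#    the rule ABOVE "drop all not coming from LAN". Appended after it, the
#    rule is never reached for non-LAN sources, which is the classic lock-out.
/ip firewall filter add chain=input action=accept protocol=tcp \
    dst-port=2222,8299 src-address-list=mgmt \
    comment="accept ssh/winbox from mgmt list" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 5. Check the resulting order, then, while this session is still open,
#    start a second ssh/winbox session on the new ports. Only once that
#    second session works, leave safe mode so the changes are kept.
/ip firewall filter print where chain=input
/ip service print
```

The order check in step 5 matters because RouterOS evaluates filter rules top to bottom and stops at the first match; the `print` output shows the new accept rule sitting above the defconf drop, and the rule counters will tick when the second session connects.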