Deny config access from public IP

RouterOS General
1

Hello everyone! Glad to finally being a member of this forum!
OK now here is my concern:
My mom has a small hotel and I installed an awesome little network there, and I also established an L2TP service in case I need to remotely config the router (HEX RB750Gr3) because I live in another city.
However, I noticed that I can also config the router simply by putting the public IP or the DDNS domain.
Is it possible to deny that access, by adding a firewall rule or something, but still be able to connect through the L2TP tunnel?
Any help is appreciated. Thanks

p.s.: Of course I am not using the default Admin credentials, but still one more level of security is always nice

2

Koutsik, what you say could be very concerning.
Please post your config so we can ensure your setup is secure

/export hide-sensitive file=anynameyouwish

(while your at it make sure you a separate user name, not admin identified to control the router)
(change the default winbox port to something else)

3

The firewall rules in the default configuration of SOHO models are a good starting point; as you can access configuration services via public IP, these seem to be unused - maybe because the router model is not a SOHO one so the defaults are different.

4

Hello there. It took me a lot of time but eventually i found it. I used these firewall rules

add chain=input action=accept comment=“VPN L2TP UDP 500” in-interface=pppoe1 protocol=udp dst-port=500
add chain=input action=accept comment=“VPN L2TP UDP 1701” in-interface=pppoe1 protocol=udp dst-port=1701
add chain=input action=accept comment=“VPN L2TP 4500” in-interface=pppoe1 protocol=udp dst-port=4500
add chain=input action=accept comment=“VPN L2TP ESP” in-interface=pppoe1 protocol=ipsec-esp
add chain=input action=accept comment=“VPN L2TP AH” in-interface=pppoe1 protocol=ipsec-ah

add action=accept chain=input comment=“default configuration” connection-state=established,related
add action=accept chain=input src-address-list= “my pool”
add action=accept chain=input protocol=icmp
add action=drop chain=input

Now it works as intended

Thanks anyway