For WAN access it is understandable, but for LAN, why not use a separate VLAN? Tunnel / VPN seems to be an overhead...
Even with a separate VLAN, it’s still exposing the webfig interface to the network, which isn’t permitted. It would also require that the API client be on site with the router, which it isn’t.
I find myself quite often setting up WireGuard for management anyway, I just find it way simpler than VLAN-ing everything. Of course this is only a matter of taste.
Some sort of isolation is required, and to me at least conceptually the simplest to do is end-to-end. We can of course take different steps on getting there: okay, vlans, then isolate the vlan only to trunks that really-really need it, disable MVRP, submerge the trunked cables in water, add alligators...
What would be really nice is the ability to enable client TLS certificates on the HTTPS services. That would solve these problems. And the implementation is already there: both openvpn and sstp rely on it in fact.
Well, that's info which was not provided before; OK then, it makes sense...
My impression was, when it was stated
It’s not public-facing.
at post #5, that the connection is over LAN.
Not public facing and not LAN. WAN.
Got it, I was in a LAN context all the time.
It’s a reasonable assumption. I should have been clearer.
I've got no idea when it was introduced, but it seems to be possible now: disable WebFig but keep REST/REST-SSL enabled.
This is on 7.21.2
/ip/service/webserver> print
index-plain: yes
webfig-plain: yes
graphs-plain: yes
rest-plain: yes
crl-plain: yes
scep-plain: yes
acme-plain: yes
index-secure: yes
webfig-secure: yes
graphs-secure: yes
rest-secure: yes
Edit: Found it, it's in the changelog for 7.21:
*) www - added option to disable individual web services in /ip/service/webserver and IP>Services>Web Server;
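As an added example (not from the thread, and not MikroTik's own code), here is a small Python audit that parses the `/ip/service/webserver print` output shown above and reports which web services are still enabled, flagging everything except `rest-secure`. The sample input is copied verbatim from the post; the regex, the function names and the "REST over TLS only" policy are my assumptions about what an automation-only deployment wants.

```python
"""Audit the output of `/ip/service/webserver print` (RouterOS 7.21+).

Added example, not part of the forum thread. It parses the `key: yes/no`
lines that `print` emits for that menu and reports which web services are
still enabled, so an administrator can confirm that WebFig and the other
browser-facing services are off while only the REST API over TLS stays on.
"""
import re

# Sample output copied from the post above (RouterOS 7.21.2, every service
# still at its enabled default). In practice feed in the real `print` output.
SAMPLE_PRINT = """\
/ip/service/webserver> print
   index-plain: yes
  webfig-plain: yes
  graphs-plain: yes
    rest-plain: yes
     crl-plain: yes
    scep-plain: yes
    acme-plain: yes
  index-secure: yes
 webfig-secure: yes
 graphs-secure: yes
   rest-secure: yes
"""

# One `<service>-plain: yes|no` or `<service>-secure: yes|no` line.
LINE_RE = re.compile(r"^\s*([a-z]+-(?:plain|secure))\s*:\s*(yes|no)\s*$")


def parse_webserver_print(text):
    """Return {service-name: bool} for every -plain/-secure line in `text`."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = (m.group(2) == "yes")
    return settings


def audit_webserver(settings, allowed=("rest-secure",)):
    """Return a sorted list of (service, reason) for every enabled service
    that is not in `allowed`.

    Plaintext (HTTP) services are called out separately from HTTPS ones:
    they not only expose a UI but also carry credentials without TLS.
    """
    findings = []
    for name, enabled in sorted(settings.items()):
        if not enabled or name in allowed:
            continue
        if name.endswith("-plain"):
            findings.append((name, "enabled over plain HTTP"))
        else:
            findings.append((name, "enabled over HTTPS but not needed by the API client"))
    return findings


def is_api_only(settings, allowed=("rest-secure",)):
    """True when exactly the allowed services are enabled and nothing else."""
    return (not audit_webserver(settings, allowed)
            and all(settings.get(a, False) for a in allowed))


if __name__ == "__main__":
    parsed = parse_webserver_print(SAMPLE_PRINT)
    for svc, why in audit_webserver(parsed):
        print(f"{svc}: {why}")
    print("api-only:", is_api_only(parsed))
```

Run against the sample it reports ten findings (everything but `rest-secure`) and `api-only: False`. Once the unwanted services have been switched off on the router (with 7.21's new per-service options; the exact `set` syntax is not shown in the thread, so check `/ip/service/webserver set` on your own unit), re-run the audit on the fresh `print` output and it should come back empty.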
Yup. Introduced in 7.21 last month. Waiting for it to get into long-term and will start deploying.
It does not yet include user-manager, and I believe in the meantime there was another new one.
Is user manager handled in the web server still? I've just been configuring it in RouterOS.
You cannot disable WebFig and the main HTTPS page separately from the REST API because they all use the same www-ssl service. RouterOS has no per path control for HTTPS.
The only clean options are to restrict www-ssl by source IP to only your automation host, bind it to localhost and access it via SSH tunnel, or put a reverse proxy in front and allow only the /rest path. Otherwise use the classic API which can be enabled independently.
This bot spam is getting annoying.
And it's not even correct.
The configuration of the user manager can now only be done on the RouterOS interface, but there is a webpage where each user can login with their assigned username and password, and view the configuration and their past sessions.
When you use user manager to do MAC-level authentication of course the user name is widely known and the password is blank or the same as the address, and people can peek in your data.
This function should be enabled/disabled somewhere in user manager settings or in the www option to disable individual web services, but it is not possible.