[flash=][/flash]Can someone help me create a firewall rule so that clients can not access the winbox port through ethernet?
I created this rule but can continue to enter the rb2011
add action=drop chain=forward in-interface=bridge1 protocol=tcp src-port=8291
Use dst-port instead of src-port and change forward to input.
Your question is not clear.
Do you mean.
a. clients on the LANS/VLANS behind the router going out to the internet and then reaching back to the router
b. clients on the LANS/VLANS behind the router accessing the router directly from there (lans/vlans to router)
c. clients on the internet coming from external WANIPs accessing the router
Advice.
Question
2. Why is winbox available on the external side? This is bad security!
At a minimum use port knocking and better use VPN if you must access winbox externally.
I disagree all users should be cognizant of how Winbox is accessible and the following settings
a. input chain rules matter (access to router)
b. ip service list matters (access to services)
c. Users defined matters
Sorry for not being clear, I explain myself better
1- I have an RB2011 where in the eth10 arrives at CCR1009 with internet access.
2- In the RB2011 are connected 5 clients by ethernet, eth1, ether2, ether3, …
3- all of them are in a brich
4-I do not want them to be able to access winbox. So they do not make brute force.
thank you very much for your apollo
Thank you that is very clear,
The idea is to only give the IP addresses you want on your network to be able to access to the winbox.
This can be done in many ways.
One question is that are all the clients on the ports on ONE LAN or are they supposed to be separated from one another?
You can create a “white-list” of IP addresses in Firewall, that could include your LAN and / or VPN, but NOT include your customer IP addresses… Then simply allow Winbox from that IP address list only in input chain, not forward.
all clients are separated, each client is connected to an ethernet port