Help with firewall rules

Hello

I need some help securing my network.

I got a router box, RB1000 which has a public IP and a private IP.
It is used as PPPoE, Usermanager and router.
I would like to only be able to reach management (ssh, telnet, winbox, usermanager-web etc) from one subnet 10.1.0.0/24.
Also PPPoE should only be available to connect from 192.168.1.0/24.

I use some RB411 as CPEs, how can I set them up so that only PPPoE traffic is allowed through eth?

How would I set this up in firewall?

Let’s get you started:

/ip firewall filter add chain=input action=accept src-address=10.1.0.0/24

You will then need a drop rule like this:

/ip firewall filter add chain=input action=drop

This rule blocks EVERYTHING unless the connection is coming from your subnet. You also won’t be able to connect remotely unless you add an ‘allow’ rule before the drop rule and specify this

in-interface=wan

This is a great place to start: http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router

When you're done with that you should also check out: http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling

Of course, modify the rules to suit your own setup.

Cheers.

Thank you.

I have now made some simple rules, and it seems to work well.

But I need some help with this scenario.

I have clients with RB411 based equipment.
The only thing that should pass through is PPPoE to the Usermanager box.
The clients are set up as wds bridge.
PPPoE clients will connect to eth1 on the RB411.

In this case you can use bridge filters to allow pppoe and pppoe-discovery and drop the rest.
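As an added example (not part of any post in this thread), here is how both halves of the scenario could look in RouterOS export syntax. It assumes the RB1000's public-facing interface is named "wan", that 10.1.0.0/24 is the management subnet from the question, and that the RB411 has ether1 and wlan1 in the same bridge.

```routeros
# --- RB1000: PPPoE server / User Manager / router ---
# Assumed: management subnet 10.1.0.0/24, public interface named "wan".
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to sessions the router itself opened"
add chain=input src-address=10.1.0.0/24 protocol=tcp \
    dst-port=22,23,80,443,8291 action=accept \
    comment="ssh, telnet, usermanager web, winbox - management subnet only"
add chain=input in-interface=wan protocol=icmp action=accept \
    comment="optional: let the outside ping the public IP"
add chain=input action=drop comment="everything else aimed at the router"

# --- RB411 CPE: WDS bridge, customers plugged into ether1 ---
# PPPoE is not IP, so it is matched on the Ethernet type in the bridge
# filter: pppoe-discovery (PADI/PADO/PADR/PADS) and pppoe (session frames).
/interface bridge filter
add chain=forward in-interface=ether1 mac-protocol=pppoe-discovery \
    action=accept comment="customer -> server discovery"
add chain=forward in-interface=ether1 mac-protocol=pppoe \
    action=accept comment="customer -> server session"
add chain=forward in-interface=ether1 action=drop \
    comment="nothing else leaves the customer port"
add chain=forward out-interface=ether1 mac-protocol=pppoe-discovery \
    action=accept comment="server -> customer discovery"
add chain=forward out-interface=ether1 mac-protocol=pppoe \
    action=accept comment="server -> customer session"
add chain=forward out-interface=ether1 action=drop \
    comment="no stray LAN/broadcast traffic reaches the customer"
```

The bridge forward chain only sees frames crossing the bridge, so management of the RB411 itself (bridge input/output chains) is unaffected; note that MAC-Telnet and MAC-Winbox bypass the IP firewall entirely and must be restricted separately under /tool mac-server.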

That works, thank you!