Hi! Just got my first RouterBoard. Is there any way to make the web interface accessible only from the local network and not from the outside (I have a white IP)?
I don’t really like winbox and prefer using the web interface instead, but I really dislike the idea that my router settings are public as hell. (If you noticed some mistakes, sorry, English is not my main language.)
If you drop incoming new connections to port 80 from WAN, it will be blocked.
AFAIK, the default config firewall rules prevent access from the internet to WebFig…
You can add a firewall rule to block access to port 80 from the global network. By the way, it is best to assume the deny, allow policy, so deny everything unless you really need it.
You should by default block everything and enable explicitly what you need.
Apparently, my router doesn’t do it. Yesterday I saw some strange attempts to log in to my router from the Internet using the web interface.
Is there any list with default firewall rules or probably even terminal commands to add them in case some of them are missing?
Add this firewall rule to the very top of your INPUT chain:
/ip firewall filter
add chain=input action=accept protocol=tcp dst-address=your.mgmt.ip.address in-interface=!WAN-interface dst-port=22,443,8291
and this firewall rule to the very bottom of your INPUT chain:
/ip firewall filter
add chain=input action=drop
By placing this at the top of your INPUT chain, AND with a “drop all” rule at the bottom of the INPUT chain, you are effectively restricting access to the management IP of your router to your internal interfaces (!WAN-interface), and only allowing ports 22, 443, and 8291 (ssh, https, winbox). You could allow standard http and/or telnet, but you should always use secure protocols, even on internal networks.
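To check a rule list against the goal discussed in this thread, here is an added example (not code from any poster) that walks the INPUT chain first-match, the way the firewall does, and reports the verdict for a new TCP connection. The rule text is constructed; the interface name "ether1-wan", the address 192.168.88.1 and all function names are assumptions, and only the matchers used in the rules above are modelled.

```python
import ipaddress
import shlex

# Constructed rule list in "/ip firewall filter" syntax (not from the thread).
# "ether1-wan" and 192.168.88.1 are assumed names for the WAN port and router IP.
RULES_TEXT = """\
/ip firewall filter
add chain=input action=accept protocol=tcp dst-address=192.168.88.1 in-interface=!ether1-wan dst-port=22,443,8291
add chain=forward action=accept
add chain=input action=drop
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict, keeping rule order."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.splitlines() if line.startswith("add ")]

def field_matches(key, want, pkt):
    """Match one rule property against the packet; a leading '!' negates it."""
    negate, want = want.startswith("!"), want.lstrip("!")
    if key not in pkt:
        raise ValueError(f"matcher {key!r} is not modelled in this sketch")
    if key == "dst-address":
        hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
    else:
        hit = str(pkt[key]) in want.split(",")
    return hit != negate

def input_verdict(rules, pkt):
    """First matching input-chain rule decides; RouterOS accepts if none match."""
    for rule in rules:
        if rule.get("chain") != "input":
            continue
        if all(field_matches(k, v, pkt) for k, v in rule.items()
               if k not in ("chain", "action", "comment")):
            return rule.get("action", "accept")
    return "accept"

def new_tcp(port, iface, dst="192.168.88.1"):
    """Build a new inbound TCP connection attempt to the router itself."""
    return {"protocol": "tcp", "dst-address": dst, "in-interface": iface, "dst-port": port}

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for port, iface in [(80, "ether1-wan"), (443, "ether1-wan"), (443, "bridge"), (80, "bridge")]:
        print(port, iface, input_verdict(rules, new_tcp(port, iface)))
```

Dropping the last rule from the list (`rules[:-1]`) turns the WAN port 80 verdict into accept, because an INPUT chain with no matching rule accepts the packet.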