As we all know, it's very important how you configure the firewall and services on our MikroTik routers.
A lot of us are using Winbox for remote administration because it's easiest; changing the port from 8021 to any other doesn't raise the security level. So the next step is to use SSH, but I read that I can't force login using ONLY certificates (maybe I'm wrong?), so the next step is VPN, but here there is also a lack of certificate use in client-server mode.
So how do I configure the router in a safe way and administer it when my computer has a variable IP? Could you give me/us some examples?
You can add a source IP rule in NAT where you port-forward the port.
In case you use a dynamic IP, simply add your DNS name under the address list, then under NAT add it as the src address list.
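One way to put that address-list approach into practice, as an added example that is not any poster's code: a RouterOS configuration that only lets SSH and Winbox in from an admin PC whose DDNS name is resolved by the router. The list name `admin-hosts`, the host `admin-pc.example.com`, the `WAN` interface list and the key file `admin.pub` are assumed placeholders, and the admin PC is assumed to run a DDNS client that keeps that name pointed at its current IP.

```routeros
# Added example, not from any post in this thread. List name, hostname,
# interface list and key file are placeholders; adjust them to your setup.

# 1. Address list entry by FQDN. RouterOS resolves the name itself and
#    re-resolves it when the DNS record's TTL expires, so a DDNS name
#    that the admin PC keeps updated stays current in the list.
/ip firewall address-list
add list=admin-hosts address=admin-pc.example.com comment="admin PC (DDNS name)"

# 2. Disable management services you do not use: fewer listeners on the
#    router, less exposed surface. ssh and winbox stay enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# 3. Accept ssh (22) and Winbox (8291) only from the admin list and drop
#    the rest arriving on WAN interfaces, so LAN management keeps working.
#    Order matters: place these before any broad accept rule in the input
#    chain (the "established" accept shown here is safe to keep first).
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="keep existing sessions"
add chain=input protocol=tcp dst-port=22,8291 src-address-list=admin-hosts \
    action=accept comment="management only from admin-hosts"
add chain=input protocol=tcp dst-port=22,8291 in-interface-list=WAN \
    action=drop comment="management from anywhere else on WAN"

# 4. Prefer key authentication on ssh. Upload admin.pub to the router's
#    Files first; with always-allow-password-login=no (the default), a user
#    that has an imported key can no longer log in with a password.
/ip ssh set strong-crypto=yes always-allow-password-login=no
/user ssh-keys import public-key-file=admin.pub user=admin
```

Test the rules from the admin host before adding the drop rule, and keep a second session open while applying them so a typo cannot lock you out.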
The best way would be to close all the ports from the outside, then use autossh to tunnel the SSH port from behind the router to a remote location, so you would actually have access to a system behind the router through SSH and then tunnel the Winbox port remotely. This way nothing remains open. It can also be done with a VPN, but MikroTik doesn't support anything with good encryption, so I prefer SSH tunneling instead.
> In case you use a dynamic IP, simply add your DNS name under the address list, then under NAT add it as the src address list.
Hmm, interesting and easy to implement.
How often do MikroTik routers update DNS entries in the address list? I.e. my LTE modem gets a new IP every time it connects to the network, so I imagine that my IP could change a few times a day and my DNS name and IP pair would change a few times a day. Is that a problem?
In theory the IP address on the cloud (a.k.a. xxx.sn.mynetname.net) changes at the moment that the router does the update. And hopefully it does it immediately after the WAN IP address changes.
When you set an FQDN instead of an IP address, then the RB keeps the same IP address for the duration of the DNS record's TTL; after expiry it checks the DNS record again. If I'm not much mistaken, DNS records from sn.mynetname.net have a TTL of 60 seconds.
autossh relies mainly on an SSH trust between two systems for passwordless login and will initiate the SSH connection whenever it is not up.
You can also configure the tunnel to "push" the local SSH port to a remote location or "push" a remote SSH port that the computer can reach to a remote server,
e.g.
a system behind NAT (192.168.1.50) can tunnel the local SSH port (192.168.1.50:22) to a remote system port (12345) and can also push a remote SSH port to that remote system (192.168.1.150:22);
that way the trusted endpoint will have those ports available locally through SSH.
I read on this forum that this option will work on ROS 7.x - interesting. I can't find it on the Wiki. Maybe someone from MikroTik could confirm whether that is expected behavior for the next releases of RoS or just a feature that they are testing?
I'm not sure which one would be more secure. I'd go through the VPN/SSH certificate route, just because it is one more layer before someone can do damage. First the VPN, then the SSH.
But I would say that the best way is to use a VPN.
Set up all remote MT to call home to a central server using a secure VPN.
Then you can manage all MT using this tunnel.
Get a $3/month VPS with a static IP and run RouterOS CHR on it.
Connect a VPN from all your routers to there and also from your home.
You can also run The Dude on it for your monitoring…
Why not use IP Cloud? Just use it straight, or point a CNAME to it. Free, already installed, and it solves your dynamic IP problem.
Because I prefer a simple and reliable solution. Of course IPCloud (could you give us the URL for that?) or any other dyn_dns solution is an option, but this is another point of failure…
In my opinion VPN is the best option because you can connect in a secure way from any IP, not only from your home.
IP Cloud is the native MikroTik solution to dynamic IP. It is already installed on your device - just enable it. VPN is another service. IP Cloud just takes care of name resolution for your dynamic IP.
The original question was how to protect the router and connect to it from a computer (not a router) with a dynamic IP. I can't use IPCloud on Windows 10 - do you agree?
No, I don't agree. Read the manual about it, and you will understand why. It would solve one of your problems - how to connect to a VPN server with a dynamic IP.