I want to create an “Input” firewall rule that blocks all ports on the RB except for the ones that are needed for normal operation of the network, hotspot logins and admin access etc.
e.g. I will add these ports to an address list and then block all ports that are not on the list.
Q: Is this a good idea and if so, then which ports should I allow?
The router is a 433AH. My wireless traffic flows in and out through this router and it is connected to the Internet via a 750G. The hotspot and user login page are on the 433AH, but the RADIUS server and user manager run on the 750G.
Yes, that is a good idea. What ports/protocols are required depends on your use case, there’s no generic answer to your question.
The Hotspot takes care of itself (it creates dynamic firewall rules that permit everything that is required).
As far as normal network operations go, clients do not have to have access to the router at all - unless you use the router as a DHCP server (special case: you cannot block DHCP on the RouterOS firewall, as the built-in DHCP server works in raw mode and grabs the packets before they are processed by the firewall), DNS server, NTP server etc. - in which case you should allow access to those services, but only to machines with a source address on your LANs behind the router.
Administrative access again depends - do you use just SSH, or also Winbox? Do you use the API? Make an address list containing administrative IPs and permit access to the relevant ports sourced by that list.
Do you use routing protocols or VPNs? Allow access for the relevant traffic.
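The following is an added example of the input-chain policy the answer above describes, written as RouterOS CLI; it is not from the original thread or from MikroTik. It assumes a LAN of 192.168.88.0/24 behind the 433AH, admin hosts at 192.168.88.10 and 10.0.0.5, and that the router runs DNS and NTP for its clients; the ports used (22 SSH, 8291 Winbox, 53 DNS, 123 NTP) are the standard ones. Adjust the addresses to your own network.

```routeros
# Added example, not the original poster's configuration.
# Assumed addressing: LAN 192.168.88.0/24, admin hosts 192.168.88.10 and 10.0.0.5.

/ip firewall address-list
add list=lan   address=192.168.88.0/24 comment="clients behind the 433AH"
add list=admin address=192.168.88.10  comment="admin workstation on the LAN"
add list=admin address=10.0.0.5       comment="admin host on the 750G side"

/ip firewall filter
# Stateful basics: replies to the router's own connections (for example the
# RADIUS exchange with the 750G) are accepted; invalid packets are dropped.
add chain=input action=accept connection-state=established,related comment="replies"
add chain=input action=drop   connection-state=invalid comment="drop invalid"

# Services the LAN clients legitimately need from this router, limited to
# sources on the LAN. DHCP needs no rule: it is handled before the firewall.
add chain=input action=accept protocol=udp dst-port=53  src-address-list=lan comment="DNS"
add chain=input action=accept protocol=tcp dst-port=53  src-address-list=lan comment="DNS tcp"
add chain=input action=accept protocol=udp dst-port=123 src-address-list=lan comment="NTP"
add chain=input action=accept protocol=icmp comment="ping and path-MTU feedback"

# Administrative access only from the admin address list.
add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list=admin comment="SSH, Winbox"

# Everything else aimed at the router: log (so probes are visible) and drop.
# The hotspot's own dynamic rules are added by RouterOS ahead of these static
# rules, so logged-in hotspot users are unaffected by the default deny.
add chain=input action=log  log-prefix="input-drop " comment="log denied input"
add chain=input action=drop comment="default deny"
```

Add the rules in this order, since RouterOS evaluates a chain top to bottom and the first match wins; the default deny must be last. Apply them from a host that is on the admin list, and enter Safe Mode in the terminal first so that a mistake in the allow rules is rolled back instead of locking you out. If you later add a VPN or routing protocol, give it its own accept rule above the default deny rather than widening an existing one.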