Limit webfig access to a single network / port on device?

Device: CRS125
OS: 6.7

Could someone please show me how to lock WebFig access down to a single interface / network?

The goal is to have ether1 be uplink, ether2 be a “management access network” which can access webfig, and ether3-24 be dedicated to other networks which cannot access Webfig.

Thanks!

It depends on how your network is set up, but it could be done a bunch of different ways. Post your export +/- a network diagram. But the simplest approach is to just use the firewall to block access to the webfig via the input chain… but if you are running vlans, etc… you can also lock it down in /ip services to be available from only the IP you want.

FYI you seem to have a lot of questions… if you want more direct support you can always email directly (free as I have time or if you wanted to hire me for some time for scripting config, etc).

-Eric

Hey thanks Eric. The questions ought to taper off after I have my network put into place. Right now it’s mostly in the staging phase before I swap out the existing core with the CRS that came in Friday. Yeah, wrapping my head around all the new options and capabilities that come with having a real router for my lab instead of DD-WRT. I’ll probably do it in the firewall since I’m pretty decent with iptables rules. I didn’t know if there was anything within webfig itself that I was missing beyond just setting iptables rules.

Under IP>Services you can restrict it to an IP range… but frankly the firewall way is more secure.

For this goal you have several ways.
The simple way is with the firewall, like this:

/ip firewall filter add chain=input src-address=192.168.2.0/24 action=drop comment="drop all traffic to the router itself from 192.168.2.0/24"

This rule blocks all connections to your device from network 192.168.2.0/24.

If you need to block only HTTP access:

/ip firewall filter add chain=input src-address=192.168.2.0/24 protocol=tcp dst-port=80 action=drop comment="drop only HTTP (WebFig) from 192.168.2.0/24"



Send from my mobile phone using Tapatalk.
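Putting the two approaches from the thread together for the layout described in the question (ether1 uplink, ether2 management, ether3-24 other networks), here is an added example; it is not from any post in this thread or from MikroTik documentation. It assumes ether2 carries a management subnet 10.10.2.0/24 (a made-up address range; the router's own address on it is 10.10.2.1), that ether3-24 carry other subnets, and RouterOS 6.x syntax as on the CRS125 above. It uses an allow-then-drop pattern on the input chain instead of a blanket src-address drop, so only WebFig (tcp/80 and, if www-ssl is enabled, tcp/443) is cut off from the other networks while DHCP, DNS and routing traffic to the router keep working.

```routeros
# Added example, not code from the thread. Assumed addressing: ether2 is
# the management network 10.10.2.0/24; ether3-24 are other networks.
# /interface list does not exist in RouterOS 6.7, so rules match on the
# ingress interface directly with in-interface.

# 1. Service-level restriction (the IP > Services route mentioned above):
#    WebFig only answers requests sourced from the management subnet.
/ip service set www address=10.10.2.0/24
/ip service set www-ssl address=10.10.2.0/24
# If nobody uses the HTTPS variant, disable it instead of leaving it open:
# /ip service set www-ssl disabled=yes

# 2. Firewall input chain: explicit allow for management, then drop WebFig
#    ports from every other source. Rules are evaluated top to bottom, so
#    the accept must come before the drop.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="keep replies to sessions already accepted"
add chain=input in-interface=ether2 src-address=10.10.2.0/24 \
    protocol=tcp dst-port=80,443 action=accept \
    comment="WebFig only from the management network on ether2"
add chain=input protocol=tcp dst-port=80,443 action=drop \
    comment="WebFig from everywhere else: ether1 uplink and ether3-24"

# 3. Check: counters on the drop rule should rise when a host on ether3-24
#    tries to open http://<router>/ and the connection should time out.
/ip firewall filter print stats
```

Apply this from a session on ether2 (or the console) so the drop rule cannot lock you out mid-change, then test from a host on one of the other ports before relying on it. If ether3-24 are grouped behind a master port or a bridge, the ingress interface the firewall sees is that master or bridge, not the individual port, so adjust in-interface to match what `/ip firewall filter print stats` and the connection log actually report.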