Hi,
How do you control WEBfig? I want to move it from port 80 to another non-standard port and have the interface accessible from the WAN public IP?
Thanks
Configure the port in “/ip service”. Access is controlled by the address parameter in that configuration section, as well as the firewall filter input chain.
Thanks, I'll try that. Also, is there a standard firewall list I can simply copy and start from there?
I enabled www-ssl in the IP service list with no address set, and I cannot access WebFig using https…
You have to give it a certificate for it to work.
As for a “standard” firewall there are a number described in the documentation on the wiki. http://wiki.mikrotik.com/wiki/Category:Firewall
A minimal one allows established and related connections and drops anything else from the outside (WAN) interface.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add chain=input action=accept protocol=icmp comment="Allow ping and the like"
add chain=input action=accept connection-state=established comment="Allow established connections"
add chain=input action=accept connection-state=related comment="Allow related connections"
add chain=input action=drop connection-state=invalid comment="Drop invalid connections"
add chain=input action=drop in-interface=ether1-gateway comment="Drop anything else aimed at the router from outside"
# Implicitly accept anything else from inside
add chain=forward action=accept connection-state=established comment="Allow established connections"
add chain=forward action=accept connection-state=related comment="Allow related connections"
add chain=forward action=drop connection-state=invalid comment="Drop invalid connections"
add chain=forward action=drop in-interface=ether1-gateway comment="Drop anything else forwarded from outside"
# Implicitly accept anything else from inside
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="NAT from LAN to WAN"
These are some more complicated ones:
http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling
Thanks for the firewall stuff…
What do you mean by a certificate? How is this done?
http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
For private admin purposes a self-signed certificate is probably sufficient.
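Putting the advice in this thread together (certificate for www-ssl, the address parameter in /ip service, and an input-chain rule ahead of the WAN drop), here is an added example that is not from any of the posters. The certificate name, ports, the ether1-gateway interface name and the address prefixes are assumptions, and RouterOS v6 CLI syntax is assumed.

```routeros
# Constructed example: names, ports and addresses are placeholders to adapt.
# 1. Self-signed certificate for the WebFig HTTPS service.
/certificate
add name=webfig-cert common-name=router.example.lan key-size=2048 days-valid=3650 \
    key-usage=digital-signature,key-encipherment,tls-server
sign webfig-cert

# 2. Move plain-HTTP WebFig off port 80 and limit it to the LAN; the address
#    parameter is the per-service access list mentioned earlier in the thread.
/ip service
set www port=8080 address=192.168.88.0/24
# HTTPS WebFig on a non-standard port, reachable from the LAN and from one
# known admin prefix on the WAN side only (203.0.113.0/24 is a placeholder).
set www-ssl certificate=webfig-cert port=8443 disabled=no \
    address=192.168.88.0/24,203.0.113.0/24
# Management services that are not needed stay off.
set telnet disabled=yes
set ftp disabled=yes

# 3. Firewall: the minimal input chain above drops everything arriving on the
#    WAN interface, so the HTTPS management port must be accepted before that
#    drop rule. The address list mirrors the restriction on the service itself.
/ip firewall address-list
add list=mgmt-admins address=203.0.113.0/24 comment="Admin source prefix (example)"
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8443 in-interface=ether1-gateway \
    src-address-list=mgmt-admins comment="WebFig HTTPS from admin prefix only" \
    place-before=[find comment="Drop anything else aimed at the router from outside"]
```

Because the certificate is self-signed, the browser will warn on first connection; compare the fingerprint it shows with the one from `/certificate print detail` on the router before accepting it.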