RB750GL Security

david54 · February 6, 2012, 1:19pm

Dear Group,

My first post. I am using Webfig to program the MikroTik devices.

I have a RB750GL that I wish to use as a router with a public IP address, I’ve turned off DHCP and the router seems to work OK.

How can I stop a ping to the WAN? I don’t mind if the router does not respond to pings on all ports.

What security is enabled by default? What other security can I add?

David.

justfishing · February 7, 2012, 4:34am

to turn off your wan ping, disable the icmp line on the Firewall side

For security, here’s where I started with some great vids from a seasoned pro in the Mikrotik community:
http://gregsowell.com/?cat=17

Some of his stuff is material for older versions of RouterOS. So I don’t delete my initial config. like most suggest. But good info on disabling services, changing admin uid, and etc. You can also google securing mikrotik router and you will find alot of old references from 2008 that talk about alot of the same stuff.

Hope that helps

david54 · February 7, 2012, 7:59am

Thank you for the reply.

I’ll try the firewall settings, but I’m on the learning curve, and it’s very steep! Thank goodness for the ability to reset the device back to manufacturers settings and try again.

The Greg Sowell site looks very interesting.

David.

david54 · February 9, 2012, 4:49pm

I’ve tried disabling ICMP in the firewall, but I must be missing something.

Further down the page are ICMP options.

The original ICMP was on the default firewall rule number 0, accept and input, removing this option did not stop the ping to wan.

Can somebody point me in the right direction.

Thank you,

David.

tjc · February 10, 2012, 1:47am

Are you trying to keep people on the WAN from pinging machines on your LAN and getting a response? Or trying to keep people on your LAN from pinging machines on the WAN?

Presuming that you’re trying to stop WAN → LAN the normal firewall rules (have you enabled the firewall?) in the forward chain should do that since they only allow outgoing and related sessions.

Stopping people on the LAN from sending pings out is usually not a good idea, but to do it you would add a firewall rule that drops certain ICMP packets to the forward chain. Beware that stopping all ICMP traffic can break things, since that is how you signal connection issues.

Stopping ICMP from the WAN to the router on the input chain carries the same cautionary note.

These wiki pages have some suggestions for setting up your firewall:
http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling

david54 · February 10, 2012, 7:27am

Thank you for the pointers, I’ve downloaded them to read later, work comes first unfortunately.

I need this router to replace a Cisco unit that does not perform well, quoted thoughput 20M and I’ve got a 50M line, which may be upgraded to 100M.

As this 750GL (I wanted a 250, but they are out of stock) will have a public IP I need to put as much protection into it as I can, I’ve had so much rubbish thrown at my connection recently it stops the router.

David.