I have a Mikrotik router in an offsite office. How do you recommend setting up remote access to the router without compromising security?
I setup an l2tp vpn server to gain remote access to my network and set an input firewall rule to accept tcp port 8291(winbox) from LAN.
If you don’t want to setup a vpn for whatever reason, and you have a strong enough password, you can just make an input firewall rule to accept all connections. The winbox port can also be changed if needed.
VPN is good solution. Drop access from public ip address and allow only from lan side.
If you plan to administer remote routers from central office, any other access method (ssh, webfig over SSL) will do as well. Just restrict access to those services to select trusted WAN IP address(es) (e.g. /ip firewall filter add action=accept chain=input comment=“SSH access from central office” in-interface-list=WAN protocol=tcp dst-port=22 src-address=X.Y.W.Z just before a general /ip firewall filter add action=drop chain=input comment=“drop anything else in input chain” in-interface-list=WAN).
IMHO winbox protocol is not any more secure than any other management method, it’s just that many people around here like winbox best.
Thanks guys.