Remove internet-facing login

I’d like to remove the internet-facing admin login on an RB5009, RouterOS 7.8.

Going into IP → Services → www and disabling port 80 unfortunately disables all web
traffic to the router, including internal. So it stops router management.

Is there a way to do this that will just block incoming login attempts from outside, but
leave the internal web connection on LAN intact?

Doesn’t the default firewall do that?

Not that I can see. RB5009 out of the box allows www connections on port
80 to the router on the WAN side.

I’ve blocked www in Services and that stops outside logins, and I use
WinBox to connect internally on the LAN side, but I’d rather have port
80 connections to the router rather than WinBox so that I can connect
from Linux - if there’s a good way to do it.

I wasn’t asking; I was hinting. You’ve done something locally to break this. The default configuration contains a line like this:


/ip/firewall/filter
add chain=input action=drop in-interface-list=!LAN comment="defconf"

That comes from a “/system/default-configuration/print” command on my RB4011.

What you do about this is up to you, but I would at least consider starting over with the default configuration and then reapplying your local changes again, more carefully this time.

Going into IP → Services → www and disabling port 80 unfortunately disables all web
traffic to the router, including internal. So it stops router management.

No need to disable it completely, but add the “Available From” values? E.g. 192.168.x.y or multiple ranges that you want it to be “managed” from.
Not providing this value means: world wide open

In ADDITION, you should adapt your INPUT-chain to drop anything from the outside world hitting your Mikrotik that is not really needed.
So ALLOW inbound stuff like VPN/IPSEC/…
The last line would be a “drop” on the input chain in total, as others suggest too:

/ip/firewall/filter add chain=input action=drop in-interface-list=!LAN comment="defconf"

Thanks jvanhambelgium. This did the trick. The RB5009 routers we have
didn’t have this locked down by default firewall rules.