[Request] Restrict web admin to a VLAN in RouterOS [Fixed]

Dear Support,

Using RouterOS on MikroTik routers and switches,
I did not find a simple way to restrict access to Web admin on a particular VLAN for security purposes.

Web admin is accessible on the main bridge, so it is accessible from all VLANs (on routers).

The only way to restrict access is to use IPtables.
Could you implement settings to restrict access to a single VLAN for security purposes?

pfSense and OPNsense offer this kind of feature.

Kind regards,
French Fries

May I ask why Firewall-Rules aren’t viable for you
as a way to restrict access to Web?

Example A:

/ip firewall filter
add action=drop chain=input dst-port=80 in-interface=!bridge1_vlan111 protocol=tcp

Example B:

/ip firewall filter
add action=accept chain=input dst-port=80 in-interface-list=listofvlans protocol=tcp
add action=drop chain=input disabled=yes

This is perfectly viable, thank you.

Glad I could help!

Good luck and don’t forget to back up before changing anything =)

I found a more suitable way to do it.

Under RouterOS 7.1, in services, I restricted access to a single subnet:

/ip/service> print
Flags: X, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE, VRF

     NAME     PORT  ADDRESS        CERTIFICATE                     VRF
0 X  telnet     23                                                 main
1 X  ftp        21
2 X  www        80                                                 main
3    ssh        22                                                 main
4    www-ssl   443  aa.bb.cc.0/24  mikrotik_ssl_certificate.crt_0  main
5 X  api      8728                                                 main
6 X  winbox   8291                                                 main
7 X  api-ssl  8729                 none                            main

Just replace aa.bb.cc.0/24 with your subnet.
Also choose no SSL version lower than 1.2.
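
The commands that would produce the service listing above, as an added example that is not part of the original posts. It keeps the thread's aa.bb.cc.0/24 placeholder and the certificate name shown in the listing; restricting ssh as well is an assumption, since the listing shows it with an empty ADDRESS.

```routeros
# Added example (RouterOS 7 syntax), not from the thread.
# aa.bb.cc.0/24 is the thread's placeholder for the management subnet.
/ip service

# Turn off the management services that are flagged X in the listing.
disable telnet,ftp,www,api,winbox,api-ssl

# Serve the web admin over HTTPS only, answer only clients whose source
# address is inside the management subnet, and refuse TLS below 1.2.
set www-ssl disabled=no address=aa.bb.cc.0/24 \
    certificate=mikrotik_ssl_certificate.crt_0 tls-version=only-1.2

# Assumption: ssh is enabled with no ADDRESS in the listing, so it still
# answers on every VLAN. Restricting it the same way closes that gap.
set ssh address=aa.bb.cc.0/24

# Confirm the result: only ssh and www-ssl enabled, both with ADDRESS set.
print
```

The address= setting matches the client's source IP, not the interface the packet arrived on, so it restricts by subnet rather than by VLAN as such; the in-interface firewall rules from earlier in the thread are what bind the restriction to the VLAN interface itself.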