namo
October 24, 2009, 7:14pm
1
I have a Mikrotik router with a level 4 RouterOS license. The router is connected to an ADSL modem. I created hotspot user accounts for other people and myself.
I don’t want other people to see the page of the router or modem. Of course they can know that the gateway of the router is 192.168.1.1, for example, but when they enter this IP in the browser they get nothing or an error.
fewi
October 24, 2009, 8:28pm
2
Implement firewall rules that drop all access except from your specific client IP.
Since you give nearly no specific information, here is a generic rule that assumes your client is 192.168.1.254, that all services run on their default ports and that no one other than 192.168.1.254 should ever have access to any administrative functions:
/ip firewall filter add place-before=0 chain=input action=drop src-address=!192.168.1.254/32 protocol=tcp dst-port=21,22,23,80,443,8291,8728
namo
October 24, 2009, 9:57pm
3
fewi:
Implement firewall rules that drop all access except from your specific client IP.
Since you give nearly no specific information, here is a generic rule that assumes your client is 192.168.1.254, that all services run on their default ports and that no one other than 192.168.1.254 should ever have access to any administrative functions:
/ip firewall filter add place-before=0 chain=input action=drop src-address=!192.168.1.254/32 protocol=tcp dst-port=21,22,23,80,443,8291,8728
OK. This is a command. Where should I put it? I usually use Winbox.
fewi
October 24, 2009, 10:23pm
4
Click on the terminal button and paste it into the command line window that will open.
namo:
I have a Mikrotik router with a level 4 RouterOS license. The router is connected to an ADSL modem. I created hotspot user accounts for other people and myself.
I don’t want other people to see the page of the router or modem. Of course they can know that the gateway of the router is 192.168.1.1, for example, but when they enter this IP in the browser they get nothing or an error.
To take care of the router… go to ‘IP Services’ and disable everything but winbox from the IP service list. We also leave ssh enabled just in case we have a problem with winbox.
Tom
namo
October 26, 2009, 7:41am
6
Thank you, but I think this will only not allow the user to access the Mikrotik router web page. But what about the modem page?
My modem LAN IP 192.168.0.10 subnet 255.255.255.0
My Mikrotik router WAN IP is 192.168.0.70/24
Mikrotik router LAN 192.168.1.1/24
fewi
October 26, 2009, 3:04pm
7
namo:
Thank you, but I think this will only not allow the user to access the Mikrotik router web page. But what about the modem page?
My modem LAN IP 192.168.0.10 subnet 255.255.255.0
My Mikrotik router WAN IP is 192.168.0.70/24
Mikrotik router LAN 192.168.1.1/24
Depends on whether or not you NAT your LAN IP. Without NAT, the following should work, again assuming your management station is 192.168.1.254:
/ip firewall filter add chain=forward action=drop src-address=!192.168.1.254/32 dst-address=192.168.0.10/32
You should read the generic firewall manual: http://wiki.mikrotik.com/wiki/Firewall_filter
namo
October 29, 2009, 6:22am
8
fewi:
namo:
Thank you, but I think this will only not allow the user to access the Mikrotik router web page. But what about the modem page?
My modem LAN IP 192.168.0.10 subnet 255.255.255.0
My Mikrotik router WAN IP is 192.168.0.70/24
Mikrotik router LAN 192.168.1.1/24
Depends on whether or not you NAT your LAN IP. Without NAT, the following should work, again assuming your management station is 192.168.1.254:
/ip firewall filter add chain=forward action=drop src-address=!192.168.1.254/32 dst-address=192.168.0.10/32
You should read the generic firewall manual: http://wiki.mikrotik.com/wiki/Firewall_filter
Can I add two unblocked IPs (two stations that I can manage the router from)? How?
fewi
October 29, 2009, 3:01pm
9
Make an address-list that contains both management IP addresses:
/ip firewall address-list add list=management address=192.168.1.254/32
/ip firewall address-list add list=management address=192.168.1.253/32
and change the rule to:
/ip firewall filter add chain=forward action=drop src-address-list=!management dst-address=192.168.0.10/32
Again, read the firewall manual. All this stuff is explained there, with examples.
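Added example, not part of the original posts and not RouterOS code: a small Python model of the two drop rules from this thread, run over constructed packets to show what each chain catches. It assumes both rules match on the "management" list (the thread's input rule uses a single src-address), that no other filter rules exist, and that unmatched traffic is accepted.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the thread.
ROUTER_ADDRS = {ip_address("192.168.1.1"), ip_address("192.168.0.70")}
MODEM = ip_address("192.168.0.10")
MANAGEMENT = [ip_network("192.168.1.254/32"), ip_network("192.168.1.253/32")]
ADMIN_PORTS = {21, 22, 23, 80, 443, 8291, 8728}

def in_management(src):
    """True if src is on the 'management' address-list."""
    return any(src in net for net in MANAGEMENT)

def verdict(src, dst, proto, dport=None):
    """Return (chain, action) for one packet under the two drop rules."""
    src, dst = ip_address(src), ip_address(dst)
    # Packets addressed to the router itself traverse 'input';
    # packets routed through it (e.g. to the modem) traverse 'forward'.
    chain = "input" if dst in ROUTER_ADDRS else "forward"
    if chain == "input":
        # chain=input action=drop src-address-list=!management
        #   protocol=tcp dst-port=21,22,23,80,443,8291,8728
        if proto == "tcp" and dport in ADMIN_PORTS and not in_management(src):
            return chain, "drop"
    else:
        # chain=forward action=drop src-address-list=!management
        #   dst-address=192.168.0.10/32   (no protocol or port matcher)
        if dst == MODEM and not in_management(src):
            return chain, "drop"
    return chain, "accept"  # assumption: nothing else in the ruleset matches

# Constructed sample packets: (src, dst, proto, dport)
SAMPLES = [
    ("192.168.1.50", "192.168.1.1", "tcp", 80),     # hotspot user -> router web page
    ("192.168.1.254", "192.168.1.1", "tcp", 8291),  # management station -> Winbox
    ("192.168.1.50", "192.168.1.1", "udp", 53),     # hotspot user -> router DNS
    ("192.168.1.50", "192.168.0.10", "tcp", 80),    # hotspot user -> modem page
    ("192.168.1.50", "192.168.0.10", "icmp", None), # hotspot user pings modem
    ("192.168.1.253", "192.168.0.10", "tcp", 80),   # second management station -> modem
    ("192.168.1.50", "203.0.113.5", "tcp", 443),    # hotspot user -> internet host
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", verdict(*pkt))
```

The input rule only matches the listed TCP ports, so other traffic to the router (the DNS sample) still passes, while the forward rule has no protocol matcher and therefore drops everything a non-management client sends to the modem, ping included.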
namo
November 3, 2009, 8:00am
10
fewi:
Implement firewall rules that drop all access except from your specific client IP.
/ip firewall filter add place-before=0 chain=input action=drop src-address=!192.168.1.254/32 protocol=tcp dst-port=21,22,23,80,443,8291,8728
I did this. Now only this IP can access the router using Winbox, but I cannot access the web interface of the router.