RouterOS Management Ports and Protocols

Hi Everyone,

I was hoping that someone could tell me where I could find the ports and protocols used to manage RouterOS?

I’d like to set up the appropriate firewall rules to prevent discovery and access for all but a single VLAN.

Thank you!

See https://help.mikrotik.com/docs/display/ROS/Services

Overall access to make changes via Winbox is user name-password protected.

Access TO the Router ( or more accurately to router services ) is controlled by the firewall filter INPUT CHAIN.
In addition, access to winbox functionality can be further delineated in two locations:
a. Tools / MAC Server / MAC Winbox Server { By interface list argument entry }
b. IP / Services / Services List / Winbox { By IP address/subnet argument entry } Note: the winbox port is also identified here

Note: The absence of any rules on config = allow everything.

A typical type of setup will have:
/interface list
add name=MGMT
/interface list member
add interface=BaseVLAN99 list=MGMT
add interface=TrustedWork88 list=MGMT
add interface=Offbridge-ether5 list=MGMT

/ip firewall address-list
add address=192.168.99.5/32 list=Authorized comment="Admin Desktop management subnet static dhcp lease"
add address=192.168.88.5/32 list=Authorized comment="Admin ipad work wifi static dhcp lease"
add address=10.10.10.2/32 list=Authorized comment="Remote Admin wireguard"
add address=192.168.55.2 list=Authorized comment="offbridge access"

/ip firewall filter
add chain=input action=accept in-interface-list=MGMT src-address-list=Authorized
/ip neighbor discovery-settings
set discover-interface-list=MGMT

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

( change user name from default admin is first security step )
( change default winbox port from 8291 is second step )
( I tend to use interface lists to limit the number of subnets with access to winbox )
( I use the input chain to narrow down to IP if necessary )
( I may or may not use (lazy) Services to include subnets with access to winbox port )
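For readers who want the three layers above (firewall input chain, IP Services, MAC server) written out as one coherent policy, here is an added example. It is not the config posted in this thread or MikroTik's own; it reuses the interface and list names from the reply above, assumes 192.168.99.0/24 is the admin VLAN and 10.10.10.0/24 the WireGuard subnet, and uses the default RouterOS service ports (ssh 22, winbox 8291, www 80/443, api 8728/8729, ftp 21, telnet 23). The explicit drop rule at the end of the input block is what turns the "absence of rules = allow everything" default into a deny for every other interface and host.

```routeros
# Added example (not from the thread): management-plane access policy for RouterOS v7.
# Interface names and list names come from the thread; subnets are assumptions.

# 1. Interface list: only these interfaces may reach management services
/interface list
add name=MGMT comment="management-plane interfaces"
/interface list member
add interface=BaseVLAN99 list=MGMT
add interface=TrustedWork88 list=MGMT

# 2. Address list: the specific admin hosts (static DHCP leases / VPN peers)
/ip firewall address-list
add address=192.168.99.5/32 list=Authorized comment="admin desktop"
add address=10.10.10.2/32 list=Authorized comment="remote admin over WireGuard"

# 3. Input chain: evaluated top to bottom, first match wins.
#    Put these ABOVE any broad "accept from LAN" rule already on the router.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing sessions"
add chain=input action=drop connection-state=invalid comment="drop malformed state"
add chain=input action=accept protocol=tcp dst-port=22,8291 in-interface-list=MGMT src-address-list=Authorized comment="ssh/winbox: MGMT interface AND authorized host"
add chain=input action=drop protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 comment="default service ports from everyone else"

# 4. IP Services: disable what is unused; bind the rest to the admin subnets.
#    This is an independent second check in front of each service daemon.
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=192.168.99.0/24,10.10.10.0/24
set winbox address=192.168.99.0/24,10.10.10.0/24

# 5. Discovery and MAC-layer access: management interfaces only
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool bandwidth-server
set enabled=no
```

After applying it, `/ip firewall filter print stats` shows the hit counters per rule, so a winbox attempt from a non-management VLAN should increment the final drop rule and nothing else. If the router also carries IPv6, the input chain in `/ipv6 firewall filter` is separate and needs an equivalent set of rules; the IPv4 rules above do not cover it.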