Security With RB1100...

I became the owner of a small WISP quite by chance. In upgrading the infrastructure, I purchased an RB1100 as my core router.

I’m really using it in a very simple way. Static routes are configured for the subnetworks run by each of my radios. I also have a single PPTP endpoint set up, so that I can be “in network” to manage the CPEs etc. What concerns me at this point is that the public WAN interface is exposed to the outside, and I seem to have a new best friend in Russia trying to crack my SSH password.

What I would like to do is disable the web and SSH interfaces to all but my private IP addresses internal to the network. So either I’m in-network or VPN’d into the network. So an interface 10.10.1.1 would still have web and SSH access available, but all other ports/interfaces would be disabled.

On the web interface, there is a Firewall feature that lets you select an interface and “protect Router”. Is this what I’m looking for? Or is there a more explicit way of doing this?

Help is greatly appreciated.

Sig

  1. Do not use the web interface of v4 at any cost. Avoid it like the plague. It is for beginner users, and it gives you about 0.5% of the true functionality of the device. Use Winbox or SSH, and do a system reset before you do, to remove any dummy rules the web interface set up for you. An exception is v5 webfig, which is different.

  2. Use these instructions to get rid of the SSH bruteforcer: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

Thanks Normis!

You’re not the first person to tell me to stay away from the web interface! The one feature I like about it is the graphing. I’m slowly but surely getting some proper monitoring equipment onto my site, but it’s up a mountain, on an island, not where I live… So I didn’t want to disable the web interface just yet. My other issue is I’ve become a Mac bigot over the past few years, so I can’t easily run Winbox or the Dude for that matter. Still trying to figure out the best way around my “life choice” :(

I think I tackled the problem in a different way - unless my VPN is still subject to attack from Bruteforcer? I went into /ip service and limited access to both web and ssh to my internal 10.10.1.0/24 subnetwork. Seems to do what I want for now. Port scan still shows 22 active, but it rejects all calls in unless I’m behind my router.

Cheers,

Sig
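Pulling the two approaches in this thread together, here is a RouterOS CLI configuration (an added example, not posted by Sig, Normis or MikroTik) that restricts the management services to the internal 10.10.1.0/24 subnet as Sig did in /ip service, and also adds input-chain firewall rules so the services are never reachable from the WAN at all, with the staged address-list brute-force rules from the wiki page Normis linked. The WAN interface name `ether1-wan` is assumed; the 10.10.1.0/24 subnet and the PPTP endpoint come from the original post. Note that the PPTP listener (TCP 1723 plus GRE) must stay open on the WAN for the VPN to work, so that service remains exposed and its password strength and the firewall log are what protect it.

```routeros
# Added example configuration (not from the forum posters).
# Assumed WAN interface name: ether1-wan. Internal management subnet: 10.10.1.0/24.

# 1. Bind the management services to the internal subnet only (what Sig did),
#    and disable the ones that are not needed at all.
/ip service
set www address=10.10.1.0/24
set ssh address=10.10.1.0/24 port=22
set winbox address=10.10.1.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes

# 2. Input chain: a packet destined for the router itself is rejected before
#    it ever reaches the SSH daemon, so "port 22 still shows as open" goes away.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="allow replies to the router's own traffic"
add chain=input connection-state=invalid action=drop

# Keep the PPTP VPN endpoint reachable from the outside; everything else
# management-related on the WAN is dropped further down.
add chain=input in-interface=ether1-wan protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control"
add chain=input in-interface=ether1-wan protocol=gre action=accept \
    comment="PPTP tunnel (GRE)"

# Staged brute-force detection for SSH, following the MikroTik wiki
# "Bruteforce login prevention" page: each new SSH connection moves the
# source address one stage up; a fourth attempt within the window is
# blacklisted for 10 days. Order matters: the drop rule must be first.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="drop SSH brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m

# Management (SSH, web, Winbox) is only accepted from the internal subnet,
# which also covers clients that arrive through the PPTP tunnel if the
# PPTP pool is inside 10.10.1.0/24.
add chain=input src-address=10.10.1.0/24 protocol=tcp dst-port=22,80,8291 action=accept \
    comment="management from LAN / VPN"

# Log and drop anything else that targets the router on the WAN side.
add chain=input in-interface=ether1-wan action=log log-prefix="wan-input-drop: "
add chain=input in-interface=ether1-wan action=drop
```

To check the result, `/ip firewall address-list print` shows which sources have reached each stage, and `/log print where message~"wan-input-drop"` shows what is being refused on the WAN. The `/ip service` restriction and the firewall rules overlap on purpose: if one of them is ever loosened by mistake (for example by a web-interface "wizard"), the other still keeps SSH and web management off the public side.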

http://wiki.mikrotik.com/wiki/MikroTik_WinBox_for_Mac_StandAlone - works fine on the latest Snow Leopard.

Also, the Winbox GUI translates to the CLI nearly 1:1, and OS X does come with an SSH client (and server) by default.