Help requested.
I have a basic router configuration on a RB450G box. I have ether1 connected to an ADSL modem and a basic firewalled connection to my internal network on ether2. There are no firewall filter rules and only a simple masquerade NAT rule. All IP/services are turned off except winbox (port 8291) and www (port 8888) and they are supposedly only available from 192.168.0.0/24 (my private network).
If I do an external port scan (using ShieldsUp) both 8291 and 8888 are flagged as being open. Why? What am I missing?
I want to lock down the router as far as possible.
It means that you can connect only from 192.168.0.0/24; it doesn't mean that the ports will not be visible. For router protection, set up a proper firewall in the input chain.
Beware with the in-interface= instruction: you should use the one that is on your internet connection. In your post you said you use ether1 as in-interface, so that is what I use.
You should drop all inbound traffic with a chain=input action=drop rule. Not doing so will turn your router into a DDoS participant soon enough, since you'll be an open resolver.
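The replies above recommend an input-chain firewall that ends in a drop rule. As an added example (not part of this thread and not the original poster's configuration), here is one way to do that for the layout described in the question: ether1 is the ADSL side, ether2 carries 192.168.0.0/24, and WinBox (8291) and WWW (8888) should only answer the private network. The rule order and the comments are assumptions made for this example; RouterOS evaluates filter rules top to bottom, so the LAN accept must sit above the catch-all drop.

```routeros
# Added example, not from the thread. Assumes ether1 = ADSL/WAN, ether2 = LAN 192.168.0.0/24.
# Rules are processed top to bottom; the first match wins.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to traffic the router itself started (DNS, NTP, updates)"
add chain=input connection-state=invalid action=drop \
    comment="packets that belong to no known connection"
add chain=input in-interface=ether2 src-address=192.168.0.0/24 action=accept \
    comment="LAN may reach WinBox 8291, WWW 8888 and router DNS"
add chain=input protocol=icmp action=accept \
    comment="optional: keep ping working for troubleshooting"
add chain=input in-interface=ether1 action=drop \
    comment="everything arriving unsolicited from the ADSL side, incl. UDP/53 (no open resolver)"
add chain=input action=drop \
    comment="catch-all: anything not accepted above"

# Check: re-run the external scan, then watch the hit counters grow on the ether1 drop rule.
/ip firewall filter print stats
```

A few notes on the design. Because the SYN to 8291 or 8888 is dropped before it reaches the service, an external scan no longer gets a SYN-ACK and reports the port as stealth/filtered, which is what `/ip service address=` alone cannot achieve. The existing masquerade rule lives in the srcnat chain and is not affected. When applying this over WinBox or a terminal session, use RouterOS Safe Mode first so a mistake in rule order cannot lock you out of the router.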