JJOliver998
Frequent Visitor
Topic Author
Posts: 85
Joined: Wed May 13, 2009 11:48 am

Feature request - Better control of ip/services/

Wed Dec 09, 2009 4:47 pm

Hi.

I'm pretty new to mikrotik, but what seems to be glaringly obvious is that IP / Services which, forgive me for explaining, allows you to connect to the mikrotik in differing fashions via Api, FTP, ssh, telnet, winbox, www and www-ssl.

What seems to be at fault is that you can only put a single ip address or ip range such as 10.200.0.0/16 or 10.200.1.0/24.

Why can't I add more than one IP address or use an IP pool? This seems to be a major flaw. I have several fixed IP addresses that connect from different sites, adding a VPN to each one seems a major hassle to allow a user to connect for 5 minutes without adding a huge security risk.

Anyone else think so?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Feature request - Better control of ip/services/

Wed Dec 09, 2009 4:51 pm

Yes, it is correct that you can put one IP address or a block of IP addresses, and the service will be accessible from it then.
But you can use /ip firewall filter and create restrictions as complicated as you need.
 
JJOliver998
Frequent Visitor
Topic Author
Posts: 85
Joined: Wed May 13, 2009 11:48 am

Re: Feature request - Better control of ip/services/

Wed Dec 09, 2009 4:59 pm

Sure, I appreciate that.

For example if I want to allow 10.200.1.5 and 79.234.1.2 there doesn't seem to be an easy way.

For example, the use of aliases / ip pools would be a very helpful feature in this situation.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Feature request - Better control of ip/services/

Wed Dec 09, 2009 5:00 pm

Example:
/ip service
set ssh address=0.0.0.0/0
set ssh enabled=yes
set winbox address=0.0.0.0/0
set winbox enabled=yes
/ip firewall address-list
add list=SSH_Access address=192.168.1.10/32
add list=SSH_Access address=10.1.0.45/32
add list=Winbox_Access address=192.168.1.10/32
add list=Winbox_Access address=172.17.1.59/32
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=22 src-address-list=!SSH_Access
add chain=input action=drop protocol=tcp dst-port=8291 src-address-list=!Winbox_Access
Edit: or for your example:
/ip firewall address-list
add list=admins address=10.200.1.5/32
add list=admins address=79.234.1.2/32
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=21,22,23,80,443,8291,8728 src-address-list=!admins
 
JJOliver998
Frequent Visitor
Topic Author
Posts: 85
Joined: Wed May 13, 2009 11:48 am

Re: Feature request - Better control of ip/services/

Wed Dec 09, 2009 5:08 pm

Thanks so much, that looks really helpful.

Any chance of letting me know what that does?

Josh
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Feature request - Better control of ip/services/

Wed Dec 09, 2009 5:20 pm

/ip firewall address-list
Go into the firewall section that builds address lists. Address lists are an easy way to refer to more than one IP address or network.
add list=admins address=10.200.1.5/32
add list=admins address=79.234.1.2/32
Add your two management IP addresses to an address list named 'admins'. Now whenever you refer to that address list, either IP matches.
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=21,22,23,80,443,8291,8728 src-address-list=!admins
Install a firewall filter in the 'input' chain (which contains all traffic destined to the router directly, i.e. traffic that doesn't flow through the router but terminates on it, like management traffic). Drop all traffic to ports 21, 22 etc. (compare those ports to the ports listed in '/ip service') that isn't sourced from the IPs on the 'admins' address list, effectively locking access to those ports to just your two management stations. If you need more admin stations, add their IPs to the address list.

All of these commands and their syntax are explained rather well on the wiki. If you are new to firewalls themselves, the primers on netfilter.org (the Linux firewall project that RouterOS's firewall is built on) are very good.
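As an added example (not from this thread or from RouterOS itself), a small Python model of the address-list and input-chain logic explained above, so the policy can be checked offline before it is applied to a router. The config text is constructed to mirror the commands in the thread; the service-to-port map, `input_verdict` and `unprotected_services` are assumptions of this example, not RouterOS APIs.

```python
import ipaddress

# Constructed RouterOS-style config mirroring the thread's commands (sample text, not a router export).
CONFIG = """/ip firewall address-list
add list=admins address=10.200.1.5/32
add list=admins address=79.234.1.2/32
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=21,22,23,80,443,8291,8728 src-address-list=!admins"""

# Default ports of the /ip service entries the thread covers (assumed map, api is 8728 by default).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "www-ssl": 443, "winbox": 8291, "api": 8728}

def parse_config(text):
    """Parse address-list entries and filter rules; values with spaces or quotes are not handled."""
    lists, rules, section = {}, [], None
    for line in text.strip().splitlines():
        if line.startswith("/"):
            section = line.strip()
            continue
        kv = dict(tok.split("=", 1) for tok in line.split()[1:])  # skip the leading 'add'
        if section == "/ip firewall address-list":
            lists.setdefault(kv["list"], []).append(ipaddress.ip_network(kv["address"]))
        elif section == "/ip firewall filter":
            rules.append(kv)
    return lists, rules

def rule_matches(rule, lists, src_ip, proto, dst_port):
    """Match one filter rule; a leading '!' on src-address-list negates list membership."""
    ports = rule.get("dst-port")
    if rule.get("protocol", proto) != proto or (ports and dst_port not in {int(p) for p in ports.split(",")}):
        return False
    sal = rule.get("src-address-list", "")
    member = any(src_ip in net for net in lists.get(sal.lstrip("!"), []))
    return not sal or member != sal.startswith("!")

def input_verdict(lists, rules, src, proto, dst_port):
    """Walk the input chain top-down, returning the action of the first matching rule."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule["chain"] == "input" and rule_matches(rule, lists, src_ip, proto, dst_port):
            return rule["action"]
    return "accept"  # no rule matched: the input chain's built-in default is accept

def unprotected_services(lists, rules, outsider="203.0.113.9"):
    """Services a host outside the 'admins' list can still reach over TCP."""
    return sorted(s for s, p in SERVICE_PORTS.items()
                  if input_verdict(lists, rules, outsider, "tcp", p) == "accept")

LISTS, RULES = parse_config(CONFIG)
```

Running `unprotected_services` against a rule that omits a port (for example the api port) lists that service, which is the check worth doing whenever a service is enabled or its port changed in /ip service.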
 
JJOliver998
Frequent Visitor
Topic Author
Posts: 85
Joined: Wed May 13, 2009 11:48 am

Re: Feature request - Better control of ip/services/

Wed Dec 09, 2009 5:49 pm

Thanks so much for helping in this issue, this seems to be a much better way of working and I really really appreciate it.

Sorry to have asked a question that was apparently very simple to solve.
