onepiece999
newbie
Topic Author
Posts: 30
Joined: Thu Oct 12, 2017 11:14 am

access winbox from internet

Thu Oct 12, 2017 5:13 pm

Hello bro, this is my first time using RouterOS; would you mind helping me solve my problem?

router IP: 192.168.1.1 (I want to maintain the router via ports 8728, 8291, 80)
NAS: 192.168.1.100 (I want access via ports 8080, 21)
Nintendo Switch: 192.168.1.18 (needs DMZ, because it has no UPnP)

How do I solve these 3 problems?
My router's config is all default settings. Many thanks.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: access winbox from internet

Thu Oct 12, 2017 5:49 pm

router IP: 192.168.1.1 (I want to maintain the router via ports 8728, 8291, 80)
NAS: 192.168.1.100 (I want access via ports 8080, 21)
Nintendo Switch: 192.168.1.18 (needs DMZ, because it has no UPnP)
I have a Mikrotik router at my house and my Nintendo switch works just fine w/o any NAT rules or UPNP whatsoever.

FTP to the NAS is going to be a bit tricky because of the whole active/passive FTP thing. If the NAS lets you configure a range of ports for the data connections, then you'll want to configure it to use passive FTP with a specified range of ports, and also map that range of ports to the NAS in addition to 8080 and 21.

To map a set of ports in dstnat:
/ip firewall nat add chain=dstnat in-interface=MyWanInterfaceName protocol=tcp dst-port=8080,21,10000-10999 action=dst-nat to-address=192.168.1.100
You'll also need to make sure that your filter rules in the forward chain also allow such connections - the easiest way is to add a rule which allows all ports with nat-state=dstnat
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: access winbox from internet

Thu Oct 12, 2017 7:16 pm

router IP: 192.168.1.1 (I want to maintain the router via ports 8728, 8291, 80)
As normal, ZeroByte had it right, but if you are going to allow internet access to your router, you need to look very seriously at access security. There are several different things that can be implemented, including (but not limited to):
Use of non-standard port numbers (for God's sake, don't use port 80),
Only allow secure access modes (i.e. SSH rather than Telnet, https rather than http, etc),
Limit IPs that can access from the internet,
Port knocking,
Secure tunnels,
Complex passwords.
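The two points above that are easiest to get wrong in a RouterOS config are ZeroByte's note that dst-nat'ed connections also need a forward-chain accept (connection-nat-state=dstnat), and k6ccc's point that management ports opened to the internet should at least be limited to known source addresses. The following script is an added example written for this thread, not code from the forum or from MikroTik: it parses a small `/export`-style firewall configuration (the sample text is constructed, the `admins` address list and `ether1` WAN interface are assumptions) and reports both problems.

```python
"""Audit a RouterOS firewall export for two thread-relevant mistakes:
(1) a dst-nat rule with no forward-chain accept for connection-nat-state=dstnat,
(2) a management port accepted on the input chain from the WAN without any
    source-address restriction.
The export text below is constructed for this example; it is not from the thread."""
import shlex
from collections import defaultdict

# Constructed sample in RouterOS 6 export syntax (hypothetical configuration).
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080,21,10000-10999 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.1.100
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=22 in-interface=ether1 protocol=tcp \
    src-address-list=admins
add action=drop chain=input in-interface=ether1
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward in-interface=ether1
"""

# Default RouterOS service ports (www, www-ssl, winbox, api, api-ssl, ftp, ssh, telnet).
MGMT_PORTS = {"80", "443", "8291", "8728", "8729", "21", "22", "23"}


def parse_export(text):
    """Return {section: [rule-dict, ...]}; joins '\\'-continued lines, shlex handles quoting."""
    rules = defaultdict(list)
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # RouterOS wraps long lines with a trailing backslash
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):         # e.g. "/ip firewall filter"
            section = line
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rule = {}
            for tok in tokens[1:]:
                key, _, val = tok.partition("=")
                rule[key] = val
            rules[section].append(rule)
    return rules


def audit(text):
    """Return a list of finding strings; an empty list means both checks passed."""
    rules = parse_export(text)
    nat = rules.get("/ip firewall nat", [])
    flt = rules.get("/ip firewall filter", [])
    findings = []
    # Check 1: without this accept the port maps are dead once the forward chain drops WAN traffic.
    has_dstnat_accept = any(
        r.get("chain") == "forward" and r.get("action") == "accept"
        and r.get("connection-nat-state") == "dstnat" for r in flt)
    for r in nat:
        if r.get("action") == "dst-nat" and not has_dstnat_accept:
            findings.append(f"dst-nat to {r.get('to-addresses')} for ports {r.get('dst-port')} "
                            "has no forward-chain accept with connection-nat-state=dstnat")
    # Check 2: management ports reachable on input with neither src-address nor src-address-list.
    # Simplification: port ranges such as 10000-10999 are not expanded.
    for r in flt:
        if r.get("chain") != "input" or r.get("action") != "accept":
            continue
        exposed = set(r.get("dst-port", "").split(",")) & MGMT_PORTS
        if exposed and not (r.get("src-address-list") or r.get("src-address")):
            findings.append(f"input accept on {r.get('in-interface', 'any interface')} for "
                            f"port(s) {','.join(sorted(exposed))} is not limited by source address")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Running it against the sample flags the Winbox rule (port 8291 open to the whole internet) and the dst-nat to 192.168.1.100, while the SSH rule restricted to the `admins` address list passes. Adding `add action=accept chain=forward connection-nat-state=dstnat connection-state=new` to the filter section clears the first finding.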
 
onepiece999
newbie
Topic Author
Posts: 30
Joined: Thu Oct 12, 2017 11:14 am

Re: access winbox from internet

Fri Oct 13, 2017 5:14 pm

Thank you, sir.

I don't know which is my MyWanInterfaceName; would you mind telling me?

/ip firewall nat add chain=dstnat in-interface=MyWanInterfaceName protocol=tcp dst-port=8080,21,10000-10999 action=dst-nat to-address=192.168.1.100
You'll also need to make sure that your filter rules in the forward chain also allow such connections - the easiest way is to add a rule which allows all ports with nat-

And then can you tell me which rules are not useful, which I can delete?

Attachment for your reference.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: access winbox from internet

Fri Oct 13, 2017 5:33 pm

Use of non-standard port numbers (for God's sake, don't use port 80),
This isn't really useful in today's world. Port scanners also fingerprint the sockets they discover, so even if it's sshd running on port 9147, they'll find and catalog it.
All of the other points are spot-on, though.
I don't know which is my MyWanInterfaceName; would you mind telling me?
In your screenshots it appears to be ether1.
 
onepiece999
newbie
Topic Author
Posts: 30
Joined: Thu Oct 12, 2017 11:14 am

Re: access winbox from internet

Fri Oct 13, 2017 5:54 pm

Thanks bro, now my NAS works from the internet; would you mind helping with Winbox & WebFig?

Thank you so much.
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: access winbox from internet

Fri Oct 13, 2017 6:02 pm

Use of non-standard port numbers (for God's sake, don't use port 80),
This isn't really useful in today's world. Port scanners also fingerprint the sockets they discover, so even if it's sshd running on port 9147, they'll find and catalog it.
That is sort of true. Casual attacks are only looking for the more commonly used ports. Even if a port scanner is trying every port and fingerprinting it (and yes, sophisticated scanners do this as ZeroByte said), it's easy to include a set of filter rules that will block a port scanner from being able to accomplish much. I was reminded of this not long ago when I attempted a port scan on one of my routers at home, and it failed to find most of the ports that should have been open. Then I remoted into the router and sure enough, the filter rules for blocking port scanners showed a large number of dropped packets. I disabled the port scanner blocker rules, ran the port scan again and found exactly the expected open ports (I was happy). Yes, I then remembered to re-enable the port scanner blocker rules :).
 
onepiece999
newbie
Topic Author
Posts: 30
Joined: Thu Oct 12, 2017 11:14 am

Re: access winbox from internet

Fri Oct 13, 2017 6:08 pm

Thanks bro, can you tell me which are the port scanner blocker rules?
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: access winbox from internet

Fri Oct 13, 2017 6:51 pm

This was taken essentially directly from the Wiki. The only changes I made were to make this a separate chain and jump to it, specifically drop packets from IPs on my "Manual Blacklist" list, and to exclude IPs on my "Safe" list from being affected.
add action=drop chain=Attack comment=\
    "Drop all connections from IPs on the Manual Blacklist" log=yes \
    log-prefix="Manual Blacklist" src-address-list="Manual Blacklist"
add action=drop chain=Attack comment=\
    "Detect and drop TCP port scan connections" protocol=tcp psd=21,3s,3,1
add action=drop chain=Attack comment=\
    "Detect and drop UDP port scan connections" protocol=udp psd=21,3s,3,1
add action=return chain=Attack comment=\
    "Prevent safe IPs from getting tarpitted." src-address-list=Safe
add action=tarpit chain=Attack comment="Suppress DoS attack by tarpitting" \
    connection-limit=3,32 protocol=tcp src-address-list=Black_list
add action=add-src-to-address-list address-list=Black_list \
    address-list-timeout=1d chain=Attack comment="Detect DoS attack" \
    connection-limit=10,32 log=yes log-prefix="Black list" protocol=tcp
add action=return chain=Attack comment="Return from Attack chain"
Could it be improved? Likely, but it works from what I have observed...
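The psd=21,3s,3,1 value in the rules above packs four parameters: a weight threshold (21), a delay threshold (3 s) after which a sequence of packets from one host is no longer treated as one scan, and the weight given to each new destination port, 3 for a privileged port and 1 for an unprivileged one. The script below is an added, simplified model of that bookkeeping written for this thread; it is not MikroTik's implementation (whose internals are not public), and it assumes "privileged" means a port below 1024. It runs constructed traffic through the model to show what is and is not caught: a quick sweep of well-known ports trips after seven distinct ports (7 x 3 = 21), a sweep of high ports needs 21 distinct ports, and a slow scan that spaces probes more than 3 s apart is never caught by psd alone.

```python
"""Simplified model of RouterOS's psd (port scan detection) matcher.
Added illustration for this thread, not MikroTik's code; the reset-on-gap
behaviour and the <1024 privileged-port boundary are assumptions."""
from dataclasses import dataclass, field


@dataclass
class PsdParams:
    weight_threshold: int = 21     # total weight at which a source counts as scanning
    delay_threshold: float = 3.0   # seconds; a longer gap ends the current sequence
    low_port_weight: int = 3       # weight of a new privileged destination port (< 1024)
    high_port_weight: int = 1      # weight of a new unprivileged destination port


@dataclass
class SourceState:
    ports: set = field(default_factory=set)  # distinct ports seen in the current sequence
    weight: int = 0
    last_seen: float = 0.0


class PortScanDetector:
    def __init__(self, params=None):
        self.params = params or PsdParams()
        self.sources = {}

    def observe(self, src, dst_port, ts):
        """Feed one packet (source IP, destination port, timestamp in seconds).
        Returns True when the packet matches, i.e. the rule's action would fire."""
        st = self.sources.setdefault(src, SourceState())
        if ts - st.last_seen > self.params.delay_threshold:
            st.ports.clear()           # gap too long: start a fresh sequence
            st.weight = 0
        st.last_seen = ts
        if dst_port not in st.ports:   # repeat hits on the same port add no weight
            st.ports.add(dst_port)
            st.weight += (self.params.low_port_weight if dst_port < 1024
                          else self.params.high_port_weight)
        return st.weight >= self.params.weight_threshold


def run(packets, params=None):
    """Run packets (src, dst_port, ts) through the detector.
    Returns {src: number of packets that matched} for sources that matched at all."""
    det = PortScanDetector(params)
    hits = {}
    for src, port, ts in packets:
        if det.observe(src, port, ts):
            hits[src] = hits.get(src, 0) + 1
    return hits


# Constructed traffic samples (documentation addresses, not real hosts).
WELL_KNOWN = [21, 22, 23, 25, 80, 110, 143, 443]
FAST_SCAN = [("203.0.113.9", p, 0.1 * i) for i, p in enumerate(WELL_KNOWN)]
SLOW_SCAN = [("203.0.113.10", p, 5.0 * i) for i, p in enumerate(WELL_KNOWN)]
HIGH_SCAN = [("203.0.113.11", 10000 + i, 0.05 * i) for i in range(25)]
NORMAL = [("198.51.100.4", 443, 0.0), ("198.51.100.4", 443, 0.5), ("198.51.100.4", 80, 1.0)]

if __name__ == "__main__":
    for name, sample in [("fast scan", FAST_SCAN), ("slow scan", SLOW_SCAN),
                         ("high-port scan", HIGH_SCAN), ("normal client", NORMAL)]:
        print(f"{name:15s} -> matched packets per source: {run(sample)}")
```

Two things worth noting from the output: the first six probes of the fast scan pass before the threshold is reached, so psd limits rather than prevents reconnaissance, and the slow scan is invisible to it, which is why k6ccc's chain pairs psd with the connection-limit and address-list rules rather than relying on psd alone.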
 
onepiece999
newbie
Topic Author
Posts: 30
Joined: Thu Oct 12, 2017 11:14 am

Re: access winbox from internet

Sat Oct 14, 2017 11:36 am

Thanks bro, my problem is solved.

Now I have created L2TP/IPsec; using it from my iPhone on the local network is OK, but I don't know why connecting to my home VPN from the internet fails... I think I'm missing some firewall config... how do I solve this problem? Thanks, thanks.
