I'm very new to Mikrotik. I just bought a RB3011 few weeks ago, to replace my ISP Box (more for fun than for a real need , but for the moment, it's all but fun...)
Before configuring anything else, the first thing I want to do, is to have a dedicated management ethernet port on my router (let's say ether3 port), with the fixed IP 192.168.1.2 (192.168.1.0/24 is my management subnet on my LAN. It's on the "natave" VLAN). I don't want it to be possible to access the management tools on the router from other ports / subnet, either from winbox or by ssh.
Here are the steps of my different tries :
- i removed ether3 from the defaut bridge (on RB3011, ether2 to ether10 + sfp1 are bridged in the default configuration).
- I added the 192.168.1.2/24 IP address on ether3
- I forced my PC IP address to be 192.168.1.200 (mask 255.255.255.0 / gateway 192.168.1.2 just in case) and plugged it in ether3 port of the router => Can't connect either from WinBox and by ssh
- then, I forced the 192.168.1.0/24 subnet as source address on the Winbox service => no success. And, of course, from that step, I could not connect anymore on ether2 (with host IP set to 192.168.88.x). Fortunatly, connecting by MAC address still worked on ether2, so I have added 192.168.88.0/24 as source address on the Winbox service.
- I tried to put ether3 in a new bridge, just in case => no success
- I tried to add a firewall rule (chain : input / src:192.168.1.0/24 / Action : accept) at the very beginning of the rules => no success
- And other tries I don't remember of... => No success
What the hell is wrong with my actions ? Can someone here help me ?
And for my information, can someone also explain me how it is possible, out of the box, to manage the router from winbox (connecting by IP) and by SSH, with the default firewall rules, because none of them, related to the input chain, explicitly permit new connection (the only accept rules are for ICMP and for established and related states) ? That's a mistery for me.
Thank you for reading and... for replying