Community discussions

MikroTik App
just joined
Topic Author
Posts: 6
Joined: Sat Feb 23, 2019 3:31 am

Block access to winbox on eth 1

Wed Aug 21, 2019 11:27 pm

I have a case where we have several RB450G routers in one building that communicate to the same gateway (server). I want to setup firewall rules to block winbox, webfig, possible Mac discovery for winbox just on the ETH port 1 of all the routers, I can manage them locally amd do not want remote access. I would like to still be able to access via winbox on the other ETH ports.

I saw this example while searching for a solution, sorry if I wasn’t suppose to post this. This example allowed a particular IP access to winbox, is it possible to rework this so that no winbox access is available from ETH1? Thanks

/tool mac-server
add disabled=yes interface=all
/tool mac-server ping
set enabled=no
/ip firewall filter
add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!
You can Also Disable Network Neighbor Discovery on the interface to which your network users are connected

Example: /ip neighbor discovery set ether1 discover=no
Posts: 41
Joined: Fri Jun 30, 2017 11:27 pm

Re: Block access to winbox on eth 1

Thu Aug 22, 2019 11:05 am

User avatar
MikroTik Support
MikroTik Support
Posts: 24709
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Block access to winbox on eth 1

Thu Aug 22, 2019 11:06 am

Yes, this sounds good. You can even do more, here are some ideas: ... our_Router
No answer to your question? How to write posts
User avatar
Forum Guru
Forum Guru
Posts: 5103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block access to winbox on eth 1

Thu Aug 22, 2019 4:21 pm

The input chain is a good place to start.
Dont need to make any rules to block, simply make your last rule block all.
I personally prefer NOT to identify my winbox port in my firewall rules.

a. change winbox port to something non-standard
b. ensure you have a drop all last rule in input chain
c. only allow admin IP addresses access to router on input chain
d. all other lan devices only access to router is if needed for DNS (and that is limited by ports).
e. ensure you have a admin name and password applied to the router (get rid of default)
f. In Ip Services for winbox minimize access to the router appropriately

(PS I wish this had been available when I started LOL.......... )
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
Posts: 41
Joined: Thu Apr 07, 2016 1:40 pm

Re: Block access to winbox on eth 1

Mon Aug 26, 2019 10:58 am

block connection to mikrotik winbox from some ether and allow from some ether
Khaled mulsi ->>> I love mikrotik :D --TIFTOK--

Who is online

Users browsing this forum: arcc and 31 guests