anchit02
just joined
Topic Author
Posts: 3
Joined: Tue Aug 18, 2020 8:59 am

Remote Management Access using Public IP

Thu Aug 20, 2020 1:41 pm

Hello, I'm totally new to MikroTik routers and RouterOS. I'm using an RB750r2 with RouterOS 6.47.1 (stable). I would like to be able to access the router using WinBox or WebFig remotely. I have a public IP address from my ISP, and the RB750r2 router is configured with the public IP address (provided by my ISP) on the Ethernet1 port. I got internet working on my network using the MikroTik router; WAN is set as a static IP on the ethernet1 port with the settings provided by my ISP.
My local LAN devices are connected using an unmanaged switch (Netgear) and a wireless access point (TP-Link), and all IPs for the local network are assigned by DHCP from the MikroTik router.

How would I configure the MikroTik router so that it can be managed remotely through the ethernet1 port using this public IP address?
 
raceboy
Frequent Visitor
Posts: 50
Joined: Fri Mar 23, 2018 7:23 pm

Re: Remote Management Access using Public IP

Thu Aug 20, 2020 6:03 pm

The best solution is an IPsec VPN server on the MikroTik.
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Remote Management Access using Public IP

Thu Aug 20, 2020 6:12 pm

While best practice would be to add a second layer of security by implementing a VPN, I tend not to use a VPN out of convenience.

I create an address list called "net.mgmt" in which I add my known public IP allocations such as office and colo where I would normally be logging in from. I also add a DNS entry named something like mgmt.<mydomain>.<tld> to that address list. The routers I administer query for this DNS pretty regularly, so if I need to add a new source IP, I can add it to my DNS.

Another method I use is port knocking. I wrote a small batch file that uses nping to send a single TCP packet for each port in the designated port sequence, so I can easily add the source IP I'm coming from to the net.mgmt address list for 24 hours.
@echo off
rem knock.bat <router-ip>: one TCP SYN to each knock port, in sequence; stops if any nping invocation fails
nping -c 1 --tcp -p <port seq 1> %1 && nping -c 1 --tcp -p <port seq 2> %1 && nping -c 1 --tcp -p <port seq 3> %1
In the firewall, I have an input chain rule that accepts inbound connections from any source IP in the "net.mgmt" address list.
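The address list and knock sequence described above, written out as RouterOS 6.x CLI. This is an added example, not tippenring's own configuration: the addresses, the hostname mgmt.example.com, the knock ports, the stage-list names and ether1 as the WAN interface are placeholders and assumptions, and no other input rules are assumed to sit ahead of these.

```routeros
# Added example (not tippenring's own config). Placeholders: addresses, hostname,
# knock ports 5401/2319/7780, WAN interface ether1.
/ip firewall address-list
add list=net.mgmt address=203.0.113.10 comment="office (example address)"
add list=net.mgmt address=198.51.100.0/28 comment="colo (example range)"
# A hostname entry is resolved by the router and re-resolved when its DNS TTL
# expires, so changing the A record changes the allowed source remotely.
add list=net.mgmt address=mgmt.example.com comment="resolved via DNS"

/ip firewall filter
# Knock sequence. Each stage only matches a source that is already in the previous
# stage's list, so the three ports must be hit in this order, each within 15s of
# the last. add-src-to-address-list does not stop rule processing: the knock
# packets themselves fall through to the final drop rule and are never answered.
# The ports are deliberately not ascending, so a linear port scan does not
# complete the sequence by accident.
add chain=input in-interface=ether1 protocol=tcp dst-port=5401 \
    action=add-src-to-address-list address-list=knock_stage1 address-list-timeout=15s \
    comment="knock 1/3"
add chain=input in-interface=ether1 protocol=tcp dst-port=2319 src-address-list=knock_stage1 \
    action=add-src-to-address-list address-list=knock_stage2 address-list-timeout=15s \
    comment="knock 2/3"
add chain=input in-interface=ether1 protocol=tcp dst-port=7780 src-address-list=knock_stage2 \
    action=add-src-to-address-list address-list=net.mgmt address-list-timeout=1d \
    comment="knock 3/3: source is a management address for 24h"
# Management only from the list; everything else reaching the router from WAN
# is dropped (the default config already has an equivalent drop rule; these
# rules must sit above it).
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 src-address-list=net.mgmt \
    action=accept comment="WinBox from net.mgmt"
add chain=input in-interface=ether1 action=drop comment="drop all other WAN input"
```

A wrong or out-of-order knock does nothing, and the stage entries expire on their own after 15 seconds. To see who is currently admitted, and how long each entry has left, run `/ip firewall address-list print where list=net.mgmt`; the dynamic entries added by the knock show their remaining timeout, the static office and DNS entries do not.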
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Remote Management Access using Public IP

Fri Aug 21, 2020 7:45 am

Use WinBox, not WebFig, and in addition to the above suggestions, use non-standard ports.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Remote Management Access using Public IP

Fri Aug 21, 2020 11:11 am

1) IP whitelisting provides limited security. Your ISP and any 3rd party in between your SRC and DST is in full control of the data going through and can simulate a connection with a fake IP.
2) A nonstandard port also provides very limited security. Technically, it is "security through obscurity", and that is generally not considered secure.
3) Port knocking is similar to a non-standard port - again "security through obscurity". It can be perceived as a plaintext password, nothing more.

And if you put so much effort into implementing these techniques, you would be better off with a proper VPN, which has been designed by cybersecurity professionals and protects not just authentication but also encrypts the transferred data. If nothing else, even the simplest PPTP (which you can set up in 2 minutes) will do a better job than any of the aforementioned methods.

tl;dr: Never open your management access on any interface which can't be fully trusted.
 
jvanhambelgium
Forum Veteran
Posts: 991
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Remote Management Access using Public IP

Fri Aug 21, 2020 11:31 am

1) IP whitelisting provides limited security. Your ISP and any 3rd party in between your SRC and DST is in full control of the data going through and can simulate a connection with a fake IP.
2) A nonstandard port also provides very limited security. Technically, it is "security through obscurity", and that is generally not considered secure.
3) Port knocking is similar to a non-standard port - again "security through obscurity". It can be perceived as a plaintext password, nothing more.

1) Not really, it's about statistics... if you only allow 1 IPv4 address to connect for management, then the chance of this happening could be 1 out of 4,294,967,296.
Sure, it can be spoofed, but the chances are pretty, pretty, pretty low...

2) Agree, it helps only "a bit"

3) I don't agree. It's not of the same "obscurity" level as a non-standard port. Again, a matter of statistics. What is the chance that somebody would issue X amount of TCP hits in a certain defined sequence within a certain defined amount of time? You can control these parameters, making the chances practically 0 (e.g. 3 or 4 TCP sequences within 10 seconds).

A "permanently open" VPN entry point is also a potential problem. Any hacker can try as many times as they want, consuming more resources compared to e.g. port knocking.
I don't think MikroTik has the option to "blacklist" after X amount of failed authentications and place them on an ACL and filter them before they reach the VPN authentication phase?
Sure, your transport traffic is encrypted, but so is WinBox.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Remote Management Access using Public IP

Fri Aug 21, 2020 1:06 pm

1+3) If we are talking about spoofing an IP for a TCP connection, then the attacker must be on the route between the original IP which he is trying to spoof and the target. Otherwise he will never get the reply, therefore no TCP connection... Statistics are applicable only if you are talking about a random hacker from the internet. But that is not always the case. Do you trust your ISP? Do you trust your government? There are many parties transporting the data between your SRC and DST which can sniff your data, figure out the required IP (or port-knocking sequence) and spoof it.

Please do not assume that you (as an average individual) can figure out a more secure approach than the world-class scientists who worked on the VPN specifications.

You are partially right that MikroTik can't blacklist after X amount of failed authentications. MikroTik certainly has the option to blacklist after X amount of new connections. You see - if your authentication fails, you have to create a new connection. If your authentication succeeds, you don't need a new connection. Therefore - connection limit per time. Easy peasy and a very efficient killer of bruteforce attacks.

Re WinBox encryption: Never assume that a proprietary protocol is secure. Over the past 4 years, there have been so many flaws found (some of them did not even require authentication!) that you would have to be really stupid to trust it. And you are not stupid, right?
Any zero-day vulnerability in the WinBox protocol will leave you defenceless. But you like statistics, so what is the chance that the WinBox protocol and a VPN protocol will have a vulnerability at the same time? I would say significantly lower.
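The "connection limit per time" blacklist described in the post above, as RouterOS 6.x filter rules. This is an added example, not vecernik87's own rules: it uses the staged address-list pattern commonly used on RouterOS against SSH brute force, and the port (8291, WinBox), the threshold (a fourth new connection within one minute) and the one-day ban are assumptions.

```routeros
# Added example (not vecernik87's own rules). Assumptions: WinBox on tcp/8291,
# threshold = 4 new connections per source within 1 minute, ban = 1 day.
/ip firewall filter
# Drop first, so a blacklisted source never reaches the service at all.
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt_blacklist action=drop \
    comment="blacklisted brute-forcers"
# Every NEW connection moves the source up one stage. The stages are listed from
# highest to lowest on purpose: add-src-to-address-list does not stop rule
# processing, so a single packet must only be able to advance one stage, not
# climb all of them at once.
add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=mgmt_stage3 \
    action=add-src-to-address-list address-list=mgmt_blacklist address-list-timeout=1d \
    comment="4th new connection within a minute: blacklist for a day"
add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=mgmt_stage2 \
    action=add-src-to-address-list address-list=mgmt_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=8291 connection-state=new src-address-list=mgmt_stage1 \
    action=add-src-to-address-list address-list=mgmt_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=8291 connection-state=new \
    action=add-src-to-address-list address-list=mgmt_stage1 address-list-timeout=1m
# Whatever survives the counting is allowed through to the service.
add chain=input protocol=tcp dst-port=8291 action=accept comment="WinBox"
```

The fourth new connection inside the window puts the source into mgmt_blacklist; that connection itself still completes, because the drop rule was evaluated before the list entry existed, and the fifth one is dropped. An administrator who fumbles the password four times is locked out for a day as well, so if you keep a list of known management addresses (such as the net.mgmt list from earlier in this thread), add `src-address-list=!net.mgmt` to the four counting rules to exempt it. The same pattern applies unchanged to a VPN port such as udp/500 or tcp/443 by swapping the protocol and dst-port.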
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remote Management Access using Public IP

Fri Aug 21, 2020 1:59 pm

I like the pony's advice. In other words, if you are configuring devices for a business (paid etc.), then VPN is the only acceptable method. If this is just for yourself, then the risk is yours to take.
I wouldn't do either of the suggested tricks, as my better half would skin me alive if we were hacked due to me taking shortcuts...........
 
mkx
Forum Guru
Posts: 11616
Joined: Thu Mar 03, 2016 10:23 pm

Re: Remote Management Access using Public IP

Fri Aug 21, 2020 3:04 pm

... as my better half would skin me alive if we were hacked due to me taking shortcuts...........

So your own business-case comes with very hard conditions ;-)
 
anchit02
just joined
Topic Author
Posts: 3
Joined: Tue Aug 18, 2020 8:59 am

Re: Remote Management Access using Public IP

Sat Aug 22, 2020 9:25 am

Thank you all for the replies. I understand some of the things being talked about here. But as I said in my opening post, I'm new to RouterOS and MikroTik. What I mean by that is I'm not familiar with the WinBox interface and writing code in the terminal and such. I'm trying to implement this solution as a way to connect my home office with a different apartment. I understand the security point of view that is talked about here and I appreciate that, but at this point I'm trying to figure out how to get access to the management interface of RouterOS. Like, in WinBox, where do I go, and which tabs do I go to, to set this up. I'm sorry if this sounds very stupid, but I'm trying to learn about RouterOS and I've tried looking up tutorials and videos but still couldn't figure it out. And this is why I posted here, for someone to help with step by step instructions on how to go about accessing this RB750r2 with a public IP on the ether1 port using either WinBox or WebFig from a remote PC connected to the internet.

I'm familiar with DD-WRT for regular consumer routers, and that interface has a remote management area under the admin panel where this feature can be enabled and the ports can be set up, which just works very well. In the browser of a remote PC, I would type in https://(DD-WRT_Router's_WAN_Port_Real_IP):Port# and it just works. Is something like this possible with RouterOS on the RB750r2? If yes, how do I enable it/get it to work using WinBox?

Sorry if I'm coming off as extremely dumb, but I'm not an IT professional. I learn by trial and error and I'm looking for someone to give me some guidance and instructions.
Thanks a lot everyone.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Remote Management Access using Public IP

Sat Aug 22, 2020 6:02 pm

If you have the default config, all services are running; only access from outside is blocked by the firewall in IP->Firewall->Filter. When it's a service on the router itself, you need to be looking at the input chain. I don't have it in front of me, but I think the default config allows access from LAN and then unconditionally blocks the rest. Rules are processed in order from top to bottom and the first matching rule is used. Look at what's there now and try to understand it.

To allow something, you need to add new rule(s) in the same chain and drag them before the last drop rule. Exact parameters depend on what you want to allow:

- IPSec VPN needs protocol udp with ports 500 and 4500, and protocol ipsec-esp
- L2TP/IPSec needs the same, plus udp 1701 and this one with additional IPSec Policy in:ipsec (on Advanced tab)
- SSTP needs tcp 443 (or whatever else you choose)
- plain WinBox needs tcp 8291 (if you didn't change it in IP->Services)
- plain WebFig needs tcp 80 (same as ^^^)

You've been warned enough, but the decision is yours, so take your pick.

In all cases you need action=accept (it's the default). If you know that access from selected address(es) would be enough, you can add the Src. Address (or Src. Address List) parameter. If you use a list, it's managed in IP->Firewall->Address Lists and it can also take hostnames, not just numeric addresses.
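The rules Sob lists, as RouterOS 6.x CLI, inserted ahead of the default-config drop rule instead of dragging them in WinBox. This is an added example, not Sob's own configuration: it assumes the RouterOS 6 default firewall (whose input drop rule carries the comment "defconf: drop all not coming from LAN"), WAN on ether1, LAN 192.168.88.0/24, and the net.mgmt address list from earlier in the thread; 203.0.113.10 is a placeholder management address. Pick only the rules for the access method you actually intend to use.

```routeros
# Added example (not Sob's own config). Assumptions: RouterOS 6 default firewall,
# WAN = ether1, LAN = 192.168.88.0/24, address list net.mgmt exists,
# 203.0.113.10 is a placeholder management address.
/ip firewall filter
# The default-config drop rule; every accept below is placed in front of it.
:local dropRule [find chain=input comment="defconf: drop all not coming from LAN"]

# IPsec: IKE, NAT-T and ESP. Needed for plain IPsec and for L2TP/IPsec.
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T" place-before=$dropRule
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept \
    comment="ESP" place-before=$dropRule
# L2TP control channel, accepted only when it arrived inside an IPsec SA
# (Advanced tab > IPsec Policy "in ipsec" in WinBox).
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP inside IPsec only" place-before=$dropRule
# SSTP: TLS on 443 unless you changed it in PPP > SSTP Server.
add chain=input in-interface=ether1 protocol=tcp dst-port=443 action=accept \
    comment="SSTP" place-before=$dropRule
# Plain WinBox / WebFig from the internet, restricted to known source addresses.
# Ports are the IP > Services defaults; change them here if you changed them there.
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 src-address-list=net.mgmt \
    action=accept comment="WinBox from known addresses" place-before=$dropRule
add chain=input in-interface=ether1 protocol=tcp dst-port=80 src-address-list=net.mgmt \
    action=accept comment="WebFig from known addresses" place-before=$dropRule

# The services themselves (IP > Services) can be bound to the same sources as a
# second check, and anything you do not use should be switched off.
/ip service
set winbox address=192.168.88.0/24,203.0.113.10
set www address=192.168.88.0/24,203.0.113.10
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
```

Check the result with `/ip firewall filter print where chain=input`: each new accept must appear above the "defconf: drop all not coming from LAN" rule, because the first matching rule wins and anything listed after the drop is never reached. If the drop rule has a different comment on your router, `find` returns nothing and the `add` commands fail rather than silently appending the rules below the drop.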
 
anchit02
just joined
Topic Author
Posts: 3
Joined: Tue Aug 18, 2020 8:59 am

Re: Remote Management Access using Public IP

Sat Aug 22, 2020 10:05 pm

Thanks a lot Sob, this is exactly what I was looking for and I got it to work on a test environment.
