go4030
Frequent Visitor
Topic Author
Posts: 57
Joined: Wed Oct 28, 2020 3:56 am

Block Router Admin Access from the Wireless Interfaces

Tue Mar 02, 2021 6:10 am

Is there a way to block router admin access from the Wireless Interfaces?
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Block Router Admin Access from the Wireless Interfaces

Tue Mar 02, 2021 7:49 am

If they are bridged, it won't be as easy. To be precise - it can't be done with a firewall, because the packet goes to the firewall from the bridge (therefore bridge is the in-interface). In order to block only wireless clients, you need to create the rule in bridge filters:
# one interface list grouping all wireless interfaces, so a single filter rule covers them
/interface list
   add name=wifi

# add more or change names to match your wireless interfaces
/interface list member
   add interface=wlan1 list=wifi
   add interface=wlan2 list=wifi

# bridge filter "input" chain = frames addressed to the bridge interface itself (i.e. to the router),
# matched while the wireless port is still the in-interface (by the time /ip firewall sees the packet,
# the in-interface is the bridge, which is why an /ip firewall rule cannot single out wifi clients)
# mac-protocol=ip plus ip-protocol=tcp/udp are needed for dst-address and dst-port to match
# modify the dst-address to match your router's LAN IP address! I used a default value
# add more rules if you enabled any other service (e.g. SSH = TCP port 22, Telnet = TCP port 23)
/interface bridge filter
   add action=drop chain=input comment="blocks winbox on wifi" dst-address=192.168.88.1/32 dst-port=8291 in-interface-list=wifi ip-protocol=tcp mac-protocol=ip
   add action=drop chain=input comment="blocks www on wifi" dst-address=192.168.88.1/32 dst-port=80 in-interface-list=wifi ip-protocol=tcp mac-protocol=ip
   add action=drop chain=input comment="blocks mac-winbox on wifi" dst-address=192.168.88.1/32 dst-port=20561 in-interface-list=wifi ip-protocol=udp mac-protocol=ip

edit: I assume your wireless interfaces are bridged as it is the most common situation for both router as well as AP installations.
 
go4030
Frequent Visitor
Topic Author
Posts: 57
Joined: Wed Oct 28, 2020 3:56 am

Re: Block Router Admin Access from the Wireless Interfaces

Tue Mar 02, 2021 6:13 pm

Thanks, this is perfect for what I need and I'm going to implement it tonight. Just one question...if my network is /24, I would change the /32 to /24?

Just as some background, I'm using the Mikrotik as an AP and it is connected to another router. The AP has an IP address so I can login and administer it. I want to block admin access via Wifi just as another layer of security. After I posted this I was thinking that I could also do something like below but it would be a bit inconvenient to administer the router as I would have to connect to it on a separate ethernet port. Does this approach also make sense?

1. Make eth1 - eth4 and WAN1, WA2 as Bridge1
2. Make eth5 as Bridge2
3. Firewall rule that drops all traffic from Bridge1 to router (input block)
4. Restrict router access services to Bridge 2 only.

Thanks.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Block Router Admin Access from the Wireless Interfaces

Tue Mar 02, 2021 7:10 pm

Another option is to set your device IP or list of IP's in IP> Service.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Router Admin Access from the Wireless Interfaces

Tue Mar 02, 2021 7:55 pm

FIRST IGNORE the advice from above. The pony is pretty but those are LSD colours! ;-P

There are many ways to accomplish this task, I use most of them.
There is nothing specific you have to set in wireless settings.


(1) Input chain firewall rules.
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=adminsubnets src-address-list=adminaccess
add action=drop chain=input comment="Drop All Else" (as the last rule in the input chain)

a. adminsubnets: create an interface list with members for the subnets you, as admin, may need or plan to access the router from
b. adminaccess: create a Firewall address list for IPs you use on various subnets to access the router (admin, desktop, laptop, ipad and any static IP you have set on a different lan for troubleshooting from ipad/laptop)

This entails removing the default input chain rule allowing all LAN users to access the router and replacing with the above rules and also allow rules for any services such as DNS, NTP you want users to be able to access.

(2) USERS - when defining users you can detail which subnets are allowed for user.

(3) TOOLS, MAC Server - MACWINBOX - interface should match 'adminsubnets' above.

(4) IP SERVICES - Services List -- WINBOX, change to non-standard port and limit subnets ......
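The four points above written out as one RouterOS configuration. This is an added example, not anav's or MikroTik's own config. It assumes the default-configuration interface list LAN exists, that the LAN is bridge1 on 192.168.88.0/24, that the admin hosts are 192.168.88.10 and 192.168.88.11 (static addresses or static DHCP leases), and that 18291 is an acceptable non-standard Winbox port; change all of those to match the real setup.

```routeros
# --- (1) input chain: management only from listed hosts on listed interfaces ---
/interface list
add name=adminsubnets comment="interfaces the admin may manage the router from"
/interface list member
add interface=bridge1 list=adminsubnets

/ip firewall address-list
add list=adminaccess address=192.168.88.10 comment="admin desktop (assumed static IP)"
add list=adminaccess address=192.168.88.11 comment="admin laptop (assumed static DHCP lease)"

/ip firewall filter
# keep established/related first so existing sessions are not re-evaluated by later rules
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface-list=adminsubnets src-address-list=adminaccess comment="Allow ADMIN to Router"
# only the services LAN users actually need from the router itself
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for LAN users"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS for LAN users (tcp)"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=123 comment="NTP for LAN users"
add chain=input action=drop comment="Drop All Else"

# --- (2) USERS: restrict from which addresses the admin account may log in ---
/user
set [find name=admin] address=192.168.88.10/32,192.168.88.11/32

# --- (3) MAC server / MAC-Winbox only on the admin interfaces ---
/tool mac-server
set allowed-interface-list=adminsubnets
/tool mac-server mac-winbox
set allowed-interface-list=adminsubnets

# --- (4) IP services: non-standard Winbox port, limited to the admin subnet, unused services off ---
/ip service
set winbox port=18291 address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
set www disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
```

Rule order in /ip firewall filter is what makes this work: `add` appends, so on a router that still has the default configuration the "Drop All Else" line lands after the defconf rule that accepts all input from LAN, and that defconf rule has to be removed (or the new rules moved above it with `place-before=`) for the restriction to take effect. Make the change from a terminal in Safe Mode (Ctrl+X) over the admin host you are whitelisting, so a mistake that locks you out is rolled back when the session drops.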
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Block Router Admin Access from the Wireless Interfaces

Wed Mar 03, 2021 1:14 am

@go4030:
Just one question...if my network is /24, I would change the /32 to /24?
No. We are talking about dst-address, so you are selecting only the destination MikroTik device (single host = /32). If you put /24, you may block access to other devices in theory, depending on your network setup.

I'm using the Mikrotik as an AP and it is connected to another router.
You could kinda say that in the original post...

1. Make eth1 - eth4 and wlan1, wlan2 as Bridge1
2. Make eth5 as Bridge2
3. Firewall rule that drops all traffic from Bridge1 to router (input block)
4. Restrict router access services to Bridge 2 only.
Absolutely! Your thinking is perfectly valid and this approach is called a "management port". That means only one port (or a few selected ports) can be used to manage the device. Just a few notes from me:
  1. do not confuse wlan/wan - those are two very different things. I understand it was just a typo, but less obvious typos can easily steer others to give you a wrong answer.
  2. make sure that you restrict access to Bridge2 not just in /ip firewall, but also in /tool mac-server.
  Optional:
  3. create a dhcp-server on the Bridge2 with some different subnet. That way you will get an IP address from the router when you connect to your Eth5 and that will allow you to connect easily via IP, not just MAC.
  4. you may also configure your Mikrotik to allow internet connection from the Bridge2, which will allow you to search on the internet and look for help/reference, while you are connected to the Eth5

@2frogs
Another option is to set your device IP or list of IP's in IP> Service.
That would be reliable only if your IP is static. You did not mention that, therefore if OP followed your advice, he would sooner or later lose access, because his IP would change.


@anav
FIRST IGNORE the advice from above. The pony is pretty but those are LSD colours! ;-P
I love you too... But I also dare you to prove with an example, when will my answer fail to do what OP asked?

There are many ways to accomplish this task
Not really. The question was pretty clear - prevent wifi clients from accessing the interface. That's it. OP did not ask for complete reconfiguration of his router.
Let me rephrase your statement: "There are many ways to accomplish security of RouterOS"

Please keep in mind that I did not have knowledge he uses it in a non-defconf way. Given that assumption, I did not want to complicate things. We could argue if it is really necessary to separate wlan/eth interfaces and use different subnets. I admit it is more secure approach, but I consider it rather overkill in basic home situation.
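The "management port" layout from the exchange above (ether1-ether4 and wlan1/wlan2 on Bridge1, ether5 alone on Bridge2, restrictions in both /ip firewall and /tool mac-server, plus the optional DHCP server and internet access on Bridge2) as one RouterOS configuration. This is an added example, not vecernik87's or go4030's own config. Assumptions: the AP has a static address 192.168.88.2/24 on the user LAN with the upstream router at 192.168.88.1, the management subnet is 10.10.10.0/24, and the interface names are ether1-ether5, wlan1 and wlan2.

```routeros
# --- 1./2. two bridges: users on bridge1, management port ether5 alone on bridge2 ---
/interface bridge
add name=bridge1 comment="user bridge: wired + wireless clients"
add name=bridge2 comment="management bridge: ether5 only"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge2 interface=ether5

/interface list
add name=MGMT
add name=USERS
/interface list member
add interface=bridge2 list=MGMT
add interface=bridge1 list=USERS

# AP address on the user LAN and its default route via the upstream router (assumed static)
/ip address
add address=192.168.88.2/24 interface=bridge1 comment="AP address on user LAN"
/ip route
add gateway=192.168.88.1 comment="upstream router"

# --- optional 3.: own subnet + DHCP server on bridge2, so a laptop on ether5 gets an IP ---
/ip address
add address=10.10.10.1/24 interface=bridge2 comment="management subnet (assumed)"
/ip pool
add name=mgmt-pool ranges=10.10.10.100-10.10.10.110
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip dhcp-server
add name=mgmt-dhcp interface=bridge2 address-pool=mgmt-pool disabled=no
/ip dns
set allow-remote-requests=yes

# --- 3. input chain: router reachable from bridge2 only, nothing from bridge1 ---
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="established/related"
add chain=input action=accept in-interface-list=MGMT comment="management access via ether5"
add chain=input action=drop in-interface-list=USERS comment="drop all user traffic to the AP itself"

# --- 4. the same restriction for MAC-based access, which /ip firewall does not see ---
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip service
set winbox address=10.10.10.0/24
set www-ssl address=10.10.10.0/24
set www disabled=yes
set telnet disabled=yes
set ftp disabled=yes

# --- optional 4.: let the management subnet reach the internet through the upstream router ---
# the upstream router knows nothing about 10.10.10.0/24, so source-NAT to the AP's own LAN address
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.10.10.0/24 out-interface=bridge1 comment="mgmt subnet via upstream router"
```

The point of restricting /tool mac-server, MAC-Winbox and neighbor discovery alongside the firewall is that MAC-level access is handled outside /ip firewall, so an input-chain drop on bridge1 alone still leaves the AP reachable by MAC address from a wireless client. Apply the bridge changes over ether5 (or with Safe Mode, Ctrl+X, enabled) since moving wlan1/wlan2 and ether1-ether4 between bridges interrupts whichever interface you are currently connected through.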
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block Router Admin Access from the Wireless Interfaces

Wed Mar 03, 2021 3:19 am

I understand where you are coming from and I am simply extrapolating the requirement stated to the ACTUAL REQUIREMENT unstated! Yes we learn mind reading in the MTUNA certification!!

Lets look at it logically, the OP has clearly stated he is concerned with people accessing the router besides the admin.
Sure the ones the op is concerned about are on the wireless networks, but there is NO REASON, for any one other than the admin to access the router. He should be concerned with all users as all users' computers could get infected besides wirelessly connected computers. Bad actors don't have to be directly connected to the network via ethernet cable or wifi to cause issues.
As I stated, if lan users need access to services on the router ONLY provide those services.

This is not overkill its common sense.
I have sharper hooves so save yourself for another day, the colour red would turn your coat purple. Assuming my flatulence didn't knock you out before reaching me.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Block Router Admin Access from the Wireless Interfaces

Wed Mar 03, 2021 8:13 am

The OP has clearly stated he is concerned with people accessing the router besides the admin.
That is just untrue. Look again at the original question - it barely provides any info. You simply arrived late as always, after there was more info provided.

I have sharper hooves so save yourself for another day
Yes we learn mind reading in the MTUNA certification!!
Talk to me once you get the MTCUME certification as well. It will teach you what to do with your hooves...
