 
Asma
just joined
Topic Author
Posts: 2
Joined: Wed Jun 30, 2021 4:49 pm

How to secure my router

Wed Jun 30, 2021 7:06 pm

I got RouterOS 951 and I have installed it at my home. How can I secure this device so no one can connect to it or change the configuration that I set?
 
BartoszP
Forum Guru
Posts: 2866
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: How to secure my router

Wed Jun 30, 2021 7:48 pm

 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to secure my router

Wed Jun 30, 2021 8:05 pm

The default configuration firewall rules are safe and good to go.
If you start changing them or the config all bets are off.

What can be said is
a. don't use default user ID "Admin"; add your own with full permissions and then remove the admin one, but write all info down in a safe place.
b. make a strong password
c. recommend changing winbox port to a random high number port
d. set tools MAC, server MAC server interface to NONE
e. set tools MAC WINBOX mac server interface to LAN
f. turn services off except winbox....

Don't be afraid to ask questions here...
 
Asma
just joined
Topic Author
Posts: 2
Joined: Wed Jun 30, 2021 4:49 pm

Re: How to secure my router

Wed Jun 30, 2021 11:51 pm

anav wrote:
> The default configuration firewall rules are safe and good to go.
> If you start changing them or the config all bets are off.
>
> What can be said is
> a. don't use default user ID "Admin"; add your own with full permissions and then remove the admin one, but write all info down in a safe place.
> b. make a strong password
> c. recommend changing winbox port to a random high number port
> d. set tools MAC, server MAC server interface to NONE
> e. set tools MAC WINBOX mac server interface to LAN
> f. turn services off except winbox....
>
> Don't be afraid to ask questions here...

Hello Anav, thank you, and I really appreciate your help. I am using the default configuration firewall rules and I did your steps a, b, e only.
Step c: How can I change the winbox port to a random high number port? How to set that in winbox?
Step d: How to set tools MAC, server MAC server interface to NONE?
Step f: How to turn services off except winbox?
And I have a question about step e: does this step prohibit me and others from logging in to the router through the network but allow me to access the router only when I'm at my home (LAN)? Is that right?
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to secure my router

Thu Jul 01, 2021 12:33 am

To the last question, yes that helps as well as good firewall rules.
By setting interface to LAN, only those on the LAN interface or associated with it can access winbox functionality.
In addition, the firewall rules only allow those on the LAN to access the router (to and from router firewall control is done via the INPUT CHAIN rules).
You're safe at the moment with the default setup, not to worry.
I always ensure I am using the latest LONG term version of software as it's usually more stable than the very latest release.
Either or are fine.

(1) TO ACCESS Services and winbox!
select main menu item: IP
select sub-menu item: Services
disable all services except: Winbox and perhaps SSH
provide a non-standard high number port for both winbox and SSH.

(2) TO ACCESS MAC SERVERS etc.......
select main menu item: Tools
select sub-menu item: MAC Server
select sub sub-menu item: MAC Telnet Server
choose allowed interface List = none!
select sub sub-menu item: MAC WinBox Server
choose allowed interface List = LAN
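
The menu steps in this post, together with items a to f from the earlier reply, expressed as RouterOS terminal commands. This is an added example, not part of the original thread; the user name, password and both port numbers are placeholders constructed for illustration, and `LAN` is assumed to be the interface list from the default configuration.

```routeros
# Added example: terminal equivalents of the Winbox menu steps.
# Assumptions: "myname", the password string and the two port numbers are
# placeholders; "LAN" is the interface list from the default configuration.

# a/b. Create a personal account with full rights and a strong password.
#      Log in with the new account and confirm it works BEFORE removing
#      the default "admin" account, otherwise you can lock yourself out.
/user add name=myname password="REPLACE-WITH-STRONG-PASSWORD" group=full
/user remove admin

# f. Disable the management services that are not needed
#    (Winbox and SSH stay enabled).
/ip service disable telnet,ftp,www,api,api-ssl

# c. Move Winbox and SSH to non-standard high ports (placeholder values).
/ip service set winbox port=48291
/ip service set ssh port=42022

# d. MAC Telnet server: no interface list allowed.
/tool mac-server set allowed-interface-list=none

# e. MAC Winbox server: reachable from the LAN interface list only.
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Verify the result: disabled services are flagged with X, and the
# two MAC server entries should show "none" and "LAN" respectively.
/user print
/ip service print
/tool mac-server print
/tool mac-server mac-winbox print
```

After the Winbox port is changed, the Winbox client has to be pointed at `address:port` instead of the bare address.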
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to secure my router

Thu Jul 01, 2021 1:52 pm

Here is a good article to start with: https://help.mikrotik.com/docs/display/ ... our+router
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to secure my router

Thu Jul 01, 2021 6:08 pm

Hi Normis, I don't necessarily agree with some of the advice there.....

Specifically these two.................
/tool mac-server mac-winbox set allowed-interface-list=none
/ip dns set allow-remote-requests=no
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to secure my router

Thu Jul 01, 2021 7:21 pm

> /tool mac-server mac-winbox set allowed-interface-list=none

I risk being banned from the forum if I write what I really think about this and other suggested settings for "production environment"....
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to secure my router

Fri Jul 02, 2021 2:46 pm

Hey max, if you have any doubts at all on your current config, recommend starting fresh with netinstall and change userid, password, winbox port etc.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to secure my router

Fri Jul 02, 2021 2:53 pm

anav wrote:
> Hi Normis, I don't necessarily agree with some of the advice there.....
>
> Specifically these two.................
> /tool mac-server mac-winbox set allowed-interface-list=none
> /ip dns set allow-remote-requests=no

This is a boilerplate for people who don't know better. If you see something and know the reason why you don't agree, just configure your device differently.
A basic beginner doesn't specifically need his router to be a DNS cache, let him use 1.1.1.1 or the DNS given by the ISP.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to secure my router

Fri Jul 02, 2021 3:07 pm

You are right,
but the really annoying thing is that they are called "production environment" or "production network"
:-)


I suggest:
instantly force the user to change the default admin user
do not permit user length less than 8 char, must not contain admin, root, or similar
set password to serial number if the device is reset
require strong password, at least 8 char with at least one each of up/low/num/char
It prevents thousands and thousands of problems...
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to secure my router

Fri Jul 02, 2021 6:51 pm

Thanks Normis,
Understood, using the router to cache DNS may be considered 'not beginner', and the default of using the router ISP DNS or directly entered DNS (in dhcp-network-server) is not a bad thing; further, changing the settings to IP DNS Remote to "allow" should be made when one has a better understanding of the router config.

However, the second item, the winmac server, I find confusing. The default settings set up the router so that it's accessible from the LAN (input chain rules),
which ties nicely into winmac server = LAN interface. I believe it defaults to = ALL, and the MT recommendation is NONE.

Won't the user be locked out of using winbox when they change the interface setting to NONE??
Here is where using winbox is not medium or advanced, using winbox is beginner or boilerplate!!
