 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

stopping login attempt to user admin

Sat Jul 17, 2021 9:43 pm

Hi all,
After I got all my network set up and running, I found this alert:
[attachment: login attempt.PNG]
May I know how to stop this? Or is this a common occurrence?
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Sat Jul 17, 2021 9:52 pm

Please mark this as solved. Once I disabled the API services, no more funny messages.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Sat Jul 17, 2021 10:03 pm

Post your config
/export hide-sensitive file=anynameyouwish
if you want the config reviewed for security practices.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Sat Jul 17, 2021 10:19 pm

> Post your config
> /export hide-sensitive file=anynameyouwish
> if you want the config reviewed for security practices.

Hi Anav,

I will share the export file soon.

Thank you
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Sun Jul 18, 2021 5:10 am

> Post your config
> /export hide-sensitive file=anynameyouwish
> if you want the config reviewed for security practices.

Thanks Anav, I've attached the config. Please help with advice on the config.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Sun Jul 18, 2021 8:24 am

One more thing, can anyone advise?
I'm following this instruction to secure the MAC server:
https://help.mikrotik.com/docs/display/ ... figuration

I can't add the local interface as in the example given in the link:
/tool mac-server
disable 0;
add interface=local;

When I check in the WinBox GUI, there isn't an option for add; it only has the attached options:
[attachment: mac server options.PNG]
How should I add only the 2nd port for access?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Mon Jul 19, 2021 2:21 am

You have no firewall rules, so if there isn't any other device in between, this hEX should not be connected to the internet.
Also not sure why you have a bridge, as it's only used for one ether port?? What is the purpose of your bridge??

The interface list is made from the WinBox Interface List settings. You have to select the box around the word LISTS on the same line as the + symbol to create a new one.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Mon Jul 19, 2021 3:02 am

Oh dear, how should I add the firewall rules? Is the basic one from the MikroTik wiki OK?
Or is there a default firewall rule config I can load up?

The bridge was created following the MikroTik wiki, when I connect using a Mac. Should I remove this bridge?
I'm following this guide:
https://help.mikrotik.com/docs/display/ ... figuration

OK, I'll fiddle around with the + in the list.
Last edited by dermawas on Mon Jul 19, 2021 4:49 am, edited 1 time in total.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Mon Jul 19, 2021 4:26 am

Hi Anav,

I've added some firewall rules from https://wiki.mikrotik.com/wiki/Manual:S ... o_a_router
for IPv4 only though, as I disabled IPv6, so I didn't set any firewall rules for IPv6.
I've attached the config; any advice is very much appreciated.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Mon Jul 19, 2021 6:01 pm

Unless you intend on using the MT app with your router, this setting can be set to NONE:
/interface detect-internet
set detect-interface-list=all

The one thing I would do is remove the bridge, as it really serves no purpose here.
You have four independent subnets, each assigned to a port, and thus the use of a bridge is not required (nor do you use VLANs).
However, there is nothing wrong with the current setup as it will work, so you don't have to do anything; just a suggestion.

More important are the firewall rules and the rest... so I will look now.

(1) Remove this stuff; it can be very CPU intensive and, with HTTPS traffic being the norm, not as effective as it used to be. It's advanced config programming that one should avoid until you understand it.
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.c\
om|s.ytmig.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|google\
video.com|youtu.be|youtubekids.com).*\$"

(2) I don't usually do all the lists of firewall addresses etc., but no harm in that; not too much bloat, so to speak.

I would add this rule in the input chain just before the ICMP allow rule; it seems to be missing.
add action=drop chain=input comment="Drop invalid" connection-state=invalid

(3) I personally don't like providing all your SUBNETS full access to the router. Only the admin needs full access to the router.
So if there is only one subnet the admin will use to access and configure the router, that is the only subnet that should have full access to the router.
The other subnets should at least have access to the services provided by the router that they may be using (which they get now because you gave them full access).

Typically it's just DNS services (some have NTP services as well).
So I recommend the following idea.
Add this rule in front of the existing rule (otherwise you may lock yourself out due to the drop-all rule you have at the end of the input chain; great rule, but disable it while making these changes and then turn it back on to be on the safe side). When done and happy you can remove the old rule and re-enable the drop-all rule.

add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=\
AdminAccess in-interface-list=ServicePortOnly src-address-list=authorized

(The src-address-list=authorized matcher on that rule is optional.)

Basically here we limit full access to the router to your interface list entry of ServicePortOnly and, if you want to limit that further, only to the IP addresses of the admin's devices:
desktop, laptop, iPad, smartphone etc. (statically set in the DHCP leases). That is up to you.

(4) By the way, I noted that one subnet didn't get full access to the router, which means it would not be getting proper DNS services from the router either.
To fix that, and to provide the necessary services to the subnets no longer with full access, you need the following rules:

add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=AllLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=AllLAN protocol=udp

If you don't want the DVR to have DNS services, then my suggestion is to remove it from the AllLAN list.

(5) Now we get to the horror show of your forward chain... egads, butt ugly. Let's clean it up and simplify!!!

Reduce it to this:
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=AllLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"
(remember to remove DVR5 from AllLAN if it shouldn't have internet)

That's all you need, and the drop-all-else rule drops all other traffic (not already allowed LAN to LAN, LAN to WAN, WAN to LAN). Without the drop-all rule at the end, all the subnets could find each other because the router will route them at L3, and it's a very efficient way of doing this vice stating that all the subnets have to block traffic from each other in a larger number of rules!!

However, you do have all the firewall addresses and had a few more rules (that I don't use) but will see where they may fit.
Okay, only one rule really applies, and that is to block, just before allowing internet traffic from your subnets, any requests from those subnets that are to non-public IPs.
The rest are covered by the allow rule for only IPs from AllLAN and by the drop-all rule at the end.

add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward in-interface-list=AllLAN dst-address-list=not_in_internet
add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=AllLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"
(remember to remove DVR5 from AllLAN if it shouldn't have internet)
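The input and forward chains as laid out in this post, walked by a first-match evaluator. This is an added example in plain Python, not RouterOS script and not the thread's configuration: the rule order is transcribed from the post with the "allow" action written as "accept"; the interface-list and address-list memberships, the admin address, the interface names 3lan and 2service, and every sample packet are constructed for the example; and treating fasttrack-connection as a non-terminating marking step is a simplification assumed here.

```python
"""First-match walk through the input and forward chains suggested in this
thread. Added example in plain Python, not RouterOS script and not the
thread's configuration; list memberships and packets are constructed."""
from ipaddress import ip_address, ip_network

# Interface lists: names from the thread, membership assumed for the example.
INTERFACE_LISTS = {
    "WAN": {"1modem"},
    "ServicePortOnly": {"2service"},
    "AllLAN": {"2service", "3lan", "4wireless", "5DVR"},
}
# Address lists: 'authorized' is a constructed admin address; not_in_internet
# holds the RFC 6890 ranges that appear later in the thread's export.
ADDRESS_LISTS = {
    "authorized": ["192.168.88.10/32"],
    "not_in_internet": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                        "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
                        "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
                        "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4"],
}
# Rules in anav's order; every key except 'action' is a matcher, and a rule
# with no matchers is the catch-all drop at the end of the chain.
INPUT_CHAIN = [
    {"action": "accept", "connection_state": {"established", "related"}},
    {"action": "drop", "connection_state": {"invalid"}},
    {"action": "accept", "protocol": "icmp"},
    {"action": "accept", "in_interface_list": "ServicePortOnly", "src_address_list": "authorized"},
    {"action": "accept", "connection_state": {"new"}, "dst_port": 53, "protocol": "tcp",
     "in_interface_list": "AllLAN"},
    {"action": "accept", "connection_state": {"new"}, "dst_port": 53, "protocol": "udp",
     "in_interface_list": "AllLAN"},
    {"action": "drop"},
]
FORWARD_CHAIN = [
    {"action": "fasttrack-connection", "connection_state": {"established", "related"}},
    {"action": "accept", "connection_state": {"established", "related"}},
    {"action": "drop", "connection_state": {"invalid"}},
    {"action": "drop", "in_interface_list": "AllLAN", "dst_address_list": "not_in_internet"},
    {"action": "accept", "in_interface_list": "AllLAN", "out_interface_list": "WAN"},
    {"action": "accept", "connection_nat_state": "dstnat", "connection_state": {"new"},
     "in_interface": "1modem"},
    {"action": "drop"},
]


def in_address_list(addr, name):
    return any(ip_address(addr) in ip_network(net) for net in ADDRESS_LISTS[name])


def matches(rule, pkt):
    """True when every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "connection_state":
            ok = pkt["connection_state"] in want
        elif key.endswith("_interface_list"):     # in_interface_list -> pkt["in_interface"]
            ok = pkt[key[:-5]] in INTERFACE_LISTS[want]
        elif key.endswith("_address_list"):       # dst_address_list -> pkt["dst_address"]
            ok = in_address_list(pkt[key[:-5]], want)
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True


def evaluate(chain, pkt):
    """Action of the first terminating rule that matches. Assumed simplification:
    fasttrack-connection only marks the connection, so the walk continues to the
    paired accept rule. With no match at all RouterOS accepts, which is why the
    catch-all drop at the end of each chain matters."""
    for rule in chain:
        if matches(rule, pkt) and rule["action"] != "fasttrack-connection":
            return rule["action"]
    return "accept"


# Constructed sample packets; conntrack state travels with the packet here.
INPUT_PACKETS = {
    "wan_winbox":   dict(in_interface="1modem", src_address="203.0.113.7", protocol="tcp", dst_port=8291, connection_state="new"),
    "admin_winbox": dict(in_interface="2service", src_address="192.168.88.10", protocol="tcp", dst_port=8291, connection_state="new"),
    "wifi_dns":     dict(in_interface="4wireless", src_address="192.168.8.50", protocol="udp", dst_port=53, connection_state="new"),
    "wifi_winbox":  dict(in_interface="4wireless", src_address="192.168.8.50", protocol="tcp", dst_port=8291, connection_state="new"),
}
FORWARD_PACKETS = {
    "lan_to_internet":    dict(in_interface="3lan", out_interface="1modem", dst_address="93.184.216.34", protocol="tcp", dst_port=443, connection_state="new"),
    "wifi_to_dvr":        dict(in_interface="4wireless", out_interface="5DVR", dst_address="192.168.10.254", protocol="tcp", dst_port=8000, connection_state="new"),
    "portforward_to_dvr": dict(in_interface="1modem", out_interface="5DVR", dst_address="192.168.10.254", protocol="tcp", dst_port=8000, connection_state="new", connection_nat_state="dstnat"),
    "wan_unsolicited":    dict(in_interface="1modem", out_interface="3lan", dst_address="192.168.0.50", protocol="tcp", dst_port=445, connection_state="new"),
}


def verdicts():
    """Chain verdict for every sample packet, keyed by packet name."""
    out = {name: evaluate(INPUT_CHAIN, p) for name, p in INPUT_PACKETS.items()}
    out.update({name: evaluate(FORWARD_CHAIN, p) for name, p in FORWARD_PACKETS.items()})
    return out


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:20s} {verdict}")
```

Running it prints one verdict per packet: the WAN-side WinBox attempt from the first post falls through to the final input drop, the wireless client gets DNS but not WinBox, and a wireless-to-DVR packet is dropped by the not_in_internet rule before any later rule in the chain is consulted, which is the kind of ordering effect a first-match walk makes visible.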
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Mon Jul 19, 2021 6:41 pm

> Unless you intend on using the MT app with your router, this setting can be set to NONE:
> /interface detect-internet
> set detect-interface-list=all

I actually use the MikroTik mobile app. Quite handy when you want to block YouTube on your kids' PC on request. :D
You are referring to this https://play.google.com/store/apps/deta ... l=en&gl=US, right?

> The one thing I would do is remove the bridge, as it really serves no purpose here.
> You have four independent subnets, each assigned to a port, and thus the use of a bridge is not required (nor do you use VLANs).
> However, there is nothing wrong with the current setup as it will work, so you don't have to do anything; just a suggestion.

Thanks for the suggestion, I've removed the bridge. I actually wanted to remove it since yesterday as it seemed unused, but I wasn't sure of the impact.

> More important are the firewall rules and the rest... so I will look now.

Thanks in advance, will wait for your feedback.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Mon Jul 19, 2021 6:45 pm

Yes, that is the correct link, but I have to go wash my hands now, as I am an iPhone user LOL.
The bridge removal is fine.

When to use a bridge but not VLANs: when two or more ports are using the same DHCP settings, then using the bridge is effective in grouping ports for L2 separation from ports and subnets off the bridge. Keep in mind that all subnets require L3 firewall separation, including VLANs, and this is accomplished on the forward chain of firewall rules (in our case the last rule, block all else, does this for us).
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Mon Jul 19, 2021 7:51 pm

> (1) Remove this stuff; it can be very CPU intensive and, with HTTPS traffic being the norm, not as effective as it used to be. It's advanced config programming that one should avoid until you understand it.
> /ip firewall layer7-protocol
> add name=youtube regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.c\
> om|s.ytmig.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|google\
> video.com|youtu.be|youtubekids.com).*\$"

I used this for blocking YouTube during my kids' study period. Or is there another good way to block YouTube?
> (2) I don't usually do all the lists of firewall addresses etc., but no harm in that; not too much bloat, so to speak.
>
> I would add this rule in the input chain just before the ICMP allow rule; it seems to be missing.
> add action=drop chain=input comment="Drop invalid" connection-state=invalid

Added.
> (3) I personally don't like providing all your SUBNETS full access to the router. Only the admin needs full access to the router.
> So if there is only one subnet the admin will use to access and configure the router, that is the only subnet that should have full access to the router.
> The other subnets should at least have access to the services provided by the router that they may be using (which they get now because you gave them full access).
>
> Typically it's just DNS services (some have NTP services as well).
> So I recommend the following idea.
> Add this rule in front of the existing rule (otherwise you may lock yourself out due to the drop-all rule you have at the end of the input chain; great rule, but disable it while making these changes and then turn it back on to be on the safe side). When done and happy you can remove the old rule and re-enable the drop-all rule.
>
> add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=\
> AdminAccess in-interface-list=ServicePortOnly (AND OPTIONAL ----> ) src-address-list=authorized
>
> Basically here we limit full access to the router to your interface list entry of ServicePortOnly and, if you want to limit that further, only to the IP addresses of the admin's devices:
> desktop, laptop, iPad, smartphone etc. (statically set in the DHCP leases). That is up to you.

Yes, that is what happened the first time I played around with this router: I got locked out and in panic I reset the whole thing.
My general idea for this is so I can manage the router, wherever I am in the house covered by the WLAN, using my laptop or the MikroTik Android app.
(Just a little control freak.) Can the admin access be reversed? I.e. I ensure my devices' IPs are static in both wired and wireless, and list only those IPs that can have admin access.

> (4) By the way, I noted that one subnet didn't get full access to the router, which means it would not be getting proper DNS services from the router either.
> To fix that, and to provide the necessary services to the subnets no longer with full access, you need the following rules:
>
> add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
> connection-state=new dst-port=53 in-interface-list=AllLAN protocol=tcp
> add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
> connection-state=new dst-port=53 in-interface-list=AllLAN protocol=udp
>
> If you don't want the DVR to have DNS services, then my suggestion is to remove it from the AllLAN list.

Added. May I know where I should prioritise these 2 rules? After ICMP?
> (5) Now we get to the horror show of your forward chain... egads, butt ugly. Let's clean it up and simplify!!!
>
> Reduce it to this:
> add action=fasttrack-connection chain=forward comment=FastTrack \
> connection-state=established,related
> add action=accept chain=forward comment="Established, Related" \
> connection-state=established,related
> add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
> add action=allow comment="Allow internet traffic" in-interface-list=AllLAN out-interface-list=WAN (remember to remove DVR5 from AllLAn if shouldnt have internet)
> add action=allow comment="Allow port forwarding" connection-nat-state=dstnat \
> connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
> add action=drop chain=forward comment="Drop all else!"
>
> That's all you need, and the drop-all-else rule drops all other traffic (not already allowed LAN to LAN, LAN to WAN, WAN to LAN). Without the drop-all rule at the end, all the subnets could find each other because the router will route them at L3, and it's a very efficient way of doing this vice stating that all the subnets have to block traffic from each other in a larger number of rules!!

Done.

> add action=allow comment="Allow internet traffic" in-interface-list=AllLAN out-interface-list=WAN (remember to remove DVR5 from AllLAn if shouldnt have internet)
> add action=allow comment="Allow port forwarding" connection-nat-state=dstnat \

I can't find action=allow, so I assume action=accept?
All the previous drop rules are gone.
I'm still including the DVR in AllLAN as it needs internet for us to check.

> However, you do have all the firewall addresses and had a few more rules (that I don't use) but will see where they may fit.
> Okay, only one rule really applies, and that is to block, just before allowing internet traffic from your subnets, any requests from those subnets that are to non-public IPs.
> The rest are covered by the allow rule for only IPs from AllLAN and by the drop-all rule at the end.
>
> add action=fasttrack-connection chain=forward comment=FastTrack \
> connection-state=established,related
> add action=accept chain=forward comment="Established, Related" \
> connection-state=established,related
> add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
> add action=drop in-interface-list=AllLAN dst-address-list=not_in_internet
> add action=allow comment="Allow internet traffic" in-interface-list=AllLAN out-interface-list=WAN (remember to remove DVR5 from AllLAn if shouldnt have internet)
> add action=allow comment="Allow port forwarding" connection-nat-state=dstnat \
> connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
> add action=drop chain=forward comment="Drop all else!"

OK, this last part, is it similar to below?
I've attached the complete export as well.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="\"Drop invalid\"" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "block Just before allowing internet traffic from your subnets" \
    dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface=1modem log=\
    yes log-prefix=PortForwardedTraffic
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=\
    8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 \
    to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" \
    dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=\
    192.168.10.254 to-ports=8000
Noted on the bridge, and thanks, Apple fanboy LOL.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Mon Jul 19, 2021 8:35 pm

If the YouTube rules work for you, by all means; I am surprised they do LOL.

The problem regarding admin access is that you will need to change the
Tools > MAC Server > MAC WinBox Server entry for allowed interface from ServicePortOnly to ALL.
I recommend you reserve access from ServicePortOnly though.

If you do feel the need to access from all subnets, then don't use an interface list entry of ServicePortOnly if you want to be able to access the router from any subnet in the house.
In this case just ensure whatever device you use has a static lease on that subnet and add that to the firewall address list.
So you may have four different IP addresses for your smartphone or laptop, for example, on the firewall address list.

Not sure what you mean by whether admin access can be reversed??
Adding the DNS rules just before the block-all rule is fine, or after ICMP as well.

Now to look at the config...

Argg... the order of your rules is now messed up.
For easy reading and fewer errors, typically one has all the input rules grouped together and all the forward rules grouped together:
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related

add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="\"Drop invalid\"" connection-state=\
invalid
add action=drop chain=forward comment=\
"block Just before allowing internet traffic from your subnets" \
dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface=1modem log=\
yes log-prefix=PortForwardedTraffic

add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop all else!"


Also,
(1) You still have wide open address lists for subnets to the router vice an actual list of admin devices' IP addresses.
(2) The green block of rules in the middle should all be moved down as a group, just before the last DROP ALL rule in green, AKA after the invalid rule.
(3) The input chain rule for allowed access to the router should be moved down one, to below the invalid rule (well, see 4 first lol).
(4) The input chain rule for ICMP should be just after the invalid rule and before the allowed access rule.
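A parser for the export syntax quoted above, with the ordering checks anav applies, as an added example in Python (not a MikroTik tool and not the thread's own code). The sample input is the rule list dermawas posted, as quoted in this reply; the regrouping in reorder() follows points (2) and (3) above, and the check names (rules split into groups, accept before drop-invalid, drop-all not last) are this example's own.

```python
"""Parser and ordering check for the '/ip firewall filter' section of a RouterOS
export. Added example, not a MikroTik tool: the check names and reorder() are
this example's own; the sample export is the rule list posted in the thread."""
import re
import shlex

# Keys that do not select traffic; a drop rule with nothing else is a catch-all.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}


def parse_filter_rules(export_text):
    """One dict per 'add' line under /ip firewall filter; other menus are skipped."""
    joined = re.sub(r"\\\n\s*", "", export_text)      # undo '\' line continuations
    rules, menu = [], None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif menu == "/ip firewall filter" and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):      # shlex unescapes quoted comments
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def is_catch_all(rule): return rule["action"] == "drop" and not (set(rule) - NON_MATCHERS)

def is_drop_invalid(rule): return rule["action"] == "drop" and rule.get("connection-state") == "invalid"


def lint_order(rules):
    """Findings against anav's layout; an empty list means the order is clean."""
    findings = []
    chains = [r["chain"] for r in rules]
    blocks = [c for i, c in enumerate(chains) if i == 0 or chains[i - 1] != c]
    for chain in dict.fromkeys(chains):              # first-appearance order
        if blocks.count(chain) > 1:
            findings.append(f"{chain}: rules split into {blocks.count(chain)} groups")
        rs = [r for r in rules if r["chain"] == chain]
        catch_all = [i for i, r in enumerate(rs) if is_catch_all(r)]
        if not catch_all:
            findings.append(f"{chain}: no final drop-all rule")
        elif catch_all[0] != len(rs) - 1:
            findings.append(f"{chain}: drop-all is rule {catch_all[0] + 1} of {len(rs)}, not last")
        invalid = next((i for i, r in enumerate(rs) if is_drop_invalid(r)), None)
        if invalid is None:
            findings.append(f"{chain}: no drop-invalid rule")
            continue
        for r in rs[:invalid]:
            if r["action"] == "accept" and r.get("connection-state") != "established,related":
                label = r.get("comment") or "(no comment)"
                findings.append(f"{chain}: accept rule '{label}' precedes drop-invalid")
    return findings


def reorder(rules):
    """Regroup per anav's points (2) and (3): input chain before forward; inside a
    chain fasttrack/established-related first, drop-invalid next, the remaining
    rules in their posted order, and the catch-all drop last."""
    def rank(rule):
        stage = (0 if rule.get("connection-state") == "established,related"
                 else 1 if is_drop_invalid(rule) else 3 if is_catch_all(rule) else 2)
        return (rule["chain"] != "input", stage)
    return sorted(rules, key=rank)                   # stable sort keeps posted order within a stage


# The rule list dermawas posted, as exported (continuation lines included).
POSTED_EXPORT = r"""/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="\"Drop invalid\"" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "block Just before allowing internet traffic from your subnets" \
    dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface=1modem log=\
    yes log-prefix=PortForwardedTraffic
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop all else!"
"""


if __name__ == "__main__":
    posted = parse_filter_rules(POSTED_EXPORT)
    for finding in lint_order(posted):
        print("posted:", finding)
    print("reordered:", lint_order(reorder(posted)) or "clean")
```

On the posted list the linter reports the forward rules split into three groups and the input rules into two, plus three accept rules (the allowed_to_router rule and the two forward accepts) sitting ahead of their chain's drop-invalid rule; after reorder() it reports nothing. Note that it does not encode point (4), the ICMP-before-admin ordering, since that is a preference rather than a first-match correctness issue.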
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Mon Jul 19, 2021 8:46 pm

Okay, I missed this before...
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" \
dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=\
192.168.10.254 to-ports=8000

If you want the wifi network to be able to access the CCTV, that is a forward firewall chain rule; stick this just before the drop-all rule (assumes the CCTV is on 5DVR):

add chain=forward action=accept in-interface=4wireless out-interface=5DVR dst-address=192.168.10.254 dst-port=8000 protocol=tcp

The question I have is: what protections do you have against accessing the DVR from the outside?
Is there a simple username login? Is it encrypted?
In other words, your CCTV may be open to the world????
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Tue Jul 20, 2021 5:33 am

> If the YouTube rules work for you, by all means; I am surprised they do LOL.

They work, only on 1 PC, but don't work on the other, which is weird.
I've made a post about it here: viewtopic.php?f=13&t=176964

> The problem regarding admin access is that you will need to change the
> Tools > MAC Server > MAC WinBox Server entry for allowed interface from ServicePortOnly to ALL.
> I recommend you reserve access from ServicePortOnly though.
>
> If you do feel the need to access from all subnets, then don't use an interface list entry of ServicePortOnly if you want to be able to access the router from any subnet in the house.
> In this case just ensure whatever device you use has a static lease on that subnet and add that to the firewall address list.
> So you may have four different IP addresses for your smartphone or laptop, for example, on the firewall address list.
>
> Not sure what you mean by whether admin access can be reversed??

OK, I've updated the address list to access the WinBox service as such:
[attachment: winbox service.PNG]
Now it is only accessible from port 2 and 2 static IPs.

> Adding the DNS rules just before the block-all rule is fine, or after ICMP as well.
>
> Now to look at the config...
>
> Argg... the order of your rules is now messed up.
> For easy reading and fewer errors, typically one has all the input rules grouped together and all the forward rules grouped together:
> /ip firewall filter
> add action=fasttrack-connection chain=forward comment=FastTrack \
> connection-state=established,related
>
> add action=accept chain=input comment="default configuration" \
> connection-state=established,related
> add action=accept chain=input src-address-list=allowed_to_router
> add action=drop chain=input comment="\"Drop invalid\"" connection-state=\
> invalid
> add action=drop chain=forward comment=\
> "block Just before allowing internet traffic from your subnets" \
> dst-address-list=not_in_internet in-interface-list=AllLan
> add action=accept chain=forward comment="Allow internet traffic" \
> in-interface-list=AllLan out-interface-list=WAN
> add action=accept chain=forward comment="Allow port forwarding" \
> connection-nat-state=dstnat connection-state=new in-interface=1modem log=\
> yes log-prefix=PortForwardedTraffic
>
> add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
> connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
> add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
> connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
> add action=accept chain=input protocol=icmp
> add action=drop chain=input
> add action=accept chain=forward comment="Established, Related" \
> connection-state=established,related
> add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
> log=yes log-prefix=invalid
> add action=drop chain=forward comment="Drop all else!"
>
> Also,
> (1) You still have wide open address lists for subnets to the router vice an actual list of admin devices' IP addresses.
> (2) The green block of rules in the middle should all be moved down as a group, just before the last DROP ALL rule in green, AKA after the invalid rule.
> (3) The input chain rule for allowed access to the router should be moved down one, to below the invalid rule (well, see 4 first lol).
> (4) The input chain rule for ICMP should be just after the invalid rule and before the allowed access rule.

OK, this should be how it looks.
[attachment: firewall list sequence.PNG]
Rule number 8 should already follow your suggestion "(1) You still have wide open address lists for subnets to the router vice an actual list of admin devices' IP addresses."
Numbers 3 and 6 seem similar, only differing in input & forward; should 3 move to 6 and delete 6?
Please CMIIW, but rules number 2 & 10 are the same, so number 2 should be deleted?
Number 9 is also, I think, not needed? This drops everything that is input, similar to drop everything else in number 17.

Exported firewall as below:
# jul/20/2021 09:30:02 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytmig.com|ytimg.l.go\
ogle.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be|youtubekids.com).*\$"
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 \
in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 \
in-interface-list=AllLan protocol=udp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=\
invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Acces to router - Based on address list" \
src-address-list=allowed_to_router
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" \
dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan \
out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat \
connection-state=new dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless \
out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Drop youtube from Desktop DEHD" disabled=yes layer7-protocol=\
youtube src-address=192.168.0.242
add action=drop chain=forward comment="Drop youtube from Desktop QUNO" disabled=yes layer7-protocol=\
youtube src-address=192.168.8.100
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem \
protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 \
in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
Last edited by dermawas on Tue Jul 20, 2021 7:53 am, edited 5 times in total.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Tue Jul 20, 2021 5:40 am

Okay I missed this before.......
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" \
dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=\
192.168.10.254 to-ports=8000


If you want the wifi network to be able to access the CCTV, that is a forward firewall chain rule; stick this just before the drop-all rule (assumes the CCTV is on 5DVR):

add chain=forward action=accept in-interface=4wireless out-interface=5DVR dst-address=192.168.10.254 dst-port=8000 protocol=tcp
I've added the firewall rule (number 14 in the above post), but it seems something is missing.
I cannot see the camera through the Hikvision app from the wireless LAN, but I am able to see it from the Hikvision app on the mobile network (outside network).
The question I have is what protections do you have from accessing the DVR from the outside?
Is there a simple username login? Is it encrypted?

In other words, your CCTV may be open to the world????
In other words, yes, the DVR is open to the world.
But strangely I cannot access the DVR web menu from the outside network using the public IP or the no-ip DNS name which I set up for the DVR.
The DVR is only accessible from the Hikvision mobile app using the no-ip DNS name.


After fiddling around with the firewall sequence, moving "allowing wireless to access dvr" from 14 to 11
fwlistupdate.PNG
I am now able to see the camera from the wireless network, and I have added a new firewall rule to drop Winbox attempts from the internet.
winbox.PNG
Please let me know your feedback on this firewall setup; the export file is attached.
If it looks good I'll remove the disabled ones.
Last edited by dermawas on Tue Jul 20, 2021 8:08 am, edited 2 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Tue Jul 20, 2021 6:26 pm

Not going to comment until you fix the order of the rules.
You have added more lines that are not correct, or at least that I've never seen, such as a forward chain dst-nat rule, which I don't understand..........
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Tue Jul 20, 2021 7:39 pm

OK, I've cleaned up the firewall rule list
firewall list sequence 0.4.PNG
The config export is below.
# jul/20/2021 23:33:31 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 \
    in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
Just curious, which one haven't you seen?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: stopping login attempt to user admin

Tue Jul 20, 2021 7:47 pm

dermawas, one hint:

/interface detect-internet
set detect-interface-list=none


Without checking whether they are right or whether something is missing, this is the correct order of the ones already written:

/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related disabled=yes
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow to router" disabled=yes log=yes log-prefix=AdminAccess src-address-list=allowed_to_router
duplicated ---> add action=accept chain=input comment="Allow ADMIN to Router" disabled=yes log=yes log-prefix=AdminAccess src-address-list=allowed_to_router
add action=drop chain=input disabled=yes
add action=drop chain=forward comment="Drop youtube from Desktop DEHD" disabled=yes layer7-protocol=youtube src-address=192.168.0.242
add action=drop chain=forward comment="Drop youtube from Desktop QUNO" disabled=yes layer7-protocol=youtube src-address=192.168.8.100
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"
Last edited by rextended on Tue Jul 20, 2021 8:27 pm, edited 3 times in total.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Tue Jul 20, 2021 8:08 pm

Seno, one hint:
oh well, have to change user name...... :(
/interface detect-internet
set detect-interface-list=no


Without checking whether they are right or whether something is missing, this is the correct order of the ones already written:

/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related disabled=yes
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow to router" disabled=yes log=yes log-prefix=AdminAccess src-address-list=allowed_to_router
duplicated ---> add action=accept chain=input comment="Allow ADMIN to Router" disabled=yes log=yes log-prefix=AdminAccess src-address-list=allowed_to_router
add action=drop chain=input disabled=yes
add action=drop chain=forward comment="Drop youtube from Desktop DEHD" disabled=yes layer7-protocol=youtube src-address=192.168.0.242
add action=drop chain=forward comment="Drop youtube from Desktop QUNO" disabled=yes layer7-protocol=youtube src-address=192.168.8.100
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"

Thanks for the hint, so it should be like the following?
# jul/21/2021 00:05:20 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 \
    in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: stopping login attempt to user admin

Tue Jul 20, 2021 8:18 pm

this is useless ---->add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
because this exists:
add action=drop chain=input

You do not need to specify anything less general before that rule, which drops "all"!

There is a typo!
It must be set to none, not to "no":
/interface detect-internet
set detect-interface-list=none
Last edited by rextended on Tue Jul 20, 2021 8:28 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: stopping login attempt to user admin

Tue Jul 20, 2021 8:19 pm

oh well, have to change user name...... :(
It was a veiled suggestion... correct your post by removing it from the text and the various exports...

/system script
owner=dermawas
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Tue Jul 20, 2021 10:18 pm

rextended, the OP sometimes uses the MT App to access the router, and thus detect-internet is useful, I believe......... (they are linked somehow).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: stopping login attempt to user admin

Tue Jul 20, 2021 10:28 pm

OP, I don't know if you are actually a thinking being or just copying down stuff and hoping for the best.
It's time you start understanding the config, not just copy & paste incorrectly LOL

Here is your input chain .................what is wrong??
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=drop chain=input

(1) How will you as admin access the router???
Yup missing the input chain rule of accept for your Interface-list or your firewall address list etc...

(2) Why do you have a drop winbox rule?? Hint look at the last rule, it already does this for you!!!! thus not needed.

(3) This rule does not belong in the forward chain, it's a NAT RULE!! (and you already have a NAT rule for this traffic!!)
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new \
dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp

(4) Still not convinced you need a NAT rule to allow the wifi interface access to a single device in the DVR interface, as this is normally just a forward chain rule.
Not
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
BUT this
add action=accept chain=forward in-interface=WIFI4 out-interface=DVR5 dst-address=192.168.10.254 (optional to add dst-port and protocol)
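The two review points above, the missing admin accept (1) and the redundant Winbox drop (2), both come down to first-match evaluation: the first rule whose matchers all fit the packet decides, and nothing after it is consulted. The following is an added example, not code from the thread or from MikroTik: a small Python model of the posted input chain in which every matcher that is set must match, as in a RouterOS chain. The interface names, address lists and sample packets are constructed to mirror the export in the thread; the rule comments are assumed labels, not anything the router checks.

```python
# Added example (not from the thread or from MikroTik): a first-match model of
# the posted input chain, showing why it locks the admin out and why the
# "Drop Winbox on WAN" rule changes no verdict. Interface names, address lists
# and the sample packets are constructed to mirror the export in the thread.
from dataclasses import dataclass
from typing import Optional

# Constructed lists matching the export above.
ADDRESS_LISTS = {"allowed_to_router": {"192.168.0.242", "192.168.8.100"}}
INTERFACE_LISTS = {"AllLan": {"2local", "3wired", "4wireless", "5DVR"}}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst_port: int
    proto: str
    state: str  # new | established | related | invalid


@dataclass(frozen=True)
class Rule:
    action: str
    comment: str
    in_iface: Optional[str] = None
    in_iface_list: Optional[str] = None
    src_list: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    states: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must match; an unset matcher matches anything."""
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.in_iface_list is not None and p.in_iface not in INTERFACE_LISTS[self.in_iface_list]:
            return False
        if self.src_list is not None and p.src not in ADDRESS_LISTS[self.src_list]:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def evaluate(chain, p: Packet):
    """The first matching rule decides the verdict; later rules are never consulted."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.comment
    return "accept", "(no rule matched)"


# The input chain as posted: no accept for the admin, and a Winbox-on-WAN drop
# sitting in front of the final catch-all drop.
POSTED_INPUT = [
    Rule("accept", "Established, Related", states=frozenset({"established", "related"})),
    Rule("drop", "Drop invalid", states=frozenset({"invalid"})),
    Rule("accept", "Allow LAN DNS queries - TCP", in_iface_list="AllLan", dst_port=53, proto="tcp", states=frozenset({"new"})),
    Rule("accept", "Allow LAN DNS queries-UDP", in_iface_list="AllLan", dst_port=53, proto="udp", states=frozenset({"new"})),
    Rule("accept", "Allow ICMP", proto="icmp"),
    Rule("drop", "Drop Winbox on WAN", in_iface="1modem", dst_port=8291, proto="tcp"),
    Rule("drop", "drop all else"),
]

# The rule point (1) asks for: accept management traffic from the address list.
ADMIN_ACCEPT = Rule("accept", "Allow to router", src_list="allowed_to_router")


def fixed_input():
    """Points (1) and (2) applied: remove the redundant drop, insert the admin
    accept just before the catch-all drop."""
    chain = [r for r in POSTED_INPUT if r.comment != "Drop Winbox on WAN"]
    chain.insert(len(chain) - 1, ADMIN_ACCEPT)
    return chain


# Constructed sample traffic: a new Winbox session from the admin PC on the
# wired LAN, a Winbox probe arriving on the WAN port, and a LAN DNS query.
ADMIN_WINBOX = Packet("2local", "192.168.0.242", 8291, "tcp", "new")
WAN_WINBOX = Packet("1modem", "203.0.113.7", 8291, "tcp", "new")
LAN_DNS = Packet("4wireless", "192.168.10.20", 53, "udp", "new")
SAMPLES = [ADMIN_WINBOX, WAN_WINBOX, LAN_DNS]


def is_redundant(chain, comment, samples=SAMPLES) -> bool:
    """A rule is redundant when removing it changes no verdict for any sample."""
    without = [r for r in chain if r.comment != comment]
    return all(evaluate(chain, p)[0] == evaluate(without, p)[0] for p in samples)


if __name__ == "__main__":
    for p in SAMPLES:
        print(p.in_iface, p.src, p.dst_port, "posted:", evaluate(POSTED_INPUT, p), "fixed:", evaluate(fixed_input(), p))
    print("Drop Winbox on WAN redundant:", is_redundant(POSTED_INPUT, "Drop Winbox on WAN"))
```

Run as posted, the admin's own Winbox session falls through to the catch-all drop; with the accept from the address list placed before that drop it is accepted, while the WAN probe is still dropped by the final rule, so the specific Winbox drop only duplicates a verdict the catch-all already produces (on a real router the only difference would be that rule's own counters and log prefix). The same first-match reasoning applies to the forward chain in points (3) and (4): the wireless-to-DVR accept must sit before any drop that matches that traffic, which is why moving it earlier in the sequence made the camera reachable.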
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin  [SOLVED]

Wed Jul 21, 2021 12:52 pm

OP, I don't know if you are actually a thinking being or just copying down stuff and hoping for the best.
It's time you start understanding the config, not just copy & paste incorrectly LOL
lol, I am tempted to do that. I turned detect internet to none, but I can't stand opening the app without the internet connection status.
Is it a vulnerability to have detect internet set?
Here is your input chain .................what is wrong??
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=drop chain=input

(1) How will you as admin access the router???
Yup missing the input chain rule of accept for your Interface-list or your firewall address list etc...
Yep, realised it last night, so I've added
add action=accept chain=input comment="Allow winbox to connect from listed IP" dst-address=192.168.88.1 src-address-list=allowed_to_router
(2) Why do you have a drop winbox rule?? Hint look at the last rule, it already does this for you!!!! thus not needed.
Okay, it's removed. It was added previously when I checked that there were two drop-all rules and I disabled one of them :D
(3) This rule does not belong in the forward chain, it's a NAT RULE!! (and you already have a NAT rule for this traffic!!)
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new \
dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp

(4) Still not convinced you need a NAT rule to allow the wifi interface access to a single device in the DVR interface, as this is normally just a forward chain rule.
Not
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
BUT this
add action=accept chain=forward in-interface=WIFI4 out-interface=DVR5 dst-address=192.168.10.254 (optional to add dst-port and protocol)
OK, I've created it as you suggested and put it before the "Block Just before allowing internet traffic from your subnets" rule, and it works.

Looks like the firewall list is OK now; the export file is attached if you want to view it.
And about the YouTube rules, yep, you're right. They no longer work, so I've deleted them.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: stopping login attempt to user admin

Wed Jul 21, 2021 1:56 pm

One question: are you forced to use 74:DA:DA:83:AB:FE as the MAC address???

Duplicate logging: the prefix does not "choose" anything, you simply log the same thing twice. Better to remove the prefix here and set the prefix only on the firewall rules:

dermawas code

/system logging
add prefix=PortForwardedTraffic topics=firewall
remove-this --> add prefix=WirelessToDVR topics=firewall

Always provide two DNS servers; not all devices work correctly with only one... (and use the faster 1.1.1.1 DNS)
Paste this in the terminal:
/ip dhcp-server network
set [find] dns-server=1.1.1.1,8.8.8.8

If I can suggest a cosmetic change, it is useful when asking for help on the forum, without making the export harder to read:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-modem comment="MAC 74:DA:DA:83:AB:FE"
set [ find default-name=ether2 ] name=ether2-local
set [ find default-name=ether3 ] name=ether3-wired
set [ find default-name=ether4 ] name=ether4-wireless
set [ find default-name=ether5 ] name=ether5-DVR

/interface list
set AllLan name=LAN

/ip pool
set dhcp_pool0 name=pool-local
set dhcp_pool4 name=pool-wired
set dhcp_pool3 name=pool-wireless
set dhcp_pool5 name=pool-DVR

/ip dhcp-server
set dhcp2local name=dhcp-local
set dhcp3wired name=dhcp-wired
set dhcp4wlan name=dhcp-wireless
set dhcp5dvr name=dhcp-DVR

You can also update the NO-IP script:

change code

FROM
:local inetinterface "1modem"

TO
:local inetinterface [/int eth get [find default-name=ether1] name]
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Wed Jul 21, 2021 2:14 pm

One question: are you forced to use 74:DA:DA:83:AB:FE as the MAC address???
Yep, the ISP is very picky about the MAC address that connects to their modem.
Duplicate logging: the prefix does not "choose" anything, you simply log the same thing twice. Better to remove the prefix here and set the prefix only on the firewall rules:

dermawas code

/system logging
add prefix=PortForwardedTraffic topics=firewall
remove-this --> add prefix=WirelessToDVR topics=firewall
Kewl, have removed WirelessToDVR
Always provide two DNS servers; not all devices work correctly with only one... (and use the faster 1.1.1.1 DNS)
Paste this in the terminal:
/ip dhcp-server network
set [find] dns-server=1.1.1.1,8.8.8.8
OK, this is done too.
If I can suggest a cosmetic change, it is useful when asking for help on the forum, without making the export harder to read:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-modem comment="MAC 74:DA:DA:83:AB:FE"
set [ find default-name=ether2 ] name=ether2-local
set [ find default-name=ether3 ] name=ether3-wired
set [ find default-name=ether4 ] name=ether4-wireless
set [ find default-name=ether5 ] name=ether5-DVR

/interface list
set AllLan name=LAN

/ip pool
set dhcp_pool0 name=pool-local
set dhcp_pool4 name=pool-wired
set dhcp_pool3 name=pool-wireless
set dhcp_pool5 name=pool-DVR

/ip dhcp-server
set dhcp2local name=dhcp-local
set dhcp3wired name=dhcp-wired
set dhcp4wlan name=dhcp-wireless
set dhcp5dvr name=dhcp-DVR
OK, for this I'll keep my naming, as it is more familiar to me, but I have added the MAC address in the comment for the interface.
Thanks
You can also update the NO-IP script:

change code

FROM
:local inetinterface "1modem"

TO
:local inetinterface $[/int eth get [find default-name=ether1] name]
For this I'll need to find some time to change it, as I want to test it first.

:local inetinterface $[/int eth get [find default-name=ether1] name] Is this automatic? So it will search ether1 for the inetinterface, or if the modem uses ether2 it will change to ether2 also?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: stopping login attempt to user admin

Wed Jul 21, 2021 2:32 pm

:local inetinterface $[/int eth get [find default-name=ether1] name]
Is this automatic?
So it will search ether1 for the inetinterface, or if the modem uses ether2 it will change to ether2 also?
No, the change for ether1 / 2 / 3 etc. is still manual, but it works regardless of the name you use for ether1.
This is for the "cosmetic change"; the rest of the script is full of errors, but that is not the topic here.
Last edited by rextended on Wed Jul 21, 2021 2:41 pm, edited 4 times in total.
 
dermawas
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Jul 10, 2021 7:06 am

Re: stopping login attempt to user admin

Wed Jul 21, 2021 2:38 pm

:local inetinterface $[/int eth get [find default-name=ether1] name]
Is this automatic?
So it will search ether1 for the inetinterface, or if the modem uses ether2 it will change to ether2 also?
No, the change for ether1 / 2 / 3 etc. is still manual, but it works regardless of the name you use for ether1.
This is for the "cosmetic change"; the rest of the script is full of errors, but that is not the topic here.
Oh OK, got it.

I'm not sure about the script; I got it somewhere in the forum to update no-ip hahaha.
As long as it works :D
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: stopping login attempt to user admin

Wed Jul 21, 2021 2:40 pm

For example this:

original code

# Strip the net mask off the IP address
:for i from=( [:len $currentIP] - 1) to=0 do={
    :if ( [:pick $currentIP $i] = "/") do={
        :set currentIP [:pick $currentIP 0 $i]
    }
}
Errors:
Why complicate an easy thing?
It doesn't stop at the first occurrence of "/"
currentIP is changed within the function
currentIP is fetched not from the beginning (-1) but from the 1st character (0) [it is the same, but conceptually, and in some cases, it changes...]

It must simply be written as:

rextended code

# Strip the net mask off the IP address
:set currentIP [:pick $currentIP -1 [:find $currentIP "/" -1]]
Pick currentIP from the beginning (-1) to where you first find "/" in currentIP [searching from the beginning (-1)]