fess
just joined
Topic Author
Posts: 3
Joined: Tue Aug 25, 2015 2:12 am

block rdp on mikrotik

Tue Aug 25, 2015 2:26 am

Hello everyone, I try to block all RDP traffic to an IP address, but my rules didn't work.
Here are the rules:
ip firewall filter> add action=drop chain=input dst-address=192.168.88.* dst-port=rdp
or
add chain=input connection-state=new dst-address=192.168.88.* dst-port=rdp action=drop
I don't know how to fix this problem, please help me.
 
marting
Member Candidate
Posts: 172
Joined: Thu Aug 21, 2014 2:07 pm

Re: block rdp on mikrotik

Tue Aug 25, 2015 10:51 am

Multiple issues:
First of all, the input chain only handles connections to the router itself, not to other equipment. So the forward chain is the way to go.
192.168.88.* is not a valid address or netmask. You probably want to use 192.168.88.0/24.
dst-port must be numeric, no named protocols like rdp, smtp, ssh and so on. Microsoft's default RDP port is 3389. Furthermore you need to specify the layer 4 protocol (TCP, UDP, ...).
So the correct rule for disabling all RDP access on default port (ingoing AND outgoing):
/ip firewall filter add chain=forward protocol=tcp dst-port=3389 action=reject reject-with=tcp-reset

To reject only access from WAN interface (assuming ether1) you should go like this:
/ip firewall filter add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 action=reject reject-with=tcp-reset
Keep in mind that connections already established will stay open because of the common ESTABLISHED,RELATED rules.

But I think your way is not straightforward. Do not block the things you don't want, but allow the things you want and reject all the rest.
 
fess
just joined
Topic Author
Posts: 3
Joined: Tue Aug 25, 2015 2:12 am

Re: block rdp on mikrotik

Tue Aug 25, 2015 1:15 pm

Thanks for the help, but these rules didn't work. I still can connect to the computer via RDP.
Then I tried this rule:
ip firewall filter add chain=forward dst-address=192.168.88.248 protocol=rdp action=drop or action=reject, but they didn't work too.
 
marting
Member Candidate
Posts: 172
Joined: Thu Aug 21, 2014 2:07 pm

Re: block rdp on mikrotik

Tue Aug 25, 2015 1:54 pm

You can not use protocol=rdp. This is absolutely wrong. Protocol RDP stands for Reliable Data Protocol and has NOTHING to do with the Remote Desktop Protocol that you mean.
Remote Desktop is based on TCP and uses port 3389 by default.

I'm 99.9% sure my rule is correct, so please post an export of your configuration if you want more help.
 
BartoszP
Forum Guru
Posts: 2879
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: block rdp on mikrotik

Tue Aug 25, 2015 2:00 pm

The main question is:
Do you want to block MS RDP going from LAN to LAN devices, or from LAN to devices on the WAN side, or just block access from the WAN side to any device on the LAN side?
 
marting
Member Candidate
Posts: 172
Joined: Thu Aug 21, 2014 2:07 pm

Re: block rdp on mikrotik

Tue Aug 25, 2015 2:07 pm

I just thought about it and I guess he tries to block RDP within his private LAN, which probably will not work as he expected because his PCs share the same subnet using the switch feature or a bridge or even a separate switch, so firewall filtering will never take place.

fess: Please describe in detail which devices are connected, what you are trying to do and what's your current config.
 
fess
just joined
Topic Author
Posts: 3
Joined: Tue Aug 25, 2015 2:12 am

Re: block rdp on mikrotik

Tue Aug 25, 2015 7:53 pm

Thanks for the help. I want to block RDP going from LAN to LAN. I have a WAN port and bridge-local. All my PCs connect to my MikroTik. I share RDP on my PC and try to block it in my LAN, and all my PCs are in the same LAN.
 
marting
Member Candidate
Posts: 172
Joined: Thu Aug 21, 2014 2:07 pm

Re: block rdp on mikrotik

Wed Aug 26, 2015 1:19 pm

/ip firewall filter does not apply to bridged ports.

The first thing you could try is to enable "Use IP Firewall" under Bridge -> Settings: http://wiki.mikrotik.com/wiki/Manual:In ... e_Settings

The other thing is a separate Bridge Firewall: http://wiki.mikrotik.com/wiki/Manual:In ... e_Firewall
The rule could look something like this:
/interface bridge filter add chain=forward mac-protocol=ip ip-protocol=tcp dst-address=192.168.88.248/32 dst-port=3389 action=drop
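The mistakes marting lists in his first reply (input vs. forward chain, the 192.168.88.* wildcard, a service name in dst-port, the missing layer 4 protocol, protocol=rdp being IP protocol 27 rather than Remote Desktop) and the bridged-LAN point in his last post can be turned into a small rule linter. The script below is an added example, not code from the thread or from MikroTik; it only checks the rule text and assumes you tell it whether bridge settings use-ip-firewall is enabled.

```python
import ipaddress
import re

def parse_rule(line: str) -> dict:
    """Turn '... add chain=forward dst-port=3389 ...' into a key/value dict."""
    m = re.search(r"\badd\s+(.*)", line)
    body = m.group(1) if m else line
    return dict(tok.split("=", 1) for tok in body.split() if "=" in tok)

def lint_rule(line: str, bridge_ip_firewall: bool = True) -> list:
    """Return the problems from the thread that apply to one /ip firewall filter rule.
    bridge_ip_firewall mirrors '/interface bridge settings use-ip-firewall' (assumed input)."""
    r = parse_rule(line)
    problems = []
    if r.get("chain") == "input":
        problems.append("chain=input only matches traffic to the router itself; use chain=forward")
    for key in ("src-address", "dst-address"):
        if key in r:
            try:
                ipaddress.ip_network(r[key], strict=False)   # rejects 192.168.88.*
            except ValueError:
                problems.append(f"{key}={r[key]} is not a valid address/CIDR (e.g. 192.168.88.0/24)")
    if "dst-port" in r:
        if not re.fullmatch(r"\d+(-\d+)?(,\d+(-\d+)?)*", r["dst-port"]):
            problems.append("dst-port must be numeric (Remote Desktop defaults to 3389), not a service name")
        if "protocol" not in r:
            problems.append("dst-port only matches together with protocol=tcp or protocol=udp")
    if r.get("protocol") == "rdp":
        problems.append("protocol=rdp is Reliable Data Protocol (IP protocol 27), not Remote Desktop; "
                        "use protocol=tcp dst-port=3389")
    if r.get("chain") == "forward" and not bridge_ip_firewall:
        problems.append("hosts on one bridge are switched, not routed: /ip firewall filter is skipped "
                        "unless use-ip-firewall=yes, or use /interface bridge filter instead")
    return problems

# The three rules quoted in the thread, embedded here as constructed sample input.
RULES = [
    "ip firewall filter> add action=drop chain=input dst-address=192.168.88.* dst-port=rdp",
    "ip firewall filter add chain=forward dst-address=192.168.88.248 protocol=rdp action=drop",
    "/ip firewall filter add chain=forward protocol=tcp dst-port=3389 action=reject reject-with=tcp-reset",
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule)
        for p in lint_rule(rule, bridge_ip_firewall=False) or ["ok"]:
            print("  -", p)
```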
