neticted
Member Candidate
Topic Author
Posts: 137
Joined: Wed Jan 04, 2012 10:36 am

Mikrotik open proxy becomes a real issue

Sat Apr 29, 2017 1:45 pm

Malicious-IP blocklisting sites have started warning users about Mikrotik routers regarding open proxies. This issue has escalated so much that it is now officially warned about!

I guess it is finally time for Mikrotik staff to take this issue seriously and allow the Mikrotik proxy to be set on a per-interface basis, with the default being not attached to any interface until specifically set.

Now, the moment the web proxy is enabled, it is open on all interfaces including WAN interfaces, which not only makes no sense but is dangerous, making the router vulnerable. This has to be changed.

In the real world, when one runs a service, one has the option to bind it to specific interfaces. Mikrotik does not offer this, even after it was asked for by users on numerous occasions in the past.

The same issue exists with the DNS service; it is also by default attached to WAN interfaces, making the router vulnerable.

The default MUST be safe, and that means such services, when enabled, should not by default be available on WAN interfaces. Currently, the admin has to additionally set firewall rules to block access to such services from the public network, which is ridiculous, as the service should not be bound to those interfaces at all.
Last edited by neticted on Sat Apr 29, 2017 3:07 pm, edited 1 time in total.
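As an added example (not part of the original post), here is the exposure the post describes and the RouterOS 6.x controls that currently close it: the proxy's own access list, the firewall input chain for DNS (which has no access list of its own), and the address restriction in IP->Services. Interface names (ether1 as WAN, bridge as LAN) and the LAN subnet 192.168.88.0/24 are assumptions.

```routeros
# Added example, not from the original post. RouterOS 6.x CLI.
# Assumptions: ether1 is the WAN uplink, bridge is the LAN, LAN is 192.168.88.0/24.

# --- the risky state the post describes ---
# Enabling the proxy makes it listen on every interface, WAN included.
/ip proxy set enabled=yes port=8080
# Same for the resolver: remote requests are answered on every interface,
# and /ip dns has no address or interface restriction at all.
/ip dns set allow-remote-requests=yes

# --- 1. proxy: use its own access list (evaluated top to bottom) ---
/ip proxy access add src-address=192.168.88.0/24 action=allow comment="LAN clients only"
/ip proxy access add action=deny comment="deny everyone else, WAN included"

# --- 2. DNS (and the proxy port, belt and braces): the firewall is the only control ---
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop place-before=0 comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop place-before=0 comment="no DNS (tcp) from WAN"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=8080 action=drop place-before=0 comment="no proxy from WAN"

# --- 3. management services have an address restriction in IP->Services ---
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes

# --- 4. SOCKS follows the proxy pattern (own /ip socks access list); keep it off ---
/ip socks set enabled=no

# --- verify: rules and hit counters ---
/ip proxy access print
/ip firewall filter print stats where chain=input
```

Verify from outside the LAN: `curl -x <WAN-IP>:8080 http://example.com/` should fail to connect and `dig @<WAN-IP> example.com` should time out. The proxy access list alone still completes the TCP handshake and then denies the request, so port scanners keep reporting 8080 as open; the firewall drop is what makes the port disappear. The firewall rules are inserted at the top of the chain with place-before=0 so an existing accept rule cannot shadow them.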
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: Mikrotik open proxy becomes a real issue

Sat Apr 29, 2017 2:31 pm

Proxy is not enabled by default.
Also default firewall drops all incoming traffic IIRC.

I don't see what the problem with RouterOS is. What you describe is bad configuration on your part.
 
neticted
Member Candidate
Topic Author
Posts: 137
Joined: Wed Jan 04, 2012 10:36 am

Re: Mikrotik open proxy becomes a real issue

Sat Apr 29, 2017 3:07 pm

The proxy is not enabled by default, but when enabled it is bound to all interfaces, which is wrong.

You are wrong about me, but your response is kind of expected. I have no problems with this, as I set this up each time I have to deal with a router. However, this is an issue, as it requires advanced thinking: enabling the proxy itself makes the router vulnerable, which is not obvious.

If there were an option to select which interfaces to bind to, it would be obvious which interfaces the proxy is bound to. It is a matter of common sense, usability and good security. The user should have to make the router vulnerable by doing something wrong, not by not doing something to fix bad design.

I pointed out an issue: blacklisting services NOW WARN PEOPLE ABOUT MIKROTIK! They do not say "Check if you have an open proxy", they say "If you use Mikrotik then check if you have an open proxy".

Mikrotik is now publicly stigmatized as BAD! This is bad for business, not just for Mikrotik itself but for everyone who sells Mikrotik as a routing platform.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Mikrotik open proxy becomes a real issue

Sat Apr 29, 2017 3:15 pm

There is a way to take care of traffic incoming to whatever port right from the first packet. Its name is the firewall, and the traffic goes to it first, and then and only then, if it is allowed to pass, does it reach the internal service. If you configure the firewall correctly you have all the security in one place. Nothing more is needed and I would say it would even be counterproductive.

I respect your opinion but hope it will not be heard.
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: Mikrotik open proxy becomes a real issue

Sat Apr 29, 2017 3:31 pm

I agree that it would be useful for all mikrotik services to have the ability to bind to specific interfaces. It's a nice feature request for some use cases and would be mostly welcomed if Mikrotik finally decided to implement it.

But in your specific case (the way you describe it, at least) it's not needed at all. You ask for it more for convenience than for security.

There's nothing to warn about.
Do you see any warnings on mailservers saying that if you configure it as an open relay you will get blacklisted? You are supposed to know what you are doing.

Same goes for Cisco or other vendors. I've never seen warnings like the one you propose. When you use advanced network equipment it's your responsibility to know how it works. If you think that it's 'too advanced', there are always the D-Links and TP-Links for the masses :P
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik open proxy becomes a real issue

Sat Apr 29, 2017 5:46 pm

There are some conflicting interests here. For example, this was previously brought up for DNS several times. Current MikroTik's position is that everything is safe by default, because there's firewall and it blocks incoming connections from WAN. It's true, there's drop rule with in-interface=<WAN>. But then user manually adds another WAN (e.g. PPPoE) and suddenly there's no protection, because input's default action is accept. The suggestion was to use reverse approach, allow connections from LAN (well, rather "interface currently configured as LAN", because there's no hard set LAN or WAN in RouterOS) and have default unconditional drop rule at the end. MikroTik's response was along the lines that it would help, but then when users would add e.g. another LAN, they could be confused, because everything from there would be by default blocked, they would not know what to do, would think the router is broken, and so on. And that's true too. Now what to choose? One approach is clearly better for security, but the other one makes sense too, especially for MikroTik, because they don't want users returning "broken" routers.

Another thing is the access control options currently available in RouterOS. In short, they're not good. Some services (winbox, ssh, ...) can be configured in IP->Services and you can set allowed IP subnets. Others (socks, web proxy) have their own access rules. SMB has its own option to select allowed interfaces. And DNS doesn't have anything like that at all. This is clearly bad for users (even advanced ones). These settings need to be available for *all* services; we should be able to allow requests from selected IP subnets, interfaces and interface lists for any of them. Preferably in one common place (*1).

But even if we get these nice access control options for everything, there's still the problem of what the defaults should be (see first paragraph). Remember, it's not about me, you and others who do know something about RouterOS; we'll always get by. But there are millions of users who don't know anything and just got the router because someone told them it's better than others. If it's too complicated for them, it's bad for MikroTik's sales. If it's too easy to mess up, it's bad for everyone (DDoS attacks using misconfigured routers, ...) and for MikroTik's reputation too (even though it's not completely fair to blame them). It needs the right balance... and I'm not saying it's easy to find it.

-
(*1) It might sort of "conflict" with advanced access options used by socks and web proxy. I don't see a major problem with it, even if it would mean that there would be "basic" access rules for service in IP->Services and more detailed ones where they are now. Someone might not like that ("same" options in two places), but I think it's solvable, there could be e.g. some kind of link to the other place, so nobody would get lost.
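The two input-chain defaults compared in the post above, as an added example that is not part of the original post, written with interface lists (available since RouterOS 6.36; the older default configuration uses in-interface=ether1 instead). Interface names ether1, ether2, ether5, bridge and pppoe-out1, and the PPPoE credentials, are placeholders.

```routeros
# Added example, not from the original post. RouterOS 6.36+ CLI (interface lists).
# Placeholders: ether1 = WAN, bridge = LAN, ether2 = second uplink, ether5 = second LAN.

/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

# rules both approaches share
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input protocol=icmp action=accept

# --- approach A (current default): deny the known WAN, accept everything else ---
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="A: drop input from WAN"
# The input chain's built-in default action is accept, so that one rule is the whole policy.

# The failure mode: a second uplink appears (placeholder credentials) ...
/interface pppoe-client add name=pppoe-out1 interface=ether2 user=isp-user password=isp-pass add-default-route=yes disabled=no
# ... and pppoe-out1 is not in the WAN list, so every service on the router
# (DNS, proxy, winbox, ...) is reachable from it. Nothing fails loudly. The fix:
/interface list member add list=WAN interface=pppoe-out1

# --- approach B (the suggested reverse): accept the known LAN, drop everything else ---
/ip firewall filter remove [find comment="A: drop input from WAN"]
/ip firewall filter add chain=input in-interface-list=LAN action=accept comment="B: accept input from LAN"
/ip firewall filter add chain=input action=drop comment="B: drop from any other interface, present or future"

# Under B a new uplink is closed without anyone remembering to list it.
# The price is MikroTik's objection: a new LAN segment is cut off from the
# router (no DNS, no winbox) and looks "broken" until it is listed:
/ip address add address=192.168.89.1/24 interface=ether5
/interface list member add list=LAN interface=ether5

# Which rule is matching? The counters tell you.
/ip firewall filter print stats where chain=input
```

Paste the script on a lab router, not a production one: it replaces the A rule with the B pair in place. Under A, test by connecting to port 53 or 8080 on the pppoe-out1 address before and after the list membership is added; under B, test that clients on ether5 cannot reach the router until it is in the LAN list. The print stats line shows which rule each probe hit.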
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: Mikrotik open proxy becomes a real issue

Mon May 01, 2017 9:10 am

The major problem in understanding comes from missing the target of Mikrotik ROS itself. It's not a consumer-grade router and no fancy web panels can change that. RouterOS was built for users with solid network knowledge; this comes with ultimate flexibility and 101 ways to shoot yourself in the foot.
While the option to bind services to specific interfaces might be useful, it's not a high priority for anyone who works with networks and is used to configuring a firewall. Don't get me wrong guys, but saying that this will protect in case of "accidents" where the user adds a new WAN is just missing the point of what ROS is. If I set the /root folder to 0777, should I be surprised that a normal user removed or altered root's stuff? No one asks any distribution to magically do something to protect users from setting /root to 0777; everyone just knows that improper configuration of permissions will cause problems... and improper configuration of the firewall will expose services and will cause problems...
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Mikrotik open proxy becomes a real issue

Mon May 01, 2017 9:38 am

Exactly. Maybe Mikrotik could open a new line of devices, like Cisco with Linksys, if the customers ask for it...
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik open proxy becomes a real issue

Mon May 01, 2017 5:00 pm

It's not a consumer-grade router ...
Yes and no. Take a look at routerboard.com and I think you'll agree that quite a few of those products are targeted at consumers.

It seems to me that every time a request to make RouterOS a little more secure (read "foolproof") is made, some people read it as a request to dumb it down. But it's not the same thing. I'd be the first one to protest if it were the latter, as I like all the features and possibilities. I mean, 101 ways to shoot myself in the foot? Not enough, I want at least 102! :) But the goal here is to have something that will prevent the most common accidents, nothing more.

I also don't think that a new line of devices with an (implied) simplified interface is a good idea. Every other manufacturer has those; what could MikroTik offer in this competition? It's the unique user interface and the possibilities offered by RouterOS that make the difference; you can't take any of it away.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Mikrotik open proxy becomes a real issue

Mon May 01, 2017 7:31 pm

Well. We can have many ideas and different opinions on them. But how does it help, and whom? For example, I wouldn't carry a gun with a safety switch here and a lock there and a reloading voice guide talking from my phone. Hell no. I want to shoot right when I press the trigger and not fight with the foolproof mechanism. Only without safety latches and switches do I know that my guns are loaded and ready to fire. Always. The same with routers. Overcomplicated foolproof security is just a source of failures.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik open proxy becomes a real issue

Mon May 01, 2017 9:08 pm

For a moment, I had a thought about using a gun's safety switch as a positive example. Then I thought I'd rather not, because the mere mention of guns tends to cause unnecessary agitation in anti-gun people, regardless of the context. Now I know better than to use guns as an example in any case at all. :lol:

And it would be a bad example anyway, because a gun's safety switch is a hardware thing; you can't get rid of it with a few mouse clicks.
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Mikrotik open proxy becomes a real issue

Mon May 01, 2017 9:22 pm

Another thing are access control options currently available in RouterOS. In short, it's not good. Some services (winbox, ssh, ...) can be configured in IP->Services and you can set allowed IP subnets. Others (socks, web proxy) have own access rules. SMB has own option to select allowed interfaces. And DNS doesn't have anything like that at all. This is clearly bad for users (even advanced ones). These settings need to be available for *all* services, we should be able to allow requests from selected IP subnets, interfaces and interface lists for any of them. Preferably at one common place (*1).
This much I agree with. I could go either way on the firewall-rules workaround and on how permissive or not to set the defaults in favor of usability over security. At the end of the day, the more consistent the configuration options for like portions of the code base, the better.
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: Mikrotik open proxy becomes a real issue

Mon May 01, 2017 9:35 pm

Yes and no. Take a look at routerboard.com and I think you'll agree that quite a few of those products are targeted at consumers.
I see that differently: these devices, like the "hAP lite" or "hAP ac lite tower", are targeted more towards ISPs which supply these devices to clients, and thus they're properly configured :)
 
neticted
Member Candidate
Topic Author
Posts: 137
Joined: Wed Jan 04, 2012 10:36 am

Re: Mikrotik open proxy becomes a real issue

Wed May 03, 2017 11:45 pm

Unfortunately, when such a topic is raised it ends up the same as always: by insulting people for alleged ignorance. This forum became a place for some people to demonstrate ill ego on others, covered by anonymity.

Lets clear some things:

1. I am not a novice user. I have used Mikrotik for almost a decade. I teach Mikrotik.

2. Mikrotik is not just for highly experienced networking gurus (or wannabes). There are a number of devices targeted at plain office use, as direct replacements for the mentioned D-Link or TP-Link routers, and indeed good replacements. Mikrotik did quite a lot of work to make this product easier to use for such users. So claiming that Mikrotik is just for experienced administrators is WRONG. It might feed someone's ego to think that he is elite because he uses Mikrotik, but that is all: feeding ego.

3. I raised this topic because I found out that blacklist services WARN, not about misconfigured routers, but specifically about misconfigured MIKROTIK routers. That should ring some bells!!!! Regardless of what someone wishes or plans, it is clear that Mikrotik is more and more used by people who are not experienced enough to recognize and prevent such problems, and thus cause a bad name for Mikrotik.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Mikrotik open proxy becomes a real issue

Thu May 04, 2017 10:46 am

I don't think it is necessary to insult anyone by saying he is feeding his ego just because he wrote a different opinion than yours. Everyone is free to express his statement here. It doesn't have that much influence anyway, because Mikrotik makes these decisions on a business level. At least I believe so. So they will always do what they think is best for the owners, regardless of what all the rest of us think about it.
 
neticted
Member Candidate
Topic Author
Posts: 137
Joined: Wed Jan 04, 2012 10:36 am

Re: Mikrotik open proxy becomes a real issue

Thu May 04, 2017 10:05 pm

Of course it is insulting when one, instead of discussing the topic, goes to the personal side and judges someone's knowledge, looking down on him based just on egoistic assumptions.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Mikrotik open proxy becomes a real issue

Fri May 05, 2017 11:20 am

Who did that?
