Block WinBox discovery from specific address

David1234 · Sun Jan 07, 2018 1:23 pm

Hello,
I want to know if I can blockthe discovery from a specific address in my netwrok
so the router will be 10.0.0.1/24
my netwrok is 10.0.0.0/24
but I will only see the it in winbox from 10.0.0.10-10.0.0.20
all other computers in the network that aren't this address will not see it

can I do this ?

this is what I have so far -

/ip firewall filter
add action=drop chain=input dst-port=5678 protocol=udp src-address-list=\
    !Office
add action=drop chain=forward dst-port=5678 protocol=udp src-address-list=\
    !Office
add action=drop chain=output dst-port=5678 protocol=udp src-address-list=\
    !Office
add action=reject chain=input dst-port=20561 protocol=udp src-address-list=\
    !Office
add action=reject chain=output dst-port=20561 protocol=udp src-address-list=\
    !Office
add action=reject chain=forward dst-port=20561 protocol=udp src-address-list=\
    !Office

/ip firewall address-list
add address=10.0.0.10-10.0.0.20 list=Office

but now I can't see it from all the netwrok....

what I need to fix ?

Thanks ,

haik01 · Sun Jan 07, 2018 4:01 pm

I see no TCP, only UDP.

What does Winbox uses? UDP or TCP?

netvisionip · Sun Jan 07, 2018 4:54 pm

If you go to IP -> Services.

Select winbox and you can add the IP addresses you want to have access to winbox.
Maybe best testing with safemode first.

16again · Mon Jan 08, 2018 10:27 pm

Discovery packets are sent from the MT router to broadcast IP 255.255.255.255:5678 , which isn't blocked by your rules

David1234 · Tue Jan 09, 2018 2:34 pm

so how can I block it ?
I know how to limit the network to connect to the router.
but I also don't want to block the discovery
so how can I do this ?

Deantwo · Tue Jan 09, 2018 4:35 pm

It isn't good enough to just block neighbor discovery from an interface? It has to be a specific IP address?

/ip neighbor discovery set [find name=ether1] discover=no

Alternatively I'll ask why it is all on the same network if it has to be separate. Wouldn't it be easier to set up VLANs?

David1234 · Wed Jan 10, 2018 3:40 pm

no I can't use Vlan

Deantwo · Wed Jan 17, 2018 4:11 pm

I want to know if I can blockthe discovery from a specific address in my netwrok
so the router will be 10.0.0.1/24
my netwrok is 10.0.0.0/24
but I will only see the it in winbox from 10.0.0.10-10.0.0.20
all other computers in the network that aren't this address will not see it

From the sound of it, the easiest fix is to just totally disable neighbor discovery, and then just save the IP address in WinBox.
That way no one can see the MikroTik router via neighbor discovery, only if they know the IP address of the router can they access it, and only if they know it is a MikroTik router will they think of using WinBox.

/ip neighbor discovery set [find] discover=no

Block WinBox discovery from specific address

Block WinBox discovery from specific address

Re: Block WinBox discovery from specific address

Re: Block WinBox discovery from specific address

Re: Block WinBox discovery from specific address

Re: Block WinBox discovery from specific address

Re: Block WinBox discovery from specific address

Re: Block WinBox discovery from specific address

Re: Block WinBox discovery from specific address

Who is online