But I can't access it.
Why?
I wrote this
Code: Select all
set winbox address=x.x.x.x/29
Can you then tell me how to secure the Winbox port? I want access only from within my local subnet, not for everyone.

Hello,
Do you realize that by giving your public IP address, you basically invited everybody to test your security?
Make sure you have a strong firewall and have secured your router.
Best regards,
Sent from Tapatalk
I have L2TP over IPsec, site to site, and access the routers remotely via L2TP. I want to set up rules and try to tighten up the firewall to permit only my subnet to use it, not everyone. In other words, I want to have a little bit more security on the routers in other cities.

Winbox is to control the router and the router setup.
It should not be done via a direct WAN connection; it should be done with a VPN or, at the very minimum, the port knocking technique.
If you want access to a LAN from the WAN side, then again, if it's to a specific server, use DESTINATION NAT.
In other words, your requirements are not clear to me.
/ip service
set api disabled=yes
set winbox address=172.16.0.0/21,172.16.8.0/21
I added my local subnet on the remote router and added an input rule.

To begin with, remove the value entered with "/ip service set winbox address=X.X.X.X/Y". That's just plain bad!
Even if you're coming in from other offices, don't see it as coming in through the WAN port. You're coming in through a point-to-point link (L2TP/IPsec, which is great) from another LAN subnet.
Part 1:
This is what you could do:
Code: Select all
/ip service
set api disabled=yes
set winbox address=172.16.0.0/21,172.16.8.0/21
Replace the subnets with your own, of course. This is easy, quick and dirty.
Part 2:
Create network admin subnets in all remote sites and allow only those subnets to reach your routers using anything (telnet, ssh, ftp, etc.), including Winbox. Use a combination of "input" and "forward" chains to limit router access to all routers from all LANs and all sites.
Test in a lab before deploying. If your sites are far apart, you won't like locking yourself out and having to drive X kilometers.
Also learn about "SAFE Mode" (https://wiki.mikrotik.com/wiki/Manual:Console#Safe_Mode) before doing anything. This is a life saver. Trust me!!!
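A worked version of Part 1 and Part 2 above, added here as an example; it was not posted by anyone in the thread. The subnets, router addresses, list names and management ports are assumptions. One admin subnet per site is collected in an address list, /ip service is bound to those subnets, and the input chain accepts management traffic only from that list. The forward rule covers the situation the thread is about, where remote routers are reached over L2TP/IPsec site-to-site links: hosts outside the admin subnets may not reach another site's router management ports through the tunnel either.

```routeros
# Added example, not from the thread. Addresses, list names and ports are assumptions.
# Enter SAFE mode first (Ctrl+X in the console): if the session is lost, the changes roll back.

/ip firewall address-list
add list=mgmt-admins address=172.16.0.0/24 comment="HQ admin subnet"
add list=mgmt-admins address=172.16.8.0/24 comment="branch admin subnet"
add list=router-mgmt address=172.16.0.1 comment="HQ router LAN address"
add list=router-mgmt address=172.16.8.1 comment="branch router LAN address"

/ip service
# Bind Winbox and SSH to the admin subnets only; turn off what is not used.
set winbox address=172.16.0.0/24,172.16.8.0/24
set ssh address=172.16.0.0/24,172.16.8.0/24
set api disabled=yes
set api-ssl disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes

/ip firewall filter
# input chain = packets addressed to this router itself. Rules are evaluated
# top to bottom, so the accept rules must sit above the drop.
add chain=input connection-state=established,related action=accept comment="existing sessions"
add chain=input connection-state=invalid action=drop comment="invalid"
add chain=input src-address-list=mgmt-admins protocol=tcp dst-port=8291,22 action=accept comment="Winbox/SSH from admin subnets only"
add chain=input protocol=tcp dst-port=8291,22 action=drop log=yes log-prefix="mgmt-denied" comment="everyone else"

# forward chain = packets routed through this router, e.g. from one site's LAN
# over the L2TP/IPsec link towards another site's router. Non-admin hosts may
# not reach any router's management ports that way.
add chain=forward src-address-list=!mgmt-admins dst-address-list=router-mgmt protocol=tcp dst-port=8291,22 action=drop comment="no cross-site management from non-admin hosts"
```

The /ip service restriction and the firewall rules overlap on purpose: the service setting is the quick fix from Part 1, the filter rules are the defence in depth from Part 2 and also log who is being refused (`/log print where message~"mgmt-denied"`). After applying, check from a host in the admin subnet that Winbox still connects and from any other host that it times out, then leave SAFE mode.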
Hi, I am using L2TP through IPsec and S2S to connect to distant locations. Can I put only a public IP in the address list? I added it, and from another public IP I can connect to the router.

If you need to use Winbox from the outside you do not have many options.
1. VPN (best option)
2. Open Winbox but:
a. change to a port other than 8291
b. set an access list to reduce who can access it
c. use port knocking
d. set up some monitoring, for example getting an email every time someone logs in.
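Options 2a to 2d above put together in one configuration, added here as an example that nobody in the thread posted. The knock ports, the replacement Winbox port, the timeouts, the list names and the mail settings are all assumptions. A source must hit the three knock ports in order within the timeouts; only then is it placed in the winbox-allowed list for ten minutes and accepted on the Winbox port. A static admin list is checked first, so a known address (2b) needs no knock and the knock is only required from unknown addresses.

```routeros
# Added example, not from the thread. Ports, timeouts, list names and mail
# settings are assumptions. Use a different knock sequence on every site.

/ip firewall address-list
add list=admin-static address=203.0.113.10 comment="office public IP (assumption)"

/ip service
# 2a: move Winbox off 8291 so casual scans for the default port find nothing.
set winbox port=58291

/ip firewall filter
# 2b: a known admin address is accepted without knocking.
add chain=input src-address-list=admin-static protocol=tcp dst-port=58291 action=accept comment="admins without knocking"

# 2c: three-stage knock. Each stage matches only while the previous stage's
# dynamic entry is still present, so hitting single ports at random does not
# open the door. The final list entry is what allows Winbox, for 10 minutes.
add chain=input protocol=tcp dst-port=7001 action=add-src-to-address-list address-list=knock-1 address-list-timeout=15s comment="knock stage 1"
add chain=input protocol=tcp dst-port=7002 src-address-list=knock-1 action=add-src-to-address-list address-list=knock-2 address-list-timeout=15s comment="knock stage 2"
add chain=input protocol=tcp dst-port=7003 src-address-list=knock-2 action=add-src-to-address-list address-list=winbox-allowed address-list-timeout=10m comment="knock stage 3: Winbox open for 10 min"
add chain=input src-address-list=winbox-allowed protocol=tcp dst-port=58291 action=accept comment="Winbox after a correct knock"
add chain=input protocol=tcp dst-port=58291 action=drop log=yes log-prefix="winbox-denied" comment="everyone else"

# 2d: mail every login. The "account" logging topic carries the
# "user X logged in from Y via winbox" messages.
/tool e-mail
# RouterOS 6 syntax (start-tls=yes); RouterOS 7 uses tls=starttls instead.
set address=mail.example.net port=587 start-tls=yes from=router@example.net user=router password=CHANGEME
/system logging action
add name=mail-admin target=email email-to=admin@example.net
/system logging
add topics=account action=mail-admin
```

To test from a client, open TCP connections to 7001, 7002 and 7003 in that order (for example with `nc -z -w 2 ROUTER 7001`, then 7002, then 7003) and then connect Winbox to port 58291; `/ip firewall address-list print where dynamic=yes` shows the knock entries appearing and expiring. The timeouts are the safety margin: a scanner that probes 7001, 7002 and 7003 in numeric order would pass this knock, which is why the ports should not be consecutive in practice and why this is a supplement to, not a replacement for, the VPN in option 1.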
These are okay if you are using just a few MikroTiks. But when you get plenty of them in different places around the world, sometimes in extra small places/networks, making a VPN on each one and having tons of VPN connections at your workplace becomes a great problem, as all of this is hard to maintain.

Maybe just permit a login from one public IP and/or the local subnet. But when I added it to IP services and/or the firewall rules, only the local subnet is working; from the public IP, even if it changes, I can still get in.

Same thing with port knocking, which should be unique in different separated networks. But as the number of devices grows...
Is there any wise solution for that, except opening the Winbox port and securing it with the firewall?