There is a much simpler way... dynamic whitelisting
1) Get a DynDNS client (or URL) on your client device (hint: could also be another MikroTik device on the same client network: https://wiki.mikrotik.com/wiki/Manual:IP/Cloud )
2) Add that DynDNS name (not IP address) to the firewall address list in the router you wish to access (hint: timeout recommended but not required: https://wiki.mikrotik.com/wiki/Manual:I ... dress_list )
3) Add a firewall exception rule for that address list
4) Result = Secure (with no open ports at all to attack), authenticated, encrypted (Winbox / HTTPS) remote access to as many sites (devices) or users as you like, with zero overhead
Hint: https://www.cloudns.net/features/ is Google recommended and has non-authenticated dynamic DNS for free ( https://www.cloudns.net/wiki/article/255/ ), including the free domain.
Something along the lines of:
/ip firewall address-list add address=xxxxxxxxxxxx.sn.mynetname.net list=whitelisted-admin comment="some other Mikrotik device with Cloud IP"
/ip firewall address-list add address=mydyndnsclient.dyn.com list=whitelisted-admin comment="some other DynDNS client"
/ip firewall filter add action=accept chain=input comment="Allow whitelisted-admin" in-interface-list=WAN src-address-list=whitelisted-admin
Please note: if the two DNS names resolve to the same IP address, then only one item is added to the list.
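A way to check an exported configuration against the pattern in the post above, as an added example that is not part of the original post and not MikroTik tooling. It assumes the config is available as text in the same "add" command form; the fourth sample rule (Winbox port 8291 with no source list) is constructed for the check to flag, and the names parse and audit are hypothetical.

```python
import shlex

# Constructed sample: the three commands from the post plus one deliberately
# unrestricted rule (hypothetical) so the audit has something to flag.
SAMPLE = '''
/ip firewall address-list add address=xxxxxxxxxxxx.sn.mynetname.net list=whitelisted-admin comment="some other Mikrotik device with Cloud IP"
/ip firewall address-list add address=mydyndnsclient.dyn.com list=whitelisted-admin comment="some other DynDNS client"
/ip firewall filter add action=accept chain=input comment="Allow whitelisted-admin" in-interface-list=WAN src-address-list=whitelisted-admin
/ip firewall filter add action=accept chain=input comment="Winbox from anywhere" in-interface-list=WAN protocol=tcp dst-port=8291
'''

def parse(config):
    """Split RouterOS 'add' commands into (menu, {key: value}) pairs."""
    out = []
    for line in config.splitlines():
        words = shlex.split(line)  # keeps quoted comment="..." values intact
        if "add" not in words:
            continue
        i = words.index("add")
        props = dict(w.split("=", 1) for w in words[i + 1:] if "=" in w)
        out.append((" ".join(words[:i]), props))
    return out

def audit(config):
    """Flag WAN input accept rules that are not tied to a populated address list."""
    entries = parse(config)
    lists = {}
    for menu, p in entries:
        if menu == "/ip firewall address-list":
            lists.setdefault(p.get("list"), []).append(p.get("address"))
    findings = []
    for menu, p in entries:
        if menu != "/ip firewall filter":
            continue
        if (p.get("action"), p.get("chain")) != ("accept", "input"):
            continue
        if p.get("in-interface-list") != "WAN":
            continue
        name = p.get("src-address-list")
        label = p.get("comment", "(no comment)")
        if name is None:
            findings.append(f"{label}: no src-address-list, open to any source")
        elif not lists.get(name):
            findings.append(f"{label}: address list '{name}' has no entries")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check only looks at accept rules on the input chain for the WAN interface list; rule ordering and the final drop rule are outside what it inspects.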