KoutsiDK
just joined
Topic Author
Posts: 2
Joined: Fri May 22, 2020 2:50 pm

Deny config access from public IP

Fri May 22, 2020 3:01 pm

Hello everyone! Glad to finally be a member of this forum!
OK now here is my concern:
My mom has a small hotel and I installed an awesome little network there, and I also established an L2TP service in case I need to remotely config the router (HEX RB750Gr3) because I live in another city.
However, I noticed that I can also config the router simply by putting the public IP or the DDNS domain.
Is it possible to deny that access, by adding a firewall rule or something, but still be able to connect through the L2TP tunnel?
Any help is appreciated. Thanks

p.s.: Of course I am not using the default Admin credentials, but still one more level of security is always nice
 
anav
Forum Guru
Posts: 4159
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Deny config access from public IP

Fri May 22, 2020 3:25 pm

Koutsik, what you say could be very concerning.
Please post your config so we can ensure your setup is secure.

/export hide-sensitive file=anynameyouwish

(while you're at it, make sure you have a separate user name, not admin, identified to control the router)
(change the default winbox port to something else)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 5007
Joined: Mon Dec 04, 2017 9:19 pm

Re: Deny config access from public IP

Fri May 22, 2020 3:26 pm

The firewall rules in the default configuration of SOHO models are a good starting point; as you can access configuration services via public IP, these seem to be unused - maybe because the router model is not a SOHO one so the defaults are different.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
KoutsiDK
just joined
Topic Author
Posts: 2
Joined: Fri May 22, 2020 2:50 pm

Re: Deny config access from public IP

Sat May 23, 2020 2:17 am

Hello there. It took me a lot of time but eventually I found it. I used these firewall rules:

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe1 protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe1 protocol=ipsec-ah

add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment="management from the L2TP address pool" src-address-list="my pool"
add action=accept chain=input comment="allow ping" protocol=icmp
add action=drop chain=input comment="drop everything else, including WinBox/SSH/WWW arriving on the public IP"

Now it works as intended.

Thanks anyway
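As an added illustration, not code from the thread, here is a small Python model of that input chain: it walks the rules in first-match order over constructed packets, so you can see why a WinBox or SSH attempt arriving on pppoe1 is dropped while the IKE/L2TP/ESP traffic and anything from the VPN pool is accepted. The pool range 192.168.89.0/24, the tunnel interface name l2tp-in1 and the sample addresses are assumptions.

```python
import ipaddress

# Constructed stand-in for the "my pool" address list (assumed L2TP pool range).
ADDRESS_LISTS = {"my pool": [ipaddress.ip_network("192.168.89.0/24")]}

# The posted input chain, in order. A rule only lists the matchers it uses.
RULES = [
    {"action": "accept", "in_iface": "pppoe1", "proto": "udp", "dport": 500},
    {"action": "accept", "in_iface": "pppoe1", "proto": "udp", "dport": 1701},
    {"action": "accept", "in_iface": "pppoe1", "proto": "udp", "dport": 4500},
    {"action": "accept", "in_iface": "pppoe1", "proto": "ipsec-esp"},
    {"action": "accept", "in_iface": "pppoe1", "proto": "ipsec-ah"},
    {"action": "accept", "conn_state": {"established", "related"}},
    {"action": "accept", "src_list": "my pool"},
    {"action": "accept", "proto": "icmp"},
    {"action": "drop"},
]


def matches(rule, pkt):
    """True when every matcher present in the rule fits the packet."""
    if "in_iface" in rule and pkt["in_iface"] != rule["in_iface"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    if "conn_state" in rule and pkt["conn_state"] not in rule["conn_state"]:
        return False
    if "src_list" in rule:
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in net for net in ADDRESS_LISTS[rule["src_list"]]):
            return False
    return True


def input_chain(pkt):
    """Return the action of the first matching rule (first match wins)."""
    for rule in RULES:
        if matches(rule, pkt):
            return rule["action"]
    # RouterOS accepts unmatched packets, which is why the final drop rule matters.
    return "accept"


def new_packet(src, in_iface, proto, dport=None):
    """Build a constructed packet in the 'new' connection state."""
    return {"src": src, "in_iface": in_iface, "proto": proto,
            "dport": dport, "conn_state": "new"}
```

Removing the last entry from RULES and re-running the checks shows the management ports being accepted again, which is the situation the original question describes.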
