NAB
Trainer
Topic Author
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

How can I block access from Winbox.

Mon Jul 25, 2011 6:05 pm

Hi,

I have a RB493. It's running ROS 5.5.

I want to block all access from WinBox clients on 'ether4', unfortunately I don't seem to be able to do so.

If I create the following three rules:
/ip firewall filter
add action=drop chain=input disabled=no in-interface=ether4
add action=drop chain=output disabled=no out-interface=ether4
add action=drop chain=forward disabled=no
and then plug a PC into ether4, I can still connect Winbox to the MAC address of the router. The interesting thing is that the packet count for dropped packets on the input chain increases and I see absolutely no traffic matching the rule in the output chain.

The worrying thing is that the firewall appears to be working (input chain rule count incrementing), but it clearly isn't. What other kinds of traffic can bypass the filter?
Last edited by NAB on Mon Jul 25, 2011 6:14 pm, edited 1 time in total.
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: How can I block access from Winbox.

Mon Jul 25, 2011 6:09 pm

You can't filter MAC address layer access to Winbox in the IP firewall. MAC-winbox runs on layer 2; the IP firewall runs on layer 3.

If you need to limit who has layer 2 access to Winbox, delete or disable the item for all interfaces under "/tool mac-server mac-winbox" and add in specific entries for the interfaces you want to permit it from.

That said, on all my production machines I disable all layer 2 access to the router completely. Either you access it via layer 3, or via the console port.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
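The commands below are an added example, not part of either post, showing the lockdown fewi describes on the RouterOS 5.x command line. The interface names are assumptions: ether1 is taken as the management port that should keep layer 2 access, ether4 is the port the PC is plugged into, and the factory default is assumed to be a single entry with interface=all in each list.

```routeros
# Added example (not from the thread). RouterOS 5.x syntax; ether1 as the
# permitted management port and the default interface=all entry are assumptions.

# 1. Look at what currently permits MAC-Winbox. The stock entry for
#    interface=all is what lets a PC on ether4 connect by MAC address even
#    though the IP firewall drops everything on that interface.
/tool mac-server mac-winbox print

# 2. Drop that entry and allow MAC-Winbox only on the management port.
/tool mac-server mac-winbox remove [find interface=all]
/tool mac-server mac-winbox add interface=ether1 disabled=no

# 3. MAC-telnet is a separate list in the same submenu and is also layer 2;
#    lock it down the same way (or leave it empty to disable it entirely).
/tool mac-server print
/tool mac-server remove [find interface=all]
/tool mac-server add interface=ether1 disabled=no

# 4. Optional: stop announcing the router on ether4 via MNDP so it does not
#    show up in the Winbox "Neighbors" list of a PC on that port.
/ip neighbor discovery set ether4 discover=no

# 5. Verify that only ether1 is listed in both tables.
/tool mac-server mac-winbox print
/tool mac-server print
```

After this, a Winbox client on ether4 can no longer reach the router by MAC address; a Winbox connection to the router's IP address (TCP 8291) still goes through the input chain of /ip firewall filter, where the in-interface=ether4 drop rule from the original post already handles it.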
NAB
Trainer
Topic Author
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: How can I block access from Winbox.

Mon Jul 25, 2011 6:43 pm

fewi wrote: MAC-winbox runs on layer 2
Argh. Major attack of the stupids. I knew this, I know I knew this. I just got caught up with the incrementing packet counts and stopped thinking.

Thank you!