stalker802
newbie
Topic Author
Posts: 42
Joined: Mon Nov 22, 2010 3:50 pm

Firewall

Sat Apr 29, 2023 4:19 am

I saw a video about firewalls which says that it is not recommended to open the firewall to the router even from a specific public IP. If this IP is my trusted network, why shouldn't I do that? Could it be spoofed or somehow bypassed in another way?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Firewall

Sat Apr 29, 2023 9:40 am

Personally, allowing access to a device on the Internet through "whitelisted" source IP(s) is acceptable to me, and we do that for customers across our projects.
VPN is not always an option, or is sometimes overkill.
Just make sure you have additional layers like (encrypted) authentication using complex logins (both username & password), and make sure you have logging + notification enabled.
And additionally, LIMIT the exposure of course: filter only the ports that are needed!

The attack vector with a construction like this is pretty low. "Zero risk" does not exist, not for any solution.
 
stalker802
newbie
Topic Author
Posts: 42
Joined: Mon Nov 22, 2010 3:50 pm

Re: Firewall

Sun May 21, 2023 1:46 am

What are these attacks called? I would like to read more about them.
Attack vector? Or spoofing?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall

Sun May 21, 2023 2:24 am

Disagree with JV; the clue here is that he is a well-trained person who knows what he is doing, and giving such flippant advice to a beginner is both dangerous and foolish.

The only method you should consider for connecting to your router, for the purposes of accessing LAN resources or, more likely, to be able to config the router, is through VPN, and wireguard is part of RoS and fairly easy compared to other VPN methods. Highly recommended.
Another common method to access servers on your LAN is port forwarding, and here ensure
a. the server is password protected, 2 factor best
b. you limit users by source address

Instead of port forwarding, if at all possible, use a ZeroTrust Cloudflare tunnel in a container (sadly, although highly needed, MT has elected not to make this available as part of the OS like wireguard, not even as an options package; shame on them).
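The controls the two replies above describe (a whitelisted source list, only the needed ports, logging on both the allow and the deny side, and a port forward that also checks the source address) as a RouterOS firewall fragment. This is an added example, not configuration from either poster; the addresses are documentation-range placeholders, the LAN server 192.168.88.10 and the syslog host 192.0.2.50 are constructed, and it assumes the default `WAN` interface list exists.

```routeros
# Constructed example: trusted public sources that may reach the router (placeholder addresses)
/ip firewall address-list
add list=mgmt-trusted address=203.0.113.10 comment="office static IP (placeholder)"
add list=mgmt-trusted address=198.51.100.0/29 comment="backup site (placeholder)"

# Input chain: traffic to the router itself
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop comment="drop malformed state"
add chain=input in-interface-list=WAN src-address-list=mgmt-trusted protocol=tcp dst-port=22,8291 action=accept log=yes log-prefix="mgmt-allow" comment="SSH/WinBox only from the trusted list, every hit logged"
add chain=input in-interface-list=WAN protocol=tcp dst-port=22,8291 action=drop log=yes log-prefix="mgmt-deny" comment="anyone else probing the management ports is logged, then dropped"
add chain=input in-interface-list=WAN action=drop comment="nothing else from WAN reaches the router"

# Second layer: bind the services themselves to the same addresses and switch off what is not needed
/ip service
set ssh address=203.0.113.10/32,198.51.100.0/29
set winbox address=203.0.113.10/32,198.51.100.0/29
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

# Port forward to a LAN server, restricted to the same trusted sources (anav's point b)
/ip firewall nat
add chain=dstnat in-interface-list=WAN src-address-list=mgmt-trusted protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="HTTPS to LAN server, trusted sources only (constructed)"
/ip firewall filter
add chain=forward in-interface-list=WAN connection-nat-state=dstnat src-address-list=mgmt-trusted action=accept comment="only the dst-nat'd flows from trusted sources"
add chain=forward in-interface-list=WAN connection-state=new action=drop comment="block any other new WAN->LAN flow"

# Ship the firewall log off-box so a deny burst is noticed (constructed syslog host)
/system logging action
set remote remote=192.0.2.50 remote-port=514
/system logging
add topics=firewall action=remote
```

`add` appends to the end of each chain, so on a router that already has rules, check `/ip firewall filter print` to confirm no earlier rule accepts ports 22 or 8291 from WAN before the `mgmt-allow` rule. Entries prefixed `mgmt-deny` in the log are the signal that something other than the listed addresses is knocking on the management ports.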
