Community discussions

MikroTik App
 
ceylan
newbie
Topic Author
Posts: 27
Joined: Sat Feb 10, 2018 3:03 pm
Location: CYPRUS
Contact:

winbox user security measures

Fri Mar 15, 2019 11:00 pm

Hi, I want to take security measures. I've added a new user with allowed local address to the router.i was thinking to only this local ip can connect to devices in the local network.but its not working
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21665
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: winbox user security measures

Fri Mar 15, 2019 11:56 pm

Your requirements are poorly worded.

Who is allowed to access the router?
The only reason to access the router itself is to change or manage the configuration.
So I have an adminaccess input chain rule for this purpose.
Separately I have allow in-interface-list=LAN rule on my input chain to allow DNS remote requests on port 53 udp/tcp.
Other than that there is no requirement for users to access the router.

To access the router there are a few steps.
a. ensure you have an INPUT CHAIN rule that allows access from the subnet, or IP address or list of IPs of those devices and admins that will have the ability to modify the configuration.
b. ensure you to go IP services and ensure winbox is selected, you can put in the same address or subnet
(you may put the whole subnet in the firewall rule but in the winbox rule narrow it to a single IP).
(for example yuou could put your desktop IP and then your laptop IP (and if you plug your laptop into other subnets, and they are set to static IPs, you can add those so no matter what subnet you plug into you can get to winbox).
c. Another place to consider is the WINBOX MAC setting under TOOLS, typically this is a major interface so that the mac address of the winbox can be available across all the subnets.
The winbox service rule and firewall rule then limit who can use the info.

Finally, highly suggest you change the default port for winbox to something NOT 8291!!

Who is online

Users browsing this forum: cozmintoader, hsleL4jsNet, mrbyte and 26 guests