ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

[Request] Restrict web admin to a VLAN in RouterOS [Fixed]

Fri Oct 29, 2021 12:17 pm

Dear Support,

Using RouterOS on MikroTik routers and switches,
I did not find a simple way to restrict access to Web admin to a particular VLAN for security purposes.

Web admin is accessible on the main bridge, so it is accessible from all VLANs (on routers).

The only way to restrict access is to use IPtables.
Could you implement settings to restrict access to a single VLAN for security purposes?

pfSense and OPNsense offer this kind of feature.

Kind regards,
French Fries
Last edited by ffries on Sun Dec 05, 2021 12:30 pm, edited 1 time in total.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: [Request] Restrict web admin to a VLAN in RouterOS

Fri Oct 29, 2021 1:17 pm

May I ask why firewall rules aren't viable for you
as a way to restrict access to Web?

Example A:
/ip firewall filter
add action=drop chain=input dst-port=80 in-interface=!bridge1_vlan111 protocol=tcp
Example B:
/ip firewall filter
add action=accept chain=input dst-port=80 in-interface-list=listofvlans protocol=tcp
add action=drop chain=input disabled=yes
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: [Request] Restrict web admin to a VLAN in RouterOS

Mon Nov 29, 2021 10:37 pm

This is perfectly viable, thank you.
 
ConnyMercier
Forum Veteran
Posts: 724
Joined: Tue Dec 17, 2019 1:08 pm

Re: [Request] Restrict web admin to a VLAN in RouterOS

Tue Nov 30, 2021 12:22 am

Glad I could help!

Good luck, and don't forget to back up before changing anything =)
 
ffries
Member Candidate
Topic Author
Posts: 177
Joined: Wed Aug 25, 2021 6:07 pm

Re: [Request] Restrict web admin to a VLAN in RouterOS [Fixed]

Sun Dec 05, 2021 12:32 pm

I found a more suitable way to do it.

Under RouterOS 7.1, in services, I restricted access to a single subnet:
/ip/service> print
Flags: X, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE, VRF
#   NAME     PORT  ADDRESS        CERTIFICATE                     VRF
0 X telnet     23                                                 main
1 X ftp        21
2 X www        80                                                 main
3   ssh        22                                                 main
4   www-ssl   443  aa.bb.cc.0/24  mikrotik_ssl_certificate.crt_0  main
5 X api      8728                                                 main
6 X winbox   8291                                                 main
7 X api-ssl  8729                 none                            main
Just replace aa.bb.cc.0/24 with your subnet.
Also choose no SSL version lower than 1.2
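
The two approaches from this thread (the per-service address restriction and the input-chain firewall rules) combined into one configuration, as an added example that is not part of any post above. The subnet 192.0.2.0/24 and the interface name vlan-mgmt are placeholders for your own management subnet and VLAN interface, and restricting ssh as well goes beyond what the thread shows.

```routeros
# Added example, not from the thread.
# Placeholders (assumptions): 192.0.2.0/24 = management subnet,
# vlan-mgmt = VLAN interface of the management network.

# 1. Disable the management services that are not used, matching the
#    X-flagged rows in the print output above.
/ip service disable telnet,ftp,www,api,api-ssl,winbox

# 2. Service-level restriction: the HTTPS admin page only answers clients
#    whose source address is in the management subnet, and only over TLS 1.2.
#    www-ssl needs a certificate assigned before it will serve anything.
/ip service set www-ssl address=192.0.2.0/24 tls-version=only-1.2

# Assumption: ssh gets the same restriction (the thread leaves it open).
/ip service set ssh address=192.0.2.0/24

# 3. Firewall-level restriction on the input chain, as in Example A/B.
#    "add" appends to the end of the list, so check with "print" that no
#    earlier, broader accept rule matches these ports first.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="keep existing sessions"
add chain=input action=accept protocol=tcp dst-port=22,443 \
    in-interface=vlan-mgmt comment="admin from management VLAN"
add chain=input action=drop protocol=tcp dst-port=22,80,443 \
    comment="no admin from any other interface"

# 4. Verify: ADDRESS should show the subnet on ssh and www-ssl, and the
#    accept rule must sit above the drop rule.
/ip service print
/ip firewall filter print where chain=input
```

The service address list filters by source IP while the firewall rule filters by ingress interface, so using both keeps the admin page closed to other VLANs even if one of the two settings is later changed. Apply it from a session on the management VLAN, or use Safe Mode, so a mistake does not lock you out.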
