ouroborus
just joined
Topic Author
Posts: 3
Joined: Thu Nov 21, 2019 8:29 pm

Disable management access on port?

Thu Apr 28, 2022 9:44 am

I have a CRS312-4C+8XG. By default, all the ports are bridged together, including the management port. I'm trying to figure out how to separate/isolate the management port. So far, I've figured out how to move it to its own bridge and how to move the management IP address to that port. However, I appear to be able to access the management console through both ether1 and ether9 (the management port).

How do I disable management access on a particular port?

holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Disable management access on port?

Thu Apr 28, 2022 3:22 pm

How I would approach it (surely can be done more elegantly):
Firewall
- allow input access on the port which you want to allow. I'm assuming you're using winbox and standard port TCP/8291?
- drop access for all interfaces not equal to ether9 for TCP/8291.

Caveat: use SAFE MODE when configuring this and make sure you are connected to that one interface.
If you goof up with the config, safe mode will revert back.
Otherwise you may lock yourself out of your device...
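
The two rules described in this reply, written out as RouterOS commands (an added example, not posted by anyone in the thread). It assumes ether9 holds the management IP directly and uses a hypothetical interface list named MGMT; it also goes one step beyond the reply by restricting MAC-based access, which the IP firewall does not see.

```routeros
# Added example. Assumptions: ether9 carries the management IP directly
# (if ether9 sits in its own bridge, add that bridge to the list instead,
# because input traffic is matched on the bridge interface).
# The list name MGMT is hypothetical.
# Enter Safe Mode first (Ctrl+X in the terminal) while connected via ether9.

/interface list
add name=MGMT comment="interfaces allowed to reach management"
/interface list member
add list=MGMT interface=ether9

/ip firewall filter
# Rules are evaluated top to bottom, so the accept goes first.
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface-list=MGMT comment="WinBox from the management port"
add chain=input action=drop protocol=tcp dst-port=8291 \
    in-interface-list=!MGMT comment="WinBox from every other interface"

# MAC Telnet and MAC WinBox work at layer 2 and bypass the IP firewall,
# so they are limited to the same interface list separately.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# Review the result before leaving Safe Mode.
/ip firewall filter print where chain=input
/ip service print
```

Only WinBox on TCP/8291 is filtered here, as in the reply; any other service shown as enabled by `/ip service print` is still reachable from every interface until it is disabled or given the same pair of rules.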
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Disable management access on port?

Thu Apr 28, 2022 3:35 pm

> how to move it to its own bridge

Management port on bridge?
The management port is usually alone and completely isolated.

> I appear to be able to access the management console through both ether1 and ether9 (the management port).

Unless programmed differently, you can access the terminal or winbox from any interface.

> How do I disable management access on a particular port?

You must not reason about how to disable management access on a particular port,
but about how to enable management only from the management port...
 
ouroborus
just joined
Topic Author
Posts: 3
Joined: Thu Nov 21, 2019 8:29 pm

Re: Disable management access on port?

Fri Apr 29, 2022 2:28 am

> How I would approach it (surely can be done more elegantly):
> Firewall
> - allow input access on the port which you want to allow. I'm assuming you're using winbox and standard port TCP/8291?
> - drop access for all interfaces not equal to ether9 for TCP/8291.
>
> Caveat: use SAFE MODE when configuring this and make sure you are connected to that one interface.
> If you goof up with the config, safe mode will revert back.
> Otherwise you may lock yourself out of your device...

This is likely what I'll be doing, barring some purpose-built solution. (For example, consumer wifi routers usually have an option to prevent management access from wifi connections. That configuration is usually separate from any firewall configuration.)
 
ouroborus
just joined
Topic Author
Posts: 3
Joined: Thu Nov 21, 2019 8:29 pm

Re: Disable management access on port?

Fri Apr 29, 2022 2:39 am

> Management port on bridge?
> The management port is usually alone and completely isolated.

Physically, there is a port marked "management" but, as far as I can tell, its only practical difference is that it's slower than the other ports (1GbE vs 10GbE). I would have expected that a port marked "management" would be the only port with access to the management console.

> > I appear to be able to access the management console through both ether1 and ether9 (the management port).
>
> Unless programmed differently, you can access the terminal or winbox from any interface.
>
> > How do I disable management access on a particular port?
>
> You must not reason about how to disable management access on a particular port,
> but about how to enable management only from the management port...

I've looked through the management interface and I'm not seeing something that seems like it is purpose-built for controlling which ports have management access. Sure, one could use the firewall to control that but I have doubts as to whether that is the proper tool for the job.
