I see this all over the forum:
How do I administrate my router over the internet?
My router is behind NAT, how do I reach it for admin?
My response to that is to use a VPN. And if a VPN cannot be used, or you have no clue how or no possibility to set it up, I recommend:
1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use an access list to prevent any random internet host from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to the latest stable release.
7. ++++
Here is where RemoteWinBox can help out. It sets up a secure VPN (SSTP) to a central site. From your location you can then use WinBox to connect to your remote router, using the RemoteWinBox VPN server as a tunnel.
You get up to 5 hosts free; then you have to pay for each extra router you would like to monitor.
Start by creating an account at www.remotewinbox.com.
Create a router profile. Then you will get something like this to install on the router (user/pass changed):
```
# SSTP client tunnel to the RemoteWinBox VPN server
/interface sstp-client add connect-to=vpn1.remotewinbox.com:443 disabled=no name=RemoteWinboxVPN password="bXok95fadsfadsFDgsfRfdgsfj" user="uzCDsevbrrW01A3" comment="Remote Winbox connection for My_Router"
# Accept input arriving on the tunnel interface; use place-before=1 when an input drop rule already exists
:if ([:len [/ip firewall filter find where chain=input and action=drop]] >0) do={ \
[/ip firewall filter add action=accept chain=input comment="Allow Remote Winbox" in-interface=RemoteWinboxVPN place-before=1]\
} else={ \
[/ip firewall filter add action=accept chain=input comment="Allow Remote Winbox" in-interface=RemoteWinboxVPN]}
# User for logins through the tunnel, allowed only from private source addresses
/user add name=ZZSSFgrgrgWW password=9RSAssdGGRrgkrg56gGDFREwefgrrer group=full address="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" comment="Remote Winbox user"
/log info "Remote Winbox configuration added!"
```
The script does the following:
1. Adds an SSTP VPN to RemoteWinBox.
2. Adds an input rule to allow WinBox (at the top of the filter list).
3. Adds a new admin user to log in to your router.
4. Sends a log message.
You will get a link like this:
vpn1.remotewinbox.com:12345
Open WinBox and copy it to "Connect to".
Use the username and password found in the last line to connect.
Then you are ready to administrate your router.
Conclusion.
Works as it should and works fine behind other NAT routers. Not sure if I recommend this solution directly. You could add a schedule that opens the SSTP tunnel for just some minutes every week. Since there is no certificate solution, anyone can try to brute-force access to your router.
+
* Simple setup
* 5 free users
* Works behind NAT
-
* Do you trust a third party to have the password for your routers?
* May be a problem that you need to have port xxxx open outbound from your admin location.
* Should use a certificate to secure the connection.
* A brute-force attack against vpn1.remotewinbox.com ports 1-65535 will reach your router, and if you have a weak password, they will get in.
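
The weekly schedule suggested in the conclusion, as an added example that is not part of the original post or of RemoteWinBox's generated script. It also narrows the generated accept rule, which matches all input from the tunnel interface, to WinBox only. Assumptions: the interface name and rule comment from the script above, WinBox on its default TCP port 8291, and hypothetical scheduler names, times and a 15-minute window.

```routeros
# Keep the tunnel down by default; it is only needed during the admin window.
/interface sstp-client disable [find name=RemoteWinboxVPN]

# Limit the generated "Allow Remote Winbox" rule to WinBox traffic.
# 8291 is the WinBox default; change it if the winbox service uses another port.
/ip firewall filter set [find comment="Allow Remote Winbox"] protocol=tcp dst-port=8291

# Open the tunnel once a week at 20:00 ...
# (set start-date as well to pick the weekday; the names are hypothetical)
/system scheduler add name=rwb-open interval=7d start-time=20:00:00 \
    on-event="/interface sstp-client enable [find name=RemoteWinboxVPN]" \
    comment="Open Remote Winbox tunnel"

# ... and close it again 15 minutes later.
/system scheduler add name=rwb-close interval=7d start-time=20:15:00 \
    on-event="/interface sstp-client disable [find name=RemoteWinboxVPN]" \
    comment="Close Remote Winbox tunnel"

# Record the change, in line with "Log everything" above.
/log info "Remote Winbox tunnel limited to a weekly window"
```

Outside the window the SSTP client is disabled, so the forwarded port on vpn1.remotewinbox.com has no tunnel to reach the router through.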