openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Most convenient way to block mng traffic from cpu

Thu Aug 18, 2022 12:45 am

Personally, I prefer to do all security-related things as early as possible (and at least in the firewall).

How true are the following assumptions/designs:

If I have WLAN traffic and do not assign an IP to the bridge, all clients in these WLANs aren't able to access the management (WebFig) interface of the AP.

If the WLANs also have VLAN tags (>1) and none of them has an IP on the bridge, then none of the clients can access the CPU and inter-VLAN communication isn't possible at all.
(Background: if e.g. a 10.10/16 WLAN client tried a 10.20/16 address, the bridge would route it if the WLANs have IPs on the bridge. Of course it can be done in the firewall, too. But why, if I can do it much more simply and effectively, since there can't be a misconfigured rule in the firewall?)


Is the /switch port switch1cpu the "same" as the bridge?
By means of that, I can add /switch rules based on IP, simply denying access to the CPU.
I'd use a rule with new-dst-ports="" for IP ranges that shall only be forwarded but shall not access the CPU/WebFig.

If I do a management IP on some port, then besides the firewall (input rules), do I have to do this in the user accounts of the system?
