tomislav91
Frequent Visitor
Topic Author
Posts: 76
Joined: Fri May 26, 2017 12:47 pm

secure winbox port access only by wan ip

Sat Nov 10, 2018 8:08 pm

I added my WAN IP as the address for winbox in IP services.
But I can't access it.
Why?
I wrote this:
set winbox address=x.x.x.x/29
Last edited by tomislav91 on Sat Nov 10, 2018 8:45 pm, edited 1 time in total.
 
huntah
Member Candidate
Posts: 257
Joined: Tue Sep 09, 2008 3:24 pm

Re: secure winbox port access only by wan ip

Sat Nov 10, 2018 8:28 pm

You need to allow it in the firewall filter as well.
Place it before the drop rule.
 
AlainCasault
Trainer
Posts: 438
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: secure winbox port access only by wan ip

Sat Nov 10, 2018 8:36 pm

Hello,

Do you realize that by giving your public IP address, you basically invited everybody to test your security?

Make sure you have a strong firewall and have secured your router.

Best regards,


Sent from Tapatalk

___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
tomislav91
Frequent Visitor
Topic Author
Posts: 76
Joined: Fri May 26, 2017 12:47 pm

Re: secure winbox port access only by wan ip

Sat Nov 10, 2018 8:41 pm

> Hello,
>
> Do you realize that by giving your public IP address, you basically invited everybody to test your security?
>
> Make sure you have a strong firewall and have secured your router.
>
> Best regards,
>
> Sent from Tapatalk

Can you then tell me how to secure the winbox port? I want access only from within my local subnet, not for everyone.
Only allow the local IP?
 
anav
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: secure winbox port access only by wan ip

Sat Nov 10, 2018 9:39 pm

Winbox is to control the router and the router setup.
It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique.

If you want access to a LAN from the WAN side, then again, if it's to a specific server, use DESTINATION NAT.
In other words, it's not clear to me what your requirements are.
 
tomislav91
Frequent Visitor
Topic Author
Posts: 76
Joined: Fri May 26, 2017 12:47 pm

Re: secure winbox port access only by wan ip

Sat Nov 10, 2018 10:56 pm

> Winbox is to control the router and the router setup.
> It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique.
>
> If you want access to a LAN from the WAN side, then again, if it's to a specific server, use DESTINATION NAT.
> In other words, it's not clear to me what your requirements are.

I have L2TP over IPsec, site to site, and I access the routers remotely via L2TP. I want to set rules and try to tighten up the firewall to permit only my subnet to use it, not everyone. In other words, I want to have a little bit more security on the routers in the other cities.
 
AlainCasault
Trainer
Posts: 438
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: secure winbox port access only by wan ip

Sat Nov 10, 2018 11:20 pm

To begin with, remove the value entered with "/ip services set winbox address=X.X.X.X/Y". That's just plain bad!

Even if you're coming in from other offices, don't see it as coming in through the WAN port. You're coming in through a point-to-point link (L2TP/IPSEC, which is great) from another LAN subnet.

Part 1:
This is what you could do:
/ip service
set api disabled=yes
set winbox address=172.16.0.0/21,172.16.8.0/21
Replace the subnets with your own, of course. This is easy, quick and dirty.

Part 2:
Create network admin subnets in all remote sites and allow only those subnets to reach your routers using anything (telnet, ssh, ftp, etc.), including winbox. Use a combination of "input" and "forward" chains to limit router access to all routers from all LANs and all sites.

Test in a lab before deploying. If your sites are far apart, you won't like locking yourself out and having to drive X kilometers. ;)
Also learn about "SAFE Mode" (https://wiki.mikrotik.com/wiki/Manual:Console#Safe_Mode) before doing anything. This is a life saver. Trust me!!! :D
___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
tomislav91
Frequent Visitor
Topic Author
Posts: 76
Joined: Fri May 26, 2017 12:47 pm

Re: secure winbox port access only by wan ip

Mon Nov 12, 2018 7:22 pm

> To begin with, remove the value entered with "/ip services set winbox address=X.X.X.X/Y". That's just plain bad!
>
> Even if you're coming in from other offices, don't see it as coming in through the WAN port. You're coming in through a point-to-point link (L2TP/IPSEC, which is great) from another LAN subnet.
>
> Part 1:
> This is what you could do:
> /ip service
> set api disabled=yes
> set winbox address=172.16.0.0/21,172.16.8.0/21
> Replace the subnets with your own, of course. This is easy, quick and dirty.
>
> Part 2:
> Create network admin subnets in all remote sites and allow only those subnets to reach your routers using anything (telnet, ssh, ftp, etc.), including winbox. Use a combination of "input" and "forward" chains to limit router access to all routers from all LANs and all sites.
>
> Test in a lab before deploying. If your sites are far apart, you won't like locking yourself out and having to drive X kilometers. ;)
> Also learn about "SAFE Mode" (https://wiki.mikrotik.com/wiki/Manual:Console#Safe_Mode) before doing anything. This is a life saver. Trust me!!! :D

I added my local subnet on the remote router and added an input rule:
add action=accept chain=input dst-address=10.10.50.0/24 dst-port=8291 \
protocol=tcp

Is this enough? Can I limit the connection to pass only from my public IP?
 
Jotne
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: secure winbox port access only by wan ip

Mon Nov 12, 2018 8:44 pm

If you need to use winbox from the outside you do not have many options.

1. VPN (best option)

2. Open Winbox but:
a. change to another port than 8291
b. set an access list to reduce who can access it
c. use port knocking
d. set up some monitoring, for example getting an email every time someone logs in.
 
tomislav91
Frequent Visitor
Topic Author
Posts: 76
Joined: Fri May 26, 2017 12:47 pm

Re: secure winbox port access only by wan ip

Mon Nov 12, 2018 10:48 pm

> If you need to use winbox from the outside you do not have many options.
>
> 1. VPN (best option)
>
> 2. Open Winbox but:
> a. change to another port than 8291
> b. set an access list to reduce who can access it
> c. use port knocking
> d. set up some monitoring, for example getting an email every time someone logs in.

Hi, I am using L2TP through IPsec and S2S to connect to distant locations. Can I put only a public IP in the address list? I added it, and from another public IP I can still connect to the router.
In the address list I put my public IP and the local LAN from the office, /24.
 
tomislav91
Frequent Visitor
Topic Author
Posts: 76
Joined: Fri May 26, 2017 12:47 pm

Re: secure winbox port access only by wan ip

Mon Nov 12, 2018 11:55 pm

What about this?
https://rickfreyconsulting.com/basic-mi ... e-version/

I found basic firewall settings.
Can I add this to my routers?
 
Jotne
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: secure winbox port access only by wan ip

Tue Nov 13, 2018 8:01 am

You may, but in any case you need to adapt your config to work with it.
It would be better to reset your router to the default config, and then adapt your config to work with it.
 
lopar
just joined
Posts: 14
Joined: Mon Jan 30, 2017 5:47 pm

Re: secure winbox port access only by wan ip

Tue Nov 13, 2018 2:46 pm

> Winbox is to control the router and the router setup.
> It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique.

These are okay if you are using just a few MikroTiks. But when you get plenty of them in different places around the world, sometimes in extra small places/networks, making a VPN on each one and having tons of VPN connections at your workplace becomes a great problem, as all of this is hard to maintain.
Same thing with port knocking, which should be unique in different separated networks. But as the number of devices grows...

Is there any wise solution for that, except opening the winbox port and securing it with a firewall?
 
nescafe2002
Member
Posts: 448
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: secure winbox port access only by wan ip

Tue Nov 13, 2018 2:59 pm

You could set up a DNS [A] record for your management server with a suitable TTL (> 4 hours, to limit the continuous stream of DNS lookups).

Then use the address list feature in the client devices to permit access to Winbox based on the A record.
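AlainCasault's Part 1 and Part 2 above and the DNS-name address list suggested in this post, combined into one RouterOS fragment as an added example (constructed here, not posted by anyone in the thread). It assumes the two subnets from the thread, a placeholder host name mgmt.example.net, a DNS server configured on the router, and an existing final drop rule in the input chain; note that the filter rules match the source address, which over the L2TP tunnel is the remote LAN or tunnel address, not the site's public IP.

```routeros
# Added example (constructed, not from the thread): winbox reachable only from
# known admin sources. Subnets are the ones used earlier in the thread;
# mgmt.example.net is a placeholder for the management host's DNS A record.
/ip service
set api disabled=yes
set winbox address=172.16.0.0/21,172.16.8.0/21

# Address list: static admin subnets plus one DNS name. RouterOS resolves the
# name and keeps the resolved address as a dynamic entry, refreshing it when
# the record's TTL expires, so give the record a TTL of a few hours.
/ip firewall address-list
add list=mgmt address=172.16.0.0/21 comment="head office admin subnet"
add list=mgmt address=172.16.8.0/21 comment="remote site admin subnet"
add list=mgmt address=mgmt.example.net comment="management host (placeholder DNS name)"

# Input chain. Match on src-address-list, not dst-address: a dst-address match
# says nothing about who is connecting. Through the L2TP tunnel the packet's
# source is the remote LAN or tunnel address, never the site's public IP.
# The accept rule must sit above the generic drop, as huntah noted.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address-list=mgmt comment="winbox only from the mgmt list"
add chain=input action=drop protocol=tcp dst-port=8291 \
    log=yes log-prefix="winbox-denied" comment="everyone else, logged"
```

Test from a lab address that is not on the list: the attempt should show up in the log with the winbox-denied prefix, which doubles as the monitoring Jotne suggests.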
 
tomislav91
Frequent Visitor
Topic Author
Posts: 76
Joined: Fri May 26, 2017 12:47 pm

Re: secure winbox port access only by wan ip

Tue Nov 13, 2018 11:38 pm

> > Winbox is to control the router and the router setup.
> > It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique.
>
> These are okay if you are using just a few MikroTiks. But when you get plenty of them in different places around the world, sometimes in extra small places/networks, making a VPN on each one and having tons of VPN connections at your workplace becomes a great problem, as all of this is hard to maintain.
> Same thing with port knocking, which should be unique in different separated networks. But as the number of devices grows...
>
> Is there any wise solution for that, except opening the winbox port and securing it with a firewall?

Maybe just permit a login from one public IP and/or the local subnet. But when I added that to ip-services or in the firewall rules, only the local subnet is working; from a public IP, even if it changes, I can still get in.
Why? Is there some other solution for that?
 
AlainCasault
Trainer
Posts: 438
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: secure winbox port access only by wan ip

Wed Nov 14, 2018 2:59 pm

> > Winbox is to control the router and the router setup.
> > It should not be done via WAN connection (direct), it should be done with a VPN or at the very minimum the Port Knocking technique.
>
> These are okay if you are using just a few MikroTiks. But when you get plenty of them in different places around the world, sometimes in extra small places/networks, making a VPN on each one and having tons of VPN connections at your workplace becomes a great problem, as all of this is hard to maintain.
> Same thing with port knocking, which should be unique in different separated networks. But as the number of devices grows...
>
> Is there any wise solution for that, except opening the winbox port and securing it with a firewall?

Hello,

Security is never about convenience, it's about... well, security ;)

Your port knocking can be the same everywhere, why not? You don't have to leave your VPNs up all the time. Bring them up when needed. You can even allow the chosen solution from a specific IP address only.

We have to stop thinking about shortcuts and deploy what's best for our networks / clients.

Best regards,



Sent from Tapatalk

___________________________
Alain Casault, Eng.
If I helped you, let me know!
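The port knocking that anav, Jotne and AlainCasault refer to, written out as an added RouterOS example (constructed here, not posted by anyone in the thread). Knock ports 1234 and 5678 and both timeouts are assumed values; the block also assumes the usual final drop rule already exists at the end of the input chain.

```routeros
# Added example (constructed, not from the thread): two-stage port knock that
# opens winbox to the knocking source for 10 minutes. Knock ports 1234 and
# 5678 and the timeouts are assumed values; pick your own.
/ip firewall filter
# Stage 1: a TCP packet to the first knock port marks the source for 15s.
# add-src-to-address-list does not accept the packet; it falls through the
# rest of the chain and is dropped by the final input drop rule.
add chain=input action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s protocol=tcp dst-port=1234 comment="knock 1"
# Stage 2: the second knock port, accepted only from a source that completed
# stage 1 within the last 15 seconds.
add chain=input action=add-src-to-address-list address-list=knock-ok \
    address-list-timeout=10m protocol=tcp dst-port=5678 \
    src-address-list=knock-stage1 comment="knock 2, within 15s of knock 1"
# Winbox is accepted only while the source is on knock-ok; everything else to
# port 8291 is dropped and logged so failed attempts remain visible.
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address-list=knock-ok comment="winbox after a valid knock"
add chain=input action=drop protocol=tcp dst-port=8291 \
    log=yes log-prefix="winbox-denied" comment="no valid knock"
```

To follow AlainCasault's last suggestion, add src-address=&lt;your office IP&gt; (placeholder) to the "knock 1" rule so the sequence only works from that address.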
