
 
craigreilly
newbie
Topic Author
Posts: 42
Joined: Mon Jan 26, 2015 7:04 pm

Web Proxy Restrict

Thu Jun 13, 2019 8:30 pm

I have Web Proxy enabled.
src address is simply :: (as defaulted)

I have a NAT rule to redirect outbound 80 to 8080 for transparent.

When I go to a device not on the network and open browser address <external ip>:8080, it opens a proxy page saying error.

Is adding a filter rule the proper way here? Or should I be adding security to the WebProxy?
 
Sob
Forum Guru
Posts: 4631
Joined: Mon Apr 20, 2009 9:11 pm

Re: Web Proxy Restrict

Fri Jun 14, 2019 1:02 am

Filter rule sounds right, you probably don't want anything external connecting to your proxy. Even more, you probably don't want anything external connecting to your router at all, so it's usually better to block everything and only add exceptions for what you want to have open, which shouldn't be much (for example ports for VPN server, if you have one).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
craigreilly
newbie
Topic Author
Posts: 42
Joined: Mon Jan 26, 2015 7:04 pm

Re: Web Proxy Restrict

Fri Jun 14, 2019 9:58 pm

Phone Server...
Web Server that feeds data from our Oracle Server...
-- client connections to check our live inventory

And yep - that's it.

So - I have these in NAT rules - but I should put in Filter Rules as well?
Sorry - I did not configure this initially and am not well versed in Mikrotik.
 
Sob
Forum Guru
Posts: 4631
Joined: Mon Apr 20, 2009 9:11 pm

Re: Web Proxy Restrict

Fri Jun 14, 2019 10:51 pm

Traffic to router itself goes in chain=input. Traffic through router (both outgoing and incoming, forwarded ports included) goes in chain=forward.

I don't know what you have now, but simple firewall that only allows access from internet to forwarded ports can look like this:
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward

add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input protocol=icmp
add action=drop chain=input
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
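
To check what the rule set posted above does to the outside request for `<external ip>:8080`, the following added example (not part of the thread or of RouterOS) replays those rules with a simplified first-match model. The `WAN` list name, the packet dictionaries and the helper names are assumptions made for illustration.

```python
# Added example: first-match evaluation of the filter rules posted in the thread.
import shlex

RULES_TEXT = """\
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input protocol=icmp
add action=drop chain=input
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict of matchers plus an action."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def verdict(rules, packet):
    """Return the action of the first rule whose matchers all fit the packet."""
    for rule in rules:
        matchers = {k: v for k, v in rule.items() if k != "action"}
        if all(packet.get(k) in v.split(",") for k, v in matchers.items()):
            return rule["action"]
    return "accept"  # RouterOS accepts a packet that no filter rule matches

RULES = parse_rules(RULES_TEXT)
# Constructed packets (simplified model: one value per matcher property).
WAN_TO_PROXY = {"chain": "input", "connection-state": "new",
                "in-interface-list": "WAN", "protocol": "tcp"}
LAN_TO_PROXY = dict(WAN_TO_PROXY, **{"in-interface-list": "LAN"})
WAN_TO_FORWARDED_PORT = {"chain": "forward", "connection-state": "new",
                         "in-interface-list": "WAN", "protocol": "tcp",
                         "connection-nat-state": "dstnat"}
WAN_TO_INTERNAL_HOST = {"chain": "forward", "connection-state": "new",
                        "in-interface-list": "WAN", "protocol": "tcp"}

if __name__ == "__main__":
    for pkt in (WAN_TO_PROXY, LAN_TO_PROXY, WAN_TO_FORWARDED_PORT, WAN_TO_INTERNAL_HOST):
        print(pkt, "->", verdict(RULES, pkt))
```

The model ignores ports and addresses because none of the posted rules match on them; the proxy request is dropped by the final `chain=input` rule, not by anything specific to port 8080.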
