johann75
just joined
Topic Author
Posts: 6
Joined: Fri Jan 27, 2023 7:25 am

Limit access to the Management interface

Sun May 14, 2023 8:30 am

Hello, I am new to MikroTik and to routing and maybe do not understand something, but I thought the filter below should allow access to my CCR2116 only from the interface ether13, but I can access it with WinBox from all ports. I have tried different orders, with additional multiple lines and with lists for the same, but all the same. Whereas the same filter works on my RB750Gr3. Does anyone maybe know what my mistake is?
/ip firewall filter
# keep replies to connections the router itself started, and flows conntrack does not track
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# intended: anything not arriving on the management port is dropped
add action=drop chain=input in-interface=!ether13
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Limit access to the Management interface

Sun May 14, 2023 12:10 pm

Probably the order of the rules.
If it gets accepted before being dropped, that rule will never hit.
Clear all counters and see which rule gets activated.

Since you only show part of the config:
if playing with those rules (order or config), use Safe Mode or you may lock yourself out.

You could also turn things around (which is considered best practice around here):
allow explicitly what's needed, drop all the rest.
So input from TCP/8291 (if that's the port you use for WinBox) on ether13 -> allow.
Drop all other input on TCP/8291 (since ether13 will then already have been accepted).
Put those 2 rules first.
Last edited by holvoetn on Sun May 14, 2023 12:21 pm, edited 1 time in total.
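
The allow-then-drop pair and the counter check described above, written out as an added example. It is not from the thread or from any poster; it assumes WinBox is on its default TCP port 8291, that ether13 is the management port as in the question, and that the interface list name `management` is free. The `place-before` indexes and comments are mine.

```routeros
# Added example (not part of the thread). Assumes WinBox on TCP/8291 and
# ether13 as the management port. Run it from a terminal in Safe Mode
# (Ctrl+X) so a mistake is rolled back when the session drops.

/ip firewall filter
# 1. Accept WinBox only when it arrives on the management port. place-before=0
#    puts the rule at the top, ahead of the existing accept rules.
add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether13 \
    comment="WinBox from management port" place-before=0
# 2. Every other WinBox attempt is dropped, whatever port it came in on.
#    Index 1 is the slot directly below the rule just added.
add chain=input action=drop protocol=tcp dst-port=8291 \
    comment="WinBox from anywhere else" place-before=1

# Diagnose ordering: zero the counters, reconnect with WinBox from the port
# that should be blocked, then see which rule's packet counter moved.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=input

# Check before trusting the result: a WinBox session opened to the router's
# MAC address (the "Neighbors" tab) never passes through the IP firewall.
# Limit MAC-WinBox to an interface list that holds only the management port.
/interface list add name=management
/interface list member add list=management interface=ether13
/tool mac-server mac-winbox set allowed-interface-list=management
```

If the counters show the drop rule matching but WinBox still connects, the connection is not reaching the IP firewall at all; the MAC-server limit at the end is the first thing to check in that case.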
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: Limit access to the Management interface

Sun May 14, 2023 12:21 pm

Is ether13 a member of a bridge of which all other ports are a member too?
In that case you cannot limit access this way. The rule would need the name of the bridge as the in-interface, and it would match all bridge member ports.
Of course it is possible to implement a bridge filter, but I'm not sure that is the way you would want to go...
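
The bridge case pe1chl raises, as an added example that is not from the thread: while ether13 is a bridge port, the input chain sees `in-interface=bridge`, so `in-interface=!ether13` matches traffic from every bridge member, ether13 included. The fix shown here takes the port out of the bridge and gives it its own subnet; the bridge name `bridge` and the subnet 192.168.99.0/24 are assumptions.

```routeros
# Added example (not part of the thread). Assumed names: bridge "bridge",
# management subnet 192.168.99.0/24 on ether13. Do this from a session that
# came in on ether13, in Safe Mode: removing the port from the bridge drops
# any session that came in through the bridge.

# Show whether ether13 is a bridge port. If it is, the IP firewall never
# sees "ether13" as in-interface for packets from it.
/interface bridge port print where interface=ether13

# 1. Make ether13 a routed port of its own, outside the bridge.
/interface bridge port remove [find interface=ether13]
/ip address add address=192.168.99.1/24 interface=ether13 \
    comment="management port, not bridged"

# 2. The original rule now means what it says. It is appended after the
#    established/related, invalid and ICMP rules already in the chain.
/ip firewall filter add chain=input action=drop in-interface=!ether13 \
    comment="management only via ether13"

# Check: packets arriving on the bridge hit the drop rule's counter,
# packets arriving on ether13 do not.
/ip firewall filter print stats where chain=input
```

RouterOS also has an `in-bridge-port` matcher for the case where the port has to stay in the bridge, but a management port with its own routed interface and subnet is the simpler design and needs no bridge filter.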
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Limit access to the Management interface

Sun May 14, 2023 12:22 pm

Good remark.
A proper management interface should not be part of a bridge.

But we only see a very small part of the config so who knows if that's the case or not ...
 
johann75
just joined
Topic Author
Posts: 6
Joined: Fri Jan 27, 2023 7:25 am

Re: Limit access to the Management interface

Sun May 14, 2023 3:43 pm

No, it is not part of any bridge, and access from the WAN is dropped, but not from the LAN.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Limit access to the Management interface

Sun May 14, 2023 5:53 pm

If you want help in the future, provide the complete config (minus router serial#, any public WAN IP info, keys, etc.); many parts work in conjunction, so showing a snippet is often useless.

As for the input chain, it's quite simple what you need to do..

ROUTER Device
/ip firewall filter
# Input chain
# default rules
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# admin rules
add action=accept chain=input src-address-list=Admin
# NTP (123) and other services only if required
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


Where the firewall address list is comprised of all IPs the admin may be coming from: wired PC, wifi laptop, wifi iPad, etc., plus remoting in, let's say via WireGuard.
Only the admin needs complete access; users only need specific services.

If it's a switch behind a router, no firewall rules are needed, but you should have a management LAN or VLAN, and all smart devices get their IP from this subnet.
Let's say the management subnet is 192.168.88.0/24, VLAN 88, and the switch has an IP of 192.168.88.88.

Sorry, I only speak ROS
SWITCH Device
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
# mandatory: the management VLAN must be identified in /interface vlan - do not put any other VLANs here!!
add interface=bridgegym name=homeVlan vlan-id=88
/interface list
add name=management
/interface bridge port
add bridge=bridgegym ingress-filtering=yes interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
# added to the posted config: with vlan-filtering=yes, VLAN 88 must be in the VLAN table,
# tagged on the trunk and on the bridge itself, or homeVlan never receives traffic
add bridge=bridgegym tagged=ether1,bridgegym vlan-ids=88
/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management

/ip address
add address=192.168.88.88/24 interface=homeVlan network=192.168.88.0 comment="IP on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
# Note: done so all DNS requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.88.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 comment="ensures route avail through trusted subnet gateway"
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management


(ignore off-bridge; that is what I use to config devices when using bridges)
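
The router-side rules above hinge on `src-address-list=Admin`, which the post leaves empty. This added example, not from the thread or from anav, fills that list and adds the layer beneath the firewall: the WinBox and SSH services themselves refuse other source addresses, and the unused plaintext services are switched off. The admin addresses, the WireGuard subnet 10.10.10.0/24 and the service choices are assumptions.

```routeros
# Added example (not part of the thread). Assumed addresses: admin wired PC
# 192.168.88.10, admin laptop 192.168.88.11, WireGuard admin peers
# 10.10.10.0/24. The firewall rule "accept src-address-list=Admin" is only
# as tight as this list, so keep it to admin endpoints.

/ip firewall address-list
add list=Admin address=192.168.88.10 comment="admin wired PC"
add list=Admin address=192.168.88.11 comment="admin laptop (wifi)"
add list=Admin address=10.10.10.0/24 comment="WireGuard admin peers"

# Second layer, independent of rule order: the service only answers these
# sources. A misordered filter rule then still does not expose WinBox.
/ip service
set winbox address=192.168.88.0/24,10.10.10.0/24
set ssh address=192.168.88.0/24,10.10.10.0/24
# Plaintext or unused management services: off rather than filtered.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

# Verify both layers: list membership, and the address limits in force.
/ip firewall address-list print where list=Admin
/ip service print
```

Widening a service's `address=` to a whole subnet, as done for WinBox here, is deliberately looser than the address list; the filter rule is the one that decides per host, and the service limit is the safety net under it.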
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Limit access to the Management interface

Mon May 15, 2023 3:24 pm

johann75 wrote:
No, it is not part of any bridge, and access from the WAN is dropped, but not from the LAN.
Error 1) Apparently, from your non-export, you deleted the default config.
Error 2) You did not post the full export (censored) on the forum.
