Mikrotik
DVoropaev, 2020-06-18 23:10:54

Have I properly secured my Mikrotik?

Purpose: to prohibit access to the Mikrotik management services from the Internet, while leaving access from the local network. The Mikrotik is used as a home router, Wi-Fi is password-protected, and the account also has a password, so there are no threats from the local network.
To do this, I configured the firewall as follows:
[Image: 5eebc9f928651336086388.png]
bridge-local - all LAN interfaces.
ethernet1 - through this interface there is a connection to the provider.


2 answer(s)
Alexander Karabanov, 2020-06-18
@karabanov

Basically yes, but if you have no experience setting up a firewall, it makes more sense to use the default rules, since they are good in recent versions of RouterOS.

CityCat4, 2020-06-19
@CityCat4

No.
No, the task is solved: nothing will connect from the outside. Nothing at all.
That is:
- no DNS on Mikrotik
- no updates
- no VPN
Well, that is, no traffic at all comes from outside to INPUT :) Something like "chopping off your hand when you find a pimple".
Disable your super-rule and do something like:

/ip service
set telnet disabled=yes
set ftp address=10.5.2.0/24 port=19701
set www disabled=yes
set ssh address=10.5.2.0/24
set www-ssl address=10.5.2.0/24 certificate="RB450G cert with key" disabled=no port=19703
set api disabled=yes
set winbox address=10.5.2.0/24
set api-ssl certificate="RB450G cert with key"

where instead of 10.5.2.0/24 you use your own local network and your own port numbers (although you can leave these as well). This will disable telnet and http for you and close ssh, https and winbox. In addition, ftp and https will move to ports 19701 and 19703 respectively.
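
An added example (not part of the answer above and not MikroTik code): a small Python audit of the `/ip service` lines that reports which services stay enabled without a LAN-only `address=` restriction. It assumes export semantics, meaning a service is enabled and accepts any source address unless its line says otherwise; `parse_services` and `audit` are hypothetical helper names.

```python
import ipaddress
import shlex

# The /ip service lines from the answer above, copied verbatim.
EXPORT = '''\
/ip service
set telnet disabled=yes
set ftp address=10.5.2.0/24 port=19701
set www disabled=yes
set ssh address=10.5.2.0/24
set www-ssl address=10.5.2.0/24 certificate="RB450G cert with key" disabled=no port=19703
set api disabled=yes
set winbox address=10.5.2.0/24
set api-ssl certificate="RB450G cert with key"
'''

def parse_services(export):
    """Return {service: {property: value}} for each 'set' line of /ip service."""
    services, in_section = {}, False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip service"
        elif in_section and line.startswith("set "):
            # shlex keeps quoted values such as certificate="a b c" in one token
            name, *pairs = shlex.split(line)[1:]
            services[name] = dict(p.split("=", 1) for p in pairs)
    return services

def audit(services, lan):
    """Classify each service as 'disabled', 'restricted' or 'unrestricted'.
    Assumption: no disabled=yes means enabled; no address= means any source."""
    lan_net = ipaddress.ip_network(lan)
    result = {}
    for name, props in services.items():
        if props.get("disabled") == "yes":
            result[name] = "disabled"
            continue
        nets = [ipaddress.ip_network(a, strict=False)
                for a in props.get("address", "").split(",") if a]
        inside = nets and all(n.version == lan_net.version
                              and n.subnet_of(lan_net) for n in nets)
        result[name] = "restricted" if inside else "unrestricted"
    return result

if __name__ == "__main__":
    for name, state in audit(parse_services(EXPORT), "10.5.2.0/24").items():
        print(f"{name:8} {state}")
```

Under that assumption the audit lists `api-ssl` as unrestricted, because its line only sets a certificate; adding `address=` or `disabled=yes` to that line changes the result.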
