MikroTik - can't access webfig from external / can't SSH into router from external ip


Disable rules #2 and #3 and test again. Or you can make an exception for your SSH and WWW ports.

You are dropping all in traffic from ether1-gateway.

Rules #2 and #3 are practically the same. I recommend that you remove #2.


UPDATED REPLY

For making a secure router, changing ports isn't a best practice; it creates a false sense of security. However, it is an easy implementation.

How to secure open/redirect ports

/ip firewall filter add chain=input dst-port=22,80,443 in-interface=ether1-gateway protocol=tcp
/ip firewall filter add action=drop chain=input in-interface=ether1-gateway

PS: ether1-gateway is the WAN port; dst-port lists the ports that you would like to leave open. Put these filters in place of rules #2 and #3 on your MikroTik, and preserve this order!

And then, secure your passwords and connections, and actively analyse and control your failed/brute-force connection attempts:

  1. Use fail2ban on Linux systems, or anti-brute-force attack scripts -> Bruteforce login prevention
  2. Use long passwords, upper- and lowercase letters mixed with numbers
  3. Use secure connections like HTTPS and SSH, not Telnet or HTTP


Author: fizzy drink

Updated on September 18, 2022

Comments

  • fizzy drink (almost 2 years ago)

    Ok,

    here's the deal.

    Let's say that my public-facing IP is 10.0.0.1. I can't webfig into 10.0.0.1 from external and can't SSH into the MikroTik router from an external IP.

    I can do it if I am physically connected to the router (on the same lan). It allows me to webfig and SSH both either by using 10.0.0.1 or using 192.168.88.1.

    However, if I'm on a different LAN, I can't connect.

    BTW, I set my IP > Services > ports: for webfig it is 64291 and for SSH it is 23.

    Here's my firewall rules and NAT.

    RULES

    0 ;;; ALLOW ALL TO LAN
    chain=input action=accept connection-state=established,related,new in-interface=bridge-local log=no log-prefix=""
    
    1 ;;; ALLOW ICMP (Ping) ON ALL
    chain=input action=accept protocol=icmp log=no log-prefix=""
    
    2 ;;; Drop Everything Else
    chain=input action=drop log=no log-prefix=""
    
    3 ;;; default configuration
    chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
    
    4 ;;; default configuration
    chain=forward action=accept connection-state=established,related,new in-interface=bridge-local log=no log-prefix=""
    
    5 ;;; default configuration
    chain=forward action=drop connection-state=invalid log=no log-prefix=""
    
    6 ;;; default configuration
    chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
    

    NAT

    0 ;;; default configuration
    chain=srcnat action=masquerade to-addresses=X.X.X.X out-interface=ether1-gateway log=no log-prefix=""
    
    1 chain=dstnat action=dst-nat to-addresses=192.168.88.200 protocol=tcp dst-address=X.X.X.X dst-port=80 log=no log-prefix=""
    
    2 chain=srcnat action=src-nat to-addresses=X.X.X.X protocol=tcp src-address=192.168.88.0/24 log=no log-prefix=""
    
    3 chain=dstnat action=dst-nat to-addresses=192.168.88.200 to-ports=22 protocol=tcp dst-address=X.X.X.X dst-port=22 log=no log-prefix=""
    
    4 chain=srcnat action=src-nat to-addresses=192.168.88.200 to-ports=22 protocol=tcp src-address=192.168.88.0/24 log=no log-prefix=""
    
    5 chain=dstnat action=dst-nat to-addresses=192.168.88.1 protocol=tcp dst-address=X.X.X.X dst-port=23 log=no log-prefix=""
    
  • fizzy drink (over 9 years ago)
    Ok, that works. How can I now open only ports 23, 80, 443, and 64291 on that interface? Because right now, it is open to all?
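The answer's two replacement rules and the last comment's question both come down to one property of RouterOS filter chains: rules are evaluated top to bottom, the first rule whose matchers all hold decides the packet, and a chain with no match accepts. The following is an added example, not code from the thread or from MikroTik: a small Python first-match evaluator loaded with the input-chain rules quoted in the question (rules 0 to 3), the answer's replacement (accept TCP 22, 80, 443 from ether1-gateway, then drop the rest of the WAN), and the same pattern built with the ports named in the final comment (23, 80, 443, 64291). The interface names come from the thread; the packets are constructed, and the `shadowed` helper (an assumption of this example, not a RouterOS feature) reports rules that never get to decide anything, which is how a drop rule placed above its exception shows up.

```python
"""Added example: first-match evaluator for the RouterOS input-chain rules in
this thread (constructed teaching code, not the page's or MikroTik's own).
RouterOS evaluates filter rules top to bottom; the first rule whose matchers
all hold decides the packet, and a chain with no matching rule accepts."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

WAN = "ether1-gateway"   # WAN interface name used in the thread
LAN = "bridge-local"     # LAN bridge name used in the thread


@dataclass(frozen=True)
class Rule:
    comment: str
    action: str                                   # "accept" or "drop"
    in_interface: Optional[str] = None            # None = any interface
    protocol: Optional[str] = None                # None = any protocol
    dst_ports: Optional[FrozenSet[int]] = None    # None = any port
    conn_states: Optional[FrozenSet[str]] = None  # None = any state

    def matches(self, pkt: dict) -> bool:
        """Every specified matcher must hold; unspecified ones always hold."""
        if self.in_interface is not None and pkt["in_interface"] != self.in_interface:
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.dst_ports is not None and pkt.get("dst_port") not in self.dst_ports:
            return False
        if self.conn_states is not None and pkt["state"] not in self.conn_states:
            return False
        return True


def evaluate(rules, pkt: dict):
    """First match wins; an input chain with no match accepts (RouterOS default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "(no rule matched: chain default)"


def decide(rules, in_interface, protocol, dst_port=None, state="new") -> str:
    """Verdict only, for a constructed packet arriving at the router itself."""
    pkt = {"in_interface": in_interface, "protocol": protocol,
           "dst_port": dst_port, "state": state}
    return evaluate(rules, pkt)[0]


# Rules 0-3 of the question's input chain (forward-chain rules omitted).
ALLOW_LAN = Rule("ALLOW ALL TO LAN", "accept", in_interface=LAN,
                 conn_states=frozenset({"established", "related", "new"}))
ALLOW_ICMP = Rule("ALLOW ICMP", "accept", protocol="icmp")
DROP_ALL = Rule("Drop Everything Else", "drop")        # rule #2: no matchers at all
DROP_WAN = Rule("default configuration", "drop", in_interface=WAN)  # rule #3
ORIGINAL = [ALLOW_LAN, ALLOW_ICMP, DROP_ALL, DROP_WAN]


def wan_management_rules(ports):
    """The answer's replacement for rules #2 and #3: accept the listed TCP
    ports arriving on the WAN, then drop everything else arriving on the WAN."""
    return [
        ALLOW_LAN,
        ALLOW_ICMP,
        Rule("allow management from WAN", "accept", in_interface=WAN,
             protocol="tcp", dst_ports=frozenset(ports)),
        DROP_WAN,
    ]


ANSWER = wan_management_rules({22, 80, 443})               # ports from the answer
SERVICE_PORTS = wan_management_rules({23, 80, 443, 64291})  # ports from the last comment
MISORDERED = [ALLOW_LAN, ALLOW_ICMP, DROP_WAN, ANSWER[2]]   # drop above its exception


def shadowed(rules, probes):
    """Comments of rules that never decide any probe packet (assumes unique comments)."""
    hit = {evaluate(rules, p)[1] for p in probes}
    return [r.comment for r in rules if r.comment not in hit]


if __name__ == "__main__":
    probes = [  # constructed packets
        {"in_interface": WAN, "protocol": "tcp", "dst_port": 22, "state": "new"},
        {"in_interface": WAN, "protocol": "tcp", "dst_port": 8291, "state": "new"},
        {"in_interface": LAN, "protocol": "tcp", "dst_port": 22, "state": "new"},
        {"in_interface": WAN, "protocol": "icmp", "dst_port": None, "state": "new"},
    ]
    for name, rules in (("original", ORIGINAL), ("answer", ANSWER), ("misordered", MISORDERED)):
        print(f"== {name} ==")
        for p in probes:
            print(p["in_interface"], p["protocol"], p["dst_port"], "->", evaluate(rules, p))
        print("rules that never decide a probe:", shadowed(rules, probes))
```

Running it shows why the original set blocks WAN management: rule #2 has no matchers, so it decides every packet that rules 0 and 1 did not accept, and rule #3 is never reached. With the answer's ordering, the WAN accept rule must sit above the WAN drop rule; `MISORDERED` swaps them and the accept rule is reported as never deciding anything. One caveat the simulator leaves out: in the question's NAT table, rules 1 and 3 dst-nat TCP 80 and 22 on the public address to 192.168.88.200, and dst-nat runs before the routing decision, so those packets traverse the forward chain rather than input. The input rules above only govern ports that actually terminate on the router, which in this thread are 23 for SSH and 64291 for webfig.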