Excellent focused practical video. Besides the user list (not always in your face) I always use the input filter for security access. Every firewall input chain should migrate to:
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=<winbox-port> in-interface-list=trusted src-address-list=authorized
[ where one has added a trusted interface list and has a firewall address list: an admin-approved/authorized list of devices (the admin PC, laptop, iPad, smartphone via WireGuard, etc.) ]
Note for MAC access: ensure Tools > MAC Server > MAC WinBox interface list = "trusted"
In terms of the input chain, ensure other router services are available to LAN users (in-interface-list=LAN) as applicable, with dst-port= (DNS, NTP, etc.)
Then drop all else.
(note: make sure you change the WinBox port from the default)
(note: did you ever explain the open Cisco port? I missed it if you did)
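The input-chain policy the comment above sketches, written out as a complete RouterOS configuration. This is an added example, not the video's configuration and not the commenter's own script. Everything in it is assumed: ether1 is WAN, ether2 is the LAN port on 10.0.0.0/24, the WireGuard interface is wireguard1 with admins on 10.66.66.0/24 (RouterOS 7), WinBox is moved to port 58291, and the list names "LAN", "trusted" and "authorized" are chosen here.

```routeros
# Added example: hardening the input chain the way the comment describes.
# All interface names, addresses, ports and list names below are assumptions.

# Interface lists: "LAN" gets user-facing services, "trusted" is where
# management may come from. WireGuard counts as trusted because its peers
# are already cryptographically authenticated.
/interface wireguard add name=wireguard1 listen-port=13231
/interface list add name=LAN comment="internal ports"
/interface list add name=trusted comment="ports admins may manage the router from"
/interface list member add list=LAN interface=ether2
/interface list member add list=trusted interface=ether2
/interface list member add list=trusted interface=wireguard1

# The authorized devices. A source must be BOTH on a trusted interface AND in
# this list before the WinBox accept rule below matches.
/ip firewall address-list
add list=authorized address=10.0.0.10 comment="admin PC"
add list=authorized address=10.66.66.2 comment="admin phone via WireGuard"

# Belt and braces: move WinBox off 8291, bind the service to the admin
# subnets, and disable services that are not used at all.
/ip service set winbox port=58291 address=10.0.0.0/24,10.66.66.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# MAC-level WinBox/Telnet only from trusted ports (Tools > MAC Server).
# Layer-2 access bypasses the IP firewall, so this is not optional.
/tool mac-server set allowed-interface-list=trusted
/tool mac-server mac-winbox set allowed-interface-list=trusted

# Input chain, evaluated top-down. Add the accept rules before the final
# drop, and do the whole thing from a console session or with Safe Mode on.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=tcp dst-port=58291 in-interface-list=trusted src-address-list=authorized comment="WinBox: trusted port AND authorized source"
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard handshake from anywhere; peers are key-authenticated"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="DNS for LAN clients"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN comment="DNS over TCP for LAN clients"
add chain=input action=accept protocol=udp dst-port=123 in-interface-list=LAN comment="NTP for LAN clients"
add chain=input action=accept protocol=icmp in-interface-list=LAN comment="ping from inside only"
add chain=input action=drop comment="everything else, including DNS/NTP/WinBox from WAN"
```

The DNS and NTP rules carry in-interface-list=LAN so the resolver the router runs for internal users is not reachable from the WAN, which is what keeps the router out of DNS amplification attacks even though port 53 is "open" for the LAN. Before saving, verify from an unlisted LAN host that WinBox on 58291 is refused, and from an authorized host that it still works.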
The video you made is very easy to understand and good for knowledge.
Thank you very much, good luck.
Mr. Maher,
I commented on your VRRP configuration video. Be patient,
Mr. Maher, please explain:
if the R1 or R2 router uplink goes down, what happens?
How is this made redundant?
For this you need a script. I explained it and did a LAB about it on this course: mynetworktraining.com/p/vrrp-on-mikrotik-with-load-balancing-failover
Changing standard port to something else won't help you with security. It will only make it harder to yourself.
Close all but necessary ports, use port knocking, use complex passwords...
Hi there, please make a tutorial video about how to disable or block unnecessary ports on the MikroTik firewall for more security. How can we have a MikroTik with a minimum of ports open, and in future, if we need a special port, open it manually? Thanks.
There is no need to block ports. None are open unless you enable them to be open, by the Services Menu which Maher showed how to limit and if you require some ports for VPN, not an issue normally and further any ports you open for dst-nat (port forwarding). The first two are not an issue but the latter one can be problematic, especially because any such ports are visible on scans, they appear CLOSED but VISIBLE! Your best bet is for users to VPN to your router to gain access to services/devices. Barring that, limit access to known public IPs or dyndns names that your users can get for free, and thus dst-nat is limited by source-address list. A key unknown fact is that with source address in the dst-nat rule, ports are NOT visible on scans. Any port forwarding access should only be done encrypted by some means (https ftps) to protect username and password and preferably a layer on top of that by some means of 2F authentication (could be radius server). Even better if the server software can handle successive incorrect logins, and if not I think this is one area where the MT may be able to assist but beyond my scope.
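The dst-nat pattern the comment above recommends, as an added example that is not part of the original thread: a port forward to an internal HTTPS server that only exists for sources on an address list, a forward-chain rule that admits nothing else that was dst-nat'd, and, for the "successive incorrect logins" point, the staged address-list throttle that RouterOS can apply to repeated new connections. Assumed here: interface list "WAN", internal server 10.0.0.20, list names "remote_users", "https_stage1", "https_stage2" and "https_blacklist", and the sample source addresses.

```routeros
# Added example: dst-nat limited by source address list, plus a connection
# throttle. Interface list "WAN", the server 10.0.0.20, the list names and the
# sample addresses are all assumptions.

# Who may reach the forwarded service. A DNS name is resolved by the router
# and refreshed, so a user's free dyndns name works here as well as a static IP.
/ip firewall address-list
add list=remote_users address=203.0.113.7 comment="branch office static IP"
add list=remote_users address=home.example.dyndns.org comment="DDNS name, resolved by RouterOS"

# Translate only when the source is on the list. Packets from anyone else are
# never translated, so they fall through to the input chain's final drop.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 src-address-list=remote_users to-addresses=10.0.0.20 to-ports=443 comment="HTTPS to internal server, listed sources only"

/ip firewall filter
add chain=forward action=accept connection-state=established,related

# Throttle: each NEW connection from a source advances it one stage; a third
# new connection inside a minute puts the source on a 1-day blacklist.
# add-src-to-address-list passes the packet through to the next rule.
add chain=forward action=drop protocol=tcp dst-address=10.0.0.20 dst-port=443 connection-state=new src-address-list=https_blacklist comment="source exceeded its attempt budget"
add chain=forward action=add-src-to-address-list address-list=https_blacklist address-list-timeout=1d protocol=tcp dst-address=10.0.0.20 dst-port=443 connection-state=new src-address-list=https_stage2
add chain=forward action=add-src-to-address-list address-list=https_stage2 address-list-timeout=1m protocol=tcp dst-address=10.0.0.20 dst-port=443 connection-state=new src-address-list=https_stage1
add chain=forward action=add-src-to-address-list address-list=https_stage1 address-list-timeout=1m protocol=tcp dst-address=10.0.0.20 dst-port=443 connection-state=new

# Only the translated, listed-source traffic is forwarded; any other dst-nat'd
# flow (a forward someone adds later without a source restriction) is dropped.
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN protocol=tcp dst-address=10.0.0.20 dst-port=443 src-address-list=remote_users
add chain=forward action=drop connection-nat-state=dstnat in-interface-list=WAN comment="no other port forwards"
```

The throttle counts TCP connection attempts, not failed logins: the router cannot see inside TLS, so it cannot tell a wrong password from a right one. The three-in-a-minute budget above is for illustration; browsers open several connections per page, so for HTTPS raise the stages or lengthen the window, whereas for single-connection protocols such as SSH the tight budget is appropriate. Password and 2FA checks still belong on the server or a RADIUS backend.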
Peace be upon you, brother. I have 12 lines that I want to merge (bridge type).
What about port 53 for DNS? Thanks
if your router needs to connect to the internet and provide DNS to internal users, you need to keep the DNS port open.
Hello Sir, how can we disable Dude access to the MikroTik?
You mean The Dude accessing the router? Limit access to port 8291.
Peace be upon you.
Your brother from Saudi Arabia; could I have your number?
I have a problem with server 1036 and topology.
info@mynetworktraining.com