
Ok,

here's the deal.

Let's say that my public-facing IP is 10.0.0.1. I can't WebFig into 10.0.0.1 from outside and can't SSH into the MikroTik router from an external IP.

I can do it if I am physically connected to the router (on the same LAN). It allows me to WebFig and SSH, either by using 10.0.0.1 or by using 192.168.88.1.

However, if I'm on a different LAN, I can't connect.

BTW, in IP > Services I set the port for WebFig to 64291 and SSH to 23.

Here's my firewall rules and NAT.

RULES

0 ;;; ALLOW ALL TO LAN
chain=input action=accept connection-state=established,related,new in-interface=bridge-local log=no log-prefix=""

1 ;;; ALLOW ICMP (Ping) ON ALL
chain=input action=accept protocol=icmp log=no log-prefix=""

2 ;;; Drop Everything Else
chain=input action=drop log=no log-prefix=""

3 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""

4 ;;; default configuration
chain=forward action=accept connection-state=established,related,new in-interface=bridge-local log=no log-prefix=""

5 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""

6 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""

NAT

0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=X.X.X.X out-interface=ether1-gateway log=no log-prefix=""

1 chain=dstnat action=dst-nat to-addresses=192.168.88.200 protocol=tcp dst-address=X.X.X.X dst-port=80 log=no log-prefix=""

2 chain=srcnat action=src-nat to-addresses=X.X.X.X protocol=tcp src-address=192.168.88.0/24 log=no log-prefix=""

3 chain=dstnat action=dst-nat to-addresses=192.168.88.200 to-ports=22 protocol=tcp dst-address=X.X.X.X dst-port=22 log=no log-prefix=""

4 chain=srcnat action=src-nat to-addresses=192.168.88.200 to-ports=22 protocol=tcp src-address=192.168.88.0/24 log=no log-prefix=""

5 chain=dstnat action=dst-nat to-addresses=192.168.88.1 protocol=tcp dst-address=X.X.X.X dst-port=23 log=no log-prefix=""
fizzy drink

1 Answer


Disable rules #2 and #3 and test again. Or you can make an exception for your SSH and WWW ports.

You are dropping all inbound traffic from ether1-gateway.

Rules #2 and #3 are practically the same. I recommend that you remove #2.


UPDATED REPLY

For securing a router, changing ports isn't a best practice; it creates a false sense of security. However, it is an easy implementation.

How to secure open/redirect ports

# accept only the listed TCP ports on the WAN interface (action=accept is the RouterOS default, written out here for clarity)
/ip firewall filter add chain=input action=accept dst-port=22,80,443 in-interface=ether1-gateway protocol=tcp
# drop every other packet arriving on the WAN interface; this must come after the accept rule
/ip firewall filter add action=drop chain=input in-interface=ether1-gateway

PS: ether1-gateway is the WAN port, and dst-port lists the ports you would like to leave open. Put these filters in place of rules #2 and #3 on your MikroTik, and preserve this order!

And then, secure your passwords and connections, and actively analyse and control your failed/brute-force connection attempts:

  1. Use fail2ban on Linux systems, or anti-brute-force scripts -> Bruteforce login prevention
  2. Use long passwords, upper and lower case mixed with numbers
  3. Use secure connections like HTTPS and SSH, not Telnet or HTTP
gilito
  • Ok, that works. How can I now open only ports 23, 80, 443, and 64291 on that interface? Because right now it is open to all? – fizzy drink Mar 17 '15 at 13:47
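As an added example (not part of the original question or answer), here is the complete input chain the answer describes, filled in with the ports the follow-up comment asks about (23 for SSH and 64291 for WebFig from the question, plus 80 and 443 from the answer), and extended with the staged address-list brute-force protection the answer's item 1 refers to. It assumes the WAN interface is ether1-gateway and the LAN bridge is bridge-local, as in the posted rules; the list names (mgmt_stage1..3, mgmt_blacklist) and timeouts are chosen here and are not from the page.

```routeros
# Added example: input chain for the poster's router.
# Assumed: WAN = ether1-gateway, LAN = bridge-local, router services on TCP 23, 80, 443, 64291.
/ip firewall filter

# 1. Sources already blacklisted are dropped before any other processing.
add chain=input action=drop src-address-list=mgmt_blacklist comment="drop blacklisted sources"

# 2. Replies to connections the router itself opened, anything from the LAN, and ping.
add chain=input action=accept connection-state=established,related comment="established/related"
add chain=input action=accept in-interface=bridge-local comment="allow all from LAN"
add chain=input action=accept protocol=icmp comment="allow ICMP"

# 3. Staged detection of repeated new connections to the management ports.
#    add-src-to-address-list does not stop rule processing, so a single new
#    connection advances a source by exactly one stage; the stages are listed
#    highest first so one packet cannot climb several stages at once.
#    Four new connections within one minute put the source on the blacklist for 10 days.
add chain=input protocol=tcp dst-port=23,64291 connection-state=new src-address-list=mgmt_stage3 action=add-src-to-address-list address-list=mgmt_blacklist address-list-timeout=10d comment="stage3 -> blacklist"
add chain=input protocol=tcp dst-port=23,64291 connection-state=new src-address-list=mgmt_stage2 action=add-src-to-address-list address-list=mgmt_stage3 address-list-timeout=1m comment="stage2 -> stage3"
add chain=input protocol=tcp dst-port=23,64291 connection-state=new src-address-list=mgmt_stage1 action=add-src-to-address-list address-list=mgmt_stage2 address-list-timeout=1m comment="stage1 -> stage2"
add chain=input protocol=tcp dst-port=23,64291 connection-state=new action=add-src-to-address-list address-list=mgmt_stage1 address-list-timeout=1m comment="new -> stage1"

# 4. The answer's accept rule, with the ports from the follow-up comment.
add chain=input action=accept protocol=tcp dst-port=23,80,443,64291 in-interface=ether1-gateway comment="allow listed ports from WAN"

# 5. Everything else arriving from the WAN is dropped; the final rule catches any other interface.
add chain=input action=drop in-interface=ether1-gateway comment="drop other WAN input"
add chain=input action=drop comment="drop everything else"
```

Two things to keep in mind when applying this to the posted configuration. First, the input chain only governs traffic addressed to the router itself; the dst-nat rules that forward ports 80 and 22 to 192.168.88.200 are handled in the forward chain, where rule 6 already lets dst-nat'd connections through via `connection-nat-state=!dstnat`. Second, the staged rules must sit above the accept rule for the same ports, and the blacklist drop must sit above everything, otherwise a source is accepted before it is counted; check with `/ip firewall address-list print` that repeated failed logins actually accumulate in the lists before relying on them.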