Mikrotik Howto block Winbox Discovery + Limit Winbox Access

To hide your mikrotik from being appearing in WINBOX scan neighbor list, & to limit WINBOX access from your specific IP address or admin PC only,
Use the Following.
To disable winbox access using mac address you have to disable mac-server on the NIC
Go to Tools -> MAC Server
Click on the WinBox Interfaces Tab
By default this is set to all
You can add specific interfaces, and disable the all entry
OR using CLI, use the following command

1 2 3 4

/tool mac-server add disabled=yes interface=all /tool mac-server ping set enabled=no

Or disable MAC Discovery for all interfaces by using following

1 2 3 4

/ip firewall filter add action=drop chain=input comment="Block mikrotik discovery/zaib" disabled=no dst-port=5678 protocol=udp add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6

The above rules will disable Mikrotik discovery via winbox, and also it will allow 192.168.2.6 to access Mikrotik. Make sure to change this ip address to match your management pc ip.
You can also disable Network Neighbor Discovery on the interface to which your network users are connected
Example:

1	/ip neighbor discovery set ether1 discover=no

TIP:
I recommend to block all UN-necessary services like www , ftp, ssh. Also do change the WINBOX Default port via IP > Services console just to make mikrotik more secure and allow only specific IP Address to be able to connect to Mikrotik via winbox

Regard’s
Naveed Ahmad

Please Give Us Your 1 Minute In Sharing This Post!

SOCIALIZE IT → ,

Tweet

,

FOLLOW US →

SHARE IT →