To hide your MikroTik from appearing in the WinBox neighbor scan list, and to limit WinBox access to your specific IP address or admin PC only, use the following.
To disable WinBox access by MAC address, you have to disable the MAC server on the NIC:
Go to Tools -> MAC Server.
Click on the WinBox Interfaces tab.
By default this is set to "all".
You can add specific interfaces and disable the "all" entry.
Or, using the CLI, use the following commands:
```
/tool mac-server add disabled=yes interface=all
/tool mac-server ping set enabled=no
```
```
/ip firewall filter
add action=drop chain=input comment="Block mikrotik discovery/zaib" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6
```
You can also disable Network Neighbor Discovery on the interface to which your network users are connected.
Example:
```
/ip neighbor discovery set ether1 discover=no
```
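To confirm that the firewall rules above are actually present on a router, the following added example (not part of the original post) checks the text of an `/export` for the three drop rules. The function names and the sample export are constructed for illustration, and the parser assumes the plain `key=value` rule format shown in this post.

```python
import re
import shlex

# Constructed /export excerpt (not from a real router); the udp/20561 rule is left out on purpose.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=drop chain=input comment="Block mikrotik discovery" dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY \
    PC" dst-port=8291 protocol=tcp src-address=!192.168.2.6
/ip neighbor discovery
set ether1 discover=no
'''

# (protocol, port, label) for the three drop rules listed in the post
REQUIRED = [("udp", "5678", "MikroTik discovery"),
            ("udp", "20561", "MAC WinBox"),
            ("tcp", "8291", "WinBox")]

def filter_rules(export_text):
    """Return every `add` line under /ip firewall filter as a dict of its key=value pairs."""
    text = re.sub(r"\\\n\s*", "", export_text)  # join backslash-continued lines
    menu, rules = "", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu == "/ip firewall filter" and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append(dict(pairs))
    return rules

def audit(export_text, admin_ip):
    """List the expected drop rules that are missing or not tied to admin_ip."""
    findings = []
    for proto, port, label in REQUIRED:
        hits = [r for r in filter_rules(export_text)
                if r.get("chain") == "input" and r.get("action") == "drop"
                and r.get("disabled", "no") == "no" and r.get("protocol") == proto
                and port in r.get("dst-port", "").split(",")]
        if port == "8291":  # the WinBox rule must exempt only the admin PC
            hits = [r for r in hits if r.get("src-address") == "!" + admin_ip]
        if not hits:
            findings.append(f"no input drop rule for {label} ({proto}/{port})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, "192.168.2.6"):
        print(finding)
```

The check only looks for the presence of each rule; it does not evaluate rule order, so an earlier accept rule in the input chain still has to be reviewed by hand.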
TIP:
I recommend blocking all unnecessary services such as www, ftp and ssh. Also change the default WinBox port via the IP > Services console to make the MikroTik more secure, and allow only specific IP addresses to connect to the MikroTik via WinBox.
Regards,
Naveed Ahmad
Nice info... I use MikroTik for my server