Fortify Your MikroTik Router against Hackers with Effective Hardening Techniques

  • Published: 19 Aug 2024

Comments • 97

  • @TheNetworkBerg  1 year ago +15

    Hey Guys,
    Are there any other things that you think a person should do that would be considered "Best Practice" when securing your MikroTik device? Feel free to let me know. Below is a list of reference material that you can use with this video to better understand certain topics:
    MT Getting Started:
    ruclips.net/video/rwjtRLQjMjA/видео.html
    MT Firewall Chains:
    ruclips.net/video/NXvHdZbAuTI/видео.html
    MT IP Services:
    ruclips.net/video/4ukLECgehzY/видео.html
    MT RSA Keys:
    ruclips.net/video/8tt7fSvdFRM/видео.html
    MT VPN Options:
    ruclips.net/video/BABdoECvP1I/видео.html
    MT Wireguard:
    ruclips.net/video/P6f8Qc4EItc/видео.html
    MT Zerotier:
    ruclips.net/video/eFI59jJ2MM8/видео.html

    • @tonygoddard4977  1 year ago +2

      For us novices, would you be able to do a video that works on the default firewall rules that you get and builds on that?

    • @TheNetworkBerg  1 year ago +2

      @tonygoddard4977 That's a great idea, Tony. I'll add that to my list of videos that I want to make.

  • @patriklindahl4991  1 year ago +30

    I have a script that converts firehol level 1 and 2 IP block lists into MikroTik IP lists. They are automatically updated each night. Then I use those lists to block from WAN. I have also segmented my network into different VLANs depending on the users/servers/devices they serve. The router has explicit allow rules for the usage each VLAN requires, blocking the rest. My management network is only accessible physically from the locked server room or by a VPN tunnel from selected VLANs. Password manager for passwords. Always password-protect keys. Each month I have a reminder to go through and update the software/firmware on relevant devices.
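
An added example, not the commenter's script and not from the video: the router side of a nightly blocklist refresh on RouterOS 7. It assumes that a host off the router converts the firehol netset into an importable `.rsc` file in which every line reads `/ip firewall address-list add list=firehol_new address=<prefix>` (comment lines dropped) and serves it over HTTPS at the URL below. The URL, file name, list names, script policy set and the 1000-entry sanity threshold are assumptions, and `check-certificate=yes` needs the server's CA imported under `/certificate`.

```routeros
# Nightly fetch of a pre-converted firehol list, loaded into a staging list and then
# swapped in, so the live list is never empty while the import runs.
# URL, file name, list names and policy set are assumptions for this example.
/system script add name=firehol-update policy=read,write,ftp,test source={
    :local url "https://lists.example.invalid/firehol_level1.rsc"
    :local fname "firehol_level1.rsc"

    :do {
        /tool fetch url=$url dst-path=$fname mode=https check-certificate=yes
    } on-error={
        :log error "firehol-update: fetch failed, keeping the current list"
        :error "fetch failed"
    }

    # Rebuild the staging list from the downloaded file
    /ip firewall address-list remove [find list=firehol_new]
    /import file-name=$fname

    # Refuse a truncated or empty download (threshold is an assumption; level1 has thousands of prefixes)
    :local count [:len [/ip firewall address-list find list=firehol_new]]
    :if ($count < 1000) do={
        /ip firewall address-list remove [find list=firehol_new]
        :log error ("firehol-update: only " . $count . " prefixes imported, live list left untouched")
        :error "suspiciously small list"
    }

    # Swap: drop the old live entries, promote the staging entries
    /ip firewall address-list remove [find list=firehol]
    /ip firewall address-list set [find list=firehol_new] list=firehol
    /file remove [find name=$fname]
    :log info ("firehol-update: " . $count . " prefixes now active")
}

/system scheduler add name=firehol-nightly interval=1d start-time=03:15:00 on-event=firehol-update policy=read,write,ftp,test

# Drop listed sources on WAN ingress before connection tracking sees them.
# The WAN interface list exists in the default configuration.
/ip firewall raw add chain=prerouting in-interface-list=WAN src-address-list=firehol action=drop comment="firehol sources, dropped pre-conntrack"

# First run and check
/system script run firehol-update
/ip firewall address-list print count-only where list=firehol
```

The raw rule runs before connection tracking, so listed sources cost almost nothing per packet. firehol level1 also contains RFC 1918 and other bogon space, so match the list only against the source address on WAN ingress; applied to destinations, or on the forward chain, it would cut LAN hosts off.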

  • @dirkcoduplessis8351  1 year ago +16

    As a general rule, use REJECT when you want the other end to know the port is unreachable; use DROP for connections to hosts you don't want people to see.
    Usually, all rules for connections inside your LAN should use REJECT. For the Internet, with the exception of ident on certain servers, connections from the Internet are usually DROPPED.
    Using DROP makes the connection appear to be to an unoccupied IP address. Scanners may choose not to continue scanning addresses which appear unoccupied.

    • @xenonbart5526  1 year ago

      While true, scanners, being automated, may also choose to keep trying, which essentially can turn into a DoS attack, or DDoS if multiple scanners keep trying.

    • @AlexanderNecheff  7 months ago

      I also like to use DROP on Internet facing firewalls because there is a noticeable performance impact otherwise.

    • @ngochuybk  11 days ago

      I usually route the port to the unreal IP. I route the port 22, 80, 21,... to 10.0.0.1, which doesn't exist in my network 😂
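
The DROP-on-WAN / REJECT-on-LAN split from the thread above, as an added input chain for RouterOS 7 (example configuration, not from the video). It also covers the management-access points raised elsewhere on this page: only addresses in a `Management` list reach router services, LAN clients get DNS and NTP, and everything else arriving on WAN, TCP/8291 included, is dropped. The interface members, the admin host 172.16.0.10 and the WireGuard port 13231 are assumptions; the `WAN` and `LAN` interface lists already exist in the default configuration, so skip the two `add name=` lines on a default box.

```routeros
# Interface lists (skip the two "add name=" lines if they already exist);
# ether1 as uplink and "bridge" as the LAN bridge are assumptions.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

# Hosts allowed to reach router services. Add the VPN peer range if admins come in over a tunnel.
/ip firewall address-list add list=Management address=172.16.0.10 comment="admin workstation (assumed)"

# Anti-spoofing: management addresses are internal, so they can never legitimately arrive on WAN.
/ip firewall raw add chain=prerouting in-interface-list=WAN src-address-list=Management action=drop comment="spoofed management source on WAN"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="replies to traffic the router itself started"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=13231 comment="WireGuard listen port (assumed); omit if no VPN"
add chain=input action=accept src-address-list=Management comment="admins reach WinBox, SSH and WebFig"
add chain=input action=accept in-interface-list=LAN protocol=icmp comment="ping the router from LAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="router as DNS resolver for LAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=123 comment="router as NTP server for LAN"
# LAN side: answer with an ICMP error so a misconfigured client fails at once instead of retrying
add chain=input action=reject reject-with=icmp-port-unreachable in-interface-list=LAN comment="everything else from LAN"
# WAN side: answer with nothing; to a scanner the port looks like it belongs to an unused address
add chain=input action=drop in-interface-list=WAN comment="everything else from WAN, TCP/8291 included"
add chain=input action=drop comment="interfaces in neither list"

# Verify the order and the counters after a scan from outside
/ip firewall filter print stats where chain=input
```

`add` appends after any rules already in the chain, so apply this to a fresh ruleset or use `place-before=` to keep the drop rules last; a pre-existing "accept all from LAN" rule above these would make the reject line unreachable.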

  • @constantin286  1 year ago +5

    Thank you, as always, for another good tutorial. Re: hardening, you could also consider setting up progressively longer timeouts for failed SSH connection attempts (see the MikroTik blog; basically, compile failed-connection-attempt IPs and ban them for longer and longer). That reduces opportunities for brute-forcing. The blog over at MikroTik also suggests turning off WinBox in production environments, presumably because SSH is a more secure way to administer the gateway. If using the web interface is desirable, then upgrading that to HTTPS and turning off the HTTP option is pretty much a must.
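
The escalating ban the comment describes, as an added example for RouterOS 7 (it follows the address-list-with-timeout pattern of the MikroTik wiki's brute-force prevention rules, not any script from the video). It counts new TCP connections to SSH and WinBox arriving from WAN rather than failed logins, so admin sources must be accepted before it, or an admin opening a few sessions in a minute bans their own workstation. The `Management` list, the stage timeouts and the port pair are assumptions.

```routeros
# Admin sources accepted first so they never enter the staging lists (address is an assumption)
/ip firewall address-list add list=Management address=172.16.0.10 comment="admin workstation (assumed)"

/ip firewall filter
add chain=input action=accept src-address-list=Management comment="admins bypass the staging rules"

# Order matters: the drop for banned sources comes first. The add-src-to-address-list rules
# only record the source and let the packet continue, and because they are listed from the
# highest stage down, one new connection advances a source exactly one stage.
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=22,8291 src-address-list=ssh_blacklist comment="banned brute-forcers"
add chain=input action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=7d in-interface-list=WAN protocol=tcp dst-port=22,8291 connection-state=new src-address-list=ssh_stage3 comment="4th attempt within the window: 7 day ban"
add chain=input action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h in-interface-list=WAN protocol=tcp dst-port=22,8291 connection-state=new src-address-list=ssh_stage2 comment="3rd attempt: remembered 1h"
add chain=input action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m in-interface-list=WAN protocol=tcp dst-port=22,8291 connection-state=new src-address-list=ssh_stage1 comment="2nd attempt: remembered 10m"
add chain=input action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m in-interface-list=WAN protocol=tcp dst-port=22,8291 connection-state=new comment="1st attempt: remembered 1m"

# Only if SSH really has to be reachable from WAN; otherwise leave this out and reach it over the VPN
add chain=input action=accept in-interface-list=WAN protocol=tcp dst-port=22 comment="SSH from WAN, rate-limited by the stages above"

# Watch it work: sources climbing the stages, and the login failures the router logged
/ip firewall address-list print where list~"^ssh_"
/log print where message~"login failure"
```

Each stage window is longer than the one before it (1m, 10m, 1h, then a 7-day ban), so a slow scanner that spaces attempts by minutes still reaches the blacklist, while a single mistyped connection from an unknown address only lingers for a minute. The stages expire independently, so a source that goes quiet for a week starts over.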

  • @w0ble  1 year ago +2

    A good rule of thumb is to block everything and explicitly allow only what you need. That way it's visible what has access to what.

  • @thefixitgal  1 year ago +5

    Thank you

    • @TheNetworkBerg  1 year ago +2

      Your MikroTik content is also great, Sarah. You do a lot more cool "hands-on" labs, and I actually love seeing you do teardowns of the hardware and go through what's ticking inside. But thank you for the nice compliment.

    • @drumaddict89  1 year ago

      Haha, definitely. TNB just rocks with his MT videos.

    • @thefixitgal  1 year ago

      @TheNetworkBerg I'm no longer posting on Facebook. I hope you can fill the void and start posting your tutorials in the WISP/FISP groups. There are a lot of new WISP operators lacking understanding. They need someone like you! I just can't operate on there anymore. It's not healthy for me.

    • @TheNetworkBerg  1 year ago

      ​@@thefixitgal I'm not active on any facebook or reddit groups either. I only post on my own page now. What I found when using groups was that my posts would either not get approved or just be seen as spam and receive the most random messages critiquing stuff like my accent.

  • @maurabbit  1 year ago +1

    Thanks again, buddy. Thanks to you I discovered version 7, unreal man, thanks very much for all your tips.

  • @Fozzie-Bear  2 months ago

    Thanks for the many videos, certainly making my adventure into Mikrotik a lot easier.

  • @mrd4233  1 year ago +2

    Awesome demo and tips! Your channel and your presentation skills on networking stuff rock, man! Thanks!

    • @TheNetworkBerg  1 year ago +1

      I really appreciate that, thanks for the nice feedback :D!

  • @davidwood1641  1 year ago +1

    Awesome! Super helpful for home users on a budget...

  • @pierpaolocarone5783  2 months ago +1

    Thanks.

  • @cgolebio  1 year ago +2

    Good video. Have a question… how about physical port security, like if you have security cameras or other fixed hardware and you don't want someone to just unplug a port and plug in just anywhere. Generally I've seen MAC binding as something basic; even though it can be spoofed, it's at least something… if there are other, more secure suggestions, that'd be cool to go over as well.

  • @user-bf1cm2jm5h  6 months ago +1

    Good review.
    Only one comment: I generally drop the packet, because a reject gives a response, which is information.

  • @muhitshalgimbaev6602  1 year ago +1

    Greetings from Kazakhstan👍

  • @toxmaster1  1 year ago +1

    Nice video. You should make some comments about the default MikroTik firewall rules.

  • @trexx_media  1 year ago +1

    Love from India.

  • @MOOOS-REWFEWETRGTEerTGTRGRHRHR  2 months ago

    You can also accept all input from the IPs of MGMT-range, then set another rule to finally drop all remaining packets, without designating any in/out interface.

  • @asarkhan1933  7 months ago

    Hello, I was wondering if you could help me understand what split tunneling is and how to configure it. Please create a video. I really like your videos, and they are very easy for me to understand. Your explaining is very unique.

  • @navigk4404  4 months ago +1

    Thanks!

  • @marjoni  1 year ago +1

    Good job

  • @watangi  11 months ago +1

    Duplicate MAC address "phones" for MikroTik active. What is the solution, please?

  • @JaZzDeOliveira  1 year ago +1

    I tend to add port-knock security to my device for management logins.

  • @technik4486  1 year ago

    You are great. Thanks.

  • @bartomiejsikora910  1 year ago +1

    We want to know how to firewall in detail. Ty for the awesome vids.

    • @TheNetworkBerg  1 year ago +4

      I will definitely deep-dive more specifically into the firewall itself and other security features we have available on MikroTik.

  • @didzisuzulins2092  10 months ago

    There are 2 better ways to copy your SSH public key to a remote host.
    1. The Linux command "ssh-copy-id". I haven't tested it with MikroTik, but it's the correct way to install an SSH key into a remote host's ~/.ssh/authorized_keys file.
    2. The Linux command "scp", which is also bundled with the "ssh" command on every Linux distro. It works the same way as the "ssh" command (most parameters match the parameters of the "ssh" command), so you won't have to expose your password in videos.

  • @n56241  1 year ago

    Nice vid, thanks, mate.

  • @cybervlado  1 year ago

    Thank you for all this information that you share. I appreciate this! Can you show how to upgrade packages automatically with some script?

  • @n56241  1 year ago

    Nice tip for rejecting ICMP. How do I enable ping from the MikroTik? Now this rule only allows pinging from LAN > to the internet, but the MikroTik router is not allowed to ping from the terminal?

  • @FunnyTukums  7 months ago +1

    Since MikroTik deployed the Back-To-Home feature (based on WireGuard), there is no reasonable option to use another secure access method to your MikroTik.

    • @FunnyTukums  7 months ago

      WireGuard is an absolutely secure VPN for remote access to the MikroTik.

    • @TheNetworkBerg  7 months ago +1

      If you plan on creating an access list with WireGuard (BTH) being a part of that management list, restricting access based on that makes complete sense. It does, however, not invalidate many of the best practices described in this video, like upgrading your firmware etc.

    • @FunnyTukums  7 months ago

      Hackers need to discover the IP address, and they do not have the peer public key. And WG presence is not scannable until the public key has been sent to the peer....

  • @walden_  1 year ago +1

    Did you cover how to disable any sort of ssh login if the keys don't match? You mentioned that as a possibility, but I don't think it was covered. I love using keys so I don't have to type my password, but keeping people out who don't have the keys would be nice.

    • @TheNetworkBerg  1 year ago

      The method I demonstrated should do this automatically. If anyone without the SSH key tries to SSH onto the router, they will not be able to connect. They can type in the username and password (even with it being correct) and access will be denied.

    • @walden_  1 year ago

      @TheNetworkBerg Oh ok, cool. I'll test it out. Thanks.
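
Key-based login end to end, as an added example (not the video's own steps), tying together the `scp` suggestion earlier in the thread and the question just above about refusing password logins. RouterOS keeps user keys in its own `/user ssh-keys` table rather than in `~/.ssh/authorized_keys`, so `ssh-copy-id` has nothing to append to: upload the public key file (with `scp`, or via Files in WinBox) and import it. The account name, key file name and router address are assumptions; RSA user keys are accepted by every RouterOS version, Ed25519 user keys only by the 7.x releases whose changelog lists them.

```routeros
# Upload the public key first, from the workstation (not on the router), e.g.
#   scp ~/.ssh/id_ed25519.pub netops@172.16.0.1:netops.pub
# Account name, key file name and router address are assumptions.

# A dedicated admin account (the video creates a new account rather than keeping "admin")
/user add name=netops group=full password="replace-with-a-long-unique-passphrase" comment="admin, key-only login"

# Bind the uploaded key to that account and check it landed
/user ssh-keys import public-key-file=netops.pub user=netops
/user ssh-keys print

# With always-allow-password-login=no, any user that has a key can no longer authenticate
# with a password; strong-crypto drops weak ciphers/MACs; no TCP forwarding through the router.
/ip ssh set always-allow-password-login=no strong-crypto=yes forwarding-enabled=no

# Verify from a second terminal before touching the old account:
#   ssh -i ~/.ssh/id_ed25519 netops@172.16.0.1               -> logs in
#   ssh -o PubkeyAuthentication=no netops@172.16.0.1          -> refused, even with the right password
/user disable [find name=admin]

# The restriction is per user: an enabled account with no key still accepts its password,
# so every account left here needs a key of its own or must be disabled.
/user print where disabled=no
```

The per-user behaviour is the caveat to the reply above: password logins are refused only for accounts that hold a key, which is why the last line lists what is still enabled.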

  • @oliverrichardblancofernand5651  4 months ago

    How can I get the hotspot to work with this configuration on MikroTik? I can't get it to work, my friend; I get "network not available" on the Wi-Fi signal.

  • @superworstje  1 year ago

    Hi, nice video. Can you make a video about further securing your router with a management VRF and a dedicated management interface? Lots of bigger MikroTiks have a dedicated management port, but it is part of the same VRF.

  • @kuroizora8600  1 year ago

    Thank you for your easy explanation.
    May I ask: if I want to put an IDS/IPS such as pfSense/OPNsense, should I put it in front of the MikroTik or after the MikroTik? Thanks.

  • @johndutt1436  1 year ago +1

    Great video. I disabled all IP services except WinBox 8291. I allowed only internal LANs to access it. However, after doing an Nmap scan externally, I noticed that port 8291 is open externally. Is there a way to shut this off externally but have it accessible internally for WinBox admin? Thanks.

    • @TheNetworkBerg  1 year ago +2

      You could use an input firewall filter rule to drop port 8291 traffic on the incoming WAN port.

    • @johndutt1436  1 year ago

      @TheNetworkBerg Thanks!!!

  • @antoniocerasuolo757  6 months ago

    I can understand when you say management range 172.16.0.0/24, which is your LAN, is your management network, but what does it mean when you say management network 192.168.149.0/24? Does this mean that if you are also sitting on this network you will be able to access the router? Which is probably the WAN interface IP LAN?

  • @drumaddict89  1 year ago +1

    Very well explained, as always! Got to share it with two friends to get a basic grasp of security on MTs.
    Thanks for the curl tip, btw! Much appreciated.
    PS: could you make an updated video on VRRP on rOS7 maybe?

    • @TheNetworkBerg  1 year ago

      Much appreciated! Will probably revisit VRRP as well :D

    • @drumaddict89  1 year ago

      @TheNetworkBerg Yeah, I would love to do it myself, but I cannot seem to get EVE-NG to run properly. Nodes are not starting, or when they start they turn off after ~1s.

  • @thenanook  11 months ago

    Awesome video, very easy to follow, thanks.

  • @DenverRoot  1 year ago

    So many mentions in this video of "in the pinned comment", except there are no pinned comments. ☹
    By sorting the comments by date and then scrolling all the way to the bottom I found the intended comment... could you pin it for easier access? ♥

    • @TheNetworkBerg  1 year ago +1

      I was sure I did pin the comment; I might have unpinned it by accident. Will definitely update it.

  • @warpdag  1 year ago

    Decent start, but you left out all the tools still enabled by default, like the bandwidth server. Also stuff like neighbor discovery: it needs to be killed. Or even the MAC server: kill it. It is much cleaner to dedicate one interface to management and bind the associated subnet under services for HTTPS-only access (and for that, you need to show how to create a certificate). And so on…
    Security is only as strong as the weakest link.
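
An added example (not from the video) that closes the tools and services the comment lists and includes the certificate step it asks for, on RouterOS 7. The CA and certificate names, the hostname `router.lan` and the 172.16.0.0/24 management subnet (the one the video uses) are assumptions.

```routeros
# Management-plane tools that listen on every interface by default
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=none
# (if a LAN-only neighbor view is wanted, use discover-interface-list=LAN instead, never WAN)
/ip upnp set enabled=no
/ip proxy set enabled=no
/ip socks set enabled=no

# Plain-text or unused management services
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

# A private CA and a server certificate for WebFig over TLS (names and hostname assumed)
/certificate add name=mgmt-ca common-name=mgmt-ca key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign mgmt-ca
/certificate add name=webfig common-name=router.lan subject-alt-name=DNS:router.lan key-usage=digital-signature,key-encipherment,tls-server days-valid=825
/certificate sign webfig ca=mgmt-ca

# What remains is bound to the management subnet; add the VPN peer subnet
# (comma-separated) if administration also happens over a tunnel
/ip service set www-ssl certificate=webfig tls-version=only-1.2 address=172.16.0.0/24 disabled=no
/ip service set ssh address=172.16.0.0/24
/ip service set winbox address=172.16.0.0/24

# Export the CA so admin browsers can trust the WebFig certificate; the file appears under Files
/certificate export-certificate mgmt-ca file-name=mgmt-ca

# Check the result
/ip service print
/tool mac-server print
/ip neighbor discovery-settings print
```

The `address=` restriction on services is a second layer under the input-chain firewall, not a replacement for it: it stops the service from answering, but the firewall is what keeps the packet from ever reaching the service on WAN.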

  • @perryuploads776  1 year ago +2

    Great video. I have a question, though, about the firewall rules. In pfSense you make outbound and inbound rules like in RouterOS, but for ICMP you need to make an inbound ICMP rule (for the echo response). In the video you only made an outbound ACL, but the client received an inbound ICMP. How is this possible? Only TCP connections are connection-oriented, so that would be a stateful firewall; UDP and ICMP don't keep track of a connection, they just shoot packets and hope something comes back. For that packet to come back, an inbound rule for the ICMP should be made, right? Or is all inbound traffic for ICMP allowed by default on MikroTik? Thanks again.

    • @TheNetworkBerg  1 year ago +5

      The MikroTik is a stateful firewall. The ICMP Out rule was for traffic leaving from the LAN to the internet, which is how I was able to make pings stop and also make them work, because the return traffic is automatically being allowed. The Deny rule I added is for traffic from the outside, like the internet, trying to initiate a connection to the MikroTik on its "WAN" port.

  • @VoklavTube  1 year ago +2

    From the changelog of ver 7.7:
    ssh - added support for Ed25519 key exchange;
    :O

    • @TheNetworkBerg  1 year ago

      Need to test it out, but it would be great if it works.

  • @teacher_bernie  11 months ago

    It just works with ROS 7??? NOT FOR PREVIOUS VERSIONS?

  • @yuralatala9520  1 year ago

    Great video as always 🙂
    Just one small problem: I'm not savvy when it comes to computers,
    so excuse my lack of knowledge in resolving this problem. I just got the MikroTik a few days ago and I have a few updates, but when I watch and try to apply the updates as you explain, it comes up with this message: (Couldn't perform action - not permitted (9)).
    How do I remove this message so I can update my router/WiFi?
    Awesome.

    • @TheNetworkBerg  1 year ago

      It sounds like the account you use to administrate the device doesn't have sufficient admin privileges. Is your account a read/write admin?

    • @yuralatala9520  1 year ago

      @TheNetworkBerg Hi Mr. Berg 😁 I have administrative access only.
      Yip, I guess I can't really do much, but I do see that there are upgrades available for my router that have not automatically upgraded as of yet.
      Not sure how to change this now.
      Keep up the awesome job you're doing.

  • @kevinmiole  1 year ago

    Nice tutorial. Then a Wi-Fi user shares the Wi-Fi password with a QR code. How do we stop that?

  • @pheaktravlog149  9 months ago

    My MikroTik has been hacked by someone. They created a new user and set my user to read-only. They disabled all reset. Do you know how to solve this?

    • @TheNetworkBerg  9 months ago

      Either factory reset by holding down the reset button physically on your MikroTik or use the netinstall tool to completely reload ROS with the default configuration. You will have to reconfigure everything...

  • @rodrigoroaduterte9415  9 months ago

    What is the sense of creating a new account and disabling the old one when you may just RENAME it?

    • @TheNetworkBerg  9 months ago

      I guess you could do that, I just prefer having a separate object ID for a user should something weird happen in the event of a firmware upgrade/downgrade.

  • @Jorvs  1 year ago

    Do you have a video on dual ISP?
    Load balancing, separate gaming, browsing and downloading?

    • @TheNetworkBerg  1 year ago +1

      I have multi-WAN videos; however, I don't think I explicitly have it set up in a way where gaming traffic uses one link and all other normal traffic uses another link. Will add this to my to-do list :)!

    • @Jorvs  1 year ago

      @TheNetworkBerg Thank you ^_^

  • @jasperwilliams5729  1 year ago +2

    Excuse me, sir, Wine Is Not an Emulator 😂

  • @oleksiistri8429  7 months ago

    "Legacy IP" sounds funny, considering that 99.9% of the internet is still IPv4.

  • @IG2296  1 year ago +1

    Like

  • @anthonyverwey9684  3 months ago

    Are you South African by any chance?

    • @TheNetworkBerg  3 months ago +1

      Yes, I'm South African.

    • @anthonyverwey9684  3 months ago

      @TheNetworkBerg Nice, man! Thought I couldn't miss the accent. Great channel, btw. 👍🏻 I've just started getting into MikroTik devices and found your content easy to understand and very helpful, thanks.

  • @9mk  1 year ago

    Hello. How can I find the WPS PIN code of a MikroTik router, please?

  • @beyondearth6418  1 month ago

    The most stupid attack vector is to have the MikroTik WebFig username already filled out with "admin". :facepalm: :facepalm: :facepalm: :facepalm: :facepalm: How on earth haven't they removed that by now... ffs

  • @Anavllama  1 year ago +1

    I reject (pun intended) your approach on the input chain. Why add the confusion of the negation symbol? The best advice, especially for new users, is to adopt most of the default rules (they are good for many reasons), then add the traffic that should be allowed (easy to discern) and then drop all else. So in this case,
    add chain=input action=accept src-address-list=Management, where the firewall address list could be comprised of the admin IP on any subnet desired, admin IPs for the devices on the LANs used (could be desktop, laptop, iPad) and finally admin IPs for any VPN remote-warrior connections coming in. Thus only the admin has full access to the router; heck, one could even limit that just to the WinBox port........ As for the rest of the LAN users (interface-list=LAN), they normally simply need DNS services (tcp, udp) and perhaps NTP, and the last rule should block all else. Simple, clean, neat, easy conceptually. So forget about complex negatives (and the use of the ! symbol is not trivial and can have unintended consequences). I should add that, if applicable, one also adds the ability for any incoming VPN connections to connect to the router services coming in from the WAN side.

  • @Anavllama  1 year ago

    I am not sure I understand the concept or context of what you are doing for the forward chain firewall rules. First, I don't like any rules that don't have a clear (from where and going to where). Ambiguity is NOT a good thing. It also tends to mix up purposes and intent, so that the reader is left in the dark and the originator may not understand the consequences of open-ended rules.
    For example, your intent to only allow 80, 443 and 53 makes sense for 80, 443 (LAN TO WAN) and for 53 (WHY?). This in effect allows users to use the DNS server of their choice, and in terms of security and hardening it's much better to provide that FOR them etc., be it on router services, set in DHCP servers, redirect, etc. DNS is a whole other topic anyway.
    Finally, you have effectively blocked email and telephone services by restricting to the above ports..........
    Once again, a clear, consistent, easy-to-follow approach leads to good security and understanding of the config. Keep the good default rules, add user-required traffic, drop all else.
    Nothing wrong with attempting to limit what ports are used outbound, but one has to really know what they are doing. Also, your open-ended rules block users from accessing any servers on other local subnets, for example.........
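
An added example (not from the video or the comments) of a forward chain built the way the comment above asks for: every rule names where traffic enters and where it leaves, mail and SIP are allowed alongside web, an inter-VLAN server path is explicit, and DNS is forced to the router's resolver rather than left to the user. It also illustrates the earlier stateful-firewall exchange on this page: the first rule accepts return traffic of tracked connections, and because RouterOS tracks ICMP echo by its identifier and UDP by its address/port tuple, an echo reply comes back through it without any inbound ICMP rule. VLAN interface names, the file-server address 10.30.0.5 and the port sets are assumptions.

```routeros
# WAN and LAN interface lists as in the default configuration; VLAN interface names,
# the file server address and every port choice below are assumptions.
/interface list member add list=LAN interface=vlan20-office
/interface list member add list=LAN interface=vlan30-servers

# Users do not get to pick a resolver: DNS from any LAN interface is redirected to the router,
# which then needs allow-remote-requests and an input rule accepting 53 from LAN
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="force the router's resolver"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53
/ip dns set allow-remote-requests=yes

/ip firewall filter
# Stateful core: replies of anything already tracked (TCP, UDP and ICMP echo alike) pass here
add chain=forward action=accept connection-state=established,related,untracked comment="return traffic of tracked connections"
add chain=forward action=drop connection-state=invalid
# Inbound from the internet only where a port forward exists
add chain=forward action=accept in-interface-list=WAN out-interface-list=LAN connection-nat-state=dstnat comment="explicit port forwards only"
# Every remaining rule names both ends
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=80,443 comment="web"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN protocol=udp dst-port=443 comment="HTTP/3 (QUIC)"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN protocol=tcp dst-port=465,587,993,995 comment="mail clients: SMTPS, submission, IMAPS, POP3S"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN protocol=udp dst-port=5060,10000-20000 comment="SIP signalling + RTP; RTP range is provider specific"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN protocol=icmp comment="ping out; the reply matches the established rule"
# Inter-VLAN: the office VLAN reaches one server on one port, nothing else crosses VLANs
add chain=forward action=accept in-interface=vlan20-office out-interface=vlan30-servers dst-address=10.30.0.5 protocol=tcp dst-port=445 comment="office to file server"
# LAN users see an error immediately; anything else is dropped without a word
add chain=forward action=reject reject-with=icmp-admin-prohibited in-interface-list=LAN comment="not allowed, visibly"
add chain=forward action=drop comment="everything else, silently"

# Confirm which rules are actually being hit
/ip firewall filter print stats where chain=forward
```

DNS over TLS on 853 is not in any accept rule, so it lands on the reject line; DNS over HTTPS shares port 443 with the web and cannot be separated by port alone. The inbound `dstnat` rule assumes the usual `srcnat` masquerade on WAN is present; without NAT, tighten it to explicit destinations.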

  • @qfina  1 year ago

    A network router is pronounced roo-ter, not row-ter; that's a woodworking tool.

    • @TheNetworkBerg  1 year ago

      Rooter, rowter, same shit, different pronunciations :^) I actually pronounce it both ways depending on my audience, which for the most part on RUclips is based in the US.

    • @chuy8549  1 year ago

      A horse trained for distance races is also called a "roo-ter" you piece of $***!

  • @webkazan2007  1 year ago

    Nonsense!

    • @TheNetworkBerg  1 year ago

      No? These are pretty much industry-standard things to do whenever it comes to security; in most cases the human element is the main culprit :)