Fortify Your MikroTik Router against Hackers with Effective Hardening Techniques

In this video, we're going to show you how to protect your MikroTik router from hackers with device hardening. Device hardening is a great way to protect your router against unauthorized access and attacks.
By hardening your router, you'll make it difficult for hackers to access your router and steal your data. We'll show you how to do device hardening on your MikroTik router and give you some tips on how to protect your router from Hackers. Be sure to check out this video to learn ways to keep your router safe from hackers!
👊Thanks for taking time to watch my video. If you could, pressing LIKE and SUBSCRIBING helps more people discover my videos. Feel free to leave a comment for any other topics you would like to see me cover or what your general opinion is of the video.
🕘Timestamps🕘
📕00:00 - Introduction
📕00:29 - Disabling Default Admin account
📕02:39 - Using Firewall Rules
📕10:31 - Disable insecure ports
📕11:32 - Changing admin ports
📕14:00 - SSH RSA Keypair
📕18:12 - Configure a VPN
📕18:53 - Update Firmware
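
The hardening steps in the timestamp list above, as an added example of the equivalent RouterOS console commands (this is not the video's own script). Assumptions: the LAN/management subnet is 192.168.88.0/24, the replacement administrator is called netops, SSH moves to tcp/2222 and Winbox to tcp/58291, and an RSA public key has already been uploaded to the router's file list as id_rsa.pub. The password is a placeholder.

```routeros
# 1. Replace the built-in "admin" account instead of keeping it around.
#    Open a SECOND session as the new user and confirm it works before
#    disabling admin, otherwise you lock yourself out.
/user add name=netops group=full password="replace-with-a-long-passphrase" comment="primary administrator"
/user disable admin

# 2. Turn off cleartext / unused management services and fence the rest.
#    telnet, ftp, www (HTTP) and api all carry credentials in the clear.
/ip service disable telnet,ftp,www,api,api-ssl
#    Move the survivors off their default ports and only answer the management
#    subnet. address= is a first line of defence only; the input firewall chain
#    is still needed, because a port that is "closed to your IP" still listens.
/ip service set ssh port=2222 address=192.168.88.0/24
/ip service set winbox port=58291 address=192.168.88.0/24

# 3. SSH: public-key authentication, no password fallback, modern ciphers only.
#    Once a key is imported for a user, password login for that user is refused
#    unless always-allow-password-login=yes, which is exactly what we do not want.
/user ssh-keys import public-key-file=id_rsa.pub user=netops
/ip ssh set strong-crypto=yes always-allow-password-login=no forwarding-enabled=no
#    Check from the admin host:
#      ssh -p 2222 -i ~/.ssh/id_rsa netops@192.168.88.1            (must succeed)
#      ssh -p 2222 -o PubkeyAuthentication=no netops@192.168.88.1  (must be refused)

# 4. RouterOS packages and the RouterBOARD boot firmware are updated separately.
/system package update set channel=stable
/system package update check-for-updates
/system package update install
#    After the reboot the bootloader still reports the old version until you
#    upgrade it too, which needs a second reboot:
/system routerboard print
/system routerboard upgrade
/system reboot
```

Apply the service and port changes from a terminal in Safe Mode (Ctrl+X toggles it) so that a dropped session rolls the change back instead of leaving you locked out.
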
Support the Channel:
⭐Become a Patreon: / thenetworkberg
⭐Become a KZread Member: / @thenetworkberg
Social Media:
🌏 / thenetworkberg
🌏 / bergnetwork
🌏 / the-network-berg-39451...
MTCRE Playlist:
• Free MTCRE RoSv6
MTCNA Playlist:
• Free MTCNA RoSv6
Credits:
Thumbnail: Created on Canva
Intro: Created on Canva
Music by Alumo
Songs used:
Dioitic
Outland 85
Music by Bensound.com/free-music-for-videos
• Bensound: "The Elevato...
Thanks again for watching

Comments: 95

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    Hey guys, are there any other things that you think a person should do that would be considered "Best Practice" when securing your MikroTik device? Feel free to let me know. Below is a list of reference material that you can use with this video to better understand certain topics:
    MT Getting Started: kzread.info/dash/bejne/pKue1rSFgc2zmqQ.html
    MT Firewall Chains: kzread.info/dash/bejne/gIyqqsaTkqTbhKw.html
    MT IP Services: kzread.info/dash/bejne/Zqmfrqd8l8jOqrw.html
    MT RSA Keys: kzread.info/dash/bejne/aqiomciMpsesgrA.html
    MT VPN Options: kzread.info/dash/bejne/dHV2xtF-c9m2Yaw.html
    MT Wireguard: kzread.info/dash/bejne/gmqamrOcZKivpMY.html
    MT Zerotier: kzread.info/dash/bejne/l3p9l5ujepWzfZs.html

  • @tonygoddard4977
    @tonygoddard4977 a year ago

    For us novices would you be able to do a video that works on the default firewall rules that you get and builds on that?

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    @@tonygoddard4977 that's a great idea Tony, I'll add that to my list of videos that I want to make.

  • @patriklindahl4991
    @patriklindahl4991 a year ago

    I have a script that converts firehol level 1 and 2 IP block lists into MikroTik IP lists. They are automatically updated each night. Then I use those lists to block from WAN. I have also segmented my network into different VLANs depending on what users/servers/devices they serve. The router has explicit allow rules for the usage each VLAN requires, blocking the rest. My management network is only accessible physically from the locked server room or by a VPN tunnel from selected VLANs. Password manager for passwords. Always password protect keys. Each month I have a reminder to go through and update the software/firmware on relevant devices.
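
The router-side half of the nightly block-list refresh described in the comment above, as an added example (this is neither the commenter's script nor anything from the video). Assumptions: a host you control converts the firehol netsets into a RouterOS address-list file and serves it at https://lists.example.internal/firehol_level1.rsc, one `/ip firewall address-list add list=firehol_level1 address=<prefix>` line per entry; the WAN interface list exists (it does in the default configuration).

```routeros
# Nightly refresh of an externally generated address list (added example).
# The curly braces let the console accept a multi-line script body.
/system script add name=refresh-firehol source={
    # fetch the pre-built .rsc; add check-certificate=yes once the serving
    # host's CA has been imported under /certificate
    /tool fetch url="https://lists.example.internal/firehol_level1.rsc" dst-path=firehol_level1.rsc
    # flush the old entries, then import the new ones (the list is empty for
    # the few hundred milliseconds in between; acceptable for a block list)
    /ip firewall address-list remove [find list=firehol_level1]
    /import file-name=firehol_level1.rsc
}
/system scheduler add name=nightly-firehol start-time=03:15:00 interval=1d on-event=refresh-firehol

# Drop listed sources in the raw table, before connection tracking spends any
# effort on them, and only on the WAN side so a false positive cannot cut off
# internal hosts.
/ip firewall raw add chain=prerouting in-interface-list=WAN src-address-list=firehol_level1 \
    action=drop comment="firehol level1 (refreshed nightly)"
```

Run the script once by hand (`/system script run refresh-firehol`) and then `/ip firewall address-list print count-only where list=firehol_level1` to confirm the import actually produced entries before relying on the scheduler.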

  • @dirkcoduplessis8351
    @dirkcoduplessis8351 a year ago

    As a general rule, use REJECT when you want the other end to know the port is unreachable; use DROP for connections to hosts you don't want people to see. Usually, all rules for connections inside your LAN should use REJECT. For the Internet, with the exception of ident on certain servers, connections from the Internet are usually DROPPED. Using DROP makes the connection appear to be to an unoccupied IP address. Scanners may choose not to continue scanning addresses which appear unoccupied.

  • @xenonbart5526
    @xenonbart5526 10 months ago

    While true, scanners, being automated, may also choose to keep trying, which essentially can turn into a DoS attack, or a DDoS if multiple scanners keep trying.

  • @AlexanderNecheff
    @AlexanderNecheff 6 months ago

    I also like to use DROP on Internet-facing firewalls because there is a noticeable performance impact otherwise.

  • @constantin286
    @constantin286 a year ago

    Thank you, as always, for another good tutorial. Re: Hardening, you could also consider setting up progressively longer timeouts for failed SSH connection attempts (see the MikroTik blog; basically compile failed connection attempt IPs and ban them for longer and longer). That reduces opportunities for brute-forcing. The blog over at MikroTik also suggests turning off Winbox in production environments, presumably because SSH is a more secure way to administer the gateway. If using the web interface is desirable, then upgrading that to HTTPS and turning off the HTTP option is pretty much a must.
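
The staged ban the comment above describes, as an added example (not the commenter's rules and not from the video). Assumptions: SSH was moved to tcp/2222, the WAN interface list exists (default configuration), and a `Management` address list holds the administrator's own hosts. Caveat a practitioner should know before pasting this: RouterOS cannot see a failed login at the firewall, so these rules count new TCP connections, not failed authentications; every fresh SSH connection from the same source advances it one stage, which is why the admin bypass rule comes first.

```routeros
# Staged SSH brute-force throttle (added example). These rules belong ABOVE the
# general accept/drop rules of the input chain. Timeouts grow 1m -> 10m -> 1h -> 1d.
/ip firewall filter
# 0. Administrator hosts never enter the stages, so a mistyped passphrase at
#    home cannot lock the admin out for a day.
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 src-address-list=Management \
    action=accept comment="admin hosts bypass the brute-force stages"
# 1. Anything already blacklisted is dropped outright.
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 src-address-list=ssh_blacklist \
    action=drop comment="ssh brute forcers"
# 2. Escalation. add-src-to-address-list is non-terminating: the packet keeps
#    going down the chain, so a source in stage3 is blacklisted here and then
#    also falls through to the normal rules for this one last connection.
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1d comment="4th new connection within the window: 1 day ban"
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=10m
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
```

Watch it work with `/ip firewall address-list print where list~"ssh_"` while opening and closing a few SSH connections from an outside host; if you later change the SSH port again, every `dst-port=2222` above has to follow it.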

  • @mrd4233
    @mrd4233 a year ago

    Awesome demo and tips! Your channel and your presentation skills about networking stuff rocks man! Thanks!

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    I really appreciate that, thanks for the nice feedback :D!

  • @davidwood1641
    @davidwood1641 a year ago

    Awesome! Super helpful for home users on a budget...

  • @Fozzie-Bear
    @Fozzie-Bear a month ago

    Thanks for the many videos, certainly making my adventure into Mikrotik a lot easier.

  • @maurabbit
    @maurabbit a year ago

    Thanks again, buddy. Thanks to you I discovered version 7. Unreal, man. Thanks very much for all your tips.

  • @n56241
    @n56241 a year ago

    Nice vid thanks Mate

  • @technik4486
    @technik4486 a year ago

    You are great. Thanks

  • @cgolebio
    @cgolebio a year ago

    Good video. Have a question… how about physical port security, like if you have security cameras or other fixed hardware, you don't want someone to just unplug a port and plug into just anywhere. Generally I've seen MAC binding as something basic; even though it can be spoofed, it's at least something… if there are other more secure suggestions that'd be cool to go over as well.

  • @thefixitgal
    @thefixitgal a year ago

    Thank you

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    Your MikroTik content is also great, Sarah; you do a lot more cool "Hands-On" labs and I actually love seeing you do teardowns of the hardware and going through what's ticking inside. But thank you for the nice compliment.

  • @drumaddict89
    @drumaddict89 a year ago

    haha definitely TNB just rocks with his MT videos.

  • @thefixitgal
    @thefixitgal a year ago

    @@TheNetworkBerg I'm no longer posting on Facebook. I hope you can fill the void & start posting your tutorials in the WISP, FISP groups. There's a lot of new WISP operators lacking understanding. They need someone like you! I just can't operate on there anymore. It's not healthy for me.

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    @@thefixitgal I'm not active on any Facebook or Reddit groups either. I only post on my own page now. What I found when using groups was that my posts would either not get approved or just be seen as spam and receive the most random messages critiquing stuff like my accent.

  • @kuroizora8600
    @kuroizora8600 a year ago

    Thank you for your easy explanation. May I ask: if I want to put an IDS/IPS such as pfSense/OPNsense, should I put it in front of the MikroTik or after the MikroTik? Thanks.

  • @muhitshalgimbaev6602
    @muhitshalgimbaev6602 a year ago

    Greetings from Kazakhstan👍

  • @w0ble
    @w0ble a year ago

    Good rule of thumb is block everything and allow explicitly only what you need. That way it's visible what has access to what.

  • @toxmaster1
    @toxmaster1 a year ago

    Nice video, you should make some comments about default mikrotik firewall rules.

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    Thanks for the idea!

  • @superworstje
    @superworstje a year ago

    Hi, nice video. Can you make a video about further securing your router with a management VRF and a dedicated management interface? Lots of bigger MikroTiks have a dedicated management port but it is part of the same VRF.

  • @marjoni
    @marjoni a year ago

    Good job

  • @cybervlado
    @cybervlado a year ago

    Thank you for all this information that you share. I appreciate this! Can you show how to upgrade packages automatically with some script?

  • @navigk4404
    @navigk4404 2 months ago

    Thanks!

  • @TheNetworkBerg
    @TheNetworkBerg 2 months ago

    Thank you kindly for the support

  • @thenanook
    @thenanook 10 months ago

    awesome video, very easy to follow, thanks

  • @pierpaolocarone5783
    @pierpaolocarone5783 a month ago

    Thank you.

  • @JaZzDeOliveira
    @JaZzDeOliveira a year ago

    Tend to add port knock security to my device for management logins

  • @watangi
    @watangi 9 months ago

    Duplicate MAC address "phones" for MikroTik active. What is the solution, please?

  • @user-bf1cm2jm5h
    @user-bf1cm2jm5h 4 months ago

    Good review. Only one comment: I generally drop the packet, because a reject gives a response, which is information.

  • @perryuploads776
    @perryuploads776 a year ago

    Great video. I have a question though about the firewall rules. In pfSense you make outbound and inbound rules like RouterOS, but for ICMP you need to make an inbound ICMP rule (for the response to the echo). In the video you only made an outbound ACL, but the client received an inbound ICMP. How is this possible? Only TCP connections are connection oriented, so that would be a stateful firewall; UDP and ICMP don't keep track of a connection, they just shoot packets and hope something returns back. For that packet to come back, an inbound rule for the ICMP should be made, right? Or is all inbound traffic for ICMP allowed by default on MikroTik? Thanks again.

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    The MikroTik is a stateful firewall; the ICMP Out rule was for traffic leaving from the LAN to the internet, which is how I was able to make pings stop and also make them work, because the return traffic is automatically being allowed. The Deny rule I added is for traffic from the outside, like the internet, trying to initiate a connection to the MikroTik on its "WAN" port.

  • @trexx_media
    @trexx_media a year ago

    love from India.....

  • @drumaddict89
    @drumaddict89 a year ago

    Very well explained - as always! Got to share it with two friends to get a basic grasp of security on MTs. Thanks for the curl tip btw! Much appreciated. PS: could you make an updated video on VRRP on ROS7 maybe?

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    Much appreciated! Will probably revisit VRRP as well :D

  • @drumaddict89
    @drumaddict89 a year ago

    @@TheNetworkBerg Yeah, I would love to do it myself but I cannot seem to get EVE-NG to run properly. Nodes are not starting, or when they start they turn off after ~1s.

  • @MOOOS-REWFEWETRGTEerTGTRGRHRHR
    @MOOOS-REWFEWETRGTEerTGTRGRHRHR a month ago

    You can also accept all input from the IPs of MGMT-range, then set another rule to finally drop all remaining packets, without designating any in/out interface.

  • @asarkhan1933
    @asarkhan1933 6 months ago

    Hello, I was wondering if you could help me to understand what split tunneling is and how to configure it. Please create one video. I really like your videos, and they are very easy for me to understand. Your explaining is very unique.

  • @n56241
    @n56241 a year ago

    Nice tip for rejecting ICMP. How to enable ping from the MikroTik? Now this rule only allows ping from LAN > to internet, but the MikroTik router is not allowed to ping from the terminal?

  • @antoniocerasuolo757
    @antoniocerasuolo757 5 months ago

    I can understand when you say management range 172.16.0.0/24, which is your LAN, is your management network, but what does it mean when you say management network 192.168.149.0/24? Does this mean that if you are also sitting on this network you will be able to access the router? Which is probably the WAN interface IP LAN?

  • @oliverrichardblancofernand5651
    @oliverrichardblancofernand5651 2 months ago

    How can I make the hotspot work with this configuration on MikroTik? I can't get it to work, friend; I get "network unavailable" on the WiFi signal.

  • @bartomiejsikora910
    @bartomiejsikora910 a year ago

    We want how to firewall in details. Ty for awesome vids

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    I will definitely deep dive specifically more into the Firewall itself and other security features we have available on MikroTik.

  • @johndutt1436
    @johndutt1436 a year ago

    Great video - I disabled all IP Services except Winbox 8291. I allowed only internal LANs to access. However, after doing an Nmap scan externally, I noticed that port 8291 is open externally. Is there a way to shut this off externally but have it accessible internally for Winbox admin? Thanks.

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    You could use an input firewall filter rule to drop port 8291 traffic on the incoming WAN port

  • @johndutt1436
    @johndutt1436 a year ago

    @@TheNetworkBerg Thanks!!!

  • @yuralatala9520
    @yuralatala9520 a year ago

    Great video as always 🙂 Just one small problem. I'm not savvy when it comes to computers, so excuse my lack of knowledge in resolving this problem. I just got the MikroTik a few days ago and I have a few updates, but when I watch and try to apply the updates as you explain, it comes up with this message: "Couldn't perform action - not permitted (9)". How do I remove this message so I can update my router/WiFi? Awesome.

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    It sounds like the account you use to administrate the device doesn't have sufficient admin privileges, is your account a read/write admin?

  • @yuralatala9520
    @yuralatala9520 a year ago

    @@TheNetworkBerg Hi Mr. Berg 😁 I have Administrative access only. Yip, I guess I can't really do much, but I do see that there are upgrades available for my router that have not automatically upgraded as of yet. Not sure how to change this now. Keep up with the awesome job you're doing.

  • @DenverRoot
    @DenverRoot 10 months ago

    So many mentions in this video of "in the pinned comment", except there are no pinned comments. ☹ By sorting the comments by date and then scrolling all the way to the bottom I found the intended comment... could you pin it for easier access? ♥

  • @TheNetworkBerg
    @TheNetworkBerg 10 months ago

    Was sure I did pin the comment, might have unpinned it by accident will definitely update it

  • @walden_
    @walden_ a year ago

    Did you cover how to disable any sort of ssh login if the keys don't match? You mentioned that as a possibility, but I don't think it was covered. I love using keys so I don't have to type my password, but keeping people out who don't have the keys would be nice.

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    The method I demonstrated should do this automatically. If anyone without the SSH key tries to SSH onto the router they will not be able to connect. They can type in the username & password (Even with it being correct) and access will be denied.

  • @walden_
    @walden_ a year ago

    @@TheNetworkBerg Oh ok cool. I'll test it out. Thanks.

  • @Jorvs
    @Jorvs a year ago

    Do you have a video on dual ISP? Load balancing, separate gaming, browsing and downloading?

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    I have multi-wan videos, however, I don't think I explicitly have it setup in a way where gaming traffic uses one link and all other normal traffic uses another link. Will add this to my todo list :)!

  • @Jorvs
    @Jorvs a year ago

    @@TheNetworkBerg Thank you ^_^

  • @didzisuzulins2092
    @didzisuzulins2092 8 months ago

    There are 2 better ways to copy your SSH public key to a remote host. 1. The Linux command "ssh-copy-id". I haven't tested it with MikroTik, but it's the correct way to install an SSH key into a remote host's ~/.ssh/authorized_keys file. 2. The Linux command "scp", which is also bundled with the "ssh" command on every Linux distro. It works the same way as the "ssh" command (most parameters match the parameters of the "ssh" command), so you won't have to expose your password on videos.

  • @teacher_bernie
    @teacher_bernie 9 months ago

    Just works with ROS 7??? Not for previous versions?

  • @IG2296
    @IG2296 a year ago

    Like

  • @FunnyTukums
    @FunnyTukums 6 months ago

    Since MTik deployed the Back-To-Home feature (based on WireGuard) there is no reasonable option to use another secure access to your MikroTik.

  • @FunnyTukums
    @FunnyTukums 6 months ago

    WireGuard is an absolutely secure VPN for remote access to the MTik.

  • @TheNetworkBerg
    @TheNetworkBerg 6 months ago

    If you plan on creating an access list with WireGuard (BTH) being a part of that management list, it makes complete sense to restrict access based off of that. It does however not invalidate many of the best practices described in this video, like upgrading your firmware etc.

  • @FunnyTukums
    @FunnyTukums 6 months ago

    Hackers need to discover the IP address and they do not have the peer public key. And WG presence is not scannable until the public key is sent to the peer...

  • @warpdag
    @warpdag a year ago

    Decent start, but you left out all the tools still enabled by default, like bandwidth server. Also stuff like neighbor discovery; it needs to be killed. Or even mac-server: kill it. Much cleaner to dedicate one interface to management and bind the associated subnet under services for HTTPS-only access (and for that, you need to show how to create a certificate). And so on… Security is only as strong as the weakest link.
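
The auxiliary services named in the comment above, switched off, plus the certificate step it asks for, as an added example (not the commenter's config and not from the video). Assumptions: 10.10.10.0/29 is the subnet configured on a dedicated management port, the router is reachable there as router.mgmt.lan, and the certificate names are made up. Each of these services answers on the wire without any IP-level authentication, which is why they belong in a hardening pass even after the firewall is done.

```routeros
# Auxiliary services that are on by default (added example).
/tool bandwidth-server set enabled=no
/tool romon set enabled=no
# Neighbor discovery (MNDP/CDP/LLDP) advertises model, version and MAC to every
# L2 segment the router touches, including the WAN side.
/ip neighbor discovery-settings set discover-interface-list=none
# MAC-telnet and MAC-Winbox bypass IP entirely and answer anyone on the same
# VLAN; restrict them to no interfaces at all.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
# Other listeners that are rarely wanted on a hardened edge device.
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no

# HTTPS-only WebFig with a locally issued certificate, bound to the management subnet.
/certificate add name=local-ca common-name=local-ca key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign local-ca
/certificate add name=router-cert common-name=router.mgmt.lan subject-alt-name=DNS:router.mgmt.lan \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=825
/certificate sign router-cert ca=local-ca
/ip service set www-ssl certificate=router-cert disabled=no address=10.10.10.0/29
/ip service set www disabled=yes
```

Export the CA with `/certificate export-certificate local-ca` and import it into the administrators' browsers, so the WebFig certificate validates and a man-in-the-middle on the management segment would actually be noticed rather than clicked through.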

  • @pheaktravlog149
    @pheaktravlog149 7 months ago

    My MikroTik has been hacked by someone. They created a new user and put my user to read only. They disabled all reset. Do you know how to solve this?

  • @TheNetworkBerg
    @TheNetworkBerg 7 months ago

    Either factory reset by holding down the reset button physically on your MikroTik, or use the Netinstall tool to completely reload ROS with the default configuration. You will have to reconfigure everything...

  • @rodrigoroaduterte9415
    @rodrigoroaduterte9415 8 months ago

    What's the sense of creating a new account and disabling the old one when you may just RENAME it?

  • @TheNetworkBerg
    @TheNetworkBerg 8 months ago

    I guess you could do that, I just prefer having a separate object ID for a user should something weird happen in the event of a firmware upgrade/downgrade.

  • @kevinmiole
    @kevinmiole a year ago

    Nice tutorial. Then a WiFi user shares the WiFi password with a QR code. How do we stop that?

  • @9mk
    @9mk a year ago

    Hello. How can I know the WPS PIN code of the MikroTik router, please?

  • @jasperwilliams5729
    @jasperwilliams5729 10 months ago

    Excuse me sir, wine is not an emulator 😂

  • @TheNetworkBerg
    @TheNetworkBerg 10 months ago

    😂

  • @oleksiistri8429
    @oleksiistri8429 5 months ago

    "legacy IP" sounds funny, considering that 99.9% of internet is still ipv4

  • @anthonyverwey9684
    @anthonyverwey9684 2 months ago

    Are you South African by any chance?

  • @TheNetworkBerg
    @TheNetworkBerg 2 months ago

    Yes I'm South African

  • @anthonyverwey9684
    @anthonyverwey9684 2 months ago

    @@TheNetworkBerg Nice, man! Thought I couldn't miss the accent. Great channel, btw. 👍🏻 I've just started getting into MikroTik devices and found your content easy to understand, very helpful, thanks.

  • @Anavllama
    @Anavllama a year ago

    I reject (pun intended) your approach on the input chain. Why add the confusion of the negative symbol? The best advice, especially for new users, is to adopt most of the default rules (they are good for many reasons), then add the traffic that should be allowed (easy to discern) and then drop all else. So in this case, add chain=input action=accept src-address-list=Management, where the firewall address list could be comprised of the admin IP on any subnet desired, admin IPs for the devices on the LANs used (could be desktop, laptop, iPad) and finally admin IPs for any VPN remote warrior connections coming in. Thus only the admin has full access to the router; heck, one could even limit that just to the Winbox port... As for the rest of the LAN users (interface-list=LAN), they normally need simply DNS services (tcp, udp) and perhaps NTP, and the last rule should block all else. Simple, clean, neat, easy conceptually. So forget about complex negatives (and the use of the ! symbol is not trivial and can have unintended consequences). I should add, if applicable, one also adds the ability for any incoming VPN connections to connect to the router services coming in from the WAN side.
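
The positive-list input chain laid out in the comment above, written out as an added example (not the commenter's config and not from the video). Assumptions: the WAN and LAN interface lists from the default configuration exist, the admin workstation is 192.168.88.10, an admin laptop arrives over WireGuard as 10.99.0.2, WireGuard listens on udp/13231, and SSH/Winbox are on their default ports. The same chain also answers the earlier question in this thread about tcp/8291 showing open on an external Nmap scan: nothing here accepts 8291 from WAN, so the final drop closes it without any `!` negation.

```routeros
# Positive-list input chain (added example). Order matters: RouterOS evaluates
# filter rules top to bottom and stops at the first terminating action.
/ip firewall address-list
add list=Management address=192.168.88.10 comment="admin workstation (LAN)"
add list=Management address=10.99.0.2 comment="admin laptop via WireGuard"

/ip firewall filter
# Stateful: replies to connections the router itself opened (its own pings,
# DNS lookups, update checks) are let back in by this rule alone.
add chain=input connection-state=established,related action=accept comment="return traffic"
add chain=input connection-state=invalid action=drop comment="broken connection state"
# Management reaches the router only from the Management list. No interface
# qualifier, so the rule works from the LAN and over the VPN alike.
add chain=input src-address-list=Management protocol=tcp dst-port=22,8291 action=accept \
    comment="ssh/winbox only from Management list"
# Ordinary LAN clients get exactly the services the router provides to them.
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept comment="DNS"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept comment="DNS (TCP)"
add chain=input in-interface-list=LAN protocol=udp dst-port=123 action=accept comment="NTP"
add chain=input in-interface-list=LAN protocol=udp dst-port=67 action=accept comment="DHCP"
add chain=input in-interface-list=LAN protocol=icmp action=accept comment="ping from LAN"
# The one thing the Internet may talk to: the WireGuard handshake port.
add chain=input in-interface-list=WAN protocol=udp dst-port=13231 action=accept comment="WireGuard"
# Everything else, from any interface, is dropped. This is the rule that makes
# 8291 (and 22, and ping) disappear from an external scan.
add chain=input action=drop comment="drop all other input"
```

Apply it in Safe Mode from a host that is on the Management list, then confirm with `/ip firewall filter print stats chain=input` that the drop counter climbs while your own session stays up, and from outside with `nmap -p 22,8291 <wan-ip>` that both ports now report filtered.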

  • @Anavllama
    @Anavllama a year ago

    I am not sure I understand the concept or context of what you are doing for forward chain firewall rules. First, I don't like any rules that don't have a clear (from where and going to where). Ambiguity is NOT a good thing. It also tends to mix up purposes and intent, so that the reader is left in the dark and the originator may not understand the consequences of open-ended rules. For example, your intent to only allow 80, 443 and 53 makes sense for 80, 443 (LAN TO WAN) and for 53 (WHY?). This in effect allows users to use the DNS server of their choice, and in terms of security in hardening it's much better to provide that FOR them etc., be it on router services, set in DHCP servers, redirect etc. DNS is a whole other topic anyway. Finally, you have effectively blocked email and telephone services by restricting to the above ports... Once again, a clear, consistent, easy-to-follow approach leads to good security and understanding of the config: keep the good default rules, add user-required traffic, drop all else. Nothing wrong with attempting to limit what ports are used outbound, but one has to really know what they are doing. Also your open-ended rules block users from accessing any servers on other local subnets, for example...

  • @webkazan2007
    @webkazan2007 a year ago

    Nonsense!

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    No? These are pretty much industry standard things to do whenever it comes to security, in most cases the human element is the main culprit :)

  • @qfina
    @qfina a year ago

    A network router is pronounced roo-ter, not row-ter; that's a woodworking tool.

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    Rooter, rowter, same shit different pronunciations:^) I actually pronounce it both ways depending on my audience, which for the most part on KZread are based in the US.

  • @chuy8549
    @chuy8549 11 months ago

    A horse trained for distance races is also called a "roo-ter" you piece of $***!

  • @VoklavTube
    @VoklavTube a year ago

    From the change log of ver 7.7: ssh - added support for Ed25519 key exchange; :O

  • @TheNetworkBerg
    @TheNetworkBerg a year ago

    Need to test it out, but would be great if it works.