Versions Compared

Old Version 60

changes.mady.by.user Artūrs C.

Saved on

compared with

New Version 61

changes.mady.by.user Artūrs C.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

Such a rule set must not be applied on routers with asymmetric routing, because asymmetrically routed packets may be considered invalid and dropped.

Services

This section lists protocols and ports used by various MikroTik RouterOS services. It helps you to determine why your MikroTik router listens to certain ports, and what you need to block/allow in case you want to prevent or grant access to certain services.

The default services are:

PropertyDescription
telnetTelnet service
ftpFTP service
wwwWebfig http service
sshSSH service
www-sslWebfig HTTPS service
apiAPI service
winboxResponsible for Winbox tool access, as well as Tik-App smartphone app and Dude probe
api-sslAPI over SSL service

Properties

Note that it is not possible to add new services, only existing service modifications are allowed.

PropertyDescription
address (IP address/netmask | IPv6/0..128; Default: )List of IP/IPv6 prefixes from which the service is accessible.
certificate (name; default: none)The name of the certificate used by a particular service. Applicable only for services that depend on certificates (www-ssl, api-ssl)
name (name; default: none)Service name
port (integer: 1..65535; Default: )The port particular service listens on

To restrict Winbox service access to the device only from 192.168.88.0/24 subnet, we have to configure the following:

Code Block
languageros
[admin@MikroTik] > ip service set [find name~"winbox"] address=192.168.88.0/24
[admin@MikroTik] > ip service print 
Flags: X - disabled, I - invalid 
# NAME PORT ADDRESS CERTIFICATE 
0 telnet 23
1 XI ftp 21
2 XI www 80
3 ssh 22
4 XI www-ssl 443 none 
5 XI api 8728
6 winbox 8291 192.168.88.0/24 
7 XI api-ssl 8729 none


Tip

We recommend disabling unused services.

Address List

Firewall address lists allow a user to create lists of IP addresses grouped together under a common name. Firewall filter, Mangle, and NAT facilities can then use those address lists to match packets against them. The address list records can also be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list items found in NAT, Mangle, and Filter facilities.
Firewall rules with action add-src-to-address-list or add-dst-to-address-list works in passthrough mode, which means that the matched packets will be passed to the next firewall rules. A basic example of a dynamically created address-list:

...