

This document lists protocols and ports used by various MikroTik RouterOS services. It helps you determine why your MikroTik router listens on certain ports, and what you need to block or allow if you want to prevent or grant access to certain services. Please see the relevant sections of the Manual for more explanations. The table below shows the list of protocols and ports used by RouterOS.

The management services themselves are configured under /ip service. Note that it is not possible to add new services; only the existing services can be modified. The relevant parameters are:

address (IP address/netmask | IPv6 prefix/0..128; Default: ) - list of IP/IPv6 prefixes from which the service is accessible.
certificate - the name of the certificate used by a particular service. Applicable only to services that depend on certificates (www-ssl, api-ssl).

The winbox service is responsible for Winbox tool access, as well as the Tik-App smartphone app and the Dude probe.

For example, to allow telnet only from a specific IPv6 address:
/ip service> set api
/ip service> print

Hosts behind a NAT-enabled router do not have true end-to-end connectivity, so some Internet protocols might not work in scenarios with NAT. To overcome these limitations RouterOS includes a number of NAT helpers (the firewall service ports) that enable NAT traversal for various protocols. The sip helper has two tunables: sip-direct-media redirects the RTP media stream to go directly from the caller to the callee, and sip-timeout adjusts the TTL of SIP UDP connections. Note: if connection tracking is not enabled, the firewall service ports are shown as inactive.

Your MikroTik router has 3 main chains for filter rules: input, output and forward. Packets with a destination IP on the router itself (see /ip address for the list) are checked by the input chain, so the input chain is what protects the router's own services. The output chain is for packets with a source IP on the router, meaning everything the router itself originates; if you use the router as DNS server for your local network, its DNS requests will go through the output chain. The forward chain is for all packets going through the router, i.e. forwarded to a destination either inside or outside your network. Note that dst-nat (port forwarding) is applied before the routing decision, so traffic that is port forwarded from a public IP to a local device is checked in the forward chain, not in input. In a server environment, the forward chain is therefore the one you use the most.

A MikroTik router processes the rules of a chain from top to bottom and stops at the first rule that matches the packet, unless that rule's action does not terminate processing (for example action=log, or a rule with passthrough=yes). If no rule matches, the packet is accepted; you should therefore end each chain with a drop rule with in-interface set to your internet interface. In a very basic server environment, on the forward chain you will want to accept ports 80 and 443 (web) for everyone, accept 22 and 3389 (SSH/RDP) only from your own address, and drop the rest of the packets.
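The following RouterOS configuration is an added example, not taken from the original page or from MikroTik's documentation. It ties together the two points above: restricting the /ip service entries to known prefixes, and building input and forward chains that rely on first-match processing and end in an explicit drop. Everything concrete in it is an assumption chosen for illustration: ether1 is the internet-facing interface, 203.0.113.10 is the administrator's public address, 192.168.88.0/24 is the LAN, 192.168.88.20 is the web server that public ports are forwarded to, and mgmt-cert is the name of an already-imported certificate.

```routeros
# Added example (not from the original page). Assumed names and addresses:
#   ether1          = internet-facing interface
#   203.0.113.10    = administrator's public IP
#   192.168.88.0/24 = LAN, 192.168.88.20 = web server behind dst-nat
#   mgmt-cert       = an existing certificate for www-ssl

# 1. Management services. New services cannot be added, only existing ones
#    modified, so the hardening is: disable what is unused, and bind the rest
#    to the prefixes that are allowed to reach them.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=203.0.113.10/32 port=22 disabled=no
set winbox address=203.0.113.10/32,192.168.88.0/24 disabled=no
set www-ssl address=192.168.88.0/24 certificate=mgmt-cert disabled=no
print

# 2. Filter rules. Each chain is walked top to bottom and the first matching
#    terminating rule decides; a packet that matches nothing is accepted, so
#    every chain ends with an explicit drop on the internet interface.
/ip firewall filter
# input: packets addressed to the router itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=icmp action=accept
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 \
    src-address=203.0.113.10 action=accept comment="ssh+winbox for admin only"
add chain=input in-interface=!ether1 action=accept comment="trust the LAN side"
# action=log does not stop processing, so the drop below still applies
add chain=input in-interface=ether1 action=log log-prefix="input-drop"
add chain=input in-interface=ether1 action=drop

# forward: packets passing through, including dst-nat'ed traffic to the LAN
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 protocol=tcp dst-port=80,443 \
    action=accept comment="web for everyone"
add chain=forward in-interface=ether1 protocol=tcp dst-port=22,3389 \
    src-address=203.0.113.10 action=accept comment="ssh/rdp for admin only"
add chain=forward in-interface=!ether1 action=accept comment="LAN to anywhere"
add chain=forward in-interface=ether1 action=drop

# 3. NAT. dst-nat runs before the routing decision, so the forwarded web
#    traffic is evaluated by the forward chain above, not by input.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.88.20
add chain=srcnat out-interface=ether1 action=masquerade
```

Because the rules are order-sensitive, add the admin accept rules before the trailing drops when editing a live router, or you will lock yourself out; /ip service print and /ip firewall filter print show the effective order after the change.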
