Firewall – how to port forward RDP to Mikrotik RB750r2

Please read my advice before implementing this.

/ip firewall nat
add action=dst-nat chain=dstnat comment="RDP" disabled=no dst-port=3389 protocol=tcp to-addresses=(PRIVATE IP of RDPhost) to-ports=3389

It is a common security method not to use port forwarding for RDP as you are most likely to be hacked.

Read here how you can secure it with a source address. If you read around and see that you are advised to switch to a non-standard port to secure RDP, it only increases security by 1%.

Firewall – What can I do about unwanted telnet access attempts on a MikroTik router?

I recently received the following messages in the log of my MikroTik router:

echo: system,error,critical login failure for user root from 2.180.243.165 via telnet
echo: system,error,critical login failure for user user from 81.213.76.177 via telnet
echo: system,error,critical login failure for user root from 2.180.31.232 via telnet
echo: system,error,critical login failure for user root from 2.180.243.165 via telnet
echo: system,error,critical login failure for user user from 2.180.31.232 via telnet
echo: system,error,critical login failure for user root from 31.211.69.5 via telnet
echo: system,error,critical login failure for user mother from 81.213.76.177 via telnet
echo: system,error,critical login failure for user root from 2.180.31.232 via telnet
echo: system,error,critical login failure for user root from 31.211.69.5 via telnet
echo: system,error,critical login failure for user supervisor from 2.180.243.165 via telnet
echo: system,error,critical login failure for user root from 2.180.31.232 via telnet
echo: system,error,critical login failure for user root from 81.213.76.177 via telnet
echo: system,error,critical login failure for user guest from 2.180.243.165 via telnet
echo: system,error,critical login failure for user admin from 31.211.69.5 via telnet
echo: system,error,critical login failure for user Admin from 81.213.76.177 via telnet
echo: system,error,critical login failure for user admin from 2.180.31.232 via telnet

Seems like someone tried to access my router. So I've added the following firewall rule:

/ip firewall filter
add action=drop chain=input src-address=!192.193.194.1-192.193.195.255

My internal network is 192.193.195.0/24 and the ADSL uses the 192.193.194.0/24 network address, so I block all other incoming traffic for now, but the problem is:

  1. I need to set up port forwarding to use RDP.
  2. I need to set up WOL over WAN (Internet)

Questions are:

  1. How can I do that if I block all traffic?
  2. Should I just disable telnet?
  3. Any better solution?
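
As an added example (not part of the original post and not MikroTik code), this Python script triages failed-login lines in the format shown above: it groups attempts by source address and reports whether the post's drop rule range would match each source. The function names, the threshold and the last sample line are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# First six lines are from the post; the last one is constructed (an inside host).
SAMPLE_LOG = """\
echo: system,error,critical login failure for user root from 2.180.243.165 via telnet
echo: system,error,critical login failure for user user from 81.213.76.177 via telnet
echo: system,error,critical login failure for user root from 2.180.31.232 via telnet
echo: system,error,critical login failure for user root from 31.211.69.5 via telnet
echo: system,error,critical login failure for user guest from 2.180.243.165 via telnet
echo: system,error,critical login failure for user admin from 31.211.69.5 via telnet
echo: system,error,critical login failure for user admin from 192.193.195.20 via telnet
"""
LINE_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)")
# Range from the post's rule: src-address=!192.193.194.1-192.193.195.255
ALLOW_FIRST = ipaddress.IPv4Address("192.193.194.1")
ALLOW_LAST = ipaddress.IPv4Address("192.193.195.255")

def summarize(log_text):
    """Group failed logins by IPv4 source: attempt count, usernames, services."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "services": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login-failure line
        try:
            src = ipaddress.IPv4Address(m["src"])
        except ValueError:
            continue  # malformed or non-IPv4 source field
        stats[src]["count"] += 1
        stats[src]["users"].add(m["user"])
        stats[src]["services"].add(m["svc"])
    return dict(stats)

def dropped_by_rule(src):
    """True if the post's input-chain drop rule would match this source."""
    return not (ALLOW_FIRST <= src <= ALLOW_LAST)

def report(log_text, threshold=2):
    """Sources with at least `threshold` failures, most active first."""
    rows = [(str(s), e["count"], sorted(e["users"]), dropped_by_rule(s))
            for s, e in summarize(log_text).items() if e["count"] >= threshold]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for src, count, users, dropped in report(SAMPLE_LOG):
        print(f"{src:15} failures={count} users={','.join(users)} dropped={dropped}")
```

A source that shows `dropped=False` is inside the allowed range, so failed logins from it point at a host on the local side rather than at Internet scanning.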

Configure mikrotik so that communication between WIFI clients and LAN clients is possible

I have a client connected via the LAN interface to a MikroTik hAP lite. The MikroTik is connected to a Wi-Fi access point, and my laptop is also connected to that access point. I would like to configure the MikroTik so that communication between the laptop and the LAN client is possible.

I've tried Bridge, but the laptop can see the Mikrotik using the access point's DHCP server, but the client is not displayed. Here is the scheme of my setup:

Lan Client —- LAN —> Mikrotik —- WIFI —-> Internet Access Point <—- WIFI —- Laptop

Networking – How to configure ipv6 with BGP on a mikrotik router

I'm trying to configure a public IPv6 address on the MikroTik router. I have already set up the public IPv4 address with BGP, and now I'm trying to set up IPv6 the same way. I have activated the IPv6 package and restarted the router, entered the WAN IP as specified by my ISP, and added my public /48 block as before, but it does not work. What have I missed? Does anyone have a solution for how to configure public IPv6 with BGP?

Linux – Network interface difference between Mikrotik and OpenWRT

I started using OpenWRT on an old DSL modem, and I'm a little confused about how interfaces are defined.

On Mikrotik:
There are one or more switches that contain multiple interfaces. I can do whatever I want with them: assign them to the bridge, leave them alone and add their own address, etc. And most importantly, I do not create a VLAN to manage the bridge!

On the other hand, in OpenWRT:
Apparently, the whole idea of Bridge is based on VLAN. There is only one physical interface for the switch. I do not understand how I can manipulate any port without VLAN tagging.

Let's say I have 4 ports in the switch. I would like to make a bridge from Ethernet ports 1-3 plus wlan, and add its own address on the 4th port to be the WAN interface. How can I do the same as on Mikrotik without VLAN?

I understand that there are two different approaches to the same function, but which one is better and more native to the Linux environment?

Firewalls – How do routers like Mikrotik decide if port is WAN?

Mikrotik RouterOS can set firewall rules like:

and so on

So I have some questions:

1) How does it decide that, for example, SFP1 or Ether1 is WAN and not LAN?

I found the following link:

https://wiki.mikrotik.com/wiki/Manual:Detect_internet

I am not sure how it relates to it.

2) If it decides based on Internet access, address assignment via DHCP, or the like, that is strange from a security standpoint.
So, if someone disables the Internet on the other side or cuts the wire, does that mean that Mikrotik now thinks it's LAN? And all LAN-based rules are broken?

3) If my assumptions are correct and it is a security problem, how can I manually tell the Mikrotik router to consider all ports as WAN ports, except for certain ports?

Mobile Programming – My mikrotik does not let me share my internet connection via hotspot

Hello, I'd like to know whether anyone who has configured their Internet connection via PPTP with a MikroTik RouterBOARD has had this problem: the connection does not work, or the Wi-Fi hotspot is created and the phone connects but gets no Internet, no login, or no service. This would usually happen if a rule in the MikroTik firewall mangle blocks the connection and Bluetooth tethering. The strangest thing is that without this rule, when I create the hotspot for the mobile phones I want to connect via Connectify or a similar program, the service does not come up.