Securing your router

From MikroTik Wiki
Revision as of 20:20, 12 August 2007 by SkaR4y (talk | contribs)

To protect your MikroTik RouterOS™, you should do the following things:

Change admin's password

Just select the Password menu within the winbox GUI, for example:

[Image: Password change.jpg]

Or, type the following command in the CLI:

[admin@MikroTik] > / password 
old password: 
new password: ******
retype new password: ******

This changes the current admin password to the value you entered twice. Make sure you remember the password! If you forget it, there is no recovery: you need to reinstall the router!

Add users to the system

You should add each person who is going to log on to the router as a separate user and specify their group of privileges. Add yourself as a user in the group full (the same group as admin), for example:

[Image: New user add.jpg]

You may create new groups for users with specific tasks.

Set up packet filtering

All packets destined to the router itself are processed against the input chain of the ip firewall filter. Note that the input chain does not affect packets being forwarded through the router!

You can add the following rules to the input chain under /ip firewall filter (just copy and paste them into the router using the Terminal Console, or configure the relevant arguments in WinBox):

/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" 
add chain=input protocol=udp action=accept comment="UDP" disabled=no 
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" 
add chain=input protocol=icmp action=drop comment="Drop excess pings" 
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox" 
# Edit these rules to reflect your actual IP addresses! # 
add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network" 
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
# End of Edit #
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

Use the /ip firewall filter print input stats command to see how many packets have been processed against these rules. Use the reset-counters-all command to reset the counters. Examine the system log with /log print to see which packets have been dropped.

You may need to include additional rules to allow access from certain hosts, etc. Remember that firewall rules are processed in the order they appear in the list! Once a rule matches a packet, no further rules are processed for it. After adding new rules, move them up the list using the move command.
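The rule list above and the ordering remark can be checked on paper before touching a live router. The following Python simulator is an added example, not RouterOS code and not part of the original wiki page: it encodes the page's input chain as data and walks it first-match, the way the filter does. Two details it models deliberately: the log action is non-terminating in RouterOS (it records the packet and lets it continue to the next rule, which is why the page's log rule is followed by a separate drop rule), and a chain with no matching rule accepts by default, which is why the page ends with an explicit "drop everything else". The limit matcher is simplified to a plain match count rather than the timed 50/5s,2 token bucket; the Packet and Rule types, the move_rule and ping_flood helpers, the sample addresses (203.0.113.7, 10.0.0.5) and the log line format are all constructed for this example.

```python
"""First-match simulation of the RouterOS input chain shown on the page (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TERMINATING = {"accept", "drop"}   # "log" is non-terminating: it records and falls through


@dataclass
class Rule:
    comment: str
    action: str = "accept"                 # RouterOS default when action= is omitted
    connection_state: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None
    limit: Optional[int] = None            # simplified stand-in for limit=50/5s,2: a plain match count
    log_prefix: str = ""


@dataclass
class Packet:                              # constructed packet summary, not a real header
    src: str
    protocol: str
    dst_port: Optional[int] = None
    connection_state: str = "new"


def rule_matches(rule: Rule, pkt: Packet, counters: dict) -> bool:
    """All matchers set on a rule must agree with the packet (matchers are ANDed)."""
    if rule.connection_state and rule.connection_state != pkt.connection_state:
        return False
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src_address and ip_address(pkt.src) not in ip_network(rule.src_address):
        return False
    if rule.limit is not None:
        # Simplification: count matches instead of a timed token bucket.
        if counters.get(rule.comment, 0) >= rule.limit:
            return False
        counters[rule.comment] = counters.get(rule.comment, 0) + 1
    return True


def evaluate(rules, pkt: Packet, counters=None):
    """Walk the chain in order; return (final_action, matched_rule_comment, log_lines)."""
    counters = {} if counters is None else counters
    logs = []
    for rule in rules:
        if not rule_matches(rule, pkt, counters):
            continue
        if rule.action == "log":
            # Constructed log line; the real RouterOS format carries more fields.
            logs.append(f"{rule.log_prefix} {pkt.protocol} {pkt.src}->:{pkt.dst_port}")
            continue                       # log does not end processing
        if rule.action in TERMINATING:
            return rule.action, rule.comment, logs
    # Nothing matched: the chain default is accept, hence the page's explicit final drop rule.
    return "accept", "(chain default)", logs


# The page's input chain, in the order it is listed.
INPUT_CHAIN = [
    Rule("Accept established connections", connection_state="established"),
    Rule("Accept related connections", connection_state="related"),
    Rule("Drop invalid connections", action="drop", connection_state="invalid"),
    Rule("UDP", protocol="udp"),
    Rule("Allow limited pings", protocol="icmp", limit=50),
    Rule("Drop excess pings", action="drop", protocol="icmp"),
    Rule("SSH for secure shell", protocol="tcp", dst_port=22),
    Rule("winbox", protocol="tcp", dst_port=8291),
    Rule("From Mikrotikls network", src_address="159.148.172.192/28"),
    Rule("From our private LAN", src_address="10.0.0.0/8"),
    Rule("Log everything else", action="log", log_prefix="DROP INPUT"),
    Rule("Drop everything else", action="drop"),
]


def move_rule(rules, comment: str, to_index: int):
    """Mirror of the page's 'move' command: relocate one rule within the list."""
    rules = list(rules)
    idx = next(i for i, r in enumerate(rules) if r.comment == comment)
    rules.insert(to_index, rules.pop(idx))
    return rules


def ping_flood(rules, src: str, count: int):
    """Send `count` ICMP packets from one source; return the per-packet verdicts."""
    counters = {}
    return [evaluate(rules, Packet(src, "icmp"), counters)[0] for _ in range(count)]


if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "tcp", 23), Packet("203.0.113.7", "tcp", 23),
                Packet("203.0.113.7", "tcp", 22), Packet("203.0.113.7", "udp", 161)):
        print(pkt, "->", evaluate(INPUT_CHAIN, pkt))
    misordered = move_rule(INPUT_CHAIN, "Drop everything else", 0)
    print("drop-all moved to top, LAN SSH:", evaluate(misordered, Packet("10.0.0.5", "tcp", 22))[:2])
```

Running the script shows the points worth verifying before applying the rules: a telnet attempt from the Internet is logged with the DROP INPUT prefix and then dropped, the same attempt from the private LAN is accepted by the src-address rule rather than by any port rule, the broad UDP rule accepts every UDP datagram regardless of source, and moving the final drop rule to the top of the list locks out even SSH from the LAN, which is the misordering the page warns about.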

Note: if you have misconfigured the firewall and locked yourself out of the router, you can use MAC telnet from another router or workstation on the same LAN to connect to the router and correct the problem.