Hiding a MikroTik device from an Internet Service Provider (ISP), or more generally concealing it from the Wide Area Network (WAN), is an important consideration for MikroTik users. Outside the network, numerous bots continuously scan the WAN looking for unprotected devices.
It is essential to run a firewall on your MikroTik device. If you have a compelling reason to expose the device to the outside world, make sure it has a strong username and password, and never keep the default username on your MikroTik device.
Key measures include:
- Avoiding default usernames and passwords.
- Utilizing a strong password.
- Implementing and enhancing firewall rules.
- Disabling unused services.
- Regularly updating the operating system and firmware.
To further harden your MikroTik device, you can also hide it from the Internet-facing interface so that it is not identified during WAN scanning. The following steps conceal your RouterBoard from the ISP side:
To Hide MikroTik from ISP
Before starting: in this tutorial, ether1 is used as the Internet source. Adjust every command to match your own Internet source interface (WAN)!
As the first step, create an interface list for the Internet source using the following script:
/interface list add name=WAN-PROTECT
/interface list member add interface="ether1" list=WAN-PROTECT
Change Identity & MAC Address
Changes your MikroTik device's identity (hostname) and the MAC address of the WAN interface, so the default name and the vendor part of the MAC address no longer reveal a MikroTik device.
/system identity set name="YourDeviceName"
/interface ethernet set "ether1" mac-address="36:F5:EE:27:9D:DA"
Block IP Cloud
/ip cloud set ddns-enabled=no
/ip cloud advanced set use-local-address=no
/ip cloud set update-time=no
Block The Dude
/ip firewall filter add action=drop chain=input dst-port=2210,2211 in-interface-list=WAN-PROTECT protocol=tcp comment="Block The Dude"
/ip firewall filter add action=drop chain=input dst-port=2210,2211 in-interface-list=WAN-PROTECT protocol=udp
Block SNMP
/snmp set enabled=no
/ip firewall filter add action=drop chain=input dst-port=161,162 in-interface-list=WAN-PROTECT protocol=tcp comment="Block SNMP"
/ip firewall filter add action=drop chain=input dst-port=161,162 in-interface-list=WAN-PROTECT protocol=udp
Block BTest Server
/tool bandwidth-server set enabled=no authenticate=yes
/ip firewall filter add action=drop chain=input dst-port=2000 in-interface-list=WAN-PROTECT protocol=tcp comment="Block BTest Server"
/ip firewall filter add action=drop chain=input dst-port=2000 in-interface-list=WAN-PROTECT protocol=udp
Block Open PROXY
/ip proxy set enabled=no
/ip firewall filter add action=drop chain=input dst-port=3128,8080 in-interface-list=WAN-PROTECT protocol=tcp comment="Block Open PROXY"
/ip firewall filter add action=drop chain=input dst-port=3128,8080 in-interface-list=WAN-PROTECT protocol=udp
Block DNS Poisoning (Open Recursive DNS)
Prevents the router's DNS resolver from answering queries arriving from the WAN, so it cannot be abused as an open recursive resolver.
/ip firewall filter add chain=input dst-port=53 in-interface-list=WAN-PROTECT protocol=tcp action=drop comment="Block Open Recursive DNS"
/ip firewall filter add chain=input dst-port=53 in-interface-list=WAN-PROTECT protocol=udp action=drop
Block RoMon
/tool romon port add disabled=no forbid=yes comment="Block RoMON" interface="ether1"
Block Traceroute
Drops the UDP/TCP probe ports used by classic traceroute, so the router does not show up as a hop. Note that ICMP-based traceroute is not affected by these port rules.
/ip firewall filter add action=drop chain=input comment="Block Traceroute" in-interface-list=WAN-PROTECT dst-port=33434-33534 protocol=tcp
/ip firewall filter add action=drop chain=input in-interface-list=WAN-PROTECT dst-port=33434-33534 protocol=udp
Block MAC Address Discovery
Blocks MAC Telnet / MAC WinBox discovery and access, and disables the MAC server so the device cannot be reached by MAC address at all.
/ip firewall filter add action=drop chain=input comment="Block MAC Address" in-interface-list=WAN-PROTECT dst-port=20561 protocol=tcp
/ip firewall filter add action=drop chain=input in-interface-list=WAN-PROTECT dst-port=20561 protocol=udp
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server set allowed-interface-list=none
/tool mac-server ping set enabled=no
Block Neighbor Discovery
Prevents the MikroTik device from announcing itself (MNDP/CDP/LLDP) when someone on the WAN side runs a neighbor scan.
/ip firewall filter add action=drop chain=input comment="Block Neighbor Discovery" in-interface-list=WAN-PROTECT dst-port=5678 protocol=tcp
/ip firewall filter add action=drop chain=input in-interface-list=WAN-PROTECT dst-port=5678 protocol=udp
/ip neighbor discovery-settings set discover-interface-list=!WAN-PROTECT
Block Winbox Scan
Blocks the default MikroTik service ports (FTP, SSH, Telnet, WinBox, WWW, WWW-SSL, API and API-SSL) from the WAN.
/ip firewall filter add action=drop chain=input dst-port=21,22,23,8291,80,443,8728,8729 comment="Block Winbox Scan" in-interface-list=WAN-PROTECT protocol=tcp
/ip firewall filter add action=drop chain=input dst-port=21,22,23,8291,80,443,8728,8729 in-interface-list=WAN-PROTECT protocol=udp
Please make sure the interface named in every command is really your Internet source interface, otherwise the rules will not apply where intended!
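After applying the rules above it is easy to miss one protocol or one port group. The following is an added example (not part of the original tutorial) that parses the output of `/ip firewall filter export` and reports which of the service ports this tutorial drops are still not covered by a drop rule on chain=input from WAN-PROTECT; the export text below is constructed for the example, and the port list is taken from the rules in this tutorial.

```python
import re

# Ports this tutorial drops on chain=input from WAN-PROTECT (tcp and udp):
# The Dude, SNMP, BTest, proxy, DNS, MAC-Telnet, neighbor discovery,
# the default management services, and the UDP/TCP traceroute range.
EXPECTED_PORTS = {2210, 2211, 161, 162, 2000, 3128, 8080, 53, 20561, 5678,
                  21, 22, 23, 8291, 80, 443, 8728, 8729}
EXPECTED_PORTS |= set(range(33434, 33535))


def parse_rule(line):
    """Split one 'add ...' export line into its key=value fields."""
    fields = {}
    for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line):
        fields[key] = val.strip('"')
    return fields


def expand_ports(spec):
    """Expand a RouterOS dst-port value such as '21,22,33434-33534'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def uncovered_ports(export_text, iface_list="WAN-PROTECT"):
    """Return {proto: sorted ports} still NOT dropped on input from iface_list."""
    covered = {"tcp": set(), "udp": set()}
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        r = parse_rule(line)
        if (r.get("chain") == "input" and r.get("action") == "drop"
                and r.get("in-interface-list") == iface_list
                and r.get("protocol") in covered and "dst-port" in r):
            covered[r["protocol"]] |= expand_ports(r["dst-port"])
    return {proto: sorted(EXPECTED_PORTS - ports) for proto, ports in covered.items()}


# Constructed sample export: only some of the tutorial's rules were applied.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="Block SNMP" dst-port=161,162 in-interface-list=WAN-PROTECT protocol=tcp
add action=drop chain=input dst-port=161,162 in-interface-list=WAN-PROTECT protocol=udp
add action=drop chain=input comment="Block Winbox Scan" dst-port=21,22,23,8291,80,443,8728,8729 in-interface-list=WAN-PROTECT protocol=tcp
add action=drop chain=input dst-port=2210,2211 in-interface-list=WAN-PROTECT protocol=tcp
"""

if __name__ == "__main__":
    for proto, missing in uncovered_ports(SAMPLE_EXPORT).items():
        print(f"{proto}: {len(missing)} expected ports still open, e.g. {missing[:5]}")
```

Run it against a real export (`/ip firewall filter export file=filter` on the router, then paste the file contents in place of the sample) to confirm that both the tcp and udp lists come back empty.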