MikroTik CHR: Basic system protection (+ video)

Guide for essential system protection.

First to consider! If You leave service ports standard and don’t change the username and password as soon as possible, the chance to be compromised is enormous.

Here You will find the essential steps to protect your MikroTik CHR from intrusion.

Here's a small video explaining the process:

Be careful while placing restrictive (drop) rules, it is possible to limit your own access to the router.

Use "Safe Mode" button while you are not sure what the changes may cause.

In CLI "Safe Mode" is enabled/disabled with [Ctrl]+[X] combination.

Remember to release "Safe mode" after all changes are confirmed as working properly, otherwise they will be reverted once You log-out.

MikroTik - safe mode

1. First and most important:

Create new username and password with Full privileges

[admin@mikrotik] > user add group=full name=newadmini password=H@rDt0Gu3SsP@sSw0Rd

RouterOS - Uers

RouterOS - user list window

Delete the default one

2. Modify service ports so that unused services are disabled, and those who will be used is not on it’s default ports. It is very useful against bots. Use ports of your choice, but not overlapping reserved system ports.


For example:

Disable API, API-SSL, Telnet, FTP, WWW and WWW-SSL.

[newadmini@mikrotik] > ip service disable api,api-ssl,ftp,telnet,www,www-ssl

routeros - ip Service List window

Change port for SSH from 22 to 22221

[newadmini@mikrotik] > ip service set ssh port=22221

routeros - service ports

WinBox port should NOT be changed because the Windows App doesn’t support specifying destination port.

3. Add firewall/filter rules:
Chain INPUT:

[newadmini@mikrotik] > ip firewall filter add action=accept chain=input comment="Allow ICMP ping" protocol=icmp

[newadmini@mikrotik] > ip firewall filter add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp

[newadmini@mikrotik] > ip firewall filter add action=accept chain=input comment="Allow SSH" dst-port=22221 protocol=tcp

[newadmini@mikrotik] > ip firewall filter add action=accept chain=input comment="Accept established connections" connection-state=established

[newadmini@mikrotik] > ip firewall filter add action=accept chain=input comment="Accept related connections" connection-state=related

[newadmini@mikrotik] > ip firewall filter add action=accept chain=input comment="Allow DNS for trusted network" dst-port=53 protocol=udp src-address=

[newadmini@mikrotik] > ip firewall filter add action=drop chain=input comment="Drop everything else"

routeros - add firewall rule

routeros - firewall rule window


In Cloud Hosted Router, forwarding table might be very different depending on the particular use scenario.

[newadmini@mikrotik] > ip firewall filter add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid

routeros - new firewall rule window

firewall rules window - routeros

4. Optional: For better security, You can easily restrict the access to the router, by accepting only your home or office IP address from which you will modify router’s configuration:

This should be done for all rules that accepts connection on service ports (SSH and WinBox).

firewall src. address - routeros

Please, be noted that the above firewall rules are NOT complete protection! It is only the very basic rules, and they should be appended or modified according to the real set-up!

Purchase the most appropriate MikroTik CHR VPS plan for your project & take advantage of up to 30% off.

Get Started!
icon knowledge

Related Articles

MikroTik CHR Licensing

The CHR has 4 license levels: free p1 perpetual-1($45) p10 perpetual-10($95) p-unlimited...

MikroTik CHR How to set-up L2TP VPN Server. VPN server for Apple devices - Iphone, MacBook. (+ video)

As we know, Apple does not support PPTP VPN protocol on its own devices. One of the protocols...

Set up L2TP over IPSec / PPTP VPN client on Windows 10 (+ video)

In this article, we will show you how to set up your VPN client in Windows with PPTP/L2TP over...

How-To: Configuring WireGuard in MikroTik CHR - Faster and secure VPN protocol

WireGuard is a new and actively developed VPN protocol. It provides more advantages over the...