How To Block A Port In Mikrotik Winbox

May 28, 2020 by Harry

There are two ways to block a port in Mikrotik Winbox. The first is to block it through IP > Firewall in Winbox, and the second is to block it from the terminal in Winbox. This post covers both methods, which help prevent unexpected login attempts.

To keep attackers out of your Mikrotik and to stop your users from using some services illegally, it is important to close some ports on your Mikrotik server. Attackers use DDoS and brute-force attacks against Mikrotik devices. They first gather enough information about your Mikrotik VPS to select the type of attack.

Ways to block a port in Mikrotik

  • Block port through the user interface
  • Block port using the terminal

In this tutorial, we will block port 25, the SMTP port, to stop users from spamming.

Block Mikrotik port using the user interface

Step 1: Log in to Winbox

First, log in to your Mikrotik VPS through Winbox.
You can download Winbox from the Mikrotik website.

Step 2: Block the port

Once you have downloaded it, enter your login details: server IP, username, and password.

You are now logged in to Winbox. From the left panel, choose IP and then Firewall.

In this section, there are some tabs and we will use the Filter Rules tab to block the SMTP port 25 on our Mikrotik VPS server.

Click on the blue plus sign. On the General tab, choose the Chain as Input.

Definition of Chains in Mikrotik firewall

Input Chain: Packets coming in to the router. When the destination of a packet is the router itself, the packet is in the input chain. For example, when you use Mikrotik as a DNS server, the DNS packets are in the input chain.

Output Chain: Packets that leave the router, that is, packets whose source address is the router itself. An example is the NTP packet that the router sends to the Internet to set its clock.

Forward Chain: Packets that cross the router, as when the router only routes them. Neither the source nor the destination address is one of the router's own addresses.

After setting the chain to Input, choose the Protocol, which can be TCP or UDP, and set the destination port to 25.

Note: Instead of 25, put the number of the port that you wish to block.

Now in the Action tab, choose drop to drop the incoming packets. Click Apply and OK to complete the process.

Congratulations, you have now successfully blocked the port.

Under IP > Firewall, in the Filter Rules tab, you can see the rule that blocks the port.

Block a port in Mikrotik using terminal

Sometimes we do not have remote access to the Mikrotik server. In that case, we have to add our rules through the command line in the console or over VNC. Here we use the terminal inside Winbox, but if you do not have access to Winbox, you can use the same commands below to add rules to the router.

As before, log in to Winbox and open a new terminal.
Then type the commands below one at a time, pressing Enter after each.

ip firewall filter
add chain=input protocol=tcp dst-port=25 action=drop

In this way, you have successfully blocked the port. You can type the command below to see the rules inside the firewall:

print
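
The two rules below, as an added example that is not part of the original post, apply the chain definitions above to port 25: the input rule covers connections addressed to the router itself, while traffic from users behind the router to outside mail servers crosses the router and is matched in the forward chain. The forward rule, the logging options and the comment strings are assumptions for illustration.

```routeros
# Added example, not from the original post.
/ip firewall filter

# Connections to port 25 on the router itself (input chain), as in the tutorial.
add chain=input protocol=tcp dst-port=25 action=drop comment="drop SMTP to router"

# Connections from users behind the router to port 25 elsewhere (forward chain).
# Assumption: no mail server behind this router needs to send on port 25.
# log=yes writes each dropped packet to the router log with the given prefix.
add chain=forward protocol=tcp dst-port=25 action=drop log=yes log-prefix="smtp-drop" comment="drop SMTP through router"

# List only the rules added above, then show their packet and byte counters.
print where comment~"drop SMTP"
print stats where comment~"drop SMTP"
```

Rules in a chain are checked from top to bottom and add places a new rule at the end, so an earlier accept rule that matches the same traffic takes effect first; check the rule's position in the print output.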

I hope you have enjoyed this post and you find it useful.
I will be happy to get your opinions regarding this article.
