How to secure access to your router: a guide for Mikrotik users

Why router security is important

A Wi-Fi router can be compared to the front door to your apartment. If it's secure, you feel safe. If it's not, the risks increase.

• access your network;
• use the Internet without your knowledge;
• intercept traffic and data;
• use your device to attack other resources.

And often, the user isn't even aware of this. That's why securing a MikroTik router isn't a one-time action, but a habit. Let's look at what you need to do step by step.

1. Update your router firmware

This is the simplest and most effective step, yet one that most users ignore for years. Manufacturers regularly release firmware updates that patch known security vulnerabilities, improve stability, and enhance compatibility with devices and services. Without timely updates, even a good router eventually becomes vulnerable to known hackers.

This is especially true for older router models. One example of a real threat is DNS ANY flood attacks, where an outdated router is used to create a load on third-party servers. The device owner is often unaware that their equipment is already being used in malicious scenarios.

Vulnerability CVE-2018-14847, which affects a wide range of RouterOS versions, deserves special attention. It allows an attacker with physical access to the device to roll back the firmware to a vulnerable version and gain access to the configuration. Therefore, it's important not only to have the latest firmware but also to restrict physical access to the device — more on that later.

What to do: check for updates at least every few months. If your router supports automatic updates, enable it. On MikroTik routers, this is done via the System → Packages → Check for Updates menu.

2. Replace the default administrator account

This is one of the most frequently overlooked, yet critically important steps. By default, most routers have an account with the username «admin» and either a blank password or a password like «admin», «1234», or «password». Brute-force attacks on these passwords are the starting point for any attack.

What to do: disable or delete the default «admin» account and create a new one with a unique username and a strong password. Avoid common names like «user», «guest», or «administrator». On MikroTik routers, this can be done via System → Users. When changing the password on your router, keep in mind that it must contain uppercase and lowercase letters, numbers, and special characters, be at least 8 characters long, and not match the username or passwords for other services.

3. Close external access to router services and move them to non-standard ports.

One of the most common mistakes is allowing open access to router management services from the Internet. A router shouldn't be listening for external requests unless necessary. Particular attention should be paid to services that are most often left open accidentally: the web management interface (Winbox / web), DNS, Telnet, FTP, and SSH. If they are accessible from the Internet, they effectively leave the door open to outsiders.

Additional protection: Even if you leave a service accessible externally, move it to a non-standard port. Automated scanners primarily check standard ports; changing the port significantly reduces the number of connection attempts. For example, Winbox runs on port 8291 by default, and SSH on 22; moving it to a custom port (say, 15000 or higher) will significantly reduce the number of attacks.

What to do: on the MikroTik, go to IP → Services and disable or restrict access to services you don't use. For each active service, specify allowed IP addresses in the «Available From» field so that access is limited to your network or a specific address. Telnet, as an outdated and insecure protocol, should be disabled completely.

For external diagnostics, leaving only ICMP (Internet Control Message Protocol) open is usually sufficient. It's best to restrict everything else.

4. Disable the Neighbor Discovery Protocol (MNDP) on the WAN interface.

This is an important step that helps protect your Wi-Fi router from your neighbors. MikroTik uses MNDP (MikroTik Neighbor Discovery Protocol), a neighbor discovery protocol that allows routers to automatically find and exchange information with each other. The problem is that this protocol broadcasts the router's operating system version and a list of active features. This is essentially a ready-made «business card» for an attacker: knowing the RouterOS version, they can exploit the corresponding known vulnerabilities.

What to do: on the MikroTik router, go to IP → Neighbors and disable neighbor discovery on the WAN interface (or leave it only for the LAN).

5. Restrict router connections by MAC address

MikroTik allows you to connect to the router via Winbox and Telnet not only by IP address but also by MAC address — even without a configured IP network. If this feature is enabled for the WAN interface, an attacker on the same network can access the router bypassing IP filters.

What to do: go to Tools → MAC Server. In the Telnet Interfaces and WinBox Interfaces tabs, select only the LAN interface, delete all others, and disable the «all» option.

6. Set up a stateful firewall

Even if you've disabled unnecessary services, your router remains vulnerable without a properly configured firewall.

A stateful firewall is an approach whereby the router only allows connections initiated within your network. All unsolicited incoming requests from outside your network are simply ignored. This effectively blocks most automated scans and connection attempts.

What to do: in the IP → Firewall → Filter Rules section, there should be rules that accept established and related connections and reject invalid ones.

The basic firewall setup algorithm for MikroTik looks like this:

/ip firewall filter

# 1. Allow established connections
add chain=input connection-state=established action=accept

# 2. Allow related connections
add chain=input connection-state=related action=accept

# 3. Dropping invalid connections
add chain=input connection-state=invalid action=drop

# 4. Allow ICMP (ping)
add chain=input protocol=icmp action=accept

# 5. Allow access from local network
add chain=input src-address=192.168.0.0/24 action=accept

(In this line, you need to replace the IP address with the address of your local subnet — for example, 192.168.1.0/24.)

# 6. Everything else is a drop
add chain=input action=drop

• Input chain (protection of the router itself): allow established, related — discard invalid — allow ICMP (for diagnostics, with a limited number of requests) — discard everything else coming from the WAN interface.
• Forward chain (protection of the network behind the router): allow established, related — discard invalid — discard everything else from the WAN.

Important: MikroTik firewall rules are executed sequentially, so their order matters. Before making any changes to the firewall, back up the configuration (Files → Backup or /export in the terminal).

7. Protect your router from physical access — Protected RouterBOOT

Network security is important, but there's also a physical threat: if someone gains direct access to the device, they can reset the settings using the «Reset» button or reinstall RouterOS via Netinstall. In the first case, the configuration is lost; in the second, an attacker can access the internal memory, which may store certificates, keys, or backups with passwords.

MikroTik has a built-in protection against this — Protected RouterBOOT. Once enabled, the «Reset» button no longer resets the device in standard mode, and Netinstall is also blocked. To format the device, you need to hold the «Reset» button for a specified number of seconds — and without knowing this interval, resetting it becomes very difficult.

What to do: in the MikroTik terminal, run the command

  /system routerboard settings

  set protected-routerboot=enabled

After this, press and hold the physical button on the router for 60 seconds to confirm — this ensures that protection won't be enabled without physical access to the device. Then, be sure to change the formatting time interval to a non-standard one, for example:

  /system routerboard settings

  set reformat-hold-button=120s reformat-hold-button-max=130s

Important: remember or securely save the set time interval. If you forget it and lose administrative access to the router, it will be impossible to restore the device without a full format and time adjustment.

8. Disable everything you don't use

There's a simple principle in network security: the fewer open points, the less chance of an attack. Every service is enabled, but an unused one is a potential entry point for an attacker. Therefore, it's worth regularly checking: is remote access to the router enabled, are services you don't need running, and are there any unnecessary ports open? If in doubt, it's best to disable them.

How Maxnet helps protect your router

Not all users have the time or inclination to delve into technical details — and that's okay. That's why it's important to take care of basic security from the very beginning.

• access is restricted from outside;
• only essential services are enabled;
• the network is stable and secure.

And if you have any questions or encounter any unusual situations, you can always contact our technical support.