July 1, 2017
Prevent clients from accessing your router
It is common for administrators to think that their routers are safe because they have used a secure password. This may be partially true, but “prevention is usually better than cure”, so it is important to prevent users from reaching your router's logon prompt. If your router gets compromised, your entire network is vulnerable: an attacker could use the router to sniff packets or even mount a man-in-the-middle attack. There are many ways of blocking users; this is a simple one.
The script below will allow only specific IP addresses to access the router configuration logon screens.
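    # "support" = hosts allowed to manage the router; "Routers" = the router's own address
    /ip firewall address-list
    add address=192.168.88.254 disabled=no list=support
    add address=192.168.88.1 disabled=no list=Routers
    # Drop FTP, SSH, Telnet, HTTP and Winbox to the router from any source not in "support".
    # The rule is created with disabled=yes, so it has no effect until it is enabled.
    /ip firewall filter
    add action=drop chain=input protocol=tcp dst-port=21,22,23,80,8291 \
        dst-address-list=Routers src-address-list=!support \
        comment="Block Client Router Access" disabled=yes
    # MAC-Telnet, MAC-Winbox and MAC ping work at layer 2 and are not matched by the IP rule above
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add disabled=yes interface=bridge
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add disabled=yes interface=bridge
    /tool mac-server ping
    set enabled=no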
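To confirm the rule is actually in force after applying the script, the following added example (not part of the original post) parses the text of a RouterOS `/export` and reports which of the article's management ports have no enabled input-chain drop rule for sources outside the allow list. The sample export is constructed, the function names are hypothetical, and rule order (an earlier accept rule, for instance) is not modelled.

```python
import re
import shlex

MGMT_PORTS = {21, 22, 23, 80, 8291}  # TCP ports named in the article's drop rule

# Constructed sample of `/export` output (not taken from a real router).
SAMPLE_EXPORT = r'''/ip firewall address-list
add address=192.168.88.254 disabled=no list=support
add address=192.168.88.1 disabled=no list=Routers
/ip firewall filter
add action=drop chain=input protocol=tcp dst-port=21,22,23,80,8291 \
    dst-address-list=Routers src-address-list=!support \
    comment="Block Client Router Access" disabled=yes
'''

def parse_export(text):
    """Yield (menu, params) for every 'add' line, joining backslash continuations."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    menu = ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps comment="a b c" as one token
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def expand_ports(spec):
    """Turn '21,22,8000-8002' into a set of ints; no dst-port matches every port."""
    if not spec:
        return set(MGMT_PORTS)
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def unprotected_ports(text, allow_list="support"):
    """Management ports with no enabled input-chain drop for non-allow-listed sources."""
    covered = set()
    for menu, p in parse_export(text):
        if (menu == "/ip firewall filter" and p.get("chain") == "input"
                and p.get("action") == "drop" and p.get("protocol") == "tcp"
                and p.get("src-address-list") == "!" + allow_list
                and p.get("disabled", "no") != "yes"):  # disabled rules protect nothing
            covered |= expand_ports(p.get("dst-port"))
    return sorted(MGMT_PORTS - covered)

if __name__ == "__main__":
    print("unprotected management ports:", unprotected_ports(SAMPLE_EXPORT))
```

Run against the sample, every port is reported because the rule is still `disabled=yes`; once the rule is enabled the list is empty.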