Secure Remote Management Guide
RouterOS v7+ secure remote access via VPN, allowed interfaces, and firewall filtering.
Prerequisite: Ensure you have completed VPN Tunnels and Firewall Best Practices before proceeding.
Prerequisites
- RouterOS: v7 or later.
- Hardware: Supported RouterOS-based device.
- Access: WinBox, SSH, or serial console. VPN tunnel or management interface already configured.
Lockout Prevention (Required)
Before restricting services or firewall rules, establish a lockout-proof management path. If you lose access, recovery requires physical access to the device: a serial console where the hardware has one, the reset button (which restores the default configuration and discards yours), or Netinstall. Make the changes from a session in Safe Mode (Ctrl+X in the terminal, the Safe Mode button in WinBox): if that session drops before you leave Safe Mode, RouterOS reverts the changes made in it.
- Local bridge: Ensure at least one physical port (e.g., ether1) is in a bridge or interface list that will remain allowed. Do not restrict the interface you are currently using.
- Allowed address list: When setting /ip service set ... address=, include the address or subnet you are managing from. /user active print shows the source address of your current session; /ip address print shows the router's own addresses and subnets. Check both before applying.
- Firewall order: The input chain must accept your management interface before the final drop. Add the accept rule, test from a second session, then apply the service restrictions.
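The complete sequence in lockout-safe order, as an added example that is not from the original page. It assumes a bridge named bridge carrying the LAN (192.168.88.0/24), a WireGuard interface wireguard1 listening on UDP 13231 with clients in 10.0.0.0/24, and that you are connected from the LAN; the interface names, subnets and port are assumptions, so adjust them to your device. Run it from a terminal session in Safe Mode so that a lost session reverts everything.

```routeros
# Added example, not from the original page. Assumed names: bridge (LAN),
# wireguard1 (VPN, UDP 13231), LAN 192.168.88.0/24, VPN clients 10.0.0.0/24.
# Press Ctrl+X first: Safe Mode reverts these changes if this session drops.

# 1. Interface lists. The firewall matches on lists, not on raw interface names.
#    Skip the "add name=LAN" line if the default configuration already created it.
/interface list add name=LAN comment="local management"
/interface list add name=VPN comment="remote management over the tunnel"
/interface list member add list=LAN interface=bridge
/interface list member add list=VPN interface=wireguard1

# 2. Input chain, top to bottom. On a device that already has input rules,
#    run "/ip firewall filter print where chain=input" first and use
#    place-before= so that none of these land below an existing drop.
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="keep existing sessions alive"
/ip firewall filter add chain=input action=drop connection-state=invalid
/ip firewall filter add chain=input action=accept in-interface-list=LAN comment="local management"
/ip firewall filter add chain=input action=accept in-interface-list=VPN comment="remote management via VPN"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard listener (assumed port); without this the tunnel never comes up"
/ip firewall filter add chain=input action=drop comment="drop everything else addressed to the router"

# 3. Before going further: open a second WinBox or SSH session from the LAN and
#    a third one through the VPN. Only continue if both work.

# 4. Services: address= restricts by source address (not by interface), so list
#    the LAN subnet and the VPN client subnet, then disable what is not used.
/ip service set winbox address=192.168.88.0/24,10.0.0.0/24
/ip service set ssh address=192.168.88.0/24,10.0.0.0/24
/ip service set www-ssl address=192.168.88.0/24,10.0.0.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# 5. Verify, then confirm the second and third sessions still work, and only
#    then press Ctrl+X again to leave Safe Mode and keep the changes.
/user active print
/interface list member print
/ip firewall filter print where chain=input
/ip service print
```

The two accept rules for the LAN and VPN lists sit above the final drop; their position relative to the established,related rule does not matter for management access. The WireGuard accept rule is the piece most often forgotten: with VPN-only management and no rule for the tunnel's own listener, the first reboot after a restrictive input chain leaves the router unreachable.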
Configuration Flow
Allowed Interface
The /ip service address= setting restricts each service by source address, not by interface; the default (empty address) accepts connections from any source the firewall lets through. List the LAN subnet and the VPN client subnet for WinBox, SSH, and API. Interface-level restriction is done in the firewall input chain with interface lists (e.g., LAN, VPN), covered in the next step.
/ip service set winbox address=192.168.88.0/24,10.0.0.0/24
/ip service set ssh address=192.168.88.0/24,10.0.0.0/24
/ip service set www-ssl address=""
An empty address="" removes the restriction from a service, so www-ssl above accepts from any source the input chain allows; give it the same subnets as WinBox and SSH if you use WebFig over HTTPS.
Firewall Filter
The input chain must accept management traffic from the allowed interfaces before the final drop. Put the VPN tunnel interface and the LAN bridge in interface lists and accept those lists. Also accept the VPN's own inbound traffic (for example the WireGuard UDP listen port) above the drop, or the tunnel can never be established in the first place.
/ip firewall filter add chain=input in-interface-list=LAN action=accept place-before=0
/ip firewall filter add chain=input in-interface-list=VPN action=accept place-before=1
place-before= refers to the rule numbers shown by the most recent /ip firewall filter print, which counts rules across all chains; check the numbering on your device rather than assuming 0 and 1.
RouterOS Services
Disable unused services. Enable only WinBox, SSH, or API as required. Use /ip service print to verify.
/ip service disable telnet,ftp,www,api,api-ssl
Related
VPN Tunnels — required for remote VPN-based management.
Firewall Best Practices — Input chain order and established/related rules.
Common Pitfalls
- Locked out: Restricting services or firewall without a lockout-proof path drops management. Always include your current connection in the allowed address list or ensure a local bridge/interface is allowed in the Input chain before applying restrictions.
- Wrong interface or subnet: The VPN client subnet must be in the service address= list, and the VPN tunnel interface must be a member of the interface list the input chain accepts. Verify with /ip service print, /interface list member print, and /interface print.
- VPN tunnel down: If management is VPN-only and the tunnel is down, access is lost. Maintain console or serial access, or allow a fallback interface such as the LAN bridge, and make sure the input chain accepts the VPN's own listener so the tunnel can come back up.
- Firewall rule order: Rules are evaluated top to bottom and the first match wins. The accept rules for the VPN and LAN lists must sit above the final input drop; placing them after the established,related rule is fine and usual. Verify with /ip firewall filter print where chain=input.