Why do you allow winbox access (TCP port 8291) from WAN? Winbox is not a very secure protocol.
The implicit action of firewall is to accept packets which were not dropped due to explicit rules. Your rules only deal with some specific packets, so they will slip some traffic.
So your firewall is not as bullet-proof as you wish it would be. But I agree that default could be better as well by having explicit drop all rule as the last rule instead of having a combined "dtop everything which is not dst-nated coming from WAN". Using two rules instead would make it more readable and more versatile for additions such as you need.
Regarding the error message: where does the http client run? You have to check that host because 127.0.0.1 is always "localhost" and if host's networking is not totaly fubar, that traffic never leaves that nachine. So nothing to do with Mikrotik and its firewall.
The implicit action of firewall is to accept packets which were not dropped due to explicit rules. Your rules only deal with some specific packets, so they will slip some traffic.
So your firewall is not as bullet-proof as you wish it would be. But I agree that default could be better as well by having explicit drop all rule as the last rule instead of having a combined "dtop everything which is not dst-nated coming from WAN". Using two rules instead would make it more readable and more versatile for additions such as you need.
Regarding the error message: where does the http client run? You have to check that host because 127.0.0.1 is always "localhost" and if host's networking is not totaly fubar, that traffic never leaves that nachine. So nothing to do with Mikrotik and its firewall.
Statistics: Posted by mkx — Mon Dec 25, 2023 9:46 pm