IP Services in RouterOS: A Complete Guide

IP Services in RouterOS: A Complete Guide

RouterOS Version: 7.x+ Difficulty: Beginner Estimated Time: 20 minutes

Overview

IP Services controls access to your router’s management interfaces—SSH, WinBox, WebFig, API, and more. Properly configuring these services is one of the most important security measures you can take.

Key concepts:

• Disable services you don’t use
• Restrict remaining services to trusted networks
• Never use unencrypted services (telnet, FTP) over untrusted networks
• Combine with firewall rules for defense in depth

Critical: IP Services only controls IP-based access. MAC-based access (MAC-WinBox, MAC-Telnet) is controlled separately and bypasses IP firewall rules entirely.

Available Services

Service	Port	Protocol	Description	Default
telnet	23	TCP	Unencrypted CLI	Enabled
ftp	21	TCP	File transfer	Enabled
www	80	TCP	WebFig (HTTP)	Enabled
ssh	22	TCP	Secure shell	Enabled
www-ssl	443	TCP	WebFig (HTTPS)	Disabled
api	8728	TCP	RouterOS API	Disabled
winbox	8291	TCP	WinBox application	Enabled
api-ssl	8729	TCP	RouterOS API (TLS)	Disabled

Security recommendations:

Service	Recommendation
telnet	Disable - Sends passwords in cleartext
ftp	Disable - Sends passwords in cleartext
www	Disable - Use www-ssl instead
ssh	Keep, restrict by address
www-ssl	Enable with certificate
api	Keep disabled unless needed
winbox	Keep, restrict by address
api-ssl	Enable if API needed

Menu Reference

Command	Purpose
/ip service print	Show all services
/ip service set	Modify service settings
/ip service enable	Enable service(s)
/ip service disable	Disable service(s)

Service Properties

Property	Type	Description
name	string	Service identifier (read-only)
port	integer	TCP port (1-65535)
address	IP/prefix list	Allowed source addresses
certificate	string	TLS certificate (www-ssl, api-ssl)
tls-version	enum	Minimum TLS version
disabled	yes/no	Whether service is disabled
vrf	string	VRF for service binding (v7+)

Configuration Examples

Example 1: Basic Security Hardening

Disable insecure services and restrict the rest:

# Disable insecure and unused services
/ip service disable telnet,ftp,www,api

# Restrict SSH and WinBox to LAN
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# Verify
/ip service print

Expected output:

Flags: X - disabled, I - invalid
 #   NAME       PORT ADDRESS           CERTIFICATE
 0 X telnet       23
 1 X ftp          21
 2 X www          80
 3   ssh          22 192.168.88.0/24
 4 X www-ssl     443
 5 X api        8728
 6   winbox     8291 192.168.88.0/24
 7 X api-ssl    8729

Example 2: Enable HTTPS (WebFig with SSL)

# Create self-signed certificate
/certificate add name=webfig-cert common-name=router.local \
    key-size=2048 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign webfig-cert

# Enable www-ssl with certificate
/ip service set www-ssl certificate=webfig-cert disabled=no

# Restrict to management network
/ip service set www-ssl address=192.168.88.0/24

# Disable HTTP
/ip service disable www

Example 3: Change Default Ports

Reduce automated scanning attacks:

# Change SSH to non-standard port
/ip service set ssh port=2222

# Change WinBox port
/ip service set winbox port=18291

Connect with new ports:

• SSH: ssh [email protected] -p 2222
• WinBox: Enter 192.168.88.1:18291 in connection field

Example 4: Multiple Allowed Networks

Allow access from LAN and VPN:

/ip service set ssh address=192.168.88.0/24,10.0.0.0/8
/ip service set winbox address=192.168.88.0/24,10.0.0.0/8

Example 5: Enable API with SSL

For automation tools:

# Create certificate
/certificate add name=api-cert common-name=api.local key-size=2048 days-valid=3650
/certificate sign api-cert

# Enable API-SSL only
/ip service set api-ssl certificate=api-cert address=192.168.88.0/24 disabled=no

# Keep plaintext API disabled
/ip service set api disabled=yes

Example 6: VRF-Specific Binding (v7+)

Bind services to management VRF:

/ip service set ssh vrf=management-vrf
/ip service set winbox vrf=management-vrf

MAC Server Configuration (Critical!)

IP Services only controls IP-based access. MAC-based access is completely separate and bypasses IP firewall rules.

Disable MAC-Based Access Entirely

/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none

Restrict MAC Access to Specific Interfaces

# Create interface list
/interface list add name=mgmt-interfaces
/interface list member add list=mgmt-interfaces interface=ether1

# Apply to MAC servers
/tool mac-server set allowed-interface-list=mgmt-interfaces
/tool mac-server mac-winbox set allowed-interface-list=mgmt-interfaces

Complete Secure Configuration

Combine IP Services with MAC Server and firewall:

# 1. Disable insecure services
/ip service disable telnet,ftp,www,api

# 2. Restrict remaining services to LAN
/ip service set ssh address=192.168.88.0/24 port=2222
/ip service set winbox address=192.168.88.0/24

# 3. Enable HTTPS if web management needed
/certificate add name=webfig common-name=router.local key-size=2048 days-valid=3650
/certificate sign webfig
/ip service set www-ssl certificate=webfig address=192.168.88.0/24 disabled=no

# 4. Restrict MAC access to management interface only
/interface list add name=mgmt-list
/interface list member add list=mgmt-list interface=ether1
/tool mac-server set allowed-interface-list=mgmt-list
/tool mac-server mac-winbox set allowed-interface-list=mgmt-list

# 5. Add firewall rules for defense in depth
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=22,2222,8291,80,443,8728,8729 action=drop \
    comment="Block management from WAN"

Common Problems and Solutions

Problem 1: Locked Out After Address Restriction

Symptom: Cannot connect after setting address restriction.

Cause: Current IP not in allowed list.

Solutions:

1. Use MAC-WinBox - Open WinBox, go to Neighbors tab, connect by MAC address
2. Serial console if available
3. Netinstall as last resort

Prevention:

# Always include your current IP before restricting
/ip service set ssh address=192.168.88.0/24,YOUR.CURRENT.IP/32

Problem 2: Can Still Connect After Disabling Service

Cause: MAC-based access (MAC-WinBox, MAC-Telnet) is still enabled.

Solution:

# Disable MAC access
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none

Problem 3: www-ssl Shows “Invalid” Status

Causes:

• No certificate assigned
• Certificate not signed
• Certificate expired

Solution:

# Check certificate status
/certificate print

# Create and sign new certificate
/certificate add name=new-cert common-name=router.local key-size=2048
/certificate sign new-cert

# Assign to service
/ip service set www-ssl certificate=new-cert

Problem 4: SSH Brute Force Attacks

Symptom: Logs show thousands of failed SSH login attempts.

Solutions:

1. Change port and restrict address:

   /ip service set ssh port=2222 address=192.168.88.0/24

2. Add firewall rate limiting:

   /ip firewall filter
   add chain=input protocol=tcp dst-port=22 connection-state=new \
       src-address-list=ssh_blocklist action=drop
   add chain=input protocol=tcp dst-port=22 connection-state=new \
       src-address-list=ssh_stage2 action=add-src-to-address-list \
       address-list=ssh_blocklist address-list-timeout=1w
   add chain=input protocol=tcp dst-port=22 connection-state=new \
       src-address-list=ssh_stage1 action=add-src-to-address-list \
       address-list=ssh_stage2 address-list-timeout=1m
   add chain=input protocol=tcp dst-port=22 connection-state=new \
       action=add-src-to-address-list address-list=ssh_stage1 \
       address-list-timeout=1m

Problem 5: WinBox Won’t Connect After Port Change

Cause: WinBox defaults to port 8291.

Solution: Specify port in connection: 192.168.88.1:18291

Problem 6: API Connection Hangs

Cause: API client not reading complete responses before sending new commands.

Solution: Ensure API client properly handles multi-word responses. API ignores new commands until previous response is fully read.

Security Best Practices

1. Disable telnet and FTP immediately - Both transmit credentials in cleartext
2. Restrict by source address - More effective than port changes
3. Change default ports - Reduces automated scanning (secondary measure)
4. Use SSL/TLS versions - www-ssl and api-ssl over plaintext
5. Disable MAC access on untrusted interfaces - Often overlooked security hole
6. Combine with firewall rules - Service address restriction is last defense
7. Keep RouterOS updated - Security vulnerabilities are patched regularly

Defense in Depth

┌────────────────────────────────────────┐
│           Firewall Rules               │  ◄── First line of defense
│  (Drop management ports from WAN)      │
└────────────────────────────────────────┘
                    │
                    ▼
┌────────────────────────────────────────┐
│        IP Service Restrictions         │  ◄── Second line
│  (address=192.168.88.0/24)             │
└────────────────────────────────────────┘
                    │
                    ▼
┌────────────────────────────────────────┐
│       MAC Server Restrictions          │  ◄── Third line
│  (allowed-interface-list=mgmt)         │
└────────────────────────────────────────┘
                    │
                    ▼
┌────────────────────────────────────────┐
│         User Authentication            │  ◄── Final line
│  (Strong passwords, limited users)     │
└────────────────────────────────────────┘

Verification Commands

# List all services with status
/ip service print

# Show only enabled services
/ip service print where disabled=no

# Check MAC server settings
/tool mac-server print
/tool mac-server mac-winbox print

# Test from external device
# ssh [email protected] -p 22
# curl http://192.168.88.1/

REST API (RouterOS 7+)

RouterOS 7.1+ includes REST API via www-ssl:

# Example: Get interface list
curl -k -u admin:password https://192.168.88.1/rest/interface

Requirements:

• www-ssl enabled with certificate
• User with API permission
• HTTPS (not available via HTTP)

Related Features

• Certificates (/certificate) - Required for SSL services
• Firewall (/ip firewall filter) - Additional access control
• Users (/user) - Authentication and authorization
• MAC Server (/tool mac-server) - Layer 2 management access
• SSH (/ip ssh) - SSH-specific settings (host keys, etc.)

Summary

Securing IP Services involves three steps:

1. Disable unused services - Especially telnet and FTP
2. Restrict remaining services - By source address and port
3. Control MAC access - Often forgotten but critical

Key points:

• IP Services and MAC Server are separate - configure both
• Address restriction is more effective than port changes
• Combine with firewall rules for defense in depth
• Always verify you can still connect before disconnecting
• Keep RouterOS updated for security patches

Related Topics

Security

• Certificates - required for SSL services
• Firewall Basics - additional access control
• User Management - authentication

Remote Access

• SSH - SSH-specific settings
• IP Cloud - DDNS for remote access
• WireGuard VPN - secure tunnel access

Related Topics

• IP Neighbors - network discovery security
• Logging - audit access attempts