How I Secure My MikroTik RouterOS Router When Using a Public IP

When a router is assigned a public IP address, it means the device is directly reachable from the internet. This also means it can be discovered, scanned, or targeted by anyone online.

In this article, I want to share my experience securing a MikroTik router that has a public IP attached to it. These are simple steps that I usually apply to reduce unnecessary exposure and improve the router's security.


1. Change the Default Admin User

One of the first things I recommend is not using the default admin user.

Instead:

  1. Go to System → Users
  2. Create a new username
  3. Assign it administrator privileges
  4. Delete the default admin user

This helps prevent basic brute-force login attempts that commonly target the default account.

You can also add additional security by configuring:

  • Allowed Address – restrict login access to specific IP addresses or subnets
  • Inactivity Timeout – automatically log out idle sessions faster

Restricting login access by IP address can significantly reduce the risk of unauthorized access.


2. Review and Disable Unused Services

Another important step is checking which services are running on your router.

You can find this in:

IP → Services

Some users are not aware that if services such as DNS Server or NTP Server are enabled, they may also be reachable from the public internet.

For services that must remain enabled, you can limit access using the “Available From” field. This allows you to specify which IP addresses or subnets are allowed to access the service.


3. Use Firewall Rules to Block WAN Access

In some cases, restricting access through the Available From field may not be enough or may not fit your setup.

In these situations, you can use the MikroTik firewall.

A common practice is to block management ports from the WAN interface using the input chain.

Why the input chain?

Because the input chain processes traffic that is destined for the router itself.

For example, if you want to block Winbox access from the internet, you can create a firewall rule like this:

  • chain = input
  • in-interface = WAN interface
  • dst-port = Winbox port
  • action = drop

This prevents external users from attempting to access router management services.
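
The steps from sections 1 to 3, written as RouterOS terminal commands instead of Winbox menu clicks. This is an added example, not part of the original article. The WAN interface name ether1, the management subnet 192.0.2.0/24, the username netadmin and the password placeholder are assumptions; 8291 is the Winbox default port.

```routeros
# Constructed example. Assumptions: WAN is ether1, the trusted management
# subnet is 192.0.2.0/24 (a documentation range), the new account is "netadmin".

# 1. Create a replacement administrator limited to the trusted subnet
#    (address= is the "Allowed Address" field). Replace the placeholder password.
/user add name=netadmin group=full address=192.0.2.0/24 password="CHANGE-ME"
# Log in as netadmin and confirm it works BEFORE removing the default account.
/user remove admin

# 2. Disable the management services you do not use and restrict the ones
#    you keep (address= is the "Available From" field).
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.0.2.0/24
/ip service set winbox address=192.0.2.0/24
/ip service print

# 3. Drop management and DNS traffic that arrives on the WAN interface.
#    The input chain only sees packets addressed to the router itself.
#    Rules are evaluated top to bottom, so these drops must sit above any
#    accept rule that would otherwise match the same traffic.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 action=drop comment="drop Winbox from WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=22 action=drop comment="drop SSH from WAN"
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="drop DNS (UDP) from WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="drop DNS (TCP) from WAN"

# Review the resulting order and watch the packet counters to confirm matches.
print stats where chain=input
```

Run these from a session inside the trusted subnet, otherwise the address restrictions will lock out the session that applies them.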


4. Check Your Public IP from the Internet

Finally, it is always a good idea to see how your network appears from the internet.

You can use tools such as:

  • Shodan
  • Censys

By entering your public IP address, you can check which ports are visible externally.

Ideally, there should be no open ports, unless they are intentionally exposed for a specific service.


Final Thoughts

Securing a router with a public IP does not have to be complicated. Based on my experience, these simple practices already improve security significantly:

  • Change the default admin user
  • Disable unused services
  • Use firewall rules to block access from the WAN side
  • Periodically scan your public IP

Even small configuration changes can help reduce the risk of unauthorized access to your router.