So I recently bought a Mikrotik RB5009 router to replace the router provided by my provider. They always are far too limited and can't handle large amounts of traffic very well without bottlenecking.
I've discovered the fun thing about Mikrotik routers is that it doesn't come with much configuration at all unlike routers from Fortigate for example.
These configs are actually listed on Mikrotik's site itself, but I like to keep record of it for myself as well. Just in case when for some reason my config backup is corrupted and I have no internet.
These can be copy pasted into the shell with no problem. You can access it using the WebGUI, Winbox or SSH.
Can you do this using the interface without shell? Yes you can, but are you really that bored you want to enter all these lines one by one?
Protecting LAN devices:
/ip firewall address-listadd address=0.0.0.0/8 comment=RFC6890 list=not_in_internetadd address=172.16.0.0/12 comment=RFC6890 list=not_in_internetadd address=192.168.0.0/16 comment=RFC6890 list=not_in_internetadd address=10.0.0.0/8 comment=RFC6890 list=not_in_internetadd address=169.254.0.0/16 comment=RFC6890 list=not_in_internetadd address=127.0.0.0/8 comment=RFC6890 list=not_in_internetadd address=224.0.0.0/4 comment=Multicast list=not_in_internetadd address=198.18.0.0/15 comment=RFC6890 list=not_in_internetadd address=192.0.0.0/24 comment=RFC6890 list=not_in_internetadd address=192.0.2.0/24 comment=RFC6890 list=not_in_internetadd address=198.51.100.0/24 comment=RFC6890 list=not_in_internetadd address=203.0.113.0/24 comment=RFC6890 list=not_in_internetadd address=100.64.0.0/10 comment=RFC6890 list=not_in_internetadd address=240.0.0.0/4 comment=RFC6890 list=not_in_internetadd address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet |
Firewall rules:
Replace any IP addresses and interfaces with your own
/ip firewall filteradd action=accept chain=input comment="default configuration" connection-state=established,relatedadd action=accept chain=input src-address-list=allowed_to_routeradd action=accept chain=input protocol=icmpadd action=drop chain=inputadd address=192.168.88.2-192.168.88.254 list=allowed_to_routeradd action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,relatedadd action=accept chain=forward comment="Established, Related" connection-state=established,relatedadd action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalidadd action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NATadd action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internetadd action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24 |
I find these basic configuration protect your network well enough. Like any router, it will block all traffic incoming that have no destination.
If you need ports open for a webserver for example, then you need to open the ports in both NAT and the firewall filter. This is very common with non-consumer grade routers as far as I can tell.
It make sense right? You allow the port to enter from the WAN, but you still need to tell the router it's allowed to route to your internal webserver.