Everything About Mikrotik Firewall Rules You Should Know
Содержание
- Mikrotik Firewall Rules
- Mikrotik Firewall Rules: Accessing a Router
- Mikrotik Firewall rules: IPv4 firewall to a router
- Mikrotik Firewall rules: IPv4 firewall for clients
- Mikrotik Firewall rules: IPv6 firewall to a router
- Mikrotik Firewall rules: IPv6 firewall for clients
- Significant Mikrotik Firewall Rules
Since the introduction of the recent FastTrack feature and the release of Router OS 6.29.1, there is a confusion among users about how they can implement the FastTrack rules in the Mikrotik Firewall. With the recent Router OS releases, the FastTrack feature begins working on various interfaces, such as VLANs. Therefore, it becomes very important for users to learn more about this feature and how to implement this feature properly. We like forwarded traffic to be patent for FastTrack across the router in the firewall. However, we still need to accept that very same traffic too. It would not work without these rules, and also would not reap any performance benefits.
Users who are not aware of the Mikrotik Firewall rules and chain basics should read this article. FastTrack is known to decrease CPU utilization a little bit. In several cases, it falls down to more than 10% when the traffic volume remains high. It functions on the principle that if users have already examined one packet in the stream against the firewall and also, allowed it, then why there’s a need to examine all the other packs in the rest of that stream.
When it comes to overall efficiency, it is something quite big, especially when if users have more than just some firewalls for evaluating traffic against. So, let’s begin with Mikrotik Firewall rules.
Within the menu ‘IP settings‘ in Winbox, users can see a set of the whole packets, which have been marked for FastTrack.
Here are some firewall rules that are presently in use on SOHO devices, which take benefits of FastTrack. The following steps will help you in protecting your router. We suggest you keep the default firewall, which can be patched with other rules for fulfilling the setup requirements.
Also, if you don’t know how to turn off Firewall, here you are, and also the stateful vs. stateless firewall full comparison.
Mikrotik Firewall Rules
We recommend you keep on the default firewall. Here are some adjustments for making it more secure. Before you apply these rules, you must understand what they do.
By the way, here you will find out how to fix Your DNS Server Might Be Unavailable easily and know more about packet filtering firewall.
Mikrotik Firewall Rules: Accessing a Router
Accessing Username
Modify default username admin to a custom or different name that helps in protecting the access to the router, if anybody accesses the router directly.
/user add name=myname password=mypassword group=full
/user remove admin
Accessing Password
Accessing password is one of the significant Mikrotik Firewall rules. These routers need password configuration. Here, we suggest you using pwgen or other passcode generator tool for creating non-repeating and secure passwords.
The other option for setting a password is:
/password
It is best to employ the second method for applying a new password for the router in order to keep it secure from unauthorized access.
PS: to read more about the SMB Ports Firewall, and the Raspberry Pi Firewall, as well as all Types of Firewall, just click them.
Accessing through IP addresses
The default Mikrotik firewall rules protect the router from unauthorized access from another network. Along with that, it restricts username access for particular IP addresses.
/user set 0 allowed-address=x.x.x.x./yy
(x.x.x.x/yy is the network subnet or IP enabled for accessing the router)
Mikrotik Firewall rules: IPv4 firewall to a router
- Works with original connections for decreasing load on the router
- Creates an address-list for IP addresses, which are enabled for accessing the router
- Enables ICMP addresses
- Drops everything else, where log=yes hits particular rules by adding to record packets
/ip firewall filter
add action=accept chain=input comment=”default configuration’
connection-state=established, related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
Add address=192.168.88.2-192.168.88.254 list=allowed_to_router
Mikrotik Firewall rules: IPv4 firewall for clients
- For quicker data, related/established packets are being stacked to FastTrack, where firewall works with just new connections
- Drops invalid connection and logs them with invalid prefix
- Drops incoming packets from internet
- Drops incoming packets that are not NATed, log attempts having !NAT prefix
- Drops packets from LAN, which doesn’t have LAN IP
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established, related
add action=accept chain=forward comment=”Established, Related” connection-state=established, related
add action=drop chain=forward comment=”Drop invalid” connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment=”Drop tries to reach not public addresses from LAN” dst-address-list =not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment=”Drop incoming packets that are not NATted” connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=”Drop incoming from internet which is not public IP” in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=”Drop packets from LAN that do not have LAN IP” in-internet=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0.8/ comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address 240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment=”6to4 relay Anycast [RFC 3068]” list=not_in_internet
Mikrotik Firewall rules: IPv6 firewall to a router
Presently, IPv6 package is restricted by default. RouterOS would not produce any default Mikrotik firewall rules for IPv6 as of now.
- Works with fresh packets, accepts established/related packets
- Drops link-local addresses from the internet interface
- Accepts access to routers from link-local addresses, accepts multicast addresses, and accepts the address for the router access
- Drops anything else
/ipv6 firewall filter
add action=accept chain=input comment=”allow established and related”
connection-state=established, related
add chain=input action=accept protocol=icmpv6 comment=”accept ICMPv6″
add chain=input action=accept protocol=udp port=33434-33534
comment=”defconf: accept UDP traceroute”
add chain=input action=accept protocol=udp dst-port=546 src-
address=fe80::/16 comment=”accept DHCPv6-Client prefix delegation.”
add action=drop chain=input in-interface=sit1 log=yes log-
prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment=”allow allowed addresses” src-
address-list=allowed
add action=drop chain=input
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=xxxx::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
Mikrotik Firewall rules: IPv6 firewall for clients
Aided IPv6 puts the clients present to public networks and set complete firewall for protecting the customers.
- Accepts related/established and works with new packets
- Drops invalid packets and puts prefix for rules
- Accepts new connection from the clients to the internet
- Accepts ICMP packets
- Drops everything else
/ipv6 firewall filter
add action=accept chain=forward comment=established, related
connection-state=established, related
add action=drop chain=forward comment=invalid connection-state=invalid
log=yes log-prefix=ipv6, invalid
add action=accept chain=forward comment=icmpv6 in-interface=!sit1
protocol=icmpv6
add action=accept chain=forward comment=”local network” in-
interface=!sit1 src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6
Significant Mikrotik Firewall Rules
/ip firewall address-list
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
/ip firewall filter
add chain=input comment=”Accept Established/Related Input” connection-state=established, related
add chain=input comment=”Allow Management Input – 192.168.88.0/24″
src-address=192.168.88.0/24
add action=drop chain=input comment=”Drop Input” log prefix=”Input Drop”
add action=fasttrack-connection chain=forward comment=\
“FastTrack Established / Related Forward” connection-state=\
established, related
add chain=forward comment=”Accept Established / Related Forward” \
connection-state=established, related
add chain=forward comment=”Allow forward traffic LANWAN” out-
interface=ether1=gateway src-address=192.168.88.0/24
add action=drop chain=forward comment=”Drop Bogon Forward Ether1″
in-interface=ether1-gateway log=yes log-prefix=”Bogon Forward Drop” src-
address-list=Bogon
add action=drop chain=forward comment=”Drop Forward”
The above two rules in bold are where the gum meets the road. These rules are both required for making it work. The same rules could be applied in enterprise network environments and jerked accordingly. So, enjoy the performance boost now! Now, you know some of the useful Mikrotik firewall rules that you should employ. These rules will make the network experience more fun for you!
Parental Control, Tracking, and Remote Surveillance
Track locations, messages, calls, and apps. Do it remotely and 100% discreetly.
Источник: