Configuring MikroTik Router Firewall: From Beginner to Advanced

MikroTik routers are widely used due to their affordability, flexibility, and powerful RouterOS software. One of the most important tasks when setting up a MikroTik router is configuring its firewall to ensure security and efficient network management. This guide takes you from the basics of configuring a firewall to advanced techniques.

1. Understanding MikroTik Firewall

The MikroTik firewall is built on the Linux iptables/netfilter framework and is organised into chains of rules. Each packet is checked against the rules of a chain from top to bottom, and the first rule with a terminating action (accept, drop, reject) decides its fate, so the order in which rules are added matters. The three built-in chains are:

  • Input Chain: Manages packets destined for the router itself.
  • Forward Chain: Handles traffic passing through the router.
  • Output Chain: Manages traffic generated by the router.

2. Getting Started: Accessing the Router

To configure the firewall, you need to access the router:

  1. Connect to the router via Ethernet.
  2. Open WinBox or use SSH to access the router.
  3. Navigate to IP > Firewall in WinBox.

3. Configuring Internet Access from ISP to Clients

a. Setting Up WAN (Internet) Connection

  1. Identify which port is connected to your ISP (e.g., ether1).
  2. Assign an IP address to the WAN interface:
     /ip address add address=192.168.1.2/24 interface=ether1
  3. Set the default gateway (the ISP’s gateway IP):
     /ip route add gateway=192.168.1.1
  4. Configure DNS so that clients can resolve domain names:
     /ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

Note that allow-remote-requests=yes turns the router into a DNS resolver for anyone who can reach it; the input-chain rules in section 4 are what stop it answering DNS queries from the WAN side.

b. Setting Up LAN (Local Network for Clients)

  1. Assign an IP address to the LAN interface (e.g., ether2):
     /ip address add address=192.168.100.1/24 interface=ether2
  2. Enable the DHCP server for LAN clients:
     /ip dhcp-server add interface=ether2 address-pool=dhcp_pool disabled=no
  3. Define the DHCP address pool:
     /ip pool add name=dhcp_pool ranges=192.168.100.10-192.168.100.100
  4. Set up the DHCP network settings:
     /ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=8.8.8.8,8.8.4.4

c. Enabling NAT for Internet Sharing

To allow LAN clients to access the internet:

/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

This ensures that private IPs from the LAN can communicate with the internet.

4. Basic Firewall Configuration

a. Blocking Unwanted Traffic

To block all new incoming connections to the router itself except the allowed services:

/ip firewall filter add chain=input action=drop connection-state=new in-interface=ether1

This rule drops every new connection that arrives on the WAN interface (ether1) and is addressed to the router, unless an earlier rule has already accepted it. Because rules are evaluated in order, the accept rules in the following subsections must be placed above this drop rule.

b. Allowing Specific Services (e.g., SSH, WinBox)

/ip firewall filter add chain=input protocol=tcp dst-port=22,8291 action=accept

This rule allows SSH (22) and WinBox (8291) connections. As written it matches on every interface, including the WAN; adding in-interface=ether2 (or a src-address of the management network) limits router administration to the LAN.

c. Protecting Against Ping Flood (ICMP Limit)

/ip firewall filter add chain=input protocol=icmp action=accept limit=1,5:packet

This rule accepts ICMP only up to the configured rate (1 packet per second with a burst of 5); pings above that rate are not matched and fall through to the later drop rule, so legitimate pings still work while a ping flood is discarded.

5. Intermediate Firewall Rules

a. Port Forwarding (NAT Rules for Services)

To allow external access to an internal web server (192.168.1.100):

/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.100 to-ports=80

This rule translates HTTP requests arriving at the router into connections to the internal web server. Without an in-interface=ether1 match it also rewrites port 80 traffic that reaches the router from the LAN, and the forward chain must still permit the translated connection.

b. Blocking Access to Malicious Websites

/ip firewall filter add chain=forward content=malicious-site.com action=drop

This rule blocks access to a known malicious site by matching the string in the packet payload. It therefore only works for unencrypted (plain HTTP) traffic; HTTPS payloads are encrypted and never match, and a string match can also hit unrelated pages that merely mention the name.
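The port-forwarding rule from 5a, completed with an in-interface match and the forward-chain rules it relies on. This is an added example, not part of the original article; it assumes ether1 is the WAN and ether2 the LAN as in section 3, and a web server at 192.168.100.50 (an assumed address on the LAN subnet of section 3b).

```routeros
# Added example, not from the article: port forwarding (section 5a) together
# with the forward-chain rules that let the translated connection through.
# Assumes ether1 = WAN, ether2 = LAN and a web server at 192.168.100.50
# (assumed address).
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.100.50 to-ports=80 \
    comment="translate only HTTP that arrives on the WAN port"

# dst-nat runs before the forward chain sees the packet, so the forward
# rules already see the server's address as the destination.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies and follow-up packets of known connections"
add chain=forward connection-state=invalid action=drop \
    comment="packets that fit no tracked connection"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    connection-state=new protocol=tcp dst-port=80 action=accept \
    comment="only the forwarded HTTP connection may enter the LAN"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="no other new connections from the WAN into the LAN"
```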

6. Advanced Firewall Techniques

a. Address List for Blocking Attackers

To block repeated failed SSH login attempts:

/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=blocked-ssh action=drop
/ip firewall address-list add list=blocked-ssh address=192.168.1.200 timeout=1d

The first rule drops SSH traffic from any address on the blocked-ssh list; the second adds an address to that list by hand, with the entry expiring after one day. Entries can also be added automatically by a filter rule with action=add-src-to-address-list, which is how repeated attempts are detected without manual intervention.

b. Connection Tracking & Stateful Firewall

To ensure only established connections are allowed:

/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop

The first rule accepts packets that belong to a connection already in the connection-tracking table (or are related to one, such as ICMP errors); the second drops packets that fit no known connection. Together they let the remaining rules concentrate on new connections only.
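The following ordered input chain brings together the stateful rules of 6b, the WAN drop and service rules of section 4, and a dynamic version of the address list from 6a. It is an added example and not part of the original article; the interface roles (ether1 WAN, ether2 LAN) follow section 3, and the ssh-stage1/2/3 list names are assumptions.

```routeros
# Added example, not from the article: an ordered input chain that combines
# sections 4, 6a and 6b. Assumes ether1 = WAN and ether2 = LAN (section 3).
# Rules are evaluated top to bottom; the first terminating match decides.
/ip firewall filter

# 1. Stateful basics: keep known connections, discard packets that fit none.
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router already tracks"
add chain=input connection-state=invalid action=drop \
    comment="packets that belong to no tracked connection"

# 2. Anything from a source already on the blocked-ssh list is dropped.
add chain=input in-interface=ether1 src-address-list=blocked-ssh action=drop \
    comment="known SSH offenders, all protocols"

# 3. Staged detection of repeated SSH attempts from the WAN. The firewall
#    cannot see login failures, so it counts new TCP connections to port 22:
#    a 4th attempt within the stage timeouts lands the source on blocked-ssh.
#    add-src-to-address-list does not end rule processing, so the order
#    (stage3 before stage2 before stage1) matters.
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage3 action=add-src-to-address-list \
    address-list=blocked-ssh address-list-timeout=1d comment="4th attempt"
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage2 action=add-src-to-address-list \
    address-list=ssh-stage3 address-list-timeout=1m comment="3rd attempt"
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage1 action=add-src-to-address-list \
    address-list=ssh-stage2 address-list-timeout=1m comment="2nd attempt"
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh-stage1 \
    address-list-timeout=1m comment="1st attempt"

# 4. Management (SSH 22, WinBox 8291) only from the LAN side.
add chain=input in-interface=ether2 protocol=tcp dst-port=22,8291 action=accept \
    comment="admin access from LAN only"

# 5. Rate-limited ping, then log and drop every other new connection from WAN.
add chain=input in-interface=ether1 protocol=icmp limit=1,5:packet action=accept
add chain=input in-interface=ether1 connection-state=new action=log \
    log-prefix="Firewall-Blocked" comment="log is non-terminating; drop follows"
add chain=input in-interface=ether1 connection-state=new action=drop \
    comment="everything else new from the WAN"
```

With this order, SSH probes from the WAN are logged and dropped by the last two rules even before the list fills, and a source that keeps probing loses all access to the router for a day.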

c. Enabling DDoS Protection

To limit excessive new connections:

/ip firewall filter add chain=input connection-limit=100,32 action=drop

connection-limit=100,32 matches once a single source address (netmask /32) holds more than 100 concurrent connections to the router, and the rule drops the excess. This blunts connection floods from one source; it does not help against distributed floods that stay below the per-address limit.

7. Logging and Monitoring the Firewall

a. Enabling Logging

/ip firewall filter add chain=input action=log log-prefix="Firewall-Blocked"

This logs packets for analysis. action=log is non-terminating: the packet is written to the log and then continues to the next rule. To log only what is dropped, give the log rule the same matchers as the drop rule (for example connection-state=new in-interface=ether1) and place it directly above that drop rule; as written, it logs every packet that reaches the input chain.

b. Viewing Firewall Logs

Go to Log in WinBox or use:

/log print where message~"Firewall-Blocked"

c. Regular Firewall Rule Updates

It is essential to review and update firewall rules periodically to maintain security. Outdated rules may create vulnerabilities, so it is recommended to check logs, monitor network activity, and adjust firewall settings accordingly.

A properly configured MikroTik firewall is crucial for network security and performance. Start with basic rules, implement NAT, and move towards advanced security techniques to protect your network effectively. Regularly monitor logs and update firewall rules to stay ahead of potential threats. Understanding how the firewall interacts with both inbound and outbound traffic will ensure that your network remains secure from unauthorized access while maintaining high performance for connected devices.
