Buying - RB1100AHx4 Dude Edition - Questions about Firewall

So I will be buying the RB1100AHx4 Dude Edition https://mikrotik.com/product/RB1100Dx4 .
It is probably a bit overkill for my SOHO, but better safe than sorry and make sure it will last a few years ahead.

The thing I have been pondering the most is the ability to control the firewall, and I have read some of the relevant articles for this: https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall but I am also curious as to whether any of the community members have exported firewalls with pre-defined rules one might look into? Perhaps saving some work by using a tried and tested configuration?

Best thing is to accept the default firewalls as they work out of the box quite safely.
Then work to understand all the default rules.
Then state your requirements and folks will likely chime in to give some advice.
Do not use quickset.
Do use the safe mode button at all times.
Clear requirements with a network diagram = useful assistance.

The SOHO line of Mikrotik routers comes with a very decent default firewall rule set. RB1100AHx4, however, is not from that line and comes with pretty plain defaults, hence it’s wise to get some decent starting settings elsewhere.

@SecCon: you can either wait for somebody to publish default settings and risk (probably low risk though) that it won’t really be complete or not really MT default. Or you can get yourself cheapest possible MT device (that would likely be hEX lite with suggested price of $40) and use that both as playground and as trustworthy source of default settings.

search tag # rextended default firewall rules

WARNING: default WAN and LAN interface list must be defined

WARNING: if you do not know what you are doing, you probably lose control of your device

The differences between v6.49.18 and 7.18 are in RED

MikroTik RouterOS 6.49.18 default firewall rules
for IPv4 the interface lists must also be created; remember to correctly assign the interfaces inside the lists and the bridge.
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf

/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat connection-state=new comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"
for IPv6 the address-list bad_ipv6 is also created before the firewall rules;
the interface lists must also be created as for IPv4; remember to correctly assign the interfaces inside the lists and the bridge.
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf

/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf

/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1/128 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"

/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"


MikroTik RouterOS 7.18 default firewall rules
for IPv4 the interface lists must also be created; remember to correctly assign the interfaces inside the lists and the bridge.
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf

/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat connection-state=new comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"
for IPv6 the address-list bad_ipv6 is also created before the firewall rules;
the interface lists must also be created as for IPv4; remember to correctly assign the interfaces inside the lists and the bridge.
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf

/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf

/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1/128 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"

/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
**add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack6"**
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
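The two WARNING lines above (the WAN and LAN interface lists must exist, and an incomplete rule set can lock you out) can be checked before importing an export. The following is an added example, not code from this thread or from MikroTik; `parse_export`, `audit` and the `SAMPLE_EXPORT` text are all constructed here, and the parser only handles the single-line `add ...` format shown in the post.

```python
"""Audit a RouterOS export for the defconf firewall preconditions.
Added example, not code from the thread or from MikroTik. It parses the export
format shown above and reports a WAN/LAN interface list that rules reference but
that is undefined or empty, and an input chain that does not end in the "drop all
not coming from LAN" rule. SAMPLE_EXPORT is constructed: LAN has no member."""
import shlex
SAMPLE_EXPORT = """\
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf
/interface list member
add list=WAN interface=ether1 comment=defconf
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat connection-state=new comment="defconf: drop all from WAN not DSTNATed"
"""

def parse_export(text):
    """Map each '/section' header to the key=value dicts of its 'add' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            # shlex keeps a double-quoted comment value together as one token
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections[current].append(dict(pairs))
    return sections

def audit(text):
    """Return the list of findings; an empty list means the export passes both checks."""
    s = parse_export(text)
    defined = {r.get("name") for r in s.get("/interface list", [])}
    populated = {r.get("list") for r in s.get("/interface list member", [])}
    rules, findings = s.get("/ip firewall filter", []), []
    # '!LAN' is a negated match on LAN, so strip the '!' before looking the list up
    referenced = {r[k].lstrip("!") for r in rules for k in ("in-interface-list", "out-interface-list") if k in r}
    for name in sorted(referenced):
        if name not in defined:
            findings.append(f"interface list {name} is referenced but never defined")
        elif name not in populated:
            findings.append(f"interface list {name} has no member interfaces")
    # the defconf input chain must terminate with the catch-all drop for non-LAN traffic
    last = ([r for r in rules if r.get("chain") == "input"] or [{}])[-1]
    if not (last.get("action") == "drop" and last.get("in-interface-list") == "!LAN"):
        findings.append("input chain does not end with drop in-interface-list=!LAN")
    return findings
```

Run `audit()` over your own `/export` output (after fixing any smart quotes that a forum copy-paste introduced); on the constructed sample it reports that LAN has no member interfaces, which is exactly the state in which the `!LAN` input drop would lock you out.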


Nice!

I would accept the default of course, but I guess there is room for improvement if you know your network and what can be blocked/allowed.

What would be the SOHO line of routers in your opinion? Mikrotik sure doesn’t list any…

I have a Xeon server standing by for custom solutions and plenty of server power for virtual solutions that I can connect anyhow I like, but I am going with this for now.

BTW, also got this switch: https://mikrotik.com/product/CRS326-24G-2SplusRM

Weird thing is it appears both as Router and as Switch on many shop sites… very confusing. Fortunately Mikrotik has it listed as “switch”.

Delivery May 20.

The RB4011 would be the router of choice if looking at current or future 1gig ISP connections.
But I am not familiar with the 1100, which may be a step down in terms of number of ports and throughput.

The CRS switches can run both SwOS and ROS. When running ROS they may be used as routers and/or switches: they will route packets, and have all the possibilities of a Mikrotik router.

BUT

They have a VERY weak CPU. So, they would route - but quite slowly. This CRS326, as an example, can pass L2 traffic at wirespeed, in all ports at the same time. As a router it would barely get as high as 750Mbps.

The RB1100AHx4 is just the 4011 with 3 switches, 13 gigabit ports and no SFP+. Same RAM, and I think one has 128MB of flash and the other 512MB. The 1100 Dude edition has two SATA ports.

All devices apart from: CHR, CRS line, CCR line, RB1100 line and possibly RB3011 (not sure about this one).

I’m not talking about SwOS devices here.

@mkx can you send me an email please.

I would certainly wish for that being clearly stated when looking at product purchase. Then again, we look mostly at port speed, CPU power and RAM when choosing, I guess.

In any case, the more you can clearly define your current and likely future requirements the better advice can be provided.

where to? :wink:

The email address when you click on my icon…
Just below where it says I am a Mikrotik slow learner! :wink:

No kidding, one can actually click on the icon? Whoever came up with that great idea must be a genius :wink:

and a genius!!
Normis je genije.

You meant to write “Normis ir ģēnijs”?