Ready to start my custom firewall rules journey

I have a hex RB750Gr3 with version 6.49.18 OS. Currently running the default firewall rules.
I used to have, and was familiar with, a Zyxel USG40 router that had my own custom rules (that Anav helped me write a long long time ago in place far far away). So I know a bit about basic firewall rules and how they work, although since they were pretty good and my needs are minimal I had no need to edit them for a long time, so I probably have forgotten a bit.
So I’ll start with a few questions to make sure I understand how the mikrotik does firewall rules.

Question 1. input rules.
As I understand it these rules/chain is for traffic that originates on the WAN (outside) and is directed to the WAN facing side of the router itself. An example might be if I wanted to make a rule that allowed me to admin the router from the internet, like my office or something.

Forward chain/rules are for traffic on my LAN (intranet traffic) and/or for traffic coming from the WAN to and devices on my LAN.

Do I have that right so far before I even start asking real questions?

Input - Traffic to the router itself - can be from the LAN or WAN or any interface on the router.
Forward - Traffic passing through the router from one network to another. Can be LAN to WAN, VLAN to VLAN etc.

You should consider that everything IN from WAN should be dropped. That is to say traffic to the router itself. Unless you expressly want to open a port.

If you want to admin your router from external you should use a VPN or if you upgrade your router to the latest v7 release you could use Mikrotik’s BTH feature or roll your own wireguard connection.

Thank you. That’s what I thought. I don’t want to admin my router from outside, I was just using that as an example of something that would use that kind of rule.

Question 2.
So traffic coming in goes though the rules as they are laid out in order on my screen right? Regardless of “chain”? In other words since my input rules are listed first then traffic would go through input rules first and then to the forward chain rules next right? And so on until it reaches the end of all rules, and if no rule applies to it then it would be accepted, correct?

So lets say I have the input rule I was using as an example, which would allow traffic from say my office IP address to the device itself. So traffic coming in that is from that src address would pertain to that rule so it wold then forward that traffic to the device (accept) and that would be the end of processing because the traffic was accepted. Traffic that does not pertain to that rule, I assume, would then go to the next rule in order, regardless of chain, until it goes through all rules. That traffic, reaching the end, if no rule applied to it, would then be accepted, correct?

No traffic doesnt go from input to forward,
Traffic to the router ( using router services) only goes thru input and is either matched or not matched
Traffic through the router ( LAN to LAN, LAN to WAN, WAN to LAN) never sees the input chain.

Get familiar with:
https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS

This is a nice starting jpeg, to print and look at while looking at the specific diagrams and discussion on the link.
http://forum.mikrotik.com/t/only-allowed-one-nat/183855/10

Very little customization is needed from default…
Basically the change most make is change from drop some accept everything else TO: identify known traffic needs drop everything else.

Not exactly, from what I understand traffic is categorized, then it goes only through the appropriate chain rules.

Traffic belongs EITHER to chain=input OR to something else.
Traffic belongs EITHER to chain=forward OR to something else.
Traffic belongs EITHER to chain=x OR to something else …

There is not a predetermined order among different chains, but the order of rules is strictly respected within a SAME chain.

It is good practice to group (for readability) all rules belonging to a same chain together (and traditionally the input chain is the first one), but a packet that needs to go through the device (forward) will never hit any input rule and viceversa traffic targeted to the device (input) will never hit a forward rule.

Ah, OK got it. So traffic comes in and the router sends the traffic to the appropriate chain. That traffic then gets processed in that chain and is either accepted or dropped by that chains rules and that’s the end of it for that particular traffic. So traffic coming that is designated for a device on the LAN like a PC goes to the forward chain and is processed and never goes through the input chain.

Yes Anav. Since you were my mentor all those years ago my default is to allow what I want and drop everything else. It appears that this is not set that way by default, but I’m looking at the topic you posted where you’re default rules are and I think I’ll get there. But first a few more things so I get a more complete grasp…

Question 3.
What is untracked?
I know what established and related are but I don’t know what untracked traffic is.

I will leave that to experts, but dont be concerned having that in the rules.

Only as a side note the (nicely looking and colourful) flowchart posted by chechito and linked to by anav is seemingly wrong/incomplete.

The rhombus/diamond shape (purple in the mentioned diagram) is a “decision” so it MUST have two exits.

In the diagram the top left “Routing decision” (with input coming from pre-routing) is correct (choice between input and forward) but the other two have only one exit:

The one with input coming from Local Process leads to EITHER Output connection tracking OR to a suffusion of yellow.

As well the “Routing adjustment” one leads to EITHER Mangle postrouting OR to a (same or different) suffusion of yellow.

Packets that are not tracked by connection tracking machinery. ROS supports tracking IPv4 and IPv6, in theory there could be other protocols routed … but not in practice as ROS doesn’t support any other L3 protocols for routing either.
So these days it’s more probable that certain traffic is explicitly excluded from connection tracking by setting appropriate rule in /ip/firewall/raw section. There’s at least one, slightly rarely happening, scenario where “untracking” certain traffic makes sense because one traffic direction bypasses firewall and for TCP traffic this upsets firewall to the point it considers such traffic invalid.

The “WHY” is important… For example, maybe using the “interface-list” (which is what default one does) is too limiting… but perhaps modifying defaults to use “address-list” might be all that’s needed. Another example be that @anav/others often suggest allowing what traffic you need, and having a drop all at end (while default use the !LAN to do it one line) – but this really just a few changed lines from default FW.

My recommendation to try to understand EVERYTHING in the default firewall BEFORE trying to create your own. There is a LOT of subtle things going on there…

And, if you want to “play” around with default first… you can use log=yes on some of the default rules as this shows WHAT “matched” what rules. This might give you a better sense of how it works since logs would show the IPs involved and what happened.

Most of your questions on input can be answered by MikroTik excellent “Packet Flow” diagrams: https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS
But… some tacit understanding of those packet flows should be a prerequisite to “custom” rules — since it VERY easy to leave the routing unprotected as many rules depend on other rules.

And it is also Rule #8 of the Mikrotik Club:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1

Thank you mkx. I don’t understand but it would seem that what we’re saying here is that there is certain traffic that is not tracked by connection tracking (which is what I assume we’re talking about here) and that that traffic is generally not a threat. I will defer to the engineers here and say good enough for me. So untracked traffic is not specifically something to worry about. I hate not knowing things but to stay on topic I’ll leave that question for another day since it doesn’t seem important to the topic of my general firewall rules.
That said onto the next question…

Question 4
I think default rule #4 for CAPsMAN is not needed for me since I don’t use that?
And, for that matter, rules # 6 & 7 for ipsec policy since I don’t believe I use them either?

Correct if just starting out IPSEC is advanced and capsman only if using MT wifi, which is a recipe for hair graying or hair loss and wasted time.

Amm0,
yes, when I say that I want to make “my rules” I don’t mean trash everything and create my own rules. I would like to stay as close to default as possible and adjust to what I need. But as I said before I’m not completely new to firewall rules, just how mikrotik implements them. I just want to make sure that I am as secure as possible with the configuration that I have created. Default rules seem almost there but I do think I would like a few changes. For example getting rid of the ipsec and CAPsMAN. Not important probably but would make things easier to see and keep track of. And , after all, trying to understand before I screw things up is exactly what I’m doing now by asking all these questions. So far I have not changed anything, but I think I’m starting to get close.
So …
Question 5
There is an input rule that allows traffic that is established/related. I assume this means that by default it allows traffic that originated from the router/device and goes out to either the WAN or LAN. I assume that this is necessary for LAN so that it can do it’s job as a server. I also assume that this is needed on the WAN side for the same thing but as a client to my ISP?

established related and fastrack are ways the router handles following packets after dealing with the original packets, for efficiency purposes.
Again details best left to experts.

Fair enough. The reason for the question was that, at first thought, I was thinking why would the device itself have to initiate any communication? But after thinking about it I thought that it is probably what I said above; in order to it’s routing job and on the WAN side to do its client job.
Last question before I start propose a few rules.

Question 6
There is a rule on the input chain that drops everything NOT coming from the LAN. So I assume that this would block any traffic (not already dealt with by a previous rule) that comes from the WAN then? So it would block anyone trying to access the device itself from the internet?
And, as I think about it, it should also allow any traffic from the LAN to the router itself, right?

Dear OP.

you’ve been given sound advice by the Esteemed Forumers. This is just my take on answering your questions; it might be easier to follow, or not

When you want to do firewalling, there are certain things you have to be aware of. In no particular order.

In the networking stack, the packets follow a path described by the packet flow diagram. There are many versions of it, my favorite is this one
https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/
The only difficulty you may have with this, is that it’s labeled based on iptables (so general linux) terminology, but it’s actually accurate and useful. Mikrotik exposes this system through it’s configuration almost exactly, so it’s only a matter of translating some names. (You should just disregard the boxes labeled “security” - these are not available and were thought up for a quite specific purpose. These not existing doesn’t in any way imply any security risk.)

The firewall is consulted at many different points during a packet’s journey. These involve the execution o a specific chain. So to answer one part of your series of questions: the order in which the rules from different chains are placed or interspersed have no bearing on their execution. It is customary to keep the rules for a given chain together, but that’s just for us humans.

In a given chain, the rules are evaluated in strict order. This means that within a given chain, the order of the rules matters, and is actually very important. The rules always have a “match” part, that is: for what packets should this rule be triggered. And the rules have an “action” part, that is, when a match occurs, what should be done. The fate of the packet is decided by the first rule that contains a “final” action; that action is then taken and no further rules (in that chain) are executed, nor even consulted. What exact actions are “final” is documented in the Mikrotik help pages, but it’s kind of obvious based on what they do: “accept”, “deny” - the ones most routinely used in filter rules are final. Some actions (such as “add source address to address list”, do what they say, but basically only as a side effect - the packet’s fate yet undecided, processing continues.

One of the major features of the firewall is connection tracking. IP is - by its design - a connectionless protocol. However we find it extremely useful to associate packets with a connection they “seem” to be part of. “Seem” if written, because this connection and its state only exist in the “mind” of the router, and are based on observation of the headers of packets passing through it, and therefore might not match what the actual endpoints of the connection think of the connection.

Connection tracking (very roughly) enabled two major things, which we like very much:

• Allowing connections based on where (on which side, network, etc.) they were initiated from. A typical example is that we want to allow internal (LAN) devices to be able to initiate connections to the outside world (WAN), however we want to deny initiating connections in the opposite direction. The key word I keep using here is “initiated”, because of course WAN->LAN traffic should be allow if (and only if) it is a response to something initiated from the LAN side - this is where connection tracking comes in: we have to remember that there was an outgoing packet, and be able to associate the reply with that connection.
• Allowing the usual NAT. WAN-side outgoing messages have to have their source address altered to (the usually single) routable IP address provided by the ISP. Response traffic will then be addressed to the external address, and so has to be translated to the address of the device who sent the outgoing packet - thus again we have tot make note of these connections to be able to do this correctly.

Mikrotik allows you to turn of connection tracking altogether. This is done only is special cases. The firewall also allows you to specifically instruct it not to apply connection tracking to certain packets - this is done in the “prerouting” chain, with the not so creatively names “notrack” action. Again, this is special configuration. I am only writing these things down because you ask; I’ve known people who have configured firewalls for decades (and did so in an appropriate and secure way,) who didn’t have to deal with any of this. I suggest that you leave these for later.

A packet that has gone though connection tracking has a “connection state” assigned. It is assigned exactly one of these: new, established, related, untracked. In order:

• new: we tried looking up this packet, but see no connection we can associate it with; if this packet is accepted, a new conntrack entry will be created
• established: we have a conntrack entry for this packet (so basically it isn’t the first packet of the connection)
• related: this is special one; sometimes there are packets that can be associated with a connection, but don’t match the signature; a typical example is that one of the routers forwarding your packet sends an ICMP error or advisory, such as: Destination unreachable, No route to host, Fragmentation required, Lifetime exceeded, etc. Generally these are treated the same as established.
• invalid: we have a conntrack entry, but something is off with the flow of packets (this is the assigned state e.g. when one side has sent a message closing a TCP connection, and there is further sent from either side.) - these packets are usually dropped
• untracked: the firewall was explicitly instructed not to engage the conntrack machinery either for lookup or possibly to introduce a new entry

Regarding Mikrotik’s default firewall ruleset. These are well written and provide the recommended basic level of protection that’s considered adequate. (Most consumer type routers apply a very similar set of rules, just most don’t expose the configuration.)

However, I think that Mikrotik’s rules are written a bit too cleverly. I must state again that the rules are absolutely correct as written, the following is just a bit of philosophical nit-pickink:

• Some of the rules do “too much” in one go. For example the fasttrack rule has an exception for ipsec. This is fine and correct, because you want to exempt ipsec traffic from fasttrack, however this can be more clearly written in two rules. The same goes for others.
• The firewall system allows you to “program it” in many different ways to achieve the exact same behavior. I think that the rules generally reflect the thinking of the one creating them. I generally like organized thought. This is why I usually filter based not on what to block, but describe/list specifically what I want to allow, and drop all else. I think this is the correct way of thinking about things.

As to your last remark, filtering basically involves three chains:

• input - traffic addressing the router itself
• forward - traffic forwarded by the router (generally between two networks)
• output - traffic that is generated by the router itself

So what you are referring to in your last post (if I understand correctly) is traffic initiated by the router itself, let’s say for example a DNS request. The outgoing packet traverses the output chain. (The output chain is usually left empty, and by default it is therefore accepted.) Together with accepting the packet, a conntrack entry is created. The reply packets traverse the input chain and because they have an associated valid onntrack entry, their connection state is established.

Regarding your question 6: You understand correctly, this rules blocks all connection not from the LAN, so it block connection from WAN, etc.

You are also correct that this allows all types of connections from any device in the LAN. Whether this is correct is a matter of perspective: Is this what you want?

I generally like to list any sort of access to the router and specifically allow it, and drop all others. This means that I usually only enable access to the admin interfaces that I actually intend on using. However the “allow everything from inside” is a usual base configuration, and would probably not get you into (much) trouble. Ultimately you decide: having finer grained control is always better, but it also requires that you think about your exact needs and implement the solution.

I think I understand enough now. Below is a pic of the way I set up my rules. Everything seems to be working fine so as long as no one sees anything wrong with it I think I’m good.
Thank you all very much for your help. Very much appreciated. Now on to my less important but more interesting questions

It’s much easier on all of us if you post your configs in text form from
/ip/firewall/filter export

(and there are parameters that are not shown in the GUI by default.)

Please use code tags (the button resembling </>)

Your firewall rules look roughly good. I would really suggest the allow-what-I-want-and-drop-everything-else mindset. It’s much easier to do correctly and later maintain it.