Lumpy
just joined
Topic Author
Posts: 7
Joined: Wed Mar 15, 2023 1:35 pm

What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 9:49 am

Can anyone tell me, what has happened to @anav and "The DEFACTO DEFAULT FIREWALL Setup"?
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 10:00 am

He decided to delete all of his posts.
Check the section here and the next sections of the manual about building a firewall https://help.mikrotik.com/docs/display/ ... our+router
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 10:06 am

It's so thoroughly done. In my user settings I didn't see an option to do this. Maybe I overlooked it, but I think you need the help of an admin. Let me know if I'm wrong.
 
johnson73
Member Candidate
Posts: 186
Joined: Wed Feb 05, 2020 10:07 am

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 10:09 am

Lumpy: What exactly are you interested in? Maybe we can help?
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 10:19 am

 
Lumpy
just joined
Topic Author
Posts: 7
Joined: Wed Mar 15, 2023 1:35 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 10:38 am

@normis
Thank you for the clarification.

@johnson73
Nothing in particular. The thread itself was like a "bible (insert different religious belief here)" and very useful. I can take a look at web.archive.org, but the information there is outdated. I thought maybe I'm too stupid to find the correct thread, I'm not a big "fan" of phpBB.

@Mikrotik-Staff
I would really appreciate some more basic information in your own documentation regarding a safe and secure soho firewall setup. Yes, I know that there are trainings and courses and stuff, but sometimes this isn't feasible for a home user. I don't want to cut short the importance of understanding what you are doing etc., don't get me wrong on that. But let's take a look at

https://help.mikrotik.com/docs/display/ ... t+Firewall

The information itself is valuable and valid to some extent, but why is there a different syntax between IPv4 firewall and IPv6 firewall setup (e.g. interface names)? I can certainly make the mental transfer, but that's something that bothers me and makes it hard(er) for a novice user to get this right the first time... In my opinion sane and secure defaults should be priority #1. And firewall is a part, where this dogma stands above all.

I don't want to diminish the effort you invest in the documentation, it covers almost everything, but firewall setup is something you could improve, imho.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 10:41 am

Sorry I don't understand your point. The manual is there, also read the other sections, that go in deeper with more advanced things.

Why is syntax different? This question I don't understand
 
Lumpy
just joined
Topic Author
Posts: 7
Joined: Wed Mar 15, 2023 1:35 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 11:04 am

In the IPv4 firewall setup the public interface is ether1, in the IPv6 firewall setup it is sit1. I understand that there can't be a "one fits all solution", but this can be confusing for a novice user. To make an educated guess, I would say both paragraphs were copied from different devices.

My suggestion to improve would be a short paragraph about interface lists (e.g. LAN & WAN, which are present on some devices) and use these lists instead of the interfaces. But I can also understand why to not make use of the interface lists. But then keep at least the syntax in line, please. :)

Afaik, on Mikrotik x86, there aren't any default rules present to which one could refer.
 
nichky
Forum Guru
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 11:42 am

@normis

What do you mean that he has removed all the posts?
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 12:27 pm

What do you mean by "what do you mean"? Anyone can edit their own posts. You can do it too.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 12:29 pm

In the IPv4 firewall setup the public interface is ether1, in the IPv6 firewall setup it is sit1. I understand that there can't be a "one fits all solution", but this can be confusing for a novice user.
No, that is incorrect. Manual is explaining CONCEPTS. You should never just blindly copy stuff from the manual, if you have not read the surrounding text and understood which rules do what. It is not important what interface name is used in the example, because you will be adapting the rules to your device, not just copying them.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 12:59 pm

The docs are improving, being kept more up to date, and with more detail but they are not a specific 'your' scenario solutions based.
There are many excellent videos out there (Network Berg, Network Trip, etc.), including MT videos, to help with more detail on some scenarios.
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 1:15 pm

Can anyone tell me, what has happened to @anav and "The DEFACTO DEFAULT FIREWALL Setup"?
A couple of new posters didn't like tough love. :-)
In any case they were not that wrong, as my tone at times was not exemplary. However, any exasperation was due to the continual day in day out, month in month out, year in year out, barrage of first posts by new posters that had no structure, no discipline and no effort.
I proposed a first post process that would eliminate much of the noise first posts create and overall make the experience for a new poster much better, and provide those assisting quality first posts with which to work. However, MT in their vacuum of wisdom decided that the status quo was fine and thus we keep repeating history with crappy first posts and wasted time of those assisting. It is amazing to me that a company that requires good engineering fails miserably when it comes to forum processes.
In any case, seeing as my work was not appreciated, and especially efforts to improve the forum, there was no point to have threads not being looked after... Firmware moves on and rules change etc...
 
Lumpy
just joined
Topic Author
Posts: 7
Joined: Wed Mar 15, 2023 1:35 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 1:42 pm

I know that this is the mikrotik philosophy, and I'm absolutely ok with that, just to be clear. BUT: if the examples in the documentation would work out of the box, there would be no need for such discussions in the first place. The idea of concepts is certainly the right approach in theory, but the reality, as I understand it, is different. In the end, the question remains as to what is more important to me: a secure device that can navigate the Internet reasonably safely, with a user who may not have fully understood the firewall rules, or a user who, despite all the warnings, simply copy/pastes the rules and thinks he/she is safe.

Seeing that anav also chimed in on the discussion (thanks a lot for your effort!) I will leave it at rest. All questions answered and I don't want to start or restart a discussion that already took place in the past. I can understand and accept, that the mikrotik approach is different to my own. :)

Thanks again to everyone here trying to get stuff done and helping, even with supposedly stupid questions. ;-)
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 3:56 pm

....In the end, the question remains as to what is more important to me: a secure device that can navigate the Internet reasonably safely..............
Hi,

Not to belittle Anav's merits but the main word in the quote is reasonably ... default rules are reasonable enough.
 
jaclaz
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 5:58 pm

No, that is incorrect. Manual is explaining CONCEPTS. You should never just blindly copy stuff from the manual, if you have not read the surrounding text and understood which rules do what. It is not important what interface name is used in the example, because you will be adapting the rules to your device, not just copying them.
Normis, with all due respect, the manual (the Capital letter you used must mean something) is (IMHO) attempting to explain concepts, BUT in many if not most cases it largely fails at it.

Of course we can pretend that by reading the manual, and re-reading, and re-reading it the concepts will become clear and everyone will be able to translate them to the practical problem/issue they have at hand, but the reality is that there are objectively way too many threads on this forum revolving around some of these concepts and the inability of the posters to implement them.

The reason could be (as someone believes or likes to assume) that new members of the forum are dumb, or lazy or both, and this is possibly true for some of them, but not for all of them.

A possible explanation for the number of people (few or many as they may be) that actually want to learn and diligently read the available official documentation is that this documentation is unclear, or misses explanations, or misses examples, etc..

Much better than nothing, of course, still susceptible of being bettered/expanded.

Of course this can be done only if besides Mikrotik having the resources to revise it, they (you) will start considering the possibility that it is often incomplete, vague or contradicting, at least in the eyes of the non-expert reader.

Specifically to the narrow (when compared to the amount of settings or not settings that can be done in RouterOS) sub-topic of "firewall" or even just of "firewall filter", in which BTW Anav's contributions stand out for both quantity and quality, it seems clear to me that the amount of small and big issues that are posted on the forum show that this part (objectively particularly complex) is evidently commonly misunderstood and/or poorly implemented.

So, maybe, the manual is not perfect.
 
Lumpy
just joined
Topic Author
Posts: 7
Joined: Wed Mar 15, 2023 1:35 pm

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 6:42 pm

+1

This is exactly what I meant, thank you.
 
Amm0
Forum Guru
Posts: 3509
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 7:48 pm

Mikrotik drops the ball on the docs. It's not a new problem. But how to change the default firewall for a particular use case is totally missing. e.g. default firewall uses the interface-list concept, but "Your First Firewall" docs all describe using address-list. While @pcunite + @anav scheme explains well using "interface list" to control the firewall – which IMO is the right approach – the docs hide this knowledge in the /interface/list docs. And the firewall config need may be as simple as a new interface to LAN interface list.

And, I'm ignoring the very good recommendation to updating your router/firewall/modem/etc and doing a /system/reset-configuration BEFORE even starting...which is also not advised in the Quick Start/etc guides. Finding old V7 bugs & not being familiar with RouterOS to know it's a bug, not config, is potential double-whammy. And @anav etc request for configs helps since the version is at top of them, which helps to know to suggest an upgrade.

But @anav had all the details if someone buys a home router & wants to have some isolated VLANs/tagged ports... My guess is using help.mikrotik.com alone would be dozens of long pages of reading — to only have a broad understanding, not steps. e.g. even after much reading, still not find the perhaps 5-10+ lines of config to adapt the default firewall for SOHO things like hairpin NATs or blocking inter-VLAN routing. And that's if you figured out VLAN bridging first.

A SOHO user may lack networking knowledge, but may be good at following directions. But there are FAQ or step-by-step guides in formal docs. While RouterOS generally works great for my use cases... I'm still amazed at how many home users run this gauntlet. Now if someone has a desire to learn networking... no better way than a Mikrotik since it forces understanding networking principles first (even for basic things like VLAN and ports).
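The interface-list approach discussed in the posts above (Lumpy's LAN/WAN suggestion and Amm0's point about the default firewall), shown as an added example that is not part of any post, not MikroTik's documentation and not anav's deleted guide. It assumes `ether1` is the IPv4 uplink, `sit1` is the IPv6 tunnel and `bridge` is the local network; those names are placeholders to adapt.

```routeros
# Added illustration; interface names below are assumptions, not from the thread's configs.
# Step 1: name the roles once. Only this section changes between devices.
/interface list
add name=WAN comment="untrusted uplinks"
add name=LAN comment="trusted local networks"
/interface list member
add list=WAN interface=ether1
add list=WAN interface=sit1
add list=LAN interface=bridge

# Step 2: IPv4 filter rules refer to the lists, never to a port name.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop WAN traffic that is not port-forwarded"

# Step 3: IPv6 filter rules use the same lists, so both tables read alike.
# ICMPv6 must stay allowed: neighbour discovery and path MTU discovery depend on it.
/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmpv6
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=icmpv6
add chain=forward action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
```

Adding a new trusted port or VLAN then means one more `/interface list member` entry for `LAN`, with no firewall rule touched. Enter it under Safe Mode, since the `!LAN` input drop cuts off a management session arriving on an interface that is not in the list.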
 
johnson73
Member Candidate
Posts: 186
Joined: Wed Feb 05, 2020 10:07 am

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Mon Feb 26, 2024 8:15 pm

Speaking of the Mikrotik manual... Yes, it is good that there is a lot of information available, examples are available, etc., but that is not enough. The very basis for creating only the firewall section, for example, is described on the link help.mikrotik.com.. but this description is also not enough. For quality operation, safety, etc. the configuration is completely different. What? Always described by @Anav as a very good example. Everything is really understandable, the main things are written perfectly. Even for a user who doesn't understand anything about mikrotik but has bought it and wants to prepare it for work, after reading this @Anav description, 90% of the questions are clear.
Reading "help.mikrotik", a new user of mikrotik will have a lot of questions, because from what is described there, it is not completely clear what the firewall section should look like, for example.

I know many cases when a user buys a mikrotik router, but he has no knowledge about it. Okay, he tries to configure everything using "help.mikrotik", also for example "wiki.mikrotik", and the result is very sad. In the final, the router is thrown into the trash and replaced by Tp-link or Asus. It sounds crazy, I didn't think it up myself, it happened in reality.

I myself really like mikrotik, I've been using mikrotik routers for quite some time and it would be very nice to see, for example, a more understandable description of configuring mikrotik in the same help.mikrotik, so that even SOHO users can understand what is written there and how they should act. Let's hope for the best
