Another thread asking for help with port forwarding (RB750Gr3)

Hi.

I have used MikroTik for a long time, but I always found the most difficult part to configure is the firewall tab. I am a home user with some experience of small home networks, LAN.

I wish there was some basic guide for what a default configuration for the firewall rules should look like for a home network. I noticed that on relatively new products from MikroTik there is the basic configuration script. But why not have an HTTP page dedicated with pictures and information on how a “default” configuration should look, etc.? For me it is hard to understand the different chains and the logic behind how the firewall functions work. I have looked at plenty of videos and read some books on MikroTik, but this has not made things any better for me. And I find that a lot of information is missing in the books or skipped over. Just like most videos out there skip important parts or do not explain the entire process in depth.

I have not had any major issues with WatchGuard, Zyxel and other brands. But the reason I do like MikroTik is the cheap price for the hardware and all the functions, even though I only use it for a basic firewall. If I cannot get my basic configuration sorted or the port forwarding to work, I think I might move away from MikroTik hardware, which is sad because it has great functionality and is rock solid stable. But the configuration nightmare is not fun any more. Anyway, this is why I hope you people who are “experts”, or who do know how to configure the firewall the right way, can help me, compared to the conflicting information out there in the jungle that is the Internet.


Note that I had problems for some time with the SNTP function, and checked the forums and a lot of other sources. I gave up and checked my firewall configuration, and it looked like it was not correct. I re-configured the firewall and noticed some errors; once the errors were gone from the configuration, SNTP worked like it should. So the issue was not SNTP but rather an incorrect configuration of the firewall.

If you want help, use

/export hide-sensitive file=anynameyouwish

then open it in Notepad++ and paste it here.

To get information about how the firewall works, what the chains are, what the different types are (filter, nat, raw, mangle), etc., you can consult a manual/introduction of the Linux iptables firewall.
The RouterOS firewall is the same thing, just with an extra configuration layer on top of it. However, most names and functions are exactly the same.
There also is the “packet flow diagram” in the wiki that explains what happens where when handling a packet.
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

OK, sorry for the delay.

I did use Notepad++, if that helps. The best thing is if you could post the configuration with colors and that,
but does this forum support that?

So I did find books on Linux iptables; perhaps that will help when and if I can read up on it, if I understand
it... I think I never managed to get the port forwarding working, even on my older MikroTik 433AH device.
As of now I am using software VPN to fix that port forwarding problem.

Is your ISP using CGNAT? If they are, obviously you can’t port forward. If they are not, then something like this will work:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forwarding for Local Web Server to WAN" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.8.9 to-ports=80
# If you deploy QUIC on your web server
add action=dst-nat chain=dstnat comment="Port Forwarding for Local Web Server to WAN" dst-port=80 in-interface-list=WAN protocol=udp to-addresses=192.168.8.9 to-ports=80

Removed my configuration and changed my original post.

I found the problem or issue. After checking some YT videos again and other sources it sure looked like my configuration was correct.

I then checked my “filter rules” and found what was wrong. So there was nothing wrong with the NAT rules; it was the fact that the firewall was
dropping all packets from the Internet that were “unknown”. As for now it is working.
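
An added example, not part of the original posts: a small Python check for the failure described above, where the dst-nat rule is correct but the filter forward chain still drops the forwarded connection. Both rule sets and the packet dictionaries are constructed for illustration; the `connection-nat-state=!dstnat` matcher is the one used by the RouterOS default configuration, and the evaluator models only the three matchers shown.

```python
import shlex

# Constructed "/ip firewall filter" exports (not taken from the thread).
BROKEN = '''
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="drop everything else from WAN" in-interface-list=WAN
'''
FIXED = '''
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
'''

# First packet of a port-forwarded connection as the forward chain sees it:
# dst-nat ran earlier (prerouting), so the connection is already marked "dstnat".
FORWARDED = {"connection-state": "new", "connection-nat-state": "dstnat",
             "in-interface-list": "WAN"}
# Unsolicited WAN traffic with no NAT rule; "none" is a constructed placeholder.
UNSOLICITED = dict(FORWARDED, **{"connection-nat-state": "none"})

def parse(export):
    """Turn 'add key=value ...' lines into dicts, keeping rule order."""
    rules = []
    for line in export.strip().splitlines():
        tokens = shlex.split(line)  # keeps quoted comments as one token
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def matches(rule, packet):
    """True if every matcher in the rule matches; a leading '!' negates it."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        if key not in packet:
            return False  # matcher not modelled here: treated as no match
        negate = want.startswith("!")
        hit = packet[key] in want.lstrip("!").split(",")
        if hit == negate:
            return False
    return True

def verdict(export, packet, chain="forward"):
    """Return (action, rule) for the first terminating rule that matches."""
    for rule in parse(export):
        if rule.get("chain") == chain and matches(rule, packet):
            if rule["action"] in ("accept", "drop", "reject"):
                return rule["action"], rule
    return "accept", None  # nothing matched: the chain accepts the packet
```

Running `verdict` over the forward chain of a real export shows which rule decides the fate of a forwarded connection before any NAT rule is changed.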

In general it can be said that the current default configuration of the RouterOS firewall is good. Previous ones were not.
“Instructional videos” on YouTube are often even worse: clueless operators who have just unpacked their box provide methods that are completely wrong.

It is always best to do this:

  • enable IPv6 on the router when you plan to use it
  • update RouterOS to the latest long-term or stable version
  • reset everything to factory defaults
  • work from here, do not blindly delete rules or move them around but only add rules for things like open ports

Unfortunately what happens in practice is this:

  • router resets itself to defaults using factory firmware at first powerup
  • user enables IPv6 but it has no firewall configuration because it is off by default and so was not present during initial reset
  • update is not done now, maybe never
  • firewall config is not updated at RouterOS updates

pe1chl, I know.

Everything you said is what I often do. You need to understand what you are doing and why.

I will need to look more at the filter rules and check that everything is configured the right way.

Even though I could switch to another brand, I would rather stay with MikroTik because the hardware is
cheap and RouterOS itself has lots of advanced functions and is rock solid stable. Even though
I am a simple home user.