Basic setup filter rules?

Hi Guys, I have had my 450G running for a few years now with no complaints and I just came across the following article:

http://mikrotik.romelsan.com/home/basic-firewall-rules

I don’t have any of these rules running and after some more googling I found that people are recommending them. Should I put these rules in place? What do they do?

  1. Make your router ping-able (I understand this one, it just allows me to ping the router from the WAN side? LAN side?)
  2. Accept Connections (not sure what this rule means because I can run a game server behind the router and the WAN side can connect to my game servers with the proper port forwarding)
  3. Drop Incoming Internet Connections (Security Rule) (does this just drop port 80 and 443 request?)
  4. Drop Invalid Connections (kind of self explanatory but is there something to this?)

My setup is a basic home setup: cable ISP modem going to the router, and the router has two basic subnets on it to manage my internal network and a guest account. I also run a few game servers behind the router.

If you don’t have any input filters or forward filters then you effectively have no firewall functionality. Which filters do you have active right now?

I will post what I have when I get home today. My setup was originally posted here on the support forums and nobody batted an eye at my setup.

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept src-address-list=admin-access

1 chain=input action=drop protocol=tcp dst-port=21,22,23,80,443

2 chain=forward action=drop src-address=192.168.2.0/24
dst-address=192.168.1.0/24

3 chain=forward action=drop src-address=192.168.1.0/24
dst-address=192.168.2.0/24

4 X ;;; Night disable internet
chain=forward action=drop in-interface=LAN out-interface=WAN
time=1s-17h,sun,mon,tue,wed,thu,fri,sat

6 X chain=forward action=drop in-interface=LAN3 out-interface=WAN
time=2h1s-6h,sun,mon,tue,wed,thu,fri,sat

And now I have added them, does that look good? I had to use the Winbox GUI for rule 4:

0 ;;; Ping
chain=input action=accept protocol=icmp

1 ;;; Accept Established Connections
chain=input action=accept connection-state=established

2 ;;; Accept Related Connections
chain=input action=accept connection-state=related

3 ;;; Drop Invalid Connections
chain=input action=drop connection-state=invalid protocol=tcp

4 ;;; Drop WAN Connections
chain=input action=drop in-interface=WAN

5 chain=input action=accept src-address-list=admin-access

6 chain=input action=drop protocol=tcp dst-port=21,22,23,80,443

7 ;;; VLAN rules
chain=forward action=drop src-address=192.168.2.0/24
dst-address=192.168.1.0/24

8 chain=forward action=drop src-address=192.168.1.0/24
dst-address=192.168.2.0/24


Just noticed my VLAN filters were turned off so I just re-enabled them.

I think you might be missing some rules in your second post.
For better readability, do an export compact in /ip firewall filter.
This gives a clearer overview of all the created rules. Also keep in mind the difference between the various chains.
The input chain is hit when traffic is destined for the router itself. The forward chain is hit for traffic traversing through the router.
Here is my minimal recommended set of rules:
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface= src-address=
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="IPv4 Drop input RR:"
add action=drop chain=input comment="Drop everything else"

add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network" in-interface= src-address=
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward RR:"
add action=drop chain=forward comment="Drop everything else"

Since you seem to have 2 LAN networks (VLANs), create some more rules for those networks.
Your rules could look like this:
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface= src-address=
add chain=input comment="Allow access from local network 3" in-interface= src-address=
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="IPv4 Drop input RR:"
add action=drop chain=input comment="Drop everything else"

add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network to go outside" in-interface= src-address= out-interface=WAN
add chain=forward comment="Allow traffic from Local network 3 to go outside" in-interface= src-address= out-interface=WAN
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward RR:"
add action=drop chain=forward comment="Drop everything else"

So do I drop the first 4 rules (the new ones) and add your second set of rules? And do I replace each IP with the local VLAN IP? Or do I also drop my VLAN rules?

i.e., drop these ones:

0 ;;; Ping
chain=input action=accept protocol=icmp

1 ;;; Accept Established Connections
chain=input action=accept connection-state=established

2 ;;; Accept Related Connections
chain=input action=accept connection-state=related

3 ;;; Drop Invalid Connections
chain=input action=drop connection-state=invalid protocol=tcp

4 ;;; Drop WAN Connections
chain=input action=drop in-interface=WAN

You can drop the 4 rules you mentioned.
Actually they are also in my proposed list.

And in these rules I replace the "ip" with my two VLAN subnets? (192.168.1.0/24 & 192.168.2.0/24)

add chain=input comment="Allow access from local network" in-interface= src-address=
add chain=input comment="Allow access from local network 3" in-interface= src-address=

Correct. And also change interface names.
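The recommended rule set from the earlier reply, assembled with the subnets and interface names filled in the way the last two posts describe, as an added example that is not code from this thread. It assumes the interface names WAN, LAN (192.168.1.0/24) and LAN3 (192.168.2.0/24) and the admin-access address list from the original poster's own output; the admin-access host address is a placeholder. It also keeps the original poster's inter-VLAN drops and adds an accept for port-forwarded traffic, because a forward chain that ends in "drop everything else" would otherwise drop the game-server connections arriving from the WAN.

```routeros
# Added example, not code from this thread. Assumed from the earlier posts:
# interfaces WAN, LAN (192.168.1.0/24) and LAN3 (192.168.2.0/24), and an
# address list "admin-access" holding the hosts allowed to manage the router.
/ip firewall address-list
add list=admin-access address=192.168.1.10 comment="management PC (assumed address)"

/ip firewall filter
# --- input: traffic addressed to the router itself (first match wins) ---
add chain=input action=drop connection-state=invalid comment="Drop invalid connections"
add chain=input action=accept connection-state=established,related comment="Accept established/related"
add chain=input action=accept protocol=icmp comment="Ping"
add chain=input action=accept src-address-list=admin-access comment="Management from admin-access list"
add chain=input action=drop protocol=tcp dst-port=21,22,23,80,443 comment="Management ports closed for everyone else"
add chain=input action=accept in-interface=LAN src-address=192.168.1.0/24 comment="Allow access from local network"
add chain=input action=accept in-interface=LAN3 src-address=192.168.2.0/24 comment="Allow access from local network 3"
add chain=input action=log disabled=yes log-prefix="IPv4 Drop input RR:" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

# --- forward: traffic passing through the router ---
add chain=forward action=drop connection-state=invalid comment="Drop invalid connections"
add chain=forward action=accept connection-state=established,related comment="Accept established/related"
add chain=forward action=drop src-address=192.168.2.0/24 dst-address=192.168.1.0/24 comment="VLAN isolation"
add chain=forward action=drop src-address=192.168.1.0/24 dst-address=192.168.2.0/24 comment="VLAN isolation"
# New connections that were dst-nat'ed (the game-server port forwards) must be
# accepted explicitly; otherwise the final "Drop everything else" catches them.
add chain=forward action=accept in-interface=WAN connection-nat-state=dstnat comment="Allow port-forwarded game servers"
add chain=forward action=accept in-interface=LAN src-address=192.168.1.0/24 out-interface=WAN comment="Local network to internet"
add chain=forward action=accept in-interface=LAN3 src-address=192.168.2.0/24 out-interface=WAN comment="Local network 3 to internet"
add chain=forward action=log disabled=yes log-prefix="IPv4 Drop forward RR:" comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"
```

Enable the two log rules temporarily (disabled=no) and watch /log to see what the final drops are catching before relying on the set.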