Buying - RB1100AHx4 Dude Edition - Questions about Firewall

So I will be buying RB1100AHx4 Dude Edition https://mikrotik.com/product/RB1100Dx4 .
It is probably a bit overkill for my SOHO, but better safe than sorry and make sure it will last a few years ahead.

The thing I have been pondering the most is the ability to control the firewall, and I have read some of the relevant articles for this: https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall , but I am also curious whether any of the community members have exported firewalls with predefined rules one might look into? Perhaps saving some work by using a tried and tested configuration?

Best thing is to accept the default firewalls as they work out of the box quite safely.
Then work to understand all the default rules.
Then state your requirements and folks will likely chime in to give some advice.
Do not use quickset.
Do use the safe mode button at all times.
Clear requirements with a network diagram = useful assistance.

The SOHO line of Mikrotik routers comes with a very decent default firewall rule set. RB1100AHx4, however, is not from that line and comes with pretty plain defaults, hence it’s wise to get some decent starting settings elsewhere.

@SecCon: you can either wait for somebody to publish default settings and risk (probably low risk though) that it won’t really be complete or not really MT default. Or you can get yourself cheapest possible MT device (that would likely be hEX lite with suggested price of $40) and use that both as playground and as trustworthy source of default settings.

search tag # rextended default firewall rules

WARNING: the default WAN and LAN interface lists must be defined

WARNING: if you do not know what you are doing, you will probably lose control of your device

MikroTik RouterOS 6.49.19 default firewall rules (fixed to reflect the new 7.22 rule changes)
For IPv4 the interface lists must also be created; remember to assign the correct interfaces to the lists and the bridge.

/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf

/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf

/ip firewall filter
add chain=input   action=accept               connection-state=established,related,untracked     comment="defconf: accept established,related,untracked"
add chain=input   action=drop                 connection-state=invalid                           comment="defconf: drop invalid"
add chain=input   action=accept               protocol=icmp                                      comment="defconf: accept ICMP"
add chain=input   action=accept               src-address=127.0.0.1  dst-address=127.0.0.1       comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input   action=drop                 in-interface-list=!LAN                             comment="defconf: drop all not coming from LAN"
add chain=forward action=accept               ipsec-policy=in,ipsec                              comment="defconf: accept in ipsec policy"
add chain=forward action=accept               ipsec-policy=out,ipsec                             comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related               comment="defconf: fasttrack"
add chain=forward action=accept               connection-state=established,related,untracked     comment="defconf: accept established,related, untracked"
add chain=forward action=drop                 connection-state=invalid                           comment="defconf: drop invalid"
add chain=forward action=drop                 in-interface-list=WAN connection-nat-state=!dstnat comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"

For IPv6 the address list bad_ipv6 is also created before the firewall rules.
The interface lists must also be created, as for IPv4; remember to assign the correct interfaces to the lists and the bridge.

/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf

/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf

/ipv6 firewall address-list
add list=bad_ipv6 address=::/128            comment="defconf: unspecified address"
add list=bad_ipv6 address=::1/128           comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10         comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96             comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64          comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32     comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28      comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16         comment="defconf: 6bone"

/ipv6 firewall filter
add chain=input   action=accept               connection-state=established,related,untracked   comment="defconf: accept established,related,untracked"
add chain=input   action=drop                 connection-state=invalid                         comment="defconf: drop invalid"
add chain=input   action=accept               protocol=icmpv6                                  comment="defconf: accept ICMPv6"
add chain=input   action=accept               protocol=udp dst-port=33434-33534                comment="defconf: accept UDP traceroute"
add chain=input   action=accept               protocol=udp dst-port=546 src-address=fe80::/10  comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input   action=accept               protocol=udp dst-port=500,4500                   comment="defconf: accept IKE"
add chain=input   action=accept               protocol=ipsec-ah                                comment="defconf: accept ipsec AH"
add chain=input   action=accept               protocol=ipsec-esp                               comment="defconf: accept ipsec ESP"
add chain=input   action=accept               ipsec-policy=in,ipsec                            comment="defconf: accept all that matches ipsec policy"
add chain=input   action=drop                 in-interface-list=!LAN                           comment="defconf: drop everything else not coming from LAN"
add chain=forward action=accept               connection-state=established,related,untracked   comment="defconf: accept established,related,untracked" 
add chain=forward action=drop                 connection-state=invalid                         comment="defconf: drop invalid"
add chain=forward action=drop                 src-address-list=bad_ipv6                        comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop                 dst-address-list=bad_ipv6                        comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop                 protocol=icmpv6 hop-limit=equal:1                comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept               protocol=icmpv6                                  comment="defconf: accept ICMPv6"
add chain=forward action=accept               protocol=139                                     comment="defconf: accept HIP"
add chain=forward action=accept               protocol=udp dst-port=500,4500                   comment="defconf: accept IKE"
add chain=forward action=accept               protocol=ipsec-ah                                comment="defconf: accept ipsec AH"
add chain=forward action=accept               protocol=ipsec-esp                               comment="defconf: accept ipsec ESP"
add chain=forward action=accept               ipsec-policy=in,ipsec                            comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop                 in-interface-list=!LAN                           comment="defconf: drop everything else not coming from LAN"



MikroTik RouterOS 7.20.8 / 7.22 default firewall rules (fixed to reflect the new 7.22 rule changes)
For IPv4 the interface lists must also be created; remember to assign the correct interfaces to the lists and the bridge.

/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf

/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf

/ip firewall filter
add chain=input   action=accept               connection-state=established,related,untracked              comment="defconf: accept established,related,untracked"
add chain=input   action=drop                 connection-state=invalid                                    comment="defconf: drop invalid"
add chain=input   action=accept               protocol=icmp                                               comment="defconf: accept ICMP"
add chain=input   action=accept               in-interface=lo src-address=127.0.0.1 dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input   action=drop                 in-interface-list=!LAN                                      comment="defconf: drop all not coming from LAN"
add chain=forward action=accept               ipsec-policy=in,ipsec                                       comment="defconf: accept in ipsec policy"
add chain=forward action=accept               ipsec-policy=out,ipsec                                      comment="defconf: accept out ipsec policy"
# on the next rule, if your hardware supports it, add hw-offload=yes
add chain=forward action=fasttrack-connection connection-state=established,related                        comment="defconf: fasttrack"
add chain=forward action=accept               connection-state=established,related,untracked              comment="defconf: accept established,related, untracked"
add chain=forward action=drop                 connection-state=invalid                                    comment="defconf: drop invalid"
add chain=forward action=drop                 in-interface-list=WAN connection-nat-state=!dstnat          comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"

For IPv6 the address list bad_ipv6 is also created before the firewall rules.
The interface lists must also be created, as for IPv4; remember to assign the correct interfaces to the lists and the bridge.

/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf

/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf

/ipv6 firewall address-list
add list=bad_ipv6 address=::/128            comment="defconf: unspecified address"
add list=bad_ipv6 address=::1/128           comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10         comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96             comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64          comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32     comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28      comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16         comment="defconf: 6bone"

/ipv6 firewall filter
add chain=input   action=accept               connection-state=established,related,untracked   comment="defconf: accept established,related,untracked"
add chain=input   action=drop                 connection-state=invalid                         comment="defconf: drop invalid"
add chain=input   action=accept               protocol=icmpv6                                  comment="defconf: accept ICMPv6"
add chain=input   action=accept               protocol=udp dst-port=33434-33534                comment="defconf: accept UDP traceroute"
add chain=input   action=accept               protocol=udp dst-port=546 src-address=fe80::/10  comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input   action=accept               protocol=udp dst-port=500,4500                   comment="defconf: accept IKE"
add chain=input   action=accept               protocol=ipsec-ah                                comment="defconf: accept ipsec AH"
add chain=input   action=accept               protocol=ipsec-esp                               comment="defconf: accept ipsec ESP"
add chain=input   action=accept               ipsec-policy=in,ipsec                            comment="defconf: accept all that matches ipsec policy"
add chain=input   action=drop                 in-interface-list=!LAN                           comment="defconf: drop everything else not coming from LAN"
# fasttrack6 only on 7.18 and up
add chain=forward action=fasttrack-connection connection-state=established,related             comment="defconf: fasttrack6"
add chain=forward action=accept               connection-state=established,related,untracked   comment="defconf: accept established,related,untracked" 
add chain=forward action=drop                 connection-state=invalid                         comment="defconf: drop invalid"
add chain=forward action=drop                 src-address-list=bad_ipv6                        comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop                 dst-address-list=bad_ipv6                        comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop                 protocol=icmpv6 hop-limit=equal:1                comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept               protocol=icmpv6                                  comment="defconf: accept ICMPv6"
add chain=forward action=accept               protocol=139                                     comment="defconf: accept HIP"
add chain=forward action=accept               protocol=udp dst-port=500,4500                   comment="defconf: accept IKE"
add chain=forward action=accept               protocol=ipsec-ah                                comment="defconf: accept ipsec AH"
add chain=forward action=accept               protocol=ipsec-esp                               comment="defconf: accept ipsec ESP"
add chain=forward action=accept               ipsec-policy=in,ipsec                            comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop                 in-interface-list=!LAN                           comment="defconf: drop everything else not coming from LAN"
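As an added example (not part of rextended's post and not anything MikroTik ships), here is a small Python linter that parses an export in the shape posted above and checks the points the two WARNING lines and the rule layout depend on: that the WAN and LAN interface lists exist and actually have members, that every input and forward chain ends in a catch-all drop with no unreachable rules behind it, that a fasttrack rule is followed by its accept established,related rule, and that no blanket accept has slipped in. Disabled rules are ignored, since they match nothing on the device. The two exports embedded in it are constructed, abridged samples, not real device dumps; the section names and rule keys are the ones used in the rules above.

```python
"""Added example: lint a RouterOS firewall export against the defconf layout,
checking what the post warns about: WAN/LAN lists exist and are populated, every
chain ends in a catch-all drop, fasttrack has its accept rule, no blanket accept."""
import shlex

# Constructed, abridged 7.x-style export (not a real device dump).
GOOD_EXPORT = """\
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf
/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat comment="defconf: drop all from WAN not DSTNATed"
"""
# Constructed broken variant: LAN list empty, no input catch-all, forward
# catch-all disabled with a "temporary" allow-all left in the chain.
BAD_EXPORT = """\
/interface list
add name=WAN comment=defconf
add name=LAN comment=defconf
/interface list member
add list=WAN interface=ether1 comment=defconf
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=accept protocol=icmp
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat disabled=yes
add chain=forward action=accept comment="temporary allow all"
"""
NON_MATCHERS = {"chain", "action", "comment", "disabled", "log", "log-prefix", "place-before"}
CATCH_ALL_KEYS = {"in-interface-list", "connection-nat-state"}


def parse_export(text: str) -> dict:
    """Turn '/path' headers and 'add k=v ...' lines into {section: [rule, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):  # keeps comment="a b" as one token
                key, _, value = token.partition("=")
                rule[key] = value
            sections[current].append(rule)
    return sections


def matchers(rule: dict) -> set:
    """Keys that actually constrain which packets the rule matches."""
    return set(rule) - NON_MATCHERS


def is_catch_all_drop(rule: dict) -> bool:
    m = matchers(rule)
    return rule.get("action") == "drop" and bool(m) and m <= CATCH_ALL_KEYS


def lint_chain(name: str, rules: list) -> list:
    active = [r for r in rules if r.get("disabled") != "yes"]  # disabled rules match nothing
    if not active:
        return [f"{name}: chain is empty, everything is accepted"]
    findings = []
    tails = [i for i, r in enumerate(active) if is_catch_all_drop(r)]
    if not tails:
        findings.append(f"{name}: no catch-all drop, unmatched traffic is accepted")
    elif tails[0] != len(active) - 1:
        findings.append(f"{name}: {len(active) - 1 - tails[0]} rule(s) after the catch-all drop are unreachable")
    for i, r in enumerate(active):
        if r.get("action") == "accept" and not matchers(r):
            findings.append(f"{name}: rule {i} accepts everything")
        if r.get("action") == "fasttrack-connection" and not any(
            x.get("action") == "accept" and "established" in x.get("connection-state", "")
            for x in active[i + 1:]):
            findings.append(f"{name}: fasttrack rule {i} has no accept established,related rule after it")
    return findings


def lint(export: dict) -> list:
    findings = []
    defined = {r.get("name") for r in export.get("/interface list", [])}
    populated = {r.get("list") for r in export.get("/interface list member", [])}
    for needed in ("WAN", "LAN"):
        if needed not in defined:
            findings.append(f"interface list {needed} is not defined")
        elif needed not in populated:
            findings.append(f"interface list {needed} has no members, so rules matching it never fire")
    for section in ("/ip firewall filter", "/ipv6 firewall filter"):
        if section in export:  # an absent family is simply not configured in this export
            for chain in ("input", "forward"):
                rules = [r for r in export[section] if r.get("chain") == chain]
                findings += lint_chain(f"{section} {chain}", rules)
    return findings
```

On a real device, save the configuration with `/export file=fw` (the file then shows up under Files), copy it off the router and pass its text to `parse_export`; `lint(parse_export(GOOD_EXPORT))` returns an empty list for the sample above, while the broken sample yields five findings. The catch-all detection is deliberately narrow (a drop whose only matchers are interface-list or NAT-state based), so a drop keyed on addresses or protocol is not mistaken for the terminal rule.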

Nice!

I would accept the default of course, but I guess there is room for improvement if you know your network and what can be blocked/allowed.

What would be the SOHO line of routers in your opinion? Mikrotik sure doesn’t list any…

I have a Xeon server standing by for custom solutions and plenty of server power for virtual solutions that I can connect anyhow I like, but I am going with this for now.

BTW, also got this switch: https://mikrotik.com/product/CRS326-24G-2SplusRM

Weird thing is it appears both as a router and as a switch on many shop sites… very confusing. Fortunately Mikrotik has it listed as “switch”.

Delivery May 20.

The RB4011 would be the router of choice if looking at current or future 1gig ISP connections.
But I am not familiar with the 1100; that may be a step down in terms of number of ports and throughput.

The CRS switches can run both SwOS and ROS. When running ROS they may be used as routers and/or switches: they will route packets, and have all the possibilities of a Mikrotik router.

BUT

They have a VERY weak CPU. So, they would route - but quite slowly. This CRS326, as an example, can pass L2 traffic at wirespeed, in all ports at the same time. As a router it would barely get as high as 750Mbps.

The 1100AHx4 is just the 4011 with 3 switches, 13 gigabit ports and no SFP+. Same RAM, and I think one has 128MB of flash and the other 512MB. The 1100 Dude edition has two SATA ports.

All devices apart from: CHR, CRS line, CCR line, RB1100 line and possibly RB3011 (not sure about this one).

I’m not talking about SwOS devices here.

@mkx can you send me an email please.

I would certainly wish for that to be clearly stated when looking at a product purchase. Then again, we look mostly at port speed, CPU power and RAM when choosing, I guess.

In any case, the more you can clearly define your current and likely future requirements the better advice can be provided.

where to? :wink:

The email address when you click on my icon…
Just below where it says I am a Mikrotik slow learner! :wink:

No kidding, one can actually click on the icon? Whoever came up with that great idea must be a genius :wink:

and a genius!!
Normis je genije. (Normis is a genius.)

You meant to write “Normis ir ģēnijs” (Latvian for “Normis is a genius”)?