Default Firewall Filter Question

Let me start off by saying I apologize if this seems like a rant, well because... it somewhat is. I’ve configured multiple Juniper, Cisco and pfSense firewalls without a hitch, but Mikrotik has me constantly flabbergasted when trying to configure the most basic functionality. Unfortunately, the organization I joined has a Mikrotik router so I have no choice but to learn and configure this thing. I’ll save my inexplicable confusion when trying to comprehend the creation of VLANs for another thread, since this one is about the simple functionality of a firewall.

First of all, I cannot fathom why the firewall is set to allow everything by default. I’ve taken over the role of a net admin at a small/medium company from a person who didn’t know what they were doing, so everything’s a mess at the moment. Much to my horror, on my first day, I logged into the router only to see all the default services and ports were open to the WAN and constantly getting bombarded with login attempts from all over the world. I’m completely shocked that the 10 character password has held up for as long as it did. Anyways, the first thing I do is add a default deny all rule, thinking all is lovely and I don’t have to worry about the firewall rules for the most part. Everything has been working fine for 2 weeks, no issues. A couple of allow rules for some internal services, and a default deny, simple enough.

Then today I start looking into Mikrotik hardening and best security practices only to stumble upon this thread: https://forum.mikrotik.com/viewtopic.php?t=180838, which has left me at a complete lack of understanding of what needs to be done with this firewall. It seems outlandish to me that I need to study so much information just to set up the “DEFAULT” firewall configuration. I don’t understand which of these filters are necessary, and adding them all in without understanding what it is they’re doing makes me feel like I could be opening holes or creating other problems without understanding the impact. Anyways, I guess my question is, why should I put all these extra rules in, rather than just having a singular input “deny all” rule and calling it a day?

The default rules are safe out of the box and work on the premise of blocking the most harmful types of traffic and letting all other traffic pass. This is fine for a person who opens the router, plugs ether1 into the ISP and their PC into etherport2. However, as soon as you start configuring the router for anything else, the idea is to change the concept of the firewall to ONLY allow (accept) needed traffic and simply drop all else. Nothing fancy, nice and clean.

As a person responsible for all other systems, I would imagine there was training involved. It’s rather amusing you seem to think you don’t for MT.
In any case, there is nothing magical about the firewall setup.
Basically the default rules are required for full router functionality.
Then we add user rules needed for traffic flow, then we drop all else.
This is done in the article for both chains. Input is traffic TO the router, think router services.
The forward chain is through the router, think wan to lan, lan to lan, lan to wan.

After that there are many tools available to shape, route, and direct traffic as required as the config’s complexity grows.
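The two replies above describe the structure in words: keep the default "functionality" rules, add accept rules for the traffic you actually need, and drop everything else, separately for the input chain (traffic to the router) and the forward chain (traffic through the router). The following RouterOS CLI config is an added example written for this thread, not copied from the MikroTik docs or from @anav's guide. It assumes ether1 is the WAN port, a bridge named bridge carries the LAN, and the LAN subnet is 192.168.88.0/24 (the RouterOS default); adjust those to your own setup. The single most important thing it shows, relative to the OP's lone "deny all" input rule, is the established/related accept at the top of each chain: without it, replies to the router's own outbound traffic (DNS lookups, NTP, the DHCP client on WAN) are dropped along with the unwanted WAN scans.

```routeros
# --- Interface lists: rules reference roles, not port numbers ---
/interface list
add name=WAN comment="untrusted side"
add name=LAN comment="trusted side"
/interface list member
add list=WAN interface=ether1    # assumption: ether1 faces the ISP
add list=LAN interface=bridge    # assumption: LAN ports are bridged as "bridge"

# --- INPUT chain: traffic destined TO the router itself ---
/ip firewall filter
# 1. Keep the router's own sessions working (DNS, NTP, DHCP client replies).
add chain=input action=accept connection-state=established,related,untracked \
    comment="input: replies to the router's own connections"
# 2. Packets that match no known connection and are not a valid new one.
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
# 3. Only what the LAN needs from the router's services.
add chain=input action=accept in-interface-list=LAN protocol=icmp \
    comment="input: ping from LAN"
add chain=input action=accept in-interface-list=LAN src-address=192.168.88.0/24 \
    protocol=tcp dst-port=8291,22 comment="input: Winbox/SSH management from LAN only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="input: DNS for LAN clients"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="input: DNS (TCP) for LAN clients"
# 4. Everything else to the router, from any interface, is dropped.
#    This is the "deny all" the OP wanted; it must stay LAST in the chain.
add chain=input action=drop comment="input: drop everything else"

# --- FORWARD chain: traffic passing THROUGH the router ---
# 1. Fast path and accept for already-established flows.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="forward: fasttrack established/related"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: accept established/related/untracked"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# 2. The flows you actually want: LAN out to the internet ...
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="forward: LAN to internet"
# ... and only port-forwarded (dst-nat) sessions in from the WAN.
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat \
    comment="forward: only dstnat'ed traffic from WAN"
# 3. Drop all other transit traffic (including WAN -> LAN without a port forward).
add chain=forward action=drop comment="forward: drop everything else"

# --- Services: the "default ports open to the WAN" the OP found ---
/ip service
set telnet,ftp,www,api,api-ssl disabled=yes
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
```

Rule order is what makes this work: the firewall evaluates top to bottom and stops at the first match, so the established/related accept and the explicit LAN accepts sit above the final drop, and the final drop catches everything not listed. Use `/ip firewall filter print stats` after a few minutes of normal use to confirm the "drop everything else" counters are climbing on input (the WAN login attempts) while the LAN accept rules are also matching; a LAN accept rule that never increments is either unnecessary or misplaced below a drop. The fasttrack rule bypasses the rest of the filter, mangle and queue processing for matched packets, so leave it out if you later add traffic shaping for those flows.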

FWIW some of the “non-home” routers don’t come with any “default” firewall… maybe that’s the issue? An empty config isn’t unusual for “enterprise” equipment.

The docs show a basic stateful firewall:
https://help.mikrotik.com/docs/display/ROS/Basic+Concepts#BasicConcepts-ConfigurationExample
which links to further explanation here:
https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall

Mikrotik docs focus on being a reference, so they do lack examples for specific (and common) use cases in many cases. @anav’s guide has a useful encyclopedia of examples. But some basics of RouterOS config style/philosophy are kinda needed first.