Default Firewall Order

So I have an issue with RDP being slow and with sending video over VPN connections, and traced it down to FastTrack: disabling it would allow the videos to load, and RDP and overall performance increased. From the MT forum I created the rules below, and at this point everything seems to work now. We want to use “Usermanager” for our level 2 admins to add clients on the fly so they do not have to enter the core router (MT RADIUS and Userman are beautiful, thank you). It seems there is no way to add a VPN interface to the WAN interface list to bypass the “drop all from WAN not DSTNATed” rule. Since I have the accept rules before the “drop all from WAN not DSTNATed” rule this should be OK, even though I believe they are not technically DSTNATed unless it considers the router the DST.

Can I get some thoughts, is this safe?

add action=accept chain=input comment="Allow SSTP" dst-port=1443 in-interface=ether2 protocol=tcp
add action=accept chain=input comment="Allow IPsec NAT" dst-port=4500 in-interface=ether2 protocol=udp
add action=accept chain=input comment="Allow IKE" dst-port=500 in-interface=ether2 protocol=udp
add action=accept chain=input comment="Allow L2TP" dst-port=1701 in-interface=ether2 protocol=udp
add action=accept chain=input comment="Allow PPTP" dst-port=1723 in-interface=ether2 protocol=tcp
add action=accept chain=input in-interface=ether2 protocol=gre
add action=accept chain=input in-interface=ether2 protocol=ipsec-esp
add action=accept chain=input in-interface=ether2 protocol=ipsec-ah
add chain=output comment="Default Firewall - Start of Basic Firewall" disabled=yes
add action=drop chain=input comment="Default Firewall - DNS Block TCP" connection-state=new dst-port=53 in-interface=ether2 protocol=tcp
add action=drop chain=input comment="Default Firewall - DNS Block UDP" connection-state=new dst-port=53 in-interface=ether2 protocol=udp
add action=accept chain=input comment="Default Firewall - Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Default Firewall - Drop Invalid Connections" connection-state=invalid
add action=accept chain=input comment="Default Firewall - Accept ICMP" protocol=icmp
add action=drop chain=input comment="Default Firewall - drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Default Firewall - Fasttrack Connection Manager" connection-state=established,related,untracked
add action=drop chain=forward comment="Default Firewall - Drop Invalid Connections" connection-state=invalid
add action=accept chain=forward comment="Default Firewall - Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Default Firewall - Accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Default Firewall - Fasttrack disable for IPsec VPN Connections" connection-mark=!ipsec connection-state=established,related
add action=fasttrack-connection chain=forward comment="Default Firewall - Fasttrack Connection Manager" connection-state=established,related
add action=drop chain=forward comment="Default Firewall - drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
add chain=output comment="Default Firewall - End of Basic Firewall" disabled=yes

I’m focusing on your forward chain as that’s what would be involved with the RDP stuff. And know that I consider myself a very dangerous amateur when it comes to this subject - I do not consider myself an authority in networks in general or Mikrotik in particular.

An excerpt from my own firewall:

add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Allow Protected External from Internet" connection-state="" in-interface=bInternet src-address-list=ProtectedExternal
add action=drop chain=forward comment="drop invalid" connection-state=invalid in-interface=bInternet
add action=drop chain=forward comment="dropping port scanners" src-address-list="port scanners"
add action=accept chain=forward comment="avoid fasttrack for OpenDrive (to use Simple Queue for rate limiting)" connection-state="" packet-mark=OpenDrive
add action=fasttrack-connection chain=forward comment="Enable FastTrack for non-ipsec traffic" connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=jump chain=forward comment="Jump to RFC Port Scanners TCP Chain" jump-target="RFC Port Scanners TCP Chain" protocol=tcp src-address-list=!non-public
add action=jump chain=forward comment="Jump to Vulnerable TCP Chain" jump-target=vulnerabilities-tcp protocol=tcp src-address-list=!non-public
add action=jump chain=forward comment="Jump to RFC Port Scanners UDP Chain" jump-target="RFC Port Scanners TCP Chain" protocol=udp src-address-list=!non-public
add action=jump chain=forward comment="Jump to Vulnerable UDP Chain" jump-target=vulnerabilities-udp protocol=udp src-address-list=!non-public
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=bInternet
add action=drop chain=forward comment="drop all from fake LAN on Internet" connection-nat-state=!srcnat connection-state="" in-interface=bInternet src-address-list=non-public
add action=accept chain=forward comment="Forward LAN-to-LAN" dst-address-list=non-public in-interface=bLAN out-interface=bLAN
add action=accept chain=forward comment="Forward LAN-to-WAN" dst-address-list=!non-public in-interface=bLAN out-interface=bInternet
add action=accept chain=forward comment="accept all from WAN if DSTNATed" connection-nat-state=dstnat connection-state=new in-interface=bInternet
add action=accept chain=forward comment="Forward ICMP from LAN" in-interface=bLAN protocol=icmp

and the mangle rules:

add action=mark-connection chain=forward comment="mark ipsec outbound connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=no
add action=mark-connection chain=forward comment="mark ipsec inbound connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=no
add action=mark-connection chain=forward comment="Mark OpenDrive upload traffic" connection-state=new dst-address=38.108.185.64 new-connection-mark=OpenDrive passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="Mark OpenDrive upload traffic" connection-mark=OpenDrive new-packet-mark=OpenDrive passthrough=no

Look this over and see if some adjustment will work for you. My OpenDrive rules could be changed out for RDP - something like:

add action=mark-connection chain=forward comment="Mark RDP traffic" connection-state=new dst-port=3389 new-connection-mark=RDP passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="Mark RDP traffic" connection-mark=RDP new-packet-mark=RDP passthrough=no

and of course change the filter rules accordingly.

Change Order in Green
Remove in Red
Add in Blue


add action=accept chain=input comment="Default Firewall - Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Default Firewall - Drop Invalid Connections" connection-state=invalid

**add action=accept chain=input comment="Allow SSTP" dst-port=1443 in-interface=ether2 protocol=tcp
add action=accept chain=input comment="Allow IPsec NAT" dst-port=4500 in-interface=ether2 protocol=udp
add action=accept chain=input comment="Allow IKE" dst-port=500 in-interface=ether2 protocol=udp
add action=accept chain=input comment="Allow L2TP" dst-port=1701 in-interface=ether2 protocol=udp
add action=accept chain=input comment="Allow PPTP" dst-port=1723 in-interface=ether2 protocol=tcp
*add action=accept chain=input in-interface=ether2 protocol=gre
add action=accept chain=input in-interface=ether2 protocol=ipsec-esp
add action=accept chain=input in-interface=ether2 protocol=ipsec-ah

*I am not familiar with IPsec, but I question these rules as they do not appear normal to me (I have seen them on other configurations)… they may be fine, but hopefully someone with IPsec knowledge can chime in.

add action=accept chain=input comment="Default Firewall - Accept ICMP" protocol=icmp
add action=drop chain=input comment="Default Firewall - drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="Default Firewall - DNS Block TCP" connection-state=new dst-port=53 in-interface=ether2 protocol=tcp
add action=drop chain=input comment="Default Firewall - DNS Block UDP" connection-state=new dst-port=53 in-interface=ether2 protocol=udp

add action=fasttrack-connection chain=forward comment="Default Firewall - Fasttrack disable for IPsec VPN Connections" connection-mark=!ipsec connection-state=established,related
add action=fasttrack-connection chain=forward comment="Default Firewall - Fasttrack Connection Manager" connection-state=established,related
add action=accept chain=forward comment="Default Firewall - Fasttrack Connection Manager" connection-state=established,related,untracked
add action=drop chain=forward comment="Default Firewall - Drop Invalid Connections" connection-state=invalid
add action=accept chain=forward comment="Default Firewall - Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Default Firewall - Accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Default Firewall - drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

add chain=output comment="Default Firewall - End of Basic Firewall" disabled=yes
add chain=output comment="Default Firewall - Start of Basic Firewall" disabled=yes

What I would add/modify.
Input chain

(1) Theme: tighter access to the router itself:
- allow admin access to the router for configuration purposes (address-list=adminaccess: admin devices such as desktop, laptop, iPad etc.)
- only allow LAN users access to required services such as DNS
- a drop-all-else rule at the end of the chain.

add action=accept chain=input comment="Allow ADMIN to Router"
** { in-interface-list=XXXXX OR in-interface=subnet } src-address-list=adminaccess
** wherever the admin devices are located

add action=accept chain=input comment="Allow LAN DNS queries - UDP"
connection-state=new dst-port=53 in-interface-list=YYYY protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP"
connection-state=new dst-port=53 in-interface-list=YYYY protocol=tcp
Where interface-list=YYYY you can define which interfaces should have DNS access and apply it in this rule.

add action=drop chain=input comment="DROP ALL ELSE"
then remove
add action=drop chain=input comment="Default Firewall - drop all not coming from LAN" in-interface-list=!LAN

For the forward chain
The theme is to simplify, make the rules clear, and drop everything not required.

  • add any rules requiring access to the internet
  • add any rules requiring access at L3 routing (such as VLAN A to VLAN B for such things as admin access, shared devices etc.)
  • last rule: drop all else
    e.g.,
    add action=accept chain=forward comment="ENABLE LAN to WAN"
    in-interface=xxxx OR in-interface-list=tttttt out-interface-list=wan

add action=drop chain=forward comment="Default Firewall - drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

if you do need port forwarding, instead make this rule…
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat in-interface-list=WAN

add action=drop chain=forward comment="DROP ALL ELSE"
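To make the ordering arguments in this thread concrete, here is a small first-match simulation of the input and forward chains discussed above. This is an added example, not code from the thread, from anav, or from MikroTik: it models only the matchers these rules use, treats `fasttrack-connection` as non-terminating (which is why the configs above pair it with an accept established,related rule), and assumes interface-list membership of ether2 in WAN and ether3 in LAN. It walks the OP's rules in two orders to show that the VPN service accepts must sit before the catch-all drop in the input chain, and that an accept established,related rule placed before the fasttrack rule (the order in the original post's forward chain) means the fasttrack rule is never reached.

```python
"""First-match walk of RouterOS-style filter chains (added example)."""
from dataclasses import dataclass
from typing import Optional

# Assumed interface-list membership (RouterOS: /interface list member).
IFACE_LISTS = {"WAN": {"ether2"}, "LAN": {"ether3"}}


@dataclass
class Rule:
    action: str                                 # accept | drop | fasttrack-connection
    comment: str = ""
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None     # "!LAN" negates, as in RouterOS
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[frozenset] = None
    connection_mark: Optional[str] = None       # "!ipsec" negates


@dataclass
class Packet:
    in_interface: str
    protocol: str
    dst_port: Optional[int] = None
    connection_state: str = "new"
    connection_mark: str = ""


def _neg_eq(want: Optional[str], have: str) -> bool:
    """Plain or '!'-negated string matcher; None means 'match anything'."""
    if want is None:
        return True
    return have != want[1:] if want.startswith("!") else have == want


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_interface is not None and pkt.in_interface != rule.in_interface:
        return False
    if rule.in_interface_list is not None:
        name = rule.in_interface_list.lstrip("!")
        member = pkt.in_interface in IFACE_LISTS.get(name, set())
        if member == rule.in_interface_list.startswith("!"):  # negated XOR member
            return False
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.connection_state is not None and pkt.connection_state not in rule.connection_state:
        return False
    return _neg_eq(rule.connection_mark, pkt.connection_mark)


def evaluate(chain, pkt):
    """Return (verdict, comment, fasttracked) for the first terminating rule.
    fasttrack-connection is modelled as non-terminating (assumption stated
    in the lead-in); a chain with no match ends in accept, as in RouterOS."""
    fasttracked = False
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.action == "fasttrack-connection":
            fasttracked = True
            continue
        return rule.action, rule.comment, fasttracked
    return "accept", "(end of chain)", fasttracked


EST = frozenset({"established", "related", "untracked"})
VPN_ACCEPTS = [
    Rule("accept", "Allow SSTP", in_interface="ether2", protocol="tcp", dst_port=1443),
    Rule("accept", "Allow IPsec NAT", in_interface="ether2", protocol="udp", dst_port=4500),
    Rule("accept", "Allow IKE", in_interface="ether2", protocol="udp", dst_port=500),
    Rule("accept", "Allow L2TP", in_interface="ether2", protocol="udp", dst_port=1701),
]
CORE = [
    Rule("accept", "Accept established,related,untracked", connection_state=EST),
    Rule("drop", "Drop Invalid Connections", connection_state=frozenset({"invalid"})),
    Rule("accept", "Accept ICMP", protocol="icmp"),
]
DROP_NOT_LAN = Rule("drop", "drop all not coming from LAN", in_interface_list="!LAN")

INPUT_GOOD = CORE + VPN_ACCEPTS + [DROP_NOT_LAN]   # services opened before the catch-all drop
INPUT_BAD = CORE + [DROP_NOT_LAN] + VPN_ACCEPTS    # catch-all drop shadows the service rules

FT_NON_IPSEC = Rule("fasttrack-connection", "Fasttrack non-IPsec",
                    connection_state=frozenset({"established", "related"}),
                    connection_mark="!ipsec")
ACCEPT_EST = Rule("accept", "Accept established,related,untracked", connection_state=EST)
FORWARD_OP = [ACCEPT_EST, FT_NON_IPSEC]     # original post: accept is terminal, fasttrack unreachable
FORWARD_FIXED = [FT_NON_IPSEC, ACCEPT_EST]  # reordered: fasttrack first, then accept


if __name__ == "__main__":
    sstp = Packet("ether2", "tcp", 1443)                       # new SSTP session from WAN
    rdp = Packet("ether3", "tcp", 3389, "established")         # established RDP flow from LAN
    rdp_vpn = Packet("ether3", "tcp", 3389, "established", "ipsec")
    print("input, accepts before drop:", evaluate(INPUT_GOOD, sstp))
    print("input, accepts after drop: ", evaluate(INPUT_BAD, sstp))
    print("forward, OP order:         ", evaluate(FORWARD_OP, rdp))
    print("forward, fixed order:      ", evaluate(FORWARD_FIXED, rdp))
    print("forward, fixed, ipsec mark:", evaluate(FORWARD_FIXED, rdp_vpn))
```

The same walk shows why the mangle marks matter: with the fixed order, an established flow carrying the `ipsec` connection mark is accepted but never fasttracked, while an unmarked flow is fasttracked, which is exactly the split dalami's `connection-mark=!ipsec` rule is meant to produce.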

@anav you’re a firewall machine. You should create a sticky post for reference.

Not really, I just have such a poor understanding of how this router works (or, well, packet flow in general) that I have to dumb it down so I understand.

dalami and anav, thank you for your replies. I will look at and test both changes on 2 local yet remote routers and come back next week with what happens; again, thank you for your time. anav, I like your signature LOL

dalami, it might take a bit of time to test yours; my virus and other service protection are further down my rules. These are the top 20-ish of 245 rules. Virus, RDP, VPN, DDoS and other protection is down the list. Your rules do raise some questions about whether I'm placing them in the wrong portion. I appreciate your input.

anav, I think I put everything together wrong. Everything seems to work, but my 24/7 public VPN connections that I use for my local domain, website and LAN office VPN connection drop unless I disable the rule in red.

add action=drop chain=input comment="Default Firewall - DROP ALL ELSE"

add action=accept chain=input comment="Default Firewall - Accept ICMP" protocol=icmp
add chain=forward action=fasttrack-connection comment="Default Firewall - Fasttrack disable for IPsec VPN Connections" connection-state=established,related connection-mark=!ipsec
add action=accept chain=input comment="Defcon Exempt - Accept Exempt IP Addresses" disabled=no src-address-list="Exempt Addresses"
add action=accept chain=forward comment="Defcon Exempt - Accept Exempt IP Addresses" disabled=no src-address-list="Exempt Addresses"
add action=drop chain=forward comment="Default Firewall - Drop Invalid Connections" connection-state=invalid
add action=accept chain=forward comment="Default Firewall - Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Default Firewall - Accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Default Firewall - Allow port forwarding WAN" connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=input comment="Default Firewall - DROP ALL ELSE"

I forgot to add these in/out mark mangles at the beginning for the FastTrack bypass:

add action=mark-connection chain=forward comment="Mark IPsec connections to exclude them from Fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec connections to exclude them from Fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec