I recently bought myself a new MK router. This was ENTIRELY a new project and I am excited to be getting my hands dirty. I have an intermediate understanding of networking and firewall rules and I have followed this guide to setting up my new router:
The firewall rules section is about halfway down the page.
These are the firewall rules that I finally have according to that page. Is this acceptable for a SOHO setup?
I don’t want to block any LAN devices to the internet. ALL devices must have full access to the WAN. I just want to make sure my LAN is protected from naughty people.
The default rules are enough for protection. Because your picture is not showing (better post /ip/firewall export), it is hard to say what you did. And I’m not going to read some website.
I didn't expect you to read the website page. I only put it there so that others could see why I used the rules in the screenshot. I'm also not sure why the screenshot didn't show. I have now changed it to a URL.
Only as a side note:
The default rules that come with Mikrotik SOHO devices have two features that your ones miss:
they are marked in comment as “defconf” which is useful when/if you want to change some of them
they have a comment summing up what the rule does
As well, the generic advice is to group rules by their chain, to make them more readable.
Now imagine yourself in 1, 2 or 3 months' time needing to modify the firewall rules and having them without a reference or explanation. Even if you have a good memory, have learned by heart all the intricacies of firewall filters, and manage to add or change something successfully, what will happen after another 3 or 6 months?
I just had a quick glance at the page ... the first chapter is titled "Remove all configuration:" .. which makes me turn away from this thread. If @OP follows such a "cook book", then he should trust the author of the cookbook and discuss any minor issues he might have with the cookbook. Or @OP should turn away from that article, stick to default and ask here for advice on how to improve default.
I can always perform a hard reset of the router and start again. I just liked the idea of going through everything and learning how everything was set up.
I don’t want to detract from the context of this post but one of the reasons I wanted to start from scratch is because I have never worked with MK before and I wanted to use the SFP port as my WAN port and had no idea how to do that. The tutorial explained how to set up one of the ports as the WAN port and all I did was I chose the SFP instead of ether1.
Anyways, now that I have my hands dirty, I can hard reset and change the setup accordingly and leave the firewall rules in place.
When I saw those rules and that you had your chains mixed up, I threw up and left for a while.
Just came back to say: put chain rules together. It makes it much easier to read and troubleshoot issues, as rules are processed within a chain in the order they are presented, and order is important.
Simply, in the forward chain, prior to the last rule (Drop all else),
add in the traffic required: device A to Subnet B, or Subnet C to device D, for example…
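As an added illustration of the two points made in the replies above (rules grouped by chain and every rule carrying a comment, plus the site-specific accept placed in the forward chain before the final drop), here is what such a filter list looks like in RouterOS script form. This is not from the thread, the linked tutorial or MikroTik documentation: the "defconf:" rules approximate the RouterOS v7 default firewall and should be compared with your own device's /ip/firewall/filter export, and the subnets 192.168.10.0/24, 192.168.20.0/24, the host 192.168.20.10 and the "LAN"/"WAN" interface lists are assumed values.

```routeros
# Added example: one filter list, grouped by chain, every rule commented.
# The "defconf:" rules approximate the RouterOS v7 default firewall; verify
# against your own device with:  /ip/firewall/filter export
# Interface lists LAN and WAN are assumed to exist (the default config creates them).
/ip firewall filter

# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

# --- forward chain: traffic routed through the router ---
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# Site-specific rules go HERE, before any catch-all drop: a chain is evaluated
# top to bottom and the first matching terminating rule (accept/drop) wins.
# Requirement from the original post: every LAN device gets full WAN access.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow all LAN to WAN"
# Made-up example of "device A to subnet B": let 192.168.10.0/24 reach one host
# 192.168.20.10 in another LAN subnet, on TCP 22 only.
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.20.10 protocol=tcp dst-port=22 comment="allow subnet A to host D (ssh)"

# Optional explicit catch-all (the tutorial-style "drop all else"). The default
# configuration does not have one; add it only if you want other LAN-to-LAN
# traffic blocked, and keep it as the LAST rule of the chain.
add chain=forward action=drop comment="drop all else in forward"

# Inserting a rule in front of an existing one later, without re-entering the
# list: take the rule number from  /ip firewall filter print  and use place-before.
# /ip firewall filter add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.10.0/24 comment="allow subnet B to subnet A" place-before=13
```

The comments are the part that pays off in three months: `/ip firewall filter print` shows them next to each rule, and prefixing your own rules with something other than "defconf:" makes it obvious which lines are yours and which came with the device.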
Firstly, thank you all for your comments and input.
Ok, so what I did is took everyone’s advice and reset the unit back to factory defaults. I made some changes to the IP ranges and the interfaces and everything is working as it was before but this time I never touched the Firewall. So now the firewall is still standard out of the box.