FEATURE REQUEST: Add Basic Firewall Rule Wizard

Please add a button that will add certain common, basic firewall rules. For example, on ip/firewall/rules add a winbox button called “add basic rules wizard”. Have this button generate a series of check-boxes that can be selected from to add basic firewall rules based on your LAN/WAN lists.

Such possibilities include:

  • Add Default firewall rules
    Block BOGON networks from WAN, incoming and outgoing
    Add default FASTTRACK rules
    Add IPSEC rules
    Add VPN rules

Just to name a few

That’s already included in the default config. The rules are freely available from the Wiki if you need to reference them.

I understand that they are there, but not having to log into the terminal and run a bunch of commands would be nice for the average user. Not having to look through the wiki would be nice also.

Click button, get firewall rules.

There’s nothing wrong with adding some simple features via a wizard. It’s when there’s no manual configuration and it’s not transparent that wizards become an issue.

Making RouterOS slightly more friendly never hurt anybody.

You can’t simplify this. Each situation is different. For example, some people may be behind the ISP’s NAT and use RFC1918 addresses… blocking bogons might break this…
In addition, these “premade” rules may be incompatible with existing settings, etc… If you have a single change against defconf, it may break so many things…
Too many problems, not much simplification.

Finally, if you know you want bogon rules (i.e. you know the term) then you can create the rule in less than 1 minute anyway. If you want VPN rules, you know exactly what kind of VPN you use and again - you can add it in a few minutes. Users who would benefit from such a wizard will not understand those terms and in the end will not have any benefit.

That is why we have Quick Set, where you can disable/enable the default firewall ruleset or default NAT rules.

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job.

Simplifying a firewall rule wizard, such as adding bogon and certain types of VPN rules, won’t mess anything up for standard configurations as long as you actually follow best practice and put your WANs and LANs in the address lists.

Personally I have a script written that applies all the firewalls I need for certain situations, including Multi-WAN and Multi-LAN and everything. The scripts utilize the address lists to ensure everything works. I am not the typical user, but I do work with ISPs that utilize Mikrotik products at the customer location, including basic residential.

Note, I’m saying for standard configurations. One WAN, one LAN, standard.

If you are not using a “standard configuration” then you likely don’t want to use a firewall rule or wizard.

Get your head out of the sand and realize that simplifying a product or its configuration makes the product more marketable to more people. The more marketable RouterOS products are, the more cool products Mikrotik will keep making.

It would be helpful if there were a feature (in Quick Set or otherwise) to reset the firewall to defaults (including the required interface lists) without changing other router config.
The default firewall has been improved a lot, but many users still run the old firewall because it is only updated when you reset EVERYTHING to defaults.

I did not know this and I would not reset everything.

That’s why I hate the non-IT community. Instead of complaining about what you don’t know how to use and asking to dumb down things, you should start by RTFM. It doesn’t cost your job. It isn’t even your job to begin with.

making something more intuitive - good, and RouterOS is doing well (of course it’s relative, beginners may not agree)
making it simpler - depends, but probably good if it doesn’t limit possibilities
dumbing down - bad

This could be the second case; some of it could be good as part of a future, more capable Quick Set. But outside of it, I’m not sure. Some of those things are just too simple (e.g. VPN/IPsec needs one to three simple rules). And you add them once. You save nothing with the wizard. It could make sense for something more complex, but then you have the problem of how to put things together. You still need to understand what you’re doing, put the rules in the right place, etc. It’s difficult to do automatically, unless you support it only for one specific basic config. Which IMHO leads again to an improved Quick Set.

There is no possible scenario an “auto firewall” button would work. Where it may work for you, it won’t for another.

I share your sentiment entirely about not over-complicating things, but sometimes there is a wish to be spoon-fed.

Well of course there is the possibility of having an extra layer on top of the current settings where you would manage the firewall from Quick Set only and you would have selections like “open this service to internet” or “forward this port to that IP (from internet)” and the system would maintain the rules required for that by itself.
Indeed when you make manual changes in the config and then go back to the Quick Set way it will totally break, but that already is the case with the current Quick Set once you go beyond a simple NAT-router setup… we have requested a “lock” on Quick Set for a long time (so you can block Quick Set once you have made specific customizations, either manually or automatically) but it never happened, so MikroTik apparently is not so worried about that.

But note that lots of things that people are fighting with, like having the proper firewall settings for a system that uses IPsec, have been solved in the default firewall on newer RouterOS versions.
But most people never get that new default firewall. Even when you buy the device new, the first time you plug it in it loads the default firewall rules for the RouterOS that was installed by the factory (maybe half a year ago) and then when you click “Check for Updates” in the Quick Set and it updates the RouterOS, the new firewall is never loaded unless you then again click Reset to Defaults.
Which most people never do because they already started from defaults.
Similarly, once you have owned the device for some time and you upgrade RouterOS, the new firewall is never loaded and you won’t Reset to Defaults anymore because you have already configured it.
It would be great if there were an additional “Reset only Firewall to Defaults” button in Quick Set that just resets the firewall. Maybe it should even hint to do that when you first access the router after an upgrade and it sees it does not have the current defaults yet.

Resetting just the firewall is not great either, except for totally casual users.

A firewall analyzer would be nice.

I think most casual users would be totally fine with the default firewall as it is today.
Of course it is not a button you must click without knowing what you are doing, but that is the case for almost any setting in a router like this.

You have to be careful because the WAN might not be connected to the first port.

That’s why Interface Lists were introduced: no more “ether1” in firewall rules!

Indeed, that is one of the reasons the new default firewall is so much better.
Of course, resetting the firewall should also create and populate the interface lists when they were not yet present.
(as the defaults script does as well)

How would the router know which ports are WAN in the general case to create those lists?

It can look at the existing configuration. E.g. check where the default route is pointing.
Remember this is only for the simple “NAT router on a consumer internet connection” case.
It manages quite well when you use Quick Set to configure a router, e.g. when you configure a PPPoE client that interface is automatically added to the WAN list.
It does not matter so much when it makes wrong decisions because of the clever use of WAN and !LAN in the firewall.
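As an added example (not code from this thread or from MikroTik’s own defconf script), the following RouterOS script does what the last few posts describe for the simple “one WAN, one LAN” case: create and fill the WAN/LAN interface lists from the running configuration, then re-apply default-style rules that match on WAN and !LAN. It assumes the LAN bridge is named “bridge” and that the WAN address comes from a DHCP client; the rules mirror the published default firewall, with only rules tagged “defconf:” being replaced.

```routeros
# Added example, not MikroTik's defconf. Rebuild a default-style firewall on a
# simple "one WAN, one LAN" router without touching the rest of the config.
# Assumptions: LAN is the bridge named "bridge" (the defconf name) and the WAN
# gets its address from a DHCP client, as on most consumer connections.

# 1. Create the interface lists the rules depend on, if they do not exist yet.
:foreach listName in={"WAN";"LAN"} do={
  :if ([:len [/interface list find name=$listName]] = 0) do={
    /interface list add name=$listName
  }
}

# 2. Populate the lists from the running configuration.
:if ([:len [/interface list member find list=LAN interface=bridge]] = 0) do={
  /interface list member add list=LAN interface=bridge
}
:local dhcp [/ip dhcp-client find status=bound]
:if ([:len $dhcp] = 1) do={
  :local wanIf [/ip dhcp-client get $dhcp interface]
  :if ([:len [/interface list member find list=WAN interface=$wanIf]] = 0) do={
    /interface list member add list=WAN interface=$wanIf
  }
} else={
  :log warning "firewall reset: no single bound DHCP client, fill the WAN list by hand"
}

# 3. Replace only the rules tagged as defaults; custom rules are left alone.
#    Note: new rules are appended, so a custom accept rule kept above them
#    still takes precedence. Check the order afterwards.
/ip firewall filter remove [find comment~"^defconf:"]
/ip firewall nat remove [find comment~"^defconf:"]

# 4. Default-style rules. Input drops everything not from LAN and forward drops
#    new WAN connections that were not DST-NATed, so a wrong WAN guess fails
#    closed rather than open.
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
/ip firewall filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
/ip firewall filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
/ip firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
/ip firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"
```

Run it from a terminal session (or as a script) and then review /ip firewall filter print to confirm the defconf rules sit where you expect relative to any custom rules.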

I would very much agree to include a very simplified entry under Quick setup to open a certain port or service to a specific IP address. I believe that the Quick Setup page could be made a separate package of ROS so that it is installed only by novice users and those who do not want it do not install it.