Firewall check

Hi All,

I built my first MikroTik firewall and would like to check if I missed anything major or over-engineered it :)
Goal is to:

  • Allow internet for the LAN Clients
  • Allow WireGuard remote VPN with access to the other LAN clients
  • Allow a port DNAT for only certain IP Address
  • Drop everything else
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=internet list=WAN
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
/ip firewall filter
add action=accept chain=forward comment="Allow new connections to the internet from LAN" connection-state=new in-interface-list=LAN
add action=accept chain=forward comment="Allow established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow port 8086 only for the address list Remote_Probes" dst-port=8086 protocol=tcp src-address-list=Remote_Probes
add action=drop chain=forward comment="Drop All Forwarded"
add action=accept chain=input comment="Allow DNS traffic from LAN to router" in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Allow DNS traffic from LAN to router" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="Allow WireGuard traffic" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow traffic from LAN interface list to the router" in-interface-list=LAN
add action=drop chain=input comment="Drop All New"
/ip firewall nat
add action=masquerade chain=srcnat comment="Enable NAT on WAN interface" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Destination NAT to forward traffic on port 8086 to 172.16.10.3" dst-port=8086 in-interface-list=WAN protocol=tcp to-addresses=172.16.10.3 to-ports=8086
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes

You’re following the concept “allow what’s needed, drop everything else”, which is good.

From a performance point of view your rules would benefit from some reworking. Rules are evaluated top-to-bottom (inside each chain), so performance-wise it's good to put the rules which will deal with most packets higher on the list. You're missing fasttrack rules (those particularly boost performance). The default firewall rule set is very good at these aspects, so I recommend you have a look at the default and try to understand how it performs, and then adjust your firewall rules accordingly.

Personally I’d start from default (not only it’s good performance wise, it’s also pretty secure) and adjust/add needed rules. Starting from scratch does sound fun, but it’s easier to miss things as well.

Good to know I didn’t do anything stupid. Will have a look at the default rules to see what I can optimize more.

Is this device connected to the internet directly or through another router?
Why did you remove all the defaults?

Directly to the internet

Learning purposes mostly. Wanted to learn how to build a firewall from scratch.

Keep chains together and order is important overall. One should have a source originating traffic and an endpoint destination for that traffic.
Traffic that is port forwarded should not normally be placed in forward chain but in dstnat chain. The fw forward chain only needs a general rule allowing port forwarding.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid traffic" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input comment="default established etc.." connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ping" protocol=icmp
add action=accept chain=input comment="allow admin" src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS traffic udp" in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Allow LAN DNS traffic tcp" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="Allow WireGuard traffic" dst-port=13231 protocol=udp
add action=drop chain=input comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Enable NAT on WAN interface" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Server XYZ" dst-port=8086 protocol=tcp in-interface-list=WAN to-addresses=172.16.10.3

Note: firewall address list (usually from DHCP static leases)
/ip firewall address-list
add address=admin1 list=Authorized comment="admin wired PC"
add address=admin2 list=Authorized comment="admin laptop wifi"
add address=admin3 list=Authorized comment="admin smartphone/ipad wifi"

Thanks, in this example I still need a rule to allow traffic from the WireGuard to the LAN.

Correct.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid traffic" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward comment="wg lan access" in-interface=wireguard1 dst-address=172.16.10.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
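As an added illustration that is not part of the thread (not RouterOS code and not any poster's config), the Python below models the first-match, top-to-bottom walk of the forward chain from the last post and runs constructed packets through it, once without and once with the "wg lan access" rule. It makes the points from the earlier replies concrete: rule order decides which rule a packet hits, the fasttrack rule is modelled as passthrough (the packet continues to the accept rule after it), a chain that runs out of rules accepts, so the final drop is what enforces "drop everything else", and without the WireGuard rule the wireguard1 to LAN packet falls through to that drop. Interface-list membership follows the thread's /interface list member section; the contents of the Remote_Probes address list, the LAN host addresses and the WireGuard peer address are made-up sample values.

```python
"""Added illustration, not RouterOS or any poster's code: a first-match
evaluator for a MikroTik-style forward chain, run over constructed packets."""
import ipaddress
from dataclasses import dataclass, field, replace

# Interface lists as in the thread's /interface list member section.
INTERFACE_LISTS = {"WAN": {"internet"}, "LAN": {"bridge1", "wireguard1"}}
# Constructed address-list contents; the thread never shows them.
ADDRESS_LISTS = {"Remote_Probes": {"203.0.113.10"}}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 0
    conn_state: str = "new"     # new / established / related / untracked / invalid
    nat_state: str = ""         # "dstnat" once a dstnat rule rewrote the packet
    fasttracked: bool = False   # set by a fasttrack-connection rule


@dataclass
class Rule:
    action: str                 # accept / drop / fasttrack-connection
    comment: str
    match: dict = field(default_factory=dict)


def matches(rule: Rule, p: Packet) -> bool:
    """All matchers present on a rule must hold (RouterOS ANDs them)."""
    checks = {
        "in-interface-list": lambda v: p.in_iface in INTERFACE_LISTS[v],
        "out-interface-list": lambda v: p.out_iface in INTERFACE_LISTS[v],
        "in-interface": lambda v: p.in_iface == v,
        "connection-state": lambda v: p.conn_state in v.split(","),
        "connection-nat-state": lambda v: p.nat_state == v,
        "protocol": lambda v: p.proto == v,
        "dst-port": lambda v: p.dst_port == int(v),
        "src-address-list": lambda v: p.src in ADDRESS_LISTS[v],
        "dst-address": lambda v: ipaddress.ip_address(p.dst) in ipaddress.ip_network(v),
    }
    return all(checks[k](v) for k, v in rule.match.items())


def walk_chain(chain, p: Packet):
    """Walk top-to-bottom; the first matching accept/drop ends the walk.
    fasttrack-connection is modelled as passthrough (the packet continues to
    the next rule), which is why an accept rule sits right after it. If no
    terminating rule matches, RouterOS accepts, so the final drop matters."""
    p = replace(p)  # work on a copy so the sample packets stay reusable
    for rule in chain:
        if not matches(rule, p):
            continue
        if rule.action == "fasttrack-connection":
            p.fasttracked = True
            continue
        return rule.action, rule.comment
    return "accept", "(end of chain: implicit accept)"


# Forward chain from the last post, without and with the WireGuard rule.
BASE = [
    Rule("fasttrack-connection", "fasttrack", {"connection-state": "established,related"}),
    Rule("accept", "Allow established,related,untracked",
         {"connection-state": "established,related,untracked"}),
    Rule("drop", "drop invalid traffic", {"connection-state": "invalid"}),
    Rule("accept", "internet traffic", {"in-interface-list": "LAN", "out-interface-list": "WAN"}),
]
WG_RULE = Rule("accept", "wg lan access",
               {"in-interface": "wireguard1", "dst-address": "172.16.10.0/24"})
TAIL = [
    Rule("accept", "port forwarding", {"connection-nat-state": "dstnat"}),
    Rule("drop", "drop all else", {}),
]
CHAIN_WITHOUT_WG = BASE + TAIL
CHAIN_WITH_WG = BASE + [WG_RULE] + TAIL

# Constructed sample packets (addresses are made up).
SAMPLES = {
    "lan_to_internet": Packet("bridge1", "internet", "172.16.10.20", "198.51.100.5", dst_port=443),
    "reply_from_internet": Packet("internet", "bridge1", "198.51.100.5", "172.16.10.20",
                                  conn_state="established"),
    "probe_to_8086": Packet("internet", "bridge1", "203.0.113.10", "172.16.10.3",
                            dst_port=8086, nat_state="dstnat"),
    "stranger_to_8086": Packet("internet", "bridge1", "203.0.113.99", "172.16.10.3",
                               dst_port=8086, nat_state="dstnat"),
    "unsolicited_wan": Packet("internet", "bridge1", "198.51.100.7", "172.16.10.20", dst_port=22),
    "wg_to_lan": Packet("wireguard1", "bridge1", "172.16.20.2", "172.16.10.20", dst_port=445),
}


def verdicts(chain):
    """Map each sample name to (action, comment of the rule that decided it)."""
    return {name: walk_chain(chain, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("without wg rule", CHAIN_WITHOUT_WG), ("with wg rule", CHAIN_WITH_WG)):
        print(label)
        for name, (action, comment) in verdicts(chain).items():
            print(f"  {name:20s} -> {action:6s} ({comment})")
```

The stranger_to_8086 sample is the check worth keeping in mind: the "port forwarding" rule in the later post accepts any connection that passed a dstnat rule, whatever its source, so the original goal of a port DNAT "for only certain IP Address" is no longer enforced unless src-address-list=Remote_Probes is kept on the forward rule, as in the first post, or added to the dstnat rule itself.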