Firewall rules advice

Hello,

I would like your advice about my firewall filter rules.
I'm a noob; I have built my rules following several tutorials and the MikroTik manual.
I think I understand more or less what they do, but less about the importance of their ordering, especially the WireGuard rules, fasttrack rules and SSH protection rules.
I also have a problem setting up WireGuard: the client can access the LAN but can't access the internet.

Here are my firewall rules; could you give me your opinion about them and the changes needed to optimize them?

Thank you

/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet log=yes protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 log=yes protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="allow wireguard" dst-port=13231 protocol=udp
add action=accept chain=forward comment="Allow wireguard traffic to lan" dst-address=10.28.201.0/24 src-address=10.13.13.0/24
add action=accept chain=forward comment="Allow wireguard traffic to internet" dst-address=0.0.0.0/24 src-address=10.13.13.0/24
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=Fasttrack connection-state=established,related disabled=yes
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=accept chain=input comment="Allow IGMP for Orange TV" in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=output comment="Allow IGMP for Orange TV" out-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=input comment="Allow IGMP for Orange TV" in-interface=ether7-TV protocol=igmp
add action=accept chain=forward comment="Allow Forward Multicast Orange" dst-address=224.0.0.0/4 dst-port=8200,8202 in-interface=vlan840-TV-Stream protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 log=yes log-prefix=dropssh_ protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 log=yes log-prefix=dropssh_ protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 log=yes log-prefix=dropssh_ protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 log=yes log-prefix=dropssh_ protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 log=yes log-prefix=dropssh_ protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="BLOQUE TOUTES LES CONNEXIONS ENTRANTES (exception avant)"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp

This part:

add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp

You are accepting all DNS requests, either from LAN or WAN.

Next, you are mixing the input and forward chains. In itself not a problem, but readability is low.

And at last (I’m not a firewall expert) you are creating all kinds of address lists. What is the main purpose of working like that? Listen to a port, add the source to an address list and then block entries on that address list.

My opinion: stick to the defaults unless you have a very good reason.

(Now I’m not going to go into a line-by-line list of what’s wrong or not, but the last rule… better no comment…)

Really disgusting, to be thrown in the trash.

Put back the default ones that are more than enough for you.
http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4

Unless you are an ISP, and pretending VERY hard that the rules are fine,
in case of an attack, after a few minutes the router memory is exhausted and it crashes or reboots the router.
This is what you get from "your" rules, besides obviously making (as indicated in the previous post) your own router a means to create DDoS attacks.

Reset the defaults, and unless you know what you are doing, stay still.

Hello,

Thanks for your reply and your frankness!
I have read the linked post and it's so simple! I understand.
So it's not necessary to set up rules to protect the router against SYN floods, SSH brute forcers, port scanners or others?

Shouldn't ping reply only to LAN requests, and not also to WAN?

I use a CCR2004 to replace my ISP box, so I need to add rules for the TV box;
at which level must I insert these rules?

For the hosted web services and my mail server, is it not necessary to set up "advanced" rules to protect them?

Thank you

add action=accept chain=input comment="Allow IGMP for Orange TV" in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=output comment="Allow IGMP for Orange TV" out-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=input comment="Allow IGMP for Orange TV" in-interface=ether7-TV protocol=igmp
add action=accept chain=forward comment="Allow Forward Multicast Orange" dst-address=224.0.0.0/4 dst-port=8200,8202 in-interface=vlan840-TV-Stream protocol=udp

Your ISP should do that job, not your router.
And what about bruteforce… bruteforce what?
You are the one leaving the door open, by default they are all closed on WAN side…
You should use a VPN as a wireguard, then log in.


Ping must respond from everywhere (ignoring now the various types etc.), for various and usual reasons written and rewritten by dozens of users.
Anyone who claims that all ICMP traffic should be blocked is objectively incompetent.


Not expert on that TV box, I prefer not to answer than to write bull–it.
For sure, you shouldn't put anything on output, and the multicast WAN-to-LAN forward rule goes above the last default forward rule.
However, one must always have an overall vision of the config (port names, VLAN, bridges, etc.), otherwise the discussion is always incomplete.


If you have hosted services, at most limit TCP connections per second (ignore ICMP);
do not try to add items to an address list or you will run out of memory in case of a DDoS…
It has to be reviewed from time to time.

Before you apply anything one must understand the purpose of the chains.
Input chain is traffic TO the router, so to router services.
None of your servers behind the router and on the LAN have anything to do with router services and thus seeing their rules in the input chain is ridonkulous.

So from a very basic premise you are blindly and incorrectly applying technical information that is more confusing than useful for the new beginner. I blame MT documentation for suggesting this garbage and it should be left for youtube videos and not MT documentation.

The default rules are a safe place to start.
Only input chain rule additions are to allow admin to the router, users only to services (typically DNS), and of course any port coming in for a VPN on the router like WireGuard.

Configuring the router should be about what traffic needs to flow, not blocking everything known to man…
Simply use drop-all-else rules at the end of the forward chain and input chain, in combination with most of the default rules, and you are in good shape.

Rule #8:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1

Start from:
http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4
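
To make the advice in the replies above concrete (defaults plus only the WireGuard port on input, DNS reachable from LAN only, no address-list machinery), here is an added example rule set; it is not from the thread or from any poster, and it is written from the RouterOS v7 default firewall rather than the original rule list. It assumes the interface lists WAN and LAN from the default configuration, a WireGuard interface named wireguard1 listening on UDP 13231 (the port in the original post) and the VPN client subnet 10.13.13.0/24 (also from the post). Note that the original "Allow wireguard traffic to internet" rule matches dst-address=0.0.0.0/24, which is only the 256 addresses 0.0.0.0 to 0.0.0.255, not "any destination"; in the layout below no such rule is needed at all.

```routeros
# Added example, not the thread's own rules: default RouterOS v7 firewall plus WireGuard.
# Assumed names: interface lists WAN and LAN, interface wireguard1 on UDP 13231.

# Put the WireGuard interface in the LAN list. The default rules then treat VPN clients
# like LAN hosts: they may reach router services (DNS) and be forwarded to the internet,
# so no per-subnet "allow wireguard to LAN/internet" forward rules are required.
/interface list member
add interface=wireguard1 list=LAN

/ip firewall filter
# --- input chain: traffic addressed TO the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 \
    comment="defconf: accept to local loopback (for CAPsMAN)"
# The WireGuard handshake must be reachable from the WAN, so this is the single
# service port opened before the "drop all not coming from LAN" rule.
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard listen port (added)"
# Everything else not arriving on a LAN-list interface is dropped. DNS on UDP/TCP 53 is
# therefore usable from LAN and VPN clients but never from the WAN, which removes the
# open-resolver problem the first reply pointed out; no separate DNS accept rule exists.
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# --- forward chain: traffic THROUGH the router ---
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
# Ordering: fasttrack sits directly before the generic accept so an established flow is
# marked for the fast path on its first matching packet; both rules match the same state.
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Only NEW connections coming in from the WAN that were not port-forwarded (dst-nat) are
# dropped; LAN and WireGuard clients remain free to open outbound connections.
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# VPN clients need source NAT towards the internet like any LAN host. The default
# masquerade rule already covers 10.13.13.0/24 because it matches only on the
# outgoing interface list, not on the source subnet.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="defconf: masquerade"
```

Any extra service (the TV box multicast forward, for instance) is inserted in the forward chain above the final "drop all from WAN not DSTNATed" rule, as the reply above indicates; rules added after that drop are never reached for new WAN connections. Nothing here adds sources to an address list, so a flood cannot grow router memory, which was the concern raised against the original SYN-flood and port-scan rules.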

Hello,
Thank you for your help; I have rebuilt my firewall rules like your post, plus added rules for my TV box and WireGuard.
Everything works fine: simpler, more effective and more understandable for me.

Thank you