Fix for BUGS, ERRORS on default RouterOS firewall rules and firewall changes from 6.43 to 7.21.2 / 7.22rc1

Everything described, although publicly visible and unlikely to cause harm,
is to be used only at the user's own risk.

Fix for BUGS, ERRORS on default RouterOS firewall rules and firewall changes from 6.43 to 7.21.2 / 7.22rc1
without resetting to default to apply the fix.

This applies to any version of RouterOS 6.43 and later,
and also to any version of RouterOS 7.0 and later,
especially if the machine has never been reset to default after various upgrades and updates.

Just paste it into the terminal: it fixes all bugs or errors in the default RouterOS firewall rules
and aligns only the default parts to 7.21.2 / 7.22rc1;
the remaining rules are untouched, so it does not fix your own errors.

For RouterOS v6.43 and up

/ip firewall filter
:if ([:len [find where comment="defconf: accept to local loopback (for CAPsMAN)"]] = 0) do={
    add chain=input action=accept src-address=127.0.0.1 dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)" \
        place-before=[find where comment="defconf: drop all not coming from LAN"]
} else={
    set [find where comment="defconf: accept to local loopback (for CAPsMAN)"] src-address=127.0.0.1
}
set [find where comment="defconf:  drop all from WAN not DSTNATed"] comment="defconf: drop all from WAN not DSTNATed"
set [find where comment="defconf: drop all from WAN not DSTNATed"] !connection-state

/ipv6 firewall address-list
remove [find where list=bad_ipv6 and address="::224.0.0.0/100"]
remove [find where list=bad_ipv6 and address="::127.0.0.0/104"]
remove [find where list=bad_ipv6 and address="::/104"]
remove [find where list=bad_ipv6 and address="::255.0.0.0/104"]

/ipv6 firewall filter
set [find where comment="defconf: accept UDP traceroute"] dst-port=33434-33534 !port
set [find where comment="defconf: accept DHCPv6-Client prefix delegation."] src-address=fe80::/10

For RouterOS v7.0 and up (differences from v6 are: in-interface=lo, hw-offload=yes and action=fasttrack-connection)

/ip firewall filter
:if ([:len [find where comment="defconf: accept to local loopback (for CAPsMAN)"]] = 0) do={
    add chain=input action=accept src-address=127.0.0.1 dst-address=127.0.0.1 in-interface=lo comment="defconf: accept to local loopback (for CAPsMAN)" \
        place-before=[find where comment="defconf: drop all not coming from LAN"]
} else={
    set [find where comment="defconf: accept to local loopback (for CAPsMAN)"] src-address=127.0.0.1 in-interface=lo
}
set [find where comment="defconf:  drop all from WAN not DSTNATed"] comment="defconf: drop all from WAN not DSTNATed"
set [find where comment="defconf: drop all from WAN not DSTNATed"] !connection-state
:execute "/ip firewall filter set [find where comment=\"defconf: fasttrack\"] hw-offload=yes"

/ipv6 firewall address-list
remove [find where list=bad_ipv6 and address="::224.0.0.0/100"]
remove [find where list=bad_ipv6 and address="::127.0.0.0/104"]
remove [find where list=bad_ipv6 and address="::/104"]
remove [find where list=bad_ipv6 and address="::255.0.0.0/104"]

/ipv6 firewall filter
set [find where comment="defconf: accept UDP traceroute"] dst-port=33434-33534 !port
set [find where comment="defconf: accept DHCPv6-Client prefix delegation."] src-address=fe80::/10
:if ([:len [find where comment="defconf: fasttrack6"]] = 0) do={
    :execute "/ipv6 firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment=\"defconf: fasttrack6\" \
                                        place-before=[find where chain=forward comment=\"defconf: accept established,related,untracked\"]"
}

The default rules are here:

This needs to be clear: anyone who updates or upgrades RouterOS will not have these updates (or the default firewall) automatically applied.

So, if the machine originally had, for example, RouterOS 6.43 (or earlier) and was updated to 6.43+ or 7.xx+,
it will still NOT have the default firewall rules and the configuration fixes.

The only way to apply the fixes on such upgraded devices,
aside from using this script or comparing your rules with the default ones and applying the fixes manually,
is to run netinstall or reset-configuration.

Versions prior to 6.43 have a different firewall scheme, based on interfaces rather than groups, and I strongly recommend upgrading to the way it is default now.

9 Likes
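As an added example, not part of the original post or of MikroTik's own tooling: a Python check that parses `/export`-style output (the sample below is constructed, not captured from a real device) and reports which of the defects the script above corrects are still present, so a router can be audited before and after pasting the script. The v7-only items (in-interface=lo, hw-offload, fasttrack6) are not checked; all rule names and comments are taken from the script.

```python
import shlex

# Constructed sample (not from a real device): `/export` output of a router upgraded from
# an old default config, carrying the defects the thread's script repairs.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \\
    dst-address=127.0.0.1
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \\
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept UDP traceroute" \\
    port=33434-33534 protocol=udp
"""

def parse_export(text):
    """Join backslash-continued lines; return one dict per `add` line, tagged with its menu."""
    rules, buf, menu = [], "", ""
    for line in text.splitlines():
        buf += line[:-1] if line.endswith("\\") else line
        if line.endswith("\\"):
            continue  # the command continues on the next line
        tokens, buf = shlex.split(buf), ""
        if tokens and tokens[0].startswith("/"):
            menu = " ".join(tokens)  # e.g. "/ipv6 firewall filter"
        elif tokens and tokens[0] == "add":
            rule = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            rule["menu"] = menu
            rules.append(rule)
    return rules

def audit(rules):
    """Return one finding per defect that the thread's fix script would change."""
    v4, v6, findings = "/ip firewall filter", "/ipv6 firewall filter", []
    by_comment = {(r["menu"], r.get("comment")): r for r in rules}
    lb = by_comment.get((v4, "defconf: accept to local loopback (for CAPsMAN)"))
    if lb is None or lb.get("src-address") != "127.0.0.1":
        findings.append("v4: loopback accept rule missing or without src-address=127.0.0.1")
    # The default config comment once carried a double space; the script renames it.
    for c in ("defconf: drop all from WAN not DSTNATed", "defconf:  drop all from WAN not DSTNATed"):
        wan = by_comment.get((v4, c), {})
        if wan and "  " in c:
            findings.append("v4: double space in 'drop all from WAN not DSTNATed' comment")
        if "connection-state" in wan:  # redundant: earlier rules already consumed the other states
            findings.append("v4: redundant connection-state on 'drop all from WAN not DSTNATed'")
    tr = by_comment.get((v6, "defconf: accept UDP traceroute"), {})
    if "port" in tr or "dst-port" not in tr:
        findings.append("v6: traceroute rule should use dst-port=33434-33534, not port=")
    return findings
```

Run `audit(parse_export(open("export.rsc").read()))` on a saved `/export file=export` to list what is still unfixed; an empty list means the covered defects are gone.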

RouterOS v7 only:
I also added the hw-offload=yes "fix" (for v7.18 and up) and
the missing action=fasttrack-connection on the ipv6 firewall filter (for v7.18 and up)

Those lines need to start "/ipv6". The entries you're targeting don't exist in the IPv4 address list.

1 Like

Thanks, fixed the first post.

Confirmed all for 7.21.2 and 7.22beta6

1 Like

hw-offload=yes for fasttrack connections is not applicable on some devices

1 Like

Thanks, it's already taken into account in the script.

7.21

What's new in 7.21 (2026-Jan-12 14:56):

*) firewall - hide hw-offload setting from devices that do not support it;
*) firewall - make hw-offload=yes default setting in /ip/firewall/filter menu;

I have to think about this thing that was introduced in 7.18 and changed several times...

I modified the script so that it doesn't give an (ignorable) error

On my ax2 (v7.21.2), the ipv6 addition of action=fasttrack-connection created a duplicate entry on my ipv6 firewall filter. Because it doesn’t check if it already exists. Thanks

1 Like

Thanks, fixed.

2 Likes

Thanks to everyone who contributes and reports problems.

1 Like

Hello,

Thanks for your script, really good idea.

I applied it on my ax3 in 7.21.2 and got this:

Tried a spare line manually:

Screenshot 2026-01-30 082635

My best guess would be that you execute from root instead of /ip/firewall/filter

1 Like

You are right, my bad. All executed fine now.

My rule here used to have “connection-state=new”. What does “!connection-state” mean?

It removes the condition. The connection-state=new condition in this rule at this position is redundant, because before the rule there are rules that already caught all the other possible connection states (established, related, untracked, invalid). Every packet that reaches this position will have connection-state=new and no other values.

3 Likes

Good morning and thanks for the feedback.

The script is designed to be pasted into the terminal in its entirety, not line by line, otherwise you'll "lose pieces".

I'm also writing this for others reading this thread.

Thanks again.

1 Like

Thanks again!

Yes, the first time I copied it entirely and pasted into terminal, but the log errors in my screenshot above appeared.

Marked topic with "rtfum" tag :slight_smile: as it deserves it

1 Like

I also got two error messages in the log, even though I ran the script in / in the terminal. I copied and pasted the whole block in Winbox 4 on RB5009.