I went crazy, because I wanted to see examples of how to have decent security. My config file works fine and everything, but I'm not sure if everything works the way it's supposed to, as the Access Control Lists (ACLs, aka firewall rules) may be in the wrong order and stuff like that. It's all just mushed together (there are probably duplicate rules). I guess I want everything on its own separate VLAN too.
My router resources are still low but I have a good router for my situation
Please help me fix and consolidate this config with your experience, Thanks!
My MikroTik is 192.168.88.1 (GW) it connects to my ISP router (GW) 192.168.254.254
My PC is 192.168.88.254
My first sentence says: I wanted to see examples of how to have decent security. I want to learn the syntax. I want to learn how to create IDS/IPS systems. Just diving in head first trying to learn this stuff. I like the CLI but don't understand these chains yet. I will revise it soon.
I really enjoy the freeware program called PeerBlock. I wish I had a hardware version to protect my whole network, like at the inside local area (my WAN interface).
Anyone up for this? Want to help me consolidate for good home Wi-Fi AP security? If not, I will eventually get around to learning the syntax and configuring it how I want. Thanks.
I see a few duplicates in the default config.
Do these rules go from top → down like in Cisco’s ACLs?
If so, is there an implicit deny all at the end?
Ex: in your post, you have a “drop everything else” in the middle of the settings… how does the processor know when to “drop everything else”, if the timing is not specified?
Really important stuff that you have to understand regarding the firewall in RouterOS are chains; you have to know the TCP and UDP protocols and have some insight into ICMP. And then there is IPv6.
p.s. The default home/SOHO router configuration is locked down. Everything you add will most probably make it less secure, as nothing beats chain=input action=drop interface=
So are you saying that rule is a “tcp established” type of rule?
OR is that rule meant to be at the very last (after the allow rules)?
If not, please break it down for me, thanks.
add action=drop chain=forward comment="Drop everything else not specified, except LAN" in-interface=!ether01

If it is first, everything gets instantly dropped and nothing passes through.
Routers process access-lists and firewall statements line by line, beginning from the top, until the first match is found.
If a match is found, no further rules will be processed for that packet.
Depending on how many interfaces you have, how many of those are "trusted" and how many are "untrusted", different approaches exist.
For example, I have multiple "untrusted" uplink interfaces, hence it makes more sense to block all others except the one "trusted" one via a single line.
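Here is an added example (not code from this thread or from MikroTik) that models the top-down, first-match processing described above and shows why the position of the "drop everything else" rule matters. Rules and packets are deliberately simplified constructions: a rule matches on chain, an optional in-interface (with RouterOS-style "!" negation) and an optional set of connection states. The interface roles (ether1 = LAN, ether2 = ISP side) are assumptions.

```python
"""First-match firewall evaluation, as described in the replies above.

Added example, not code from the thread or from MikroTik. Rules and packets
are simplified constructions: a rule matches on chain, an optional
in-interface (with RouterOS-style "!" negation) and an optional set of
connection states; the first terminating match decides the packet's fate.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass
class Rule:
    chain: str
    action: str                         # "accept", "drop" or "log"
    comment: str = ""
    in_interface: Optional[str] = None  # e.g. "ether1" or "!ether1"
    connection_state: frozenset = frozenset()  # empty = match any state

    def matches(self, pkt: dict) -> bool:
        if self.chain != pkt["chain"]:
            return False
        if self.in_interface is not None:
            negate = self.in_interface.startswith("!")
            name = self.in_interface.lstrip("!")
            # "!ether1" matches when the packet did NOT arrive on ether1
            if (pkt["in_interface"] == name) == negate:
                return False
        if self.connection_state and pkt["connection_state"] not in self.connection_state:
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Walk the rules top-down and return (verdict, index of deciding rule).

    action=log is non-terminating in RouterOS, so a log rule records the
    packet and evaluation continues.  A packet that matches no rule is
    accepted: RouterOS has no implicit deny, which is why a final drop
    rule belongs at the END of the chain, not the start.
    """
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            if rule.action == "log":
                print(f"log: rule {idx} ({rule.comment}) saw {pkt}")
                continue
            return rule.action, idx
    return "accept", None


# The thread's drop rule, with ether1 assumed to be the LAN port
FINAL_DROP = Rule("forward", "drop",
                  "Drop everything else not specified, except LAN",
                  in_interface="!ether1")
ALLOW_ESTABLISHED = Rule("forward", "accept", "allow established/related",
                         connection_state=frozenset({"established", "related"}))
ALLOW_LAN_OUT = Rule("forward", "accept", "allow LAN out", in_interface="ether1")
LOG_NEW_FROM_WAN = Rule("forward", "log", "log unsolicited WAN traffic",
                        in_interface="!ether1",
                        connection_state=frozenset({"new"}))

DROP_FIRST = [FINAL_DROP, ALLOW_ESTABLISHED, ALLOW_LAN_OUT]   # the order the thread warns about
DROP_LAST = [ALLOW_ESTABLISHED, ALLOW_LAN_OUT, LOG_NEW_FROM_WAN, FINAL_DROP]

# Constructed packets (ether2 assumed to be the ISP-facing port)
REPLY_FROM_WAN = {"chain": "forward", "in_interface": "ether2",
                  "connection_state": "established"}   # answer to a LAN request
UNSOLICITED_FROM_WAN = {"chain": "forward", "in_interface": "ether2",
                        "connection_state": "new"}     # nobody inside asked for it
LAN_OUT = {"chain": "forward", "in_interface": "ether1",
           "connection_state": "new"}                  # LAN host opening a connection


def verdicts(rules: List[Rule]) -> dict:
    """Verdict for each constructed packet under one rule ordering."""
    return {name: evaluate(rules, pkt)[0]
            for name, pkt in [("reply_from_wan", REPLY_FROM_WAN),
                              ("unsolicited_from_wan", UNSOLICITED_FROM_WAN),
                              ("lan_out", LAN_OUT)]}


if __name__ == "__main__":
    print("drop rule first:", verdicts(DROP_FIRST))
    print("drop rule last: ", verdicts(DROP_LAST))
```

With the drop rule first, replies to connections the LAN opened are dropped before the established/related accept ever runs, which is the "nothing passes through" effect; with it last, the accepts take their packets and only unsolicited traffic reaches the drop. The log rule shows that action=log never decides anything: it only records the packet and evaluation continues, which is why it is a debugging aid rather than a security control.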
It will log what gets blocked. What is allowed depends on the packets arriving at the router and the rules.
If many packets are sent to the router from outside without a request from an internal device, it is probably unwanted traffic and will be blocked.
The log rules are not always necessary, though. They are more for debugging if the firewall is not behaving as wanted.
He probably meant:
add action=drop chain=input
cannot be first; yours is the correct implementation…
Also, I talked about the "final drop rule", not about dropping only invalid packets.
Using this firewall list: http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner

Why is it now always thinking that I am a port scanner?
I see I have a lot of "TCP 6" connections, but I don't know what that port is.
It didn't do this before and I don't know what changed.
I am in the support user list. Thanks!
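Here is an added example (not MikroTik's implementation and not from the thread) that models the psd matcher in the rule quoted above, psd=21,3s,3,1, following MikroTik's documented meaning of the four values: WeightThreshold 21, DelayThreshold 3 seconds, LowPortWeight 3 for privileged destination ports, HighPortWeight 1 for the rest. The exact privileged range (ports below 1024), the reset-on-gap behaviour, the interface roles and all traffic are assumptions or constructed input. It shows how a LAN host touching several router services in quick succession reaches the threshold under a chain=input rule that has no in-interface restriction, and how scoping the same rule to the ISP-facing interface changes the result.

```python
"""A model of the psd matcher used by the rule quoted above:

    psd=21,3s,3,1  ->  WeightThreshold=21, DelayThreshold=3s,
                       LowPortWeight=3,    HighPortWeight=1

Added example, not MikroTik's implementation. It follows the documented
behaviour: packets from one source to *different* destination ports, each
arriving within DelayThreshold of the previous one, accumulate weight; a
privileged destination port counts LowPortWeight, any other port
HighPortWeight; reaching WeightThreshold flags the source.  The privileged
range (ports below 1024) and the reset-on-gap behaviour are assumptions.
"""
from collections import namedtuple
from typing import Iterable, Optional, Set

Packet = namedtuple("Packet", "t src in_iface dport")  # t = seconds


def parse_psd(spec: str):
    """'psd=21,3s,3,1' -> (21, 3.0, 3, 1)."""
    weight, delay, low, high = spec.split("=", 1)[1].split(",")
    return int(weight), float(delay.rstrip("s")), int(low), int(high)


def psd_flagged(packets: Iterable[Packet], spec: str = "psd=21,3s,3,1",
                privileged_max: int = 1023) -> Set[str]:
    threshold, delay, low_w, high_w = parse_psd(spec)
    state = {}          # src -> (time of last packet, ports seen, weight)
    flagged = set()
    for p in sorted(packets, key=lambda x: x.t):
        last_t, ports, weight = state.get(p.src, (None, set(), 0))
        if last_t is not None and p.t - last_t > delay:
            ports, weight = set(), 0          # gap too long: sequence restarts
        if p.dport not in ports:              # repeats of one port add nothing
            ports.add(p.dport)
            weight += low_w if p.dport <= privileged_max else high_w
        state[p.src] = (p.t, ports, weight)
        if weight >= threshold:
            flagged.add(p.src)
    return flagged


def flagged_by_rule(packets, in_interface: Optional[str] = None,
                    spec: str = "psd=21,3s,3,1") -> Set[str]:
    """Apply the matcher the way a firewall rule would: to every packet in
    the chain, or only to those arriving on one interface (in-interface=)."""
    scoped = [p for p in packets if in_interface is None or p.in_iface == in_interface]
    return psd_flagged(scoped, spec)


LAN, WAN = "ether1", "ether2"   # assumed port roles

# Constructed traffic.  The admin PC from the thread opens seven router
# services within two seconds (a management tool, a browser plus Winbox,
# a monitoring check): 7 privileged ports x weight 3 = 21, exactly the threshold.
ADMIN_PC = [Packet(i * 0.3, "192.168.88.254", LAN, port)
            for i, port in enumerate([21, 22, 23, 53, 80, 443, 161])]
# Ordinary LAN client: repeated DNS plus one Winbox connection, weight 3 + 1.
NORMAL_CLIENT = [Packet(5.0, "192.168.88.10", LAN, 53),
                 Packet(5.5, "192.168.88.10", LAN, 53),
                 Packet(6.0, "192.168.88.10", LAN, 8291)]
# Unknown host on the ISP side walking ports 1..10 within one second.
WAN_PROBE = [Packet(10.0 + i * 0.1, "203.0.113.9", WAN, port)
             for i, port in enumerate(range(1, 11))]
ALL_TRAFFIC = ADMIN_PC + NORMAL_CLIENT + WAN_PROBE


def compare_scoping() -> dict:
    """Who lands on the Port_Scanner list with and without in-interface scoping."""
    return {"rule_as_posted": flagged_by_rule(ALL_TRAFFIC),
            "wan_only": flagged_by_rule(ALL_TRAFFIC, in_interface=WAN)}


if __name__ == "__main__":
    for name, hosts in compare_scoping().items():
        print(f"{name:15s} -> {sorted(hosts)}")
```

Two practical points follow from the model. First, the rule as quoted applies psd to everything in the input chain, so a LAN machine that talks to the router on several services within the 3-second window can cross weight 21 and then stays on the Port_Scanner list for the rule's address-list-timeout of one week; adding an in-interface= restriction for the ISP-facing port keeps the detector on the side it was meant for. Second, in a RouterOS connection listing "6" next to TCP is the IP protocol number (TCP is protocol 6, UDP is 17), not a port, so "TCP 6 connections" are simply TCP connections; the destination port is the number to look at when checking which router service the traffic is hitting.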