Help me protect my router;)

Here we go, I usea 450G, eth1 is my own LAN, eth 2-4 later multiple ISP’s.

I need to:

• Stop all private IP traffice from going over eth2-4 (as thi would be a routing issue, like a VPN down)
• Any traffic terminating on eth2-4, without blocking NAT. THere is no server running there, and even if I put that up later, this can be changed, but now now any attempt to talk to eth2-4 from the outside is invalid (with the exception if icmp / ping).

How do I set up those rules?

Source NAT happens after postrouting, which is the last firewall facility. It is impossible to determine whether or not a packet is going to be source NATted or not, so you cannot block private source IP addresses from leaving through ether2 - 4. You’ll just have to write NAT rules to ensure this doesn’t happen. If you mean traffic with private destination IP addresses, that is relatively easily done as destination NAT (if used at all) happens after prerouting, so the forward chain will see the final IP address in the destination field of the header. To protect the LAN it is best to filter statefully. Permit all traffic in connections that are already allowed (established), as well as all related connections. Then only allow traffic out to the WAN for establishing connections. Something like this:

/ip firewall address-list
add chain=forward connection-state=established action=accept 
add chain=forward connection-state=related action=accept 
add chain=forward connection-state=invalid action=drop 
add chain=forward out-interface=!ether1 dst-address=192.168.0.0/16 action=drop
add chain=forward out-interface=!ether1 dst-address=10.0.0.0/8 action=drop 
add chain=forward out-interface=!ether1 dst-address=172.16.0.0/12 action=drop 
add chain=forward out-interface=!ether1 action=accept 
add chain=forward action=drop

While that answers your specific questions, that doesn’t actually protect the router - it secures traffic going THROUGH the router, but not traffic going TO the router. You should read at least the ip firewall filter wiki manual, and the packet flow diagram to understand the different chains. A very quick approach that doesn’t account for the router being a VPN server:

/ip firewall filter
add chain=input connection-state=established action=accept 
add chain=input connection-state=related action=accept 
add chain=input connection-state=invalid action=drop 
add chain=input in-interface=ether1 action=accept 
add chain=input protocol=icmp action=accept
add chain=input action=drop 

That will allow only your LAN to establish connections to the router, as well as ping from any interface.

Thanks, that was very helpfull. The protections is in place now The NAT thing I will look into - so far I use source NAT.

Sorry, but this seems wrong to me. A packet reaching eth2-5 with a destination (!) address that is in the private list basically tries to reach a private internet adress on the public internet. Source nat does not enter there (or?). As such, it should be dropped. Even after NAT it will try to reach the private IP. In case of UDP traffic this means that possibly confidential information will leave the corporate network unencrypted in the direction of the ISP (who should just throw it away).

Or do I get something wrong here.

For destination addresses that are private that is correct. In your initial post you did not clearly indicate what you are trying to keep from leaving the WAN interface: packets with private IPs in the destination field, or in the source field. Packets with private IPs in the destination field are easily blocked as I described. Packets with private IPs in the source field encounter the issue I described where a firewall rule cannot determine if a packet is going to be source NATted.

I hope that is more clear.