high-level structure to build an efficient, recommendations?

Hi MKs,
I would like to tidy up / restructure my firewall.
Instead of asking detailed questions, I would like to get opinions on how to structure it efficiently so that the CPU is spared as much as possible.

1. General protection for the router, against e.g. DoS/DDoS attacks, so RAW
2. Accept everything that is already running, or send it to FastTrack:

```text
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related,untracked
add action=accept chain=input comment="default configuration" connection-state=established,related,untracked
```

   (maybe move this to router access?)
3. Website filter, if desired
4. Allow new browser connections and email:

```text
add action=accept chain=forward in-interface-list=VLANsWithWANAccees-List out-interface=WAN port=(email ports and 80, 443)
```

5. Drop false connections:

```text
add action=drop chain=forward connection-state=invalid
```

6. Protect router
7. Filter router access:

```text
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
…chain=input …
```

8. Protect LAN
   1. Restrict access between VLANs (192.168.0.0/16 are all VLANs):

```text
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=192.168.0.0/16
```

   2. Not NAT'd traffic → drop
   3. Drop rest

Forget "3"; there is no such thing as a web filter in RouterOS that can be done efficiently to save CPU cycles.
Venturing into any of this higher-OSI-layer processing will have a huge CPU impact, dwarfing your other rules…

Option "4"? There is much, much more than only browser & mail… only allowing these will break a lot… What is your environment? Home user? Office/Enterprise? Service provider?

wow that was quick :smiley:

but if someone wants to block YouTube for his/her kids, if you don't redirect to e.g. PiHole?


forgot to add

```text
add action=accept chain=forward in-interface-list=VLANsWithWANAccees-List out-interface=WAN
```

somewhere between 4 and the end, depending on what checks you may want to add on normal web traffic from LAN to WAN.
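An ordered rule set that follows the numbered structure from the first post, including the plain LAN-to-WAN accept added in this post, as an added example that is not part of the original thread. The interface lists `LAN` and `WAN`, the address list `ddos_blacklist` (filled elsewhere) and the comments are assumptions; 192.168.0.0/16 is the VLAN range from the first post. The order is what saves CPU: RAW rules run before connection tracking, and once the FastTrack rule has matched a connection its remaining packets skip the filter entirely, so only the first packets of each connection ever reach the rules below it.

```routeros
# Added example, not from the thread. Assumes interface lists "LAN" and "WAN",
# an address list "ddos_blacklist" maintained elsewhere, and 192.168.0.0/16 for all VLANs.

# 1. RAW: evaluated before connection tracking, so a drop here costs no conntrack entry.
/ip firewall raw
add chain=prerouting action=drop src-address-list=ddos_blacklist comment="1: known bad sources, dropped before conntrack"
add chain=prerouting action=drop in-interface-list=WAN src-address=192.168.0.0/16 comment="1: spoofed private source arriving on WAN"

/ip firewall filter
# 2. Running connections first: after one FastTrack match the connection bypasses the rest of the filter.
add chain=forward action=fasttrack-connection connection-state=established,related comment="2: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="2: accept running"
# 5. Invalid next, so nothing below spends cycles on it.
add chain=forward action=drop connection-state=invalid comment="5: drop invalid"
# 8.1 Inter-VLAN isolation now only has to be evaluated for the first packet of a connection.
add chain=forward action=drop src-address=192.168.0.0/16 dst-address=192.168.0.0/16 comment="8.1: no traffic between VLANs"
# 8.2 New connections from WAN that were not dst-natted have no business being forwarded.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="8.2: not DSTNATed from WAN"
# 4. New LAN-to-WAN connections (the rule added in this post); port restrictions would go on this rule.
add chain=forward action=accept connection-state=new in-interface-list=LAN out-interface-list=WAN comment="4: LAN to WAN"
# 8.3 Everything else.
add chain=forward action=drop comment="8.3: drop rest"

# 6/7. Router itself: same idea, cheapest and most frequent matches first.
add chain=input action=accept connection-state=established,related,untracked comment="6: accept running"
add chain=input action=drop connection-state=invalid comment="6: drop invalid"
add chain=input action=accept protocol=icmp comment="6: icmp"
add chain=input action=drop in-interface-list=!LAN comment="7: drop all not coming from LAN"
```

Two caveats when reading this: FastTracked packets also bypass mangle and queues, so any rule that must see packets of an already established connection (content inspection, per-connection accounting) has to be placed above the FastTrack rule or has to keep the relevant connections out of FastTrack; and the drop-rest rule at the end of `forward` means every new service between VLANs or into the LAN needs an explicit accept above it.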

There are some ways to probably block YouTube completely, but I've never experimented with them to see if they are 100% working in 2022.
With things like "private DNS" (DNS-over-HTTPS etc.), usage of the QUIC protocol etc., things are getting more complex. You need to block & intercept all of that stuff, or someone will find some way to "sneak through".

A rule like this seems to work over here:

```text
add action=reject chain=blocklist comment="block youtube" protocol=tcp reject-with=icmp-network-unreachable tls-host=youtube
```
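The TLS-host reject from this post, extended with the two things the post says also have to be handled (QUIC and private DNS), as an added example that is not part of the original post. The chain name `blocklist` is the poster's; the GLOB pattern `*youtube*`, the interface list `LAN`, the jump placement, the `connection-bytes` threshold and the DNS redirect are assumptions. The part a practitioner trips over: the SNI sits in the TLS ClientHello, which is sent after the TCP handshake, so the packet `tls-host` has to inspect already belongs to an established connection. If that connection has been FastTracked by then, the packet bypasses the filter and the rule never fires, so FastTrack is delayed here until the first bytes of each connection have passed through the filter.

```routeros
# Added example, not from the thread. Assumes interface list "LAN" and a DNS resolver on the router.

/ip firewall filter
# Jump before fasttrack: the ClientHello carrying the SNI is not the first packet of the connection.
add chain=forward action=jump jump-target=blocklist in-interface-list=LAN comment="blocklist before fasttrack"
# Fasttrack only after 4 KiB have passed (assumed threshold): the handshake and ClientHello
# go through the filter, the bulk of the transfer still takes the fast path.
add chain=forward action=fasttrack-connection connection-state=established,related connection-bytes=4096-0 comment="fasttrack after the first 4 KiB"
add chain=forward action=accept connection-state=established,related,untracked

# blocklist chain
# QUIC (UDP/443) offers no cleartext SNI for tls-host; dropping it makes browsers fall back to TCP/TLS.
add chain=blocklist action=drop protocol=udp dst-port=443 comment="no QUIC"
# DNS-over-TLS has its own port. DNS-over-HTTPS shares 443 and can only be caught per resolver address (not shown).
add chain=blocklist action=drop protocol=tcp dst-port=853 comment="no DNS-over-TLS"
# The poster's rule with a GLOB so that www.youtube.com and the other hostnames match too (assumption).
add chain=blocklist action=reject protocol=tcp reject-with=icmp-network-unreachable tls-host=*youtube* comment="block youtube"
add chain=blocklist action=return

/ip firewall nat
# Force plain DNS through the router so its resolver (or a PiHole it forwards to) sees every query.
add chain=dstnat action=redirect protocol=udp dst-port=53 in-interface-list=LAN to-ports=53 comment="force router DNS"
add chain=dstnat action=redirect protocol=tcp dst-port=53 in-interface-list=LAN to-ports=53 comment="force router DNS"
```

This is exactly the CPU trade-off the earlier reply warned about: every new LAN connection now has its first 4 KiB inspected by the filter before it can be FastTracked, and `tls-host` cannot match a ClientHello that is split across several TCP segments, so it is a best-effort filter rather than a guarantee.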

I saw it too, and the answer on that below is not 100% usable; continuing the discussion could be endless, as it seems not to be that trivial, even for Pi-hole (#1&#2) or openWRT (#1&#2).

I would like to keep a high-level discussion at least until the structure is agreed :slightly_smiling_face:. I rephrased the topic's title, as the wording was not that good.