Home Firewall configuration

Hello,
I am a very new Mikrotik user and I am working on the firewall rules for my home network on an RB3011. I read a lot of wikis, but I am not sure if I am on the right way.
I have developed the rules in a text editor and have not deployed them to the productive system yet.
I am also not sure if my rules work correctly; therefore I would like to ask if someone can keep an eye on it, whether the network, especially the WAN connection, is fine, or whether there are some “holes” which have to be closed.

To make it readable, I have structured the rules, so I hope that the order of the rules is correct.
For my better understanding I also used comments beginning with “#”. The comments will not be loaded into the RB later.

Prerequisites:

  • interface list add name=WAN
  • interface list add name=LAN
  • interface list member add interface=ether1 list=WAN
  • interface list member add interface=br_vlan list=LAN
  • /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

Requirements:

  • block Bogons but not own Subnets
  • Allow all Subnets to connect to Internet
  • Allow only VLANFriends to talk to each other
  • Allow AdminSubnet to connect to Internet and all other Subnets
  • Allow AdminSubnet to connect to Router via HTTPS, SSH and Winbox
  • Block DNS Requests from WAN
  • Spam prevention (SMTP-Port 25)
  • blocking of LAN users from asking external DNS servers

Thanks in advance,
Christian


# Firewall Filter
#
# Prerequisites:
# /interface list add name=WAN
# /interface list add name=LAN
# /interface list member add interface=ether1 list=WAN
# /interface list member add interface=br_vlan list=LAN
# /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#
# Requirements:
# - block Bogons but not own used Subnets
# - Allow Subnets to connect to Internet
# - Allow only VLANFriends to talk to each other
# - Allow AdminSubnet to connect to Internet and all other Subnets
# - Allow AdminSubnet to connect to Router via HTTPS, SSH and Winbox
# - Block DNS Requests from WAN
# - Spam prevention (SMTP-Port 25)
# - blocking of LAN users from asking external DNS servers
#
# Bogons
#
/ip firewall address-list add list=bogons address=0.0.0.0/8 disabled=no
/ip firewall address-list add list=bogons address=10.0.0.0/8 disabled=no
/ip firewall address-list add list=bogons address=100.64.0.0/10 disabled=no
/ip firewall address-list add list=bogons address=127.0.0.0/8 disabled=no
/ip firewall address-list add list=bogons address=169.254.0.0/16 disabled=no
/ip firewall address-list add list=bogons address=172.16.0.0/12 disabled=yes
/ip firewall address-list add list=bogons address=192.0.0.0/24 disabled=no
/ip firewall address-list add list=bogons address=192.0.2.0/24 disabled=no
/ip firewall address-list add list=bogons address=192.168.0.0/16 disabled=yes
/ip firewall address-list add list=bogons address=198.18.0.0/15 disabled=no
/ip firewall address-list add list=bogons address=198.51.100.0/24 disabled=no
/ip firewall address-list add list=bogons address=203.0.113.0/24 disabled=no
/ip firewall address-list add list=bogons address=240.0.0.0/4 disabled=no
#
#
# private subnets
#
/ip firewall address-list add address=172.16.1.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.10.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets
#
#
# Admin subnet
#
/ip firewall address-list add address=172.16.1.0/24 list=AdminSubnet
#
#
# VLAN friends can talk to each other
#
/ip firewall address-list add address=172.16.10.0/24 list=VlanFriends
/ip firewall address-list add address=172.16.20.0/24 list=VlanFriends
#
#
# Input Chain
#
/ip firewall filter add chain=input connection-state=established,related comment="accept established,related" action=accept 
/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=input protocol=icmp action=jump jump-target=allow-icmp
/ip firewall filter add chain=input src-address-list=AdminSubnet dst-address-list=AdminSubnet in-interface-list=LAN protocol=tcp action=jump jump-target=allow-admin
/ip firewall filter add chain=input src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=udp dst-port=53 comment="accept DNS-UDP from LAN" action=accept 
/ip firewall filter add chain=input src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=tcp dst-port=53 comment="accept DNS-TCP from LAN" action=accept 
/ip firewall filter add chain=input comment="drop" action=drop
#
# End of Input Chain
#
#
#
#
# Forward Chain
#
/ip firewall filter add chain=forward connection-state=established,related comment="fasttrack established,related" action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=forward src-address-list=bogons in-interface-list=WAN comment="drop bogons from WAN" action=drop
/ip firewall filter add chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop to WAN w/o DSTNAT" action=drop
/ip firewall filter add chain=forward out-interface-list=WAN protocol=tcp dst-port=25 comment="reject SMTP to WAN" action=reject
/ip firewall filter add chain=forward src-address-list=AdminSubnet in-interface-list=LAN comment="Accept VLAN Admin"  action=accept
/ip firewall filter add chain=forward src-address-list=VlanFriends dst-address-list=VlanFriends in-interface-list=LAN comment="Accept VLAN friends"  action=accept
/ip firewall filter add chain=forward comment="drop" action=drop
#
# End of Forward Chain
#
#
#
# output Chain
#
/ip firewall filter add chain=output dst-port=53 out-interface-list=WAN protocol=udp src-address=!172.16.1.1 action=drop
/ip firewall filter add chain=output dst-port=53 out-interface-list=WAN protocol=tcp src-address=!172.16.1.1 action=drop
#
# End of output Chain
#
#
#
# customized Chains
#
# permit ICMP-commands
/ip firewall filter add chain=allow-icmp src-address-list=!PrivateSubnets dst-address-list=!PrivateSubnets in-interface-list=WAN protocol=icmp icmp-options=0:0 comment="accept ICMP echo reply from WAN" action=accept 
/ip firewall filter add chain=allow-icmp src-address-list=!PrivateSubnets dst-address-list=!PrivateSubnets in-interface-list=WAN protocol=icmp icmp-options=3:0-1 comment="accept ICMP destination unreachable from WAN" action=accept
/ip firewall filter add chain=allow-icmp src-address-list=!PrivateSubnets dst-address-list=!PrivateSubnets in-interface-list=WAN protocol=icmp icmp-options=8:0 comment="accept ICMP echo request from WAN" action=accept 
/ip firewall filter add chain=allow-icmp src-address-list=!PrivateSubnets dst-address-list=!PrivateSubnets in-interface-list=WAN protocol=icmp icmp-options=11:0 comment="accept ICMP time exceeded from WAN" action=accept
/ip firewall filter add chain=allow-icmp src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=icmp icmp-options=0:0 comment="accept ICMP echo reply from LAN" action=accept 
/ip firewall filter add chain=allow-icmp src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=icmp icmp-options=3:0-1 comment="accept ICMP destination unreachable from LAN" action=accept
/ip firewall filter add chain=allow-icmp src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=icmp icmp-options=8:0 comment="accept ICMP echo request from LAN" action=accept 
/ip firewall filter add chain=allow-icmp src-address-list=PrivateSubnets dst-address-list=PrivateSubnets in-interface-list=LAN protocol=icmp icmp-options=11:0 comment="accept ICMP time exceeded from LAN" action=accept
/ip firewall filter add chain=allow-icmp comment="drop" action=drop
#
# permit Admin-Access for SSH, HTTPS and Winbox
/ip firewall filter add chain=allow-admin protocol=tcp dst-port=22 comment="accept SSH from LAN" action=accept
/ip firewall filter add chain=allow-admin protocol=tcp dst-port=443 comment="accept HTTPS from LAN" action=accept
/ip firewall filter add chain=allow-admin protocol=tcp dst-port=8291 comment="accept WinBox from LAN" action=accept
/ip firewall filter add chain=allow-admin comment="drop" action=drop
#
#
# NAT
/ip firewall nat add chain=srcnat comment="masquerade LAN->WAN" disabled=yes out-interface=ether1 action=masquerade

Just taking a quick look and don’t understand the complexity of your input rules and overkill on jumping. Eat a lot of beans??
Simply
add chain=input action=accept in-interface-list=adminsubnet

Same for DNS
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53

Since you have a drop-all as the last rule in the input chain, implicitly everything else is dropped, including WAN-to-router DNS queries, so no separate drop rule is required for that (remove it).

Also ensure in Winbox services or settings (can’t remember which) you limit to and allow the same subnet for Winbox and SSH.
Set SSH to strong crypto and change the default (use a different SSH port).
Not sure if using HTTPS is recommended; it is not required if you are on the LAN and already have access through Winbox or SSH.
If you want external admin access from the internet, use a VPN.

Moving to forward chain, lets discuss BOGON list because I too am wondering how to best apply this list…

I have seen two variations…
/ip firewall filter
add chain=forward action=drop in-interface-list=WAN src-address-list=bogons (STOP FORWARDED TRAFFIC coming from internet FROM PRIVATE ADDRESSES)
AND
add chain=forward action=drop in-interface-list=WAN dst-address-list=bogons (STOP FORWARDED TRAFFIC coming from internet TO PRIVATE ADDRESSES)

WHICH IS CORRECT ???

In any case, I would apply this rule either way in RAW, not in Filter.
One has to be careful on direction of traffic and may have to remove/disable any private address blocks that encompass the private IP structures you use on your own router. (trust stupid me that forgets to use Sandbox Mode for firewall changes. :wink: )

The next rule I don’t understand is your drop-not-dstnat rule??? First of all you have an implicit drop all except allowed traffic as the last rule in your forward chain, so that’s great and I do that myself. But think about it. What this means is you only need to make ALLOW rules, as everything else will be dropped if not matched to one of the allow rules!!!

So you NEED to allow dstnat (if you have any port forwardings).
add chain=forward action=accept in-interface-list=WAN (I think connection state=dstnat) but will confirm later.

In terms of port 25 SMTP, I can’t advise as I don’t understand the requirement. Do you mean incoming traffic to the router on port 25 (more like a scan than spam), do you mean traffic being forwarded from the net on port 25, or do you mean LAN traffic going out on port 25 (which I wouldn’t block because I need it for email)? Thus I need a bit more clarity on the purpose.
If it is strictly no TCP 25 from the LAN then you don’t need the outbound interface in the rule.
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=25
If you wanted to find out which PCs were spamming:
/ip firewall filter
add chain=forward action=add-src-to-address-list address-list=spanking_list address-list-timeout=2d in-interface-list=LAN protocol=tcp dst-port=25
add chain=forward action=drop in-interface-list=LAN protocol=tcp dst-port=25 src-address-list=spanking_list

Personally this is a rule I would simply move to raw:
/ip firewall raw
add chain=prerouting action=drop dst-port=25 protocol=tcp (all traffic coming or going with a destination of port 25 is dropped)
add chain=prerouting action=drop dst-port=25 protocol=udp (if also needed)

The VLAN friends to VLAN friends I understand and makes sense, if the source and destination are VLAN friends allow the traffic coming from the LAN interface and route it at layer 3.

The admin rule however I don’t quite get. You state accept all traffic coming from the ADMIN subnet; fine, so it’s allowed to exist at the LAN interface, but then it will be dropped because you don’t state where it is allowed to go after that???
/ip firewall filter
add chain=forward src-address-list=AdminSubnet in-interface-list=LAN comment="Accept VLAN Admin" action=accept

it should read
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN src-address-list=AdminSubnet dst-address-list=PrivateSubnets


Lastly, before I forget, we didn’t talk SRCNAT rules, but I do recommend some additional dstnat rules which redirect your users,
forcing them to use the DNS that is supplied through your selections… for me I force users to use my LAN gateway IPs.
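The warning above, to disable the bogon entries that encompass the private ranges you use yourself, can be checked mechanically before the list goes onto the router. The following is an added example (Python, not anything posted in this thread or part of RouterOS): it takes Christian's bogon prefixes and PrivateSubnets, reports which bogon entries clash with them, emits the address-list commands with those entries disabled, and, going one step beyond what the thread discusses, shows how to keep the unused remainder of a clashing block (e.g. 172.17.0.0/16) as a bogon instead of disabling the whole /12. The `covers` helper and the `__main__` printout are there only for checking the result.

```python
"""Added example (not from the thread): check a bogon address list against the
subnets you actually use before applying it. The bogon prefixes and own
subnets are the ones from Christian's draft; the RouterOS command format
mirrors his address-list lines."""
import ipaddress

BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
]
OWN_SUBNETS = ["172.16.1.0/24", "172.16.10.0/24", "172.16.20.0/24", "192.168.1.0/24"]


def overlapping_bogons(bogons, own):
    """Bogon entries that contain (or sit inside) one of your own subnets."""
    own_nets = [ipaddress.ip_network(s) for s in own]
    return [b for b in bogons
            if any(ipaddress.ip_network(b).overlaps(n) for n in own_nets)]


def render_address_list(bogons, own, list_name="bogons"):
    """RouterOS commands in the thread's style; clashing entries are added
    disabled so the list cannot cut off your own LAN/VLAN traffic."""
    clash = set(overlapping_bogons(bogons, own))
    return [f"/ip firewall address-list add list={list_name} address={b} "
            f"disabled={'yes' if b in clash else 'no'}" for b in bogons]


def tightened_bogons(bogons, own):
    """Alternative to disabling a whole clashing block (goes beyond the thread):
    keep the parts of each bogon prefix that you do not use yourself, so
    e.g. 172.17.0.0/16 is still treated as bogon while 172.16.1.0/24 is not."""
    own_nets = [ipaddress.ip_network(s) for s in own]
    kept = []
    for b in bogons:
        pieces = [ipaddress.ip_network(b)]
        for n in own_nets:
            remaining = []
            for p in pieces:
                if not p.overlaps(n):
                    remaining.append(p)                    # untouched by this subnet
                elif n.subnet_of(p):
                    remaining.extend(p.address_exclude(n))  # carve the own subnet out
                # else: p lies entirely inside an own subnet, so it is dropped
            pieces = remaining
        kept.extend(str(p) for p in pieces)
    return kept


def covers(prefixes, ip):
    """True if any prefix in the list contains the address (used for checks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    print("disable these:", overlapping_bogons(BOGONS, OWN_SUBNETS))
    print("\n".join(render_address_list(BOGONS, OWN_SUBNETS)))
    print(len(tightened_bogons(BOGONS, OWN_SUBNETS)), "prefixes after carving out own subnets")
```

Running it lists 172.16.0.0/12 and 192.168.0.0/16 as the entries to disable, which matches the two `disabled=yes` lines in the draft. The tightened list is more work to read on the router (a /12 minus three /24s expands to a couple of dozen prefixes), so whether it is worth it depends on how much you care about the rest of 172.16.0.0/12 reaching you from WAN.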

Hi,
thank you very much for the detailed answer. I will rework my rules again, but I am not really sure, if I understood all your comments correctly. I will come back to you tomorrow!

Regarding the SPAM rule: I want to prevent my clients from sending SPAM mails to WAN.
I’m also confused about the bogons now. Are you saying you have to use both rules? And in which of these cases is it better to remove your own subnets from the bogon list?

Thank you
Christian

Christian, the bogon question was not directed at you. It was meant for the gurus here that lurk but don’t often have the cojones (gender correct: gonads) to get their hands dirty and dive in to help. :stuck_out_tongue_winking_eye:
Usually, after hearty laughter or tears, I am not sure which, Sob or CZFAN or Sindy will come to the rescue, so they think, to impart great wisdom. Often all I hear the first time around is flatulence as their lips move, but after a time, or a few times anyway, the advice sinks in. I am learning too, so patience is required. By all means I will attempt to answer any questions.

As to the spam rule I am with you.
Observation: Must mean no one behind your router uses email requiring port 25?
So to you I ask - does it matter to find out where this spam is coming from?

To ask the wider audience: to block port 25 outbound spam, what is the most drop-efficient rule?
filter or raw and in terms of content
tcp 25 outchain in-interface-list=LAN
or simply
tcp 25 outchain period

It’s a secret. :slight_smile:

About bogons, that’s an interesting thing. It’s invalid (well, sort of) addresses that you should never receive anything from or send anything to. With private addresses being an exception, when you use them in your internal network.

When we’re talking about usual home setup or something similar, it doesn’t seem too important to worry about bogons too much. You don’t accept any input from WAN anyway, and you don’t forward any incoming traffic to LAN either, except few selected ports using dstnat. If something happens to come from bogon address, to port forwarded to internal server, what will happen? If it’s from 127.0.0.0/8, it might bypass some ACL on server, but won’t be able to establish a connection. So it’s not completely impossible, but quite unlikely that it could do something bad. Private networks may be a little more dangerous, because you can have a broader ACL on server (e.g. that anything from 192.168.0.0/16 can access some restricted interface), but when you’d have only some /24 in LAN, the rest of /16 would be routable to WAN, and would allow full bidirectional communication. But it’s wrong configuration on server, fix that and they have no chance. And it should go for the rest of bogons as well, because they are likely to have the same level of access as any other random address.

If you want to stop them, that’s a question what’s best. I think it’s good idea to prevent private networks from leaking between LAN and WAN. One simple way is to just add unreachable routes for them, which will prevent leaks from LAN to WAN. But it also screws up pure IPSec VPNs. And it doesn’t prevent spoofed packets from private networks coming from WAN. So firewall might be better. But that’s another question, regular filter or raw? On one hand, it’s good idea to get rid of them as soon as possible, so that would be raw. But every single packet comes through raw, and while connection tracking is resource intensive, checking each packet against several subnets can’t be too cheap either, so regular filter might be better after all, because you only need to check for bogons for connection-state=new. It would need some tests to see what’s better.

For blocking port 25, fewer conditions = more efficient rule. So if you know that you don’t need tcp/25 in any direction, it can be the only condition, no need to bother with the source interface. The downside is that it might be less clear what you meant by it, e.g. if someone else gets to manage the firewall after you. I’d probably do something like:

/ip firewall filter
...
add chain=forward in-interface=LAN action=jump jump-target=outgoing
add chain=outgoing protocol=tcp dst-port=25 src-address=!<my local mailserver> action=reject reject-with=tcp-reset
add chain=outgoing ... <other filtering rules>
add chain=outgoing action=accept

And it’s perfectly clear that I wanted to filter outgoing traffic. And if I have multiple filtering rules, I’ll save on checking in-interface for each of them.

Hi all,
puuh! Many thanks for your replies. It is not easy for me to follow up, because I used a consumer router with a preconfigured subnet and firewall (FritzBox) until now, and my first steps with Mikrotik HW were only 6 weeks ago.
I will rework my rules to my best knowledge and it would be great if I can still count on your support in order to make my network safe.

Many many thanks and see you soon,
Christian

Sob, it’s great your example bore no resemblance to your advice and to the questions, but I am getting used to it. :wink:
(I have no idea what your example was trying to do LOL, like you were working on two threads at the same time and mixed up the responses)
(No one mentioned having an email server on the LAN, and your jump rule jumps ALL LAN traffic; did you let the grandchild sit down at the puter while you went to the bathroom?)

What I read was
/ip firewall raw
add chain=output action=drop protocol=tcp port=25 comment="Sob said to tell the next manager of this device that this rule is for blocking any port 25 traffic outbound (spam), which also means there is no valid or needed email traffic on port 25 emanating from the LANs"

/ip firewall filter
add chain=forward action=drop in-interface=LAN connection-state=new src-address-list=bogons comment="Sob thinks this is more efficient than a RAW rule but without testing and despite DDOS folks saying raw is very efficient compared to other methods, I am sure he will test and get back to us for fear of losing credibility"

Dears,
it is difficult for me to follow the discussion, because it requires very deep knowledge and I can’t see what I have to do now! Your answers raise 1,000 new questions for me (that’s because of my limited knowledge about firewall rules!) :frowning:

There are some internal SMTP systems (e.g. NAS server) which will send out messages, but they do not use port 25. My e-mail clients use port 587, so blocking port 25 would be the easiest way for me!
And therefore I can use a very simple rule in raw:

/ip firewall raw
add chain=prerouting action=drop dst-port=25 protocol=tcp (all traffic coming or going with a destination of port 25 is dropped)
add chain=prerouting action=drop dst-port=25 protocol=udp (if also needed)

I also cannot follow the “Bogons” discussion either. I understood, that it is good to implement prevention, but I do not have a clue how this looks like concretely.

@anav:
One question to you: how did you realize that?

Lastly before I forget, we didnt talk SRCNAT rules but I do recommend some additional dstnat rules which redirect your users
forcing them to use DNS that is supplied through your selections… for me I force users to use my LANgateway IPs.

Since I have different networks, I have to refer to different GWs running as internal DNS.

Thanks a lot for the discussion and your support,
Christian

A really nice trick for not allowing DNS to the outside world is to use a NAT redirect. It’s slightly different to a dst-nat in that with dst-nat you can direct the traffic to anything you want, but a redirect will point the traffic back to the router. Ideal in the situation you are mentioning for not allowing external DNS, as the devices will “presume” they are getting the DNS from wherever they are pointed, but in actual fact the packets end up at the router and are queried there.

With regards to the firewall, I’d advise to build yourself a decent firewall from the outside world and then concentrate on the additional filters you want to add in like VLAN friends etc. Break it down into easy to follow chunks and you’ll have no issues rather than trying to write 1 big firewall from the off.

Just be patient Spartacus.
The raw rule you stated looks ok to me.
As Sob said we can leave bogons till later
(they are simply a list of private addresses that have no business coming to your router or leaving your router)

I probably don’t need them either, as my default setup is DROP ALL at the end of the input chain and forward chain, and thus if I have not explicitly allowed traffic it should get dropped.

DNS
For DNS I make allow rules in the input chain for my LAN so that PCs can request DNS resolving from the router. (A. see below)
For /IP DNS I allow remote requests, you have to decide whether or not to use the dynamic servers from the IP or stick some other at the top as fixed servers.
in /ip firewall NAT I redirect users to their lan gateway for DNS queries (B. see below)
In /ip dhcp server go to NETWORK TAB and ensure you select the LAN GW as per normal and then put in the LAN GW as the DNS server.

A. /ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp

These and any other rules in the input chain must be prior to the drop all rule, the most important input rule being
add action=accept chain=input comment="ADMIN ACCESS TO ROUTER" in-interface-list=LAN src-address-list=adminaccess
(one creates the adminaccess list in /ip firewall address lists)

B. /ip firewall nat
add action=redirect chain=dstnat comment="Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router for DNS - UDP" dst-port=53 protocol=udp

So as above, in the dhcp server network tab is where you state that all the LAN networks go to their LAN gateway for DNS.
In /ip DNS you state which DNS servers all will use. In the input chain you allow LAN-to-router DNS traffic.
In NAT you force users to use the router for DNS, regardless of what they put in on their PCs.

@anav: Come on, I was trying really hard to answer your questions. :slight_smile:

One of OP’s requirements is “Allow all Subnets to connect to Internet”, so unlimited access except port 25 (to prevent infected clients from spamming) and DNS. The firewall draft fails to do the first part, there’s no rule allowing access from LAN to internet and any attempt will be dropped by last unconditional drop rule. DNS is not handled either (there’s some attempt in output chain, but it won’t do what it should), which is fine now, because it will be blocked by default, but if the first mistake (internet access) is fixed, even DNS will be allowed, so it’s going to need another blocking rule (unless a redirect is used, as suggested by @Steveocee).

So there can be either:

/ip firewall filter
...
add chain=forward in-interface-list=LAN protocol=tcp dst-port=25 action=reject (or out-interface=WAN, or no interface at all)
add chain=forward in-interface-list=LAN protocol=tcp dst-port=53 action=reject (same as above, if no forwarded DNS traffic is needed)
add chain=forward in-interface-list=LAN protocol=udp dst-port=53 action=reject
add chain=forward in-interface-list=LAN action=accept
...

Or you can use my beautiful jump, and have everything nice and clear. Jump for all outgoing traffic is intentional, it’s a way to separate it from everything else early, and then you have dedicated chain for all outgoing traffic and you can do easy filtering, without risk of interfering with anything else. The extra local mailserver not previously mentioned by OP was free bonus, showing how easily it can be exempted from blocking rule.

And about bogons filtering and Sob’s credibility, no thanks, it’s a trap. Nobody said anything about DDoS. Most likely the real bogons are already filtered by the ISP, so if they would be used for DDoS, they won’t get to you. And if somebody is going to DDoS you, then no matter what kind of filtering you do, it will be useless, because the connection from the ISP to you will already be saturated, so even if you drop those packets super-efficiently, it’s not going to help you. The bogons you’re likely to encounter will be random leaks of private subnets, or some wannabe hacker connected to the same ISP’s network (depending how much the ISP cares about security). In other words, it should be a rare occurrence, so checking each packet against the bogons list might be a waste of resources.
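The ordering problem Sob points out above (no LAN-to-internet accept, so the final unconditional drop eats all client traffic, while SMTP must still be rejected before any such accept) is easy to check with a small first-match model. The following is an added example in Python, not code from this thread or from RouterOS: it encodes only the matchers the draft uses (interface lists, address lists, protocol, destination port, connection state), copies the draft's forward chain without the bogon and dstnat rules, and sends constructed test packets through the draft and through the same chain with the missing accept inserted. The helper names, the `Packet` fields and the test addresses are all assumptions made for the example.

```python
"""Added example (not from the thread): a tiny first-match model of a RouterOS
forward chain, used to check Christian's draft against the requirements
"all subnets to the internet", "only VlanFriends talk to each other" and
"no SMTP to WAN". Lists and rules follow the draft; packets are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Interface lists and address lists as defined in the draft's prerequisites.
IFACE_LISTS = {"LAN": {"br_vlan"}, "WAN": {"ether1"}}
ADDR_LISTS = {
    "PrivateSubnets": ["172.16.1.0/24", "172.16.10.0/24", "172.16.20.0/24", "192.168.1.0/24"],
    "AdminSubnet": ["172.16.1.0/24"],
    "VlanFriends": ["172.16.10.0/24", "172.16.20.0/24"],
}


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"
    dport: int = 443
    state: str = "new"


@dataclass
class Rule:
    action: str                  # accept / drop / reject
    comment: str = ""
    match: dict = field(default_factory=dict)


def in_addr_list(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDR_LISTS[name])


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must hit, as in RouterOS."""
    checks = {
        "in_if_list": lambda v: pkt.in_if in IFACE_LISTS[v],
        "out_if_list": lambda v: pkt.out_if in IFACE_LISTS[v],
        "src_list": lambda v: in_addr_list(pkt.src, v),
        "dst_list": lambda v: in_addr_list(pkt.dst, v),
        "proto": lambda v: pkt.proto == v,
        "dport": lambda v: pkt.dport == v,
        "state": lambda v: pkt.state in v,
    }
    return all(checks[key](val) for key, val in rule.match.items())


def evaluate(chain: list, pkt: Packet) -> str:
    """First matching rule decides; a packet that matches nothing is accepted
    by RouterOS, which is why both chains end with an explicit drop."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action
    return "accept"


# The draft's forward chain, minus the bogon and dstnat rules (not needed here).
DRAFT_FORWARD = [
    Rule("accept", "established,related", {"state": {"established", "related"}}),
    Rule("drop", "invalid", {"state": {"invalid"}}),
    Rule("reject", "reject SMTP to WAN", {"out_if_list": "WAN", "proto": "tcp", "dport": 25}),
    Rule("accept", "Accept VLAN Admin", {"src_list": "AdminSubnet", "in_if_list": "LAN"}),
    Rule("accept", "Accept VLAN friends",
         {"src_list": "VlanFriends", "dst_list": "VlanFriends", "in_if_list": "LAN"}),
    Rule("drop", "drop"),
]

# Same chain with the missing LAN->WAN accept inserted before the final drop;
# the SMTP reject stays above it, so spam is still blocked.
FIXED_FORWARD = DRAFT_FORWARD[:-1] + [
    Rule("accept", "LAN to internet",
         {"in_if_list": "LAN", "out_if_list": "WAN", "src_list": "PrivateSubnets"}),
    DRAFT_FORWARD[-1],
]


def check(chain: list) -> dict:
    """Run constructed test packets through a chain and report the verdicts."""
    cases = {
        "friend_to_internet": Packet("172.16.10.5", "1.1.1.1", "br_vlan", "ether1"),
        "friend_spam_to_wan": Packet("172.16.10.5", "203.0.113.25", "br_vlan", "ether1", dport=25),
        "admin_to_friend": Packet("172.16.1.5", "172.16.20.7", "br_vlan", "br_vlan"),
        "friend_to_admin": Packet("172.16.10.5", "172.16.1.5", "br_vlan", "br_vlan"),
    }
    return {name: evaluate(chain, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for label, chain in (("draft", DRAFT_FORWARD), ("fixed", FIXED_FORWARD)):
        print(label, check(chain))
```

With the draft chain a VlanFriends client's web connection to the internet ends in the final drop, while in the fixed chain it is accepted; SMTP to WAN is rejected in both, admin-to-friend traffic is accepted, and friend-to-admin traffic is dropped, which is what the "only VlanFriends talk to each other" requirement asks for.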

Sob, good catch, I will send you a cookie. When I was looking at port 25 I had realized it needed to go before an allow-all LAN-to-WAN rule for the subnets, if placed in the forward chain filter set. I then forgot to add the LAN-to-WAN rule for the subnets. Trying to do too much too fast LOL.

In any case, eff your fancy pants filter puzzle, that is why I prefer
/ip firewall raw
add chain=prerouting action=drop in-interface=LAN protocol=tcp dst-port=25

Indeed he needs the following rule added in the forward chain to allow internet access.
/ip firewall filter
add chain=forward action=accept in-interface=LAN out-interface=WAN src-address-list=PrivateSubnets

Hi Anav, Sob,
you are so fast with your answers, it’s hard for me to follow up!
…give me some more time to understand, what is going on here… :slight_smile:

@ anav:
A: is clear to me, I´ve also included this in my ruleset.

Let me summarize what I understood:

DNS - Section of RB:

  • setup external DNS-Servers (e.g. Google)
  • Allow remote requests:

DHCP - Section of RB:

  • each Subnet has its own DNS-Server, this points to the GW:

If I will add the following to my ruleset:


 /ip firewall nat
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" dst-port=53 protocol=udp

I will automatically force the clients on the different subnets to use their GW as their DNS server, which is distributed by the DHCP server.

With best regards,
Christian.

Yes, correct. Remember it’s the /ip dhcp section but the NETWORK TAB, not the general tab, where one assigns the gateway address, but below that there is an entry for the DNS server and that is where you also put in that same gateway IP.

Hi all,
thank you very much for your support. But it seems that I am a little bit lost, because there are evidently different ways of implementation.
I am also not sure if I understood the context, but let me share my new ruleset with you. Please be patient if this is not correct; I would be very grateful for further support.

Bogons:
this is not really needed for a private home network, therefore I do not need it, and it only costs performance.

DNS:

Allow LAN users to use local DNS:
/ip firewall filter add chain=input in-interface-list=LAN protocol=tcp dst-port=53 comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp dst-port=53 comment="Allow LAN DNS queries-UDP" action=accept

Force users to use the local DNS server:
/ip firewall nat add action=redirect chain=dstnat comment="Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
/ip firewall nat add action=redirect chain=dstnat comment="Force Users to Router for DNS - UDP" dst-port=53 protocol=udp

SPAM (filtered in separate Chain for output traffic):

/ip firewall filter add chain=forward in-interface=LAN action=jump jump-target=outgoing
/ip firewall filter add chain=outgoing protocol=tcp dst-port=25 action=reject reject-with=tcp-reset
/ip firewall filter add chain=outgoing action=accept

Firewall Rule-set

# Firewall Filter
#
# Prerequisites:
# /interface list add name=WAN
# /interface list add name=LAN
# /interface list member add interface=ether1 list=WAN
# /interface list member add interface=br_vlan list=LAN
# /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#
# Requirements:
# - Allow Subnets to connect to Internet
# - Allow only VLANFriends to talk to each other
# - Allow AdminSubnet to connect to Internet and all other Subnets
# - Allow AdminSubnet to connect to Router
# - Block DNS Requests from WAN
# - Spam prevention (SMTP-Port 25)
# - redirect LAN users to internal DNS-Server
#
#
#
# private subnets
#
/ip firewall address-list add address=172.16.1.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.10.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets
#
#
# Admin subnet
#
/ip firewall address-list add address=172.16.1.0/24 list=AdminSubnet
#
#
# VLAN friends can talk to each other
#
/ip firewall address-list add address=172.16.10.0/24 list=VlanFriends
/ip firewall address-list add address=172.16.20.0/24 list=VlanFriends
#
#
# Input Chain
/ip firewall filter add chain=input connection-state=established,related comment="accept established,related" action=accept 
/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=input in-interface-list=AdminSubnet action=accept 
/ip firewall filter add chain=input in-interface-list=LAN protocol=tcp dst-port=53 comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp dst-port=53 comment="Allow LAN DNS queries-UDP" action=accept
/ip firewall filter add chain=input comment="drop" action=drop
# End of Input Chain
#
#
#
#
# Forward Chain
/ip firewall filter add chain=forward connection-state=established,related comment="fasttrack established,related" action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=forward connection-nat-state=dstnat in-interface-list=WAN action=accept
/ip firewall filter add chain=forward in-interface=LAN action=jump jump-target=outgoing
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=AdminSubnet dst-address=PrivateSubnets comment="Accept VLAN Admin" action=accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=VlanFriends dst-address-list=VlanFriends comment="Accept VLAN friends"  action=accept
/ip firewall filter add chain=forward comment="drop" action=drop
# End of Forward Chain
#
#
#
# customized Chains
#
# outgoing Traffic-Filter
/ip firewall filter add chain=outgoing protocol=tcp dst-port=25 action=reject reject-with=tcp-reset
/ip firewall filter add chain=outgoing action=accept
#
#
# NAT
# force all users with custom defined DNS server to use 172.16.1.1 as their DNS server,
/ip firewall nat add chain=dstnat to-addresses=172.16.1.1 to-ports=53 protocol=tcp dst-port=53 action=dst-nat
/ip firewall nat add chain=dstnat to-addresses=172.16.1.1 to-ports=53 protocol=udp dst-port=53 action=dst-nat
/ip firewall nat add chain=srcnat comment="masquerade LAN->WAN" disabled=yes out-interface=ether1 action=masquerade

Thanks,
Christian

Get rid of the spam jump output crap.
First of all what is being jumped??? Seems like the rule would include everything on the in-interface LAN
Also there is no requirement for an outgoing accept rule… get rid of it.

Two choices
/ip firewall filter
add chain=input action=drop in-interface-list=LAN protocol=tcp dst-port=25
or
/ip raw
add chain=prerouting action=drop in-interface-list=LAN protocol=tcp dst-port=25

Your input rule needs work for admin access!!!
/ip firewall filter
add chain=input action=accept in-interface=LAN src-address-list=AdminSubnet

In fact, where you have in-interface-list there is no such thing, that should be in-interface=LAN.
Same goes for your forward filter rules, replace the non-existent in-interface-list with in-interface=LAN.
Also dst-address-list=PrivateSubnets

Forget that forward jump rule, don't know what that is doing at all.

Also you forgot again to provide internet access for your LAN.
in-interface=LAN out-interface=WAN

There is more but ran out of time.

Please show me your interfaces to see how your vlans are configured and on what interfaces and bridges if any???

Hi anav,
sorry, but now I am completely lost :frowning:

In fact, where you have in-interface-list there is no such thing, that should be in-interface=LAN.
Same goes for your forward filter rules, replace the non-existent in-interface-list with in-interface=LAN.
Also dst-address-list=PrivateSubnets

If I open Winbox, I cannot select any “LAN” under “in-interface”; this choice only exists for “in-interface List”.
In my “prerequisites” (see comments in the FW rules) I have defined “LAN” and “WAN” as an interface list (not in the config, because I only want to focus on the FW rules). So what is wrong in my rule-set with “interface-List”?

sorry, Christian

Sorry, my bad Christian, had a gazillion things on my mind this morning and was rushing.
Ignore my stupid comments… I will reread and post an edited config shortly.

Okay, I'm lazy, so I quoted your post and will fix the config using that.
DNS:

Allow LAN-User to use local DNS:
/ip firewall filter add chain=input in-interface-list=LAN protocol=tcp **dst-port=53** comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp **dst-port=53** comment="Allow LAN DNS queries-UDP" action=accept

Force User to use local DNS-Server
/ip firewall nat add action=redirect chain=dstnat comment="Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp
/ip firewall nat add action=redirect chain=dstnat comment="Force Users to Router for DNS - UDP" dst-port=53 protocol=udp


SPAM:

/ip firewall filter add chain=forward protocol=tcp dst-port=25 in-interface-list=LAN out-interface=ether1 action=drop

Firewall Rule-set

Firewall Filter

Prerequisites:

/interface list add name=WAN

/interface list add name=LAN

/interface list member add interface=ether1 list=WAN

/interface list member add interface=br_vlan list=LAN

WHAT OTHER INTERFACES ON YOUR LAN??
What interface do all the subnets use??
The private ones etc..

/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

Requirements:

- Allow Subnets to connect to Internet

- Allow only VLANFriends to talk to each other

- Allow AdminSubnet to connect to Internet and all other Subnets

- Allow AdminSubnet to connect to Router

- Block DNS Requests from WAN

- Spam prevention (SMTP-Port 25)

- redirect LAN users to internal DNS-Server

private Subnets

/ip firewall address-list add address=172.16.1.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.10.0/24 list=PrivateSubnets
/ip firewall address-list add address=172.16.20.0/24 list=PrivateSubnets
/ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets

Admin subnet

/ip firewall address-list add address=172.16.1.0/24 list=AdminSubnet

VLAN friends can talk to each other

/ip firewall address-list add address=172.16.10.0/24 list=VlanFriends
/ip firewall address-list add address=172.16.20.0/24 list=VlanFriends

Input Chain

/ip firewall filter add chain=input connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=input in-interface-list=**LAN src-address-list=**AdminSubnet action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol=tcp **dst-port=53** comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp dst-port=53 comment="Allow LAN DNS queries-UDP" action=accept
/ip firewall filter add chain=input comment="drop" action=drop

End of Input Chain

Forward Chain

/ip firewall filter add chain=forward connection-state=established,related comment="fasttrack established,related" action=fasttrack-connection
/ip firewall filter add chain=forward connection-state=established,related comment="accept established,related" action=accept
/ip firewall filter add chain=forward connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=forward connection-nat-state=dstnat in-interface=ether1 action=accept (not required if not doing any port forwarding from the WAN ???)
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=PrivateSubnets out-interface=ether1 action=accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=AdminSubnet dst-address-list=PrivateSubnets comment="Accept VLAN Admin" action=accept
/ip firewall filter add chain=forward in-interface-list=LAN src-address-list=VlanFriends dst-address-list=VlanFriends comment="Accept VLAN friends" action=accept
/ip firewall filter add chain=forward comment="drop" action=drop

End of Forward Chain

customized Chains

outgoing action=accept

NAT

/ip firewall nat add chain=srcnat comment="masquerade LAN->WAN" in-interface-list=LAN out-interface=ether1 action=masquerade

force all users to use the DNS the admin selects from the /ip DNS page,

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=53 action=redirect
add chain=dstnat protocol=udp dst-port=53 action=redirect

The problem I am having is that the interface-list, vice interface, is used when you have MORE THAN ONE…
So if you only have one WAN IP, then use ether1 for any WAN entries.
If you had two WAN IPs, then using in-interface-list makes sense for when you are stating both for a rule (sometimes one makes rules for specific WANs).

Similarly for the LAN side. So far I only see one LAN interface defined but you have many subnets defined.
How are they related and what interfaces have you assigned them to…

I would need to see all your config to put it in context
at the terminal box type
/export compact hide-sensitive file=configreview

Go to files and download it to your computer… and post here.
etc…
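A quick way to sanity-check the rule ORDER of the revised forward chain before deploying it: the added example below (mine, not code from the thread or from MikroTik) models that chain as a first-match list over the address lists the thread defines and evaluates a few constructed flows against it. It assumes one LAN interface (br_vlan in list LAN) and ether1 as WAN, and simplifies connection tracking to a state string.

```python
# Added example (not from the thread): a small first-match evaluator for the
# forward chain of the revised ruleset, to check which flows the rule ORDER
# actually permits. Connection tracking and interfaces are simplified.
import ipaddress

ADDRESS_LISTS = {  # address lists exactly as in the revised config
    "PrivateSubnets": ["172.16.1.0/24", "172.16.10.0/24", "172.16.20.0/24", "192.168.1.0/24"],
    "AdminSubnet": ["172.16.1.0/24"],
    "VlanFriends": ["172.16.10.0/24", "172.16.20.0/24"],
}
LAN_LIST = {"br_vlan"}  # members of interface list LAN; WAN is ether1

def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in ADDRESS_LISTS[name])

# Forward chain in the order anav posted it (fasttrack folded into the accept).
# Each entry: (rule name, matcher over a packet dict, action).
FORWARD = [
    ("accept established,related", lambda p: p["state"] in ("established", "related"), "accept"),
    ("drop invalid", lambda p: p["state"] == "invalid", "drop"),
    ("accept dstnat from WAN", lambda p: p["in"] == "ether1" and p["nat"] == "dstnat", "accept"),
    ("LAN -> Internet", lambda p: p["in"] in LAN_LIST and in_list(p["src"], "PrivateSubnets")
                                  and p["out"] == "ether1", "accept"),
    ("Accept VLAN Admin", lambda p: p["in"] in LAN_LIST and in_list(p["src"], "AdminSubnet")
                                    and in_list(p["dst"], "PrivateSubnets"), "accept"),
    ("Accept VLAN friends", lambda p: p["in"] in LAN_LIST and in_list(p["src"], "VlanFriends")
                                      and in_list(p["dst"], "VlanFriends"), "accept"),
    ("drop", lambda p: True, "drop"),  # final catch-all; without it the chain default-accepts
]

def evaluate(chain, packet):
    """First matching rule wins, as in RouterOS. Returns (action, rule name)."""
    for name, match, action in chain:
        if match(packet):
            return action, name
    return "accept", "(end of chain: default accept)"

def pkt(src, dst, in_if, out_if, state="new", nat=None):
    """Constructed packet carrying only the fields the rules above inspect."""
    return {"src": src, "dst": dst, "in": in_if, "out": out_if, "state": state, "nat": nat}

if __name__ == "__main__":  # a few constructed flows
    for p in (pkt("172.16.10.5", "172.16.20.7", "br_vlan", "br_vlan"),   # friend -> friend
              pkt("192.168.1.9", "172.16.1.2", "br_vlan", "br_vlan"),    # non-friend -> admin
              pkt("203.0.113.4", "172.16.10.5", "ether1", "br_vlan")):   # unsolicited from WAN
        print(p["src"], "->", p["dst"], evaluate(FORWARD, p))
```

Note that the reverse direction (a non-admin subnet opening a new connection to the admin subnet) falls through to the final drop; only replies to admin-initiated connections get in via established,related.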