I’ve just bought an RB5009 for my homelab to get better at my networking skills.
I have started from ground up, so I’m not using the defconf of the MT.
Currently I’ve set up just a PPPoE client (my modem is in bridge mode) and a NAT rule to get internet access on the router, and made some VLANs.
The only thing that’s missing to put the RB5009 in “production” is the firewall rules… and I’m a bit lost here.
How can I “secure” my router? What are the must-have/suggested firewall rules?
P.S. I would also like to use the BackToHome service.
IMO this is a pretty bad decision. Default MT firewall is quite good and allows for easy adaptation (e.g. for using PPPoE instead of DHCP client as WAN “technology”). It also allows to make adjustments (e.g. for port forwarding).
If you want to learn, then start with default config, play with changes and observe effects.
Why will you need BTH? It’s only for the case where you don’t have a public IP, or the ISP router doesn’t get a public IP, or the ISP router gets a public IP but you cannot forward a port to the MT device.
Further, it’s only good for single devices to your router; it will not support remote router to your router.
Ref Firewall: what is the point of us giving you a firewall rule set… it would be the same as using the default… you still don’t know what it’s doing.
So mkx’s advice of using the default to start… then see what it is, and try to make sense of the rules they have implemented, and then ask intelligent questions about the default…
How can I “secure” my router? What are the must-have/suggested firewall rules?
Focus on adding rules to the INPUT-chain.
These are packets targetting the RouterOS itself.
Securing the router would mean:
→ you want to filter out crap hitting the INPUT-chain, e.g. coming in from your WAN and hitting your box on unwanted ports (e.g. ssh, winbox, …) and/or create a white-list to only allow certain public IPs to hit your router.
→ you want to additionally tighten security so that the winbox, ssh, https, api interfaces are not just “open” from any IP but narrowed down also at that level (see “ip” → “services”).
→ you want to remove/rename the default “admin” user to something else AND also at this level narrow down the “allowed-ip” ranges that are allowed.
→ Look at VPN; set up a VPN layer through which you perform admin activities.
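As an added example (not from this thread or any poster), here is how the three layers above could look as a RouterOS script: INPUT-chain filtering with a source white-list, restricting the services themselves, and replacing the admin account. It assumes a PPPoE WAN named pppoe-out1, a management VLAN interface vlan10-mgmt on 10.10.10.0/24 and WireGuard peers on 10.66.66.0/24 (UDP 13231); all of these names and addresses are placeholders to adjust.

```routeros
# Added example, not the thread's own configuration.
# Assumed names/addresses: pppoe-out1 (WAN), vlan10-mgmt (10.10.10.0/24),
# WireGuard peers 10.66.66.0/24 listening on UDP 13231.

# Interface lists keep the rules readable and let you add VLANs later
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=pppoe-out1
/interface list member add list=LAN interface=vlan10-mgmt

# Layer 1: only these sources may reach management services (white-list)
/ip firewall address-list add list=mgmt-allowed address=10.10.10.0/24 comment="mgmt VLAN"
/ip firewall address-list add list=mgmt-allowed address=10.66.66.0/24 comment="WireGuard peers"

# INPUT chain = packets addressed to the router itself; order matters
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="allow existing"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping / path MTU discovery"
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=13231 comment="WireGuard from WAN"
add chain=input action=accept src-address-list=mgmt-allowed comment="management from white-list only"
add chain=input action=drop in-interface-list=WAN comment="drop everything else from WAN"
add chain=input action=accept in-interface-list=LAN comment="LAN may use router DNS/DHCP"
add chain=input action=drop comment="default drop"

# Layer 2: the services themselves are bound to the same sources,
# and unused ones are switched off (ip -> services)
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=10.10.10.0/24,10.66.66.0/24
set winbox address=10.10.10.0/24,10.66.66.0/24
set www-ssl address=10.10.10.0/24,10.66.66.0/24

# Layer 3: replace the default "admin" with a named account that is
# also limited to the white-listed sources. Log in as the new user
# before removing admin; RouterOS will not remove the user you are
# currently logged in as.
/user add name=netadmin group=full password="CHANGE-ME-long-passphrase" address=10.10.10.0/24,10.66.66.0/24
/user remove admin
```

Apply it from the management VLAN (or via Safe Mode in WinBox/terminal) so a mistake in the white-list cannot lock you out.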
I need it to easily have a VPN to my home from my phone (with MT app), not PTP routers.
I know how to set up a “normal” Wireguard server and so on, but BTH seemed a good “integrated” feature, along with the Android app.
I don’t need a rule set, I was searching for suggestions like @jvanhambelgium did in their post up here. I can figure out the implementation myself.
Is the default rule set a good starting point to allow me to expose my router and “not be hacked”?
And if you do not have any or very limited port forwarding on your ISP router towards that RB5009, chances are even slimmer that anything will happen.
I have the same setup at home. I only allow ports which I need for my wireguard connections through ISP router, nothing else.
Ahh now I understand your BTH approach.
There is no need for BTH if your router gets a public IP, but as you note personal choice it is an option and a bit easier.
The main difference is that BTH uses and relies upon a Mikrotik cloud server (and only covers devices to the home router, not router to router connections).
In your case with a public IP, I believe BTH can figure this out and bypasses the cloud server so in effect is the same as a manual setup.
I use MT routers behind my main router, mainly to ensure they can apply wireguard etc., but it’s the only time I don’t use firewall rules on MT devices (if behind an MT router that does).
I would do the same as holvoetn, aka not pretend NAT of an upstream ISP router is a security solution.
Ok so, I’ve created the following rules.
How do they look to you? Are they OK to secure my network? (and did some other stuff from the First Time Configuration docs)