In interface and Out interface FW rule

Hello friends!
I am creating firewall rules for our client and I have some doubts, and I hope you guys can help me.
I allowed all protocols and ports that I need.
Added an explicit DROP rule at the end to drop everything else.
To make the internet work from our client's side, I had to allow the LAN segment on the forward chain (192.168.10.x, for example).
Now, my question is… is it safe that way? Would I need the in-interface marked as where the packets come from (ether2, the LAN interface) -------> and the out-interface marked as the WAN interface?
Would that solve the issue of not allowing some non-routable segment from outside into the LAN?
I hope you guys understand my doubts. Thanks in advance!

I am confused; you are asking some very basic questions for firewall rules.
Are you an admin for an IT network involving MT devices (or is this the first time you are dealing with MT devices)?

In general.
a. only the admin requires access to config the router [input chain]
b. the users only require access to the router for specific services ( such as DNS, NTP etc) [input chain]
c. drop rules are used at the bottom of both the input and forward chains to drop ALL traffic not explicitly allowed above, and this is considered best practice.

One then only needs the basic rules below to start with, and then expands them as required to meet a. and b. with more fidelity. *****

/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# ***** starting point; tighten this rule as per a. and b. above
add action=accept chain=input comment="allow LAN to router" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

note1: If you don't intend on doing port forwarding you can remove the dst-nat rule in the forward chain.
note2: The LAN to WAN internet traffic rule can be modified as required, a specific interface instead of the entire LAN interface list for example.
note3: If you want to add traffic flow on the LAN side, such as access to a shared printer from one VLAN to another, just put the rule ABOVE the drop rule.

Ref: https://forum.mikrotik.com/viewtopic.php?t=180838
Ref: From MT docs… but overly complicated and not recommended until you have a solid config and have a real need to add stuff (rare).
https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall

On a more basic level…
There are many ways to identify users/devices.
Let's take a subnet 192.168.88.0/24, which could also be designated a VLAN, such as Home_VLAN88, which could also be assigned to ether2.

SUBNET:
To identify this subnet on a rule.
( in or out ) interface=Home_VLAN88
( in or out ) interface=ether2
(src or dst)-address=192.168.88.0/24

USER/DEVICE:
One can identify individual devices by their IP address.

MULTIPLE USERS/DEVICES:
One can identify a group of IPs within a subnet by FIREWALL IP ADDRESS.
One can identify a group of IPs from various subnets by FIREWALL IP ADDRESS.
One can identify a group of IPs from various subnets along with subnet(s) by FIREWALL IP ADDRESS

MULTIPLE SUBNETS:
One can identify two or more WHOLE subnets by use of the Interface List and Interface List members.
Special case: Single subnet identification of management subnet for router config access, neighbours discovery rule and mac winbox rule.

One can combine the above as well…

add chain=forward action=accept in-interface-list=LAN src-address=subnetA out-interface=subnetB dst-address=printer_subnetB

A bit overkill; most would do something like
add chain=forward action=accept src-address=subnetA dst-address=printer_subnetB

RULES OF THUMB…

  1. Firewall addresses - use when there are a group of IP addresses OR a group of IP addresses AND anything else (subnet etc…)
  2. Single IP addresses - use for single user/device
  3. Subnet - use Ip address or interface name as appropriate.
  4. Multiple subnets - use interface list (see special case)
  5. Use of drop rules makes it easy: if it's not allowed, it's dropped!

Note: In general this guidance is for firewall rules. The idea is to eliminate multiple rules if possible, and there are MANY WAYS to do this…
Example LAN consists of subnets A-E
subnet A needs internet
subnet B needs internet
subnet C needs internet
subnet D does not need internet.
subnet E does not need internet.

Interface List
INTERNET (members → subnets A-C)

(obvious)
add chain=forward action=accept in-interface-list=INTERNET out-interface-list=WAN

IN AND OUT INTERFACE:

I personally think of IN-interface as meaning where is the traffic coming FROM [ SOURCE ]
I personally think of the OUT-interface as meaning where is the traffic going TO [ DESTINATION ]
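Putting the rules of thumb above together as one RouterOS fragment. This is an added example, not anav's posted config: the VLAN names and IDs, the subnets (A-E = 192.168.10.0/24 … 192.168.14.0/24), the printer address 192.168.11.20 in subnet B and ether1 as the WAN port are all assumptions.

```routeros
# Added example (not from the post). Assumptions: five VLAN interfaces on the LAN bridge,
# subnets A-E = 192.168.10.0/24 ... 192.168.14.0/24, a shared printer at 192.168.11.20 in
# subnet B, and ether1 as the WAN port.
/interface bridge
add name=bridge comment="LAN bridge"
/interface vlan
add name=vlanA vlan-id=10 interface=bridge
add name=vlanB vlan-id=11 interface=bridge
add name=vlanC vlan-id=12 interface=bridge
add name=vlanD vlan-id=13 interface=bridge
add name=vlanE vlan-id=14 interface=bridge
/ip address
add address=192.168.10.1/24 interface=vlanA
add address=192.168.11.1/24 interface=vlanB
add address=192.168.12.1/24 interface=vlanC
add address=192.168.13.1/24 interface=vlanD
add address=192.168.14.1/24 interface=vlanE

/interface list
add name=WAN
add name=LAN
add name=INTERNET comment="subnets that may reach the internet (A-C)"
/interface list member
add list=WAN interface=ether1
# the ports are bridged, so the firewall sees the vlan interfaces (not the ether ports)
# as in-interface; those are what go in the lists
add list=LAN interface=vlanA
add list=LAN interface=vlanB
add list=LAN interface=vlanC
add list=LAN interface=vlanD
add list=LAN interface=vlanE
add list=INTERNET interface=vlanA
add list=INTERNET interface=vlanB
add list=INTERNET interface=vlanC

# a firewall address list for the "group of IPs" case (here a single printer, but more can be added)
/ip firewall address-list
add list=printers_B address=192.168.11.20 comment="shared printer in subnet B"

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# A-C get internet; D and E are not INTERNET members, so their new connections fall through to the drop
add chain=forward action=accept in-interface-list=INTERNET out-interface-list=WAN comment="internet for subnets A-C"
# LAN-to-LAN exception placed ABOVE the drop: only subnet A, only to the printer, only printing ports
add chain=forward action=accept src-address=192.168.10.0/24 dst-address-list=printers_B protocol=tcp dst-port=9100,631 comment="subnet A to printer in subnet B"
add chain=forward action=drop comment="drop all else"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="defconf: masquerade"
```

The point of pairing in-interface-list=INTERNET with out-interface-list=WAN is that the rule only matches traffic leaving towards the WAN. A rule that matched on in-interface-list=LAN (or a LAN src-address) alone would also accept new connections from one VLAN into another, which is exactly the inter-VLAN traffic the final drop rule is there to stop; the printer rule is the one deliberate exception, and it is scoped to one source subnet, one destination list and two ports.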

anav,

thank you. You provide so much for this forum, and we all love you for that.
Your answers are unique and wholesome.
Yes, I know something about networking and I am familiar with MikroTik devices. I'm trying to understand the flow and what would be the IN and what the OUT interface in my case, and I think we are on the same track about that.
My question was about letting the inner subnet out (IN on the LAN interface, OUT on the WAN interface) and whether that solves my problem (if I'm not specific about the IN and OUT interface, I am just letting everything go through the router in both directions, right?).
Thank you again!

In firewall rules, in-interface is the IP interface which passed the IP packet to the routing/firewall engine. Out-interface is the IP interface which will (most likely) be used to send the IP packet towards its destination.

Pay attention to the difference between interface and port. Sometimes the same “hole in the router” can be both, but there are times when they are not:

  • when using a bridge to create a kind of switch … the default config on multi-port (3 or more) devices that do come with a default config (SOHO MikroTiks). For example, a 5-port device will typically have ether1 configured as the WAN interface, while the rest (ether2-ether5) will be configured as ports of a bridge. In ROS, a bridge has two personalities (read more on this); one is an interface which allows ROS to communicate with the network(s) bridged by the bridge.
    In this case, it will be the bridge interface that is seen as in-interface by the firewall, not the individual ether ports.
  • when using VLANs, one will typically create multiple VLAN interfaces (in /interface vlan), anchored to the same underlying interface (such as a bridge or ether3).
    In this case, it will be one of those VLAN interfaces that is seen as in-interface by the firewall, not the underlying interface.
  • when using any kind of tunnel, such as PPPoE (quite commonly used as an access tunnel by many ISPs), WireGuard or IPsec, which create a virtual interface as the tunnel entry/exit point. In this case, it will be one of those tunnel interfaces that is seen as in-interface by the firewall, not the underlying interface.
  • when interfaces need to be stacked (e.g. the WAN physical port is made a member of a bridge, traffic over that bridge is VLAN tagged and the ISP requires PPPoE … so ether1->bridge->VLAN->pppoe), it will be the “top level” interface that is seen as in-interface by the firewall, not any of the underlying interfaces.

And same goes for out-interface … and likewise for in-interface-list and out-interface-list.

In addition to that, most interface lists have to be created manually. There are a few implicit/automatic interface lists, but experience shows that use of those can bring trouble. There are two interface lists created by the default configuration (WAN and LAN), but they are simply default lists which correspond to the default configuration (ether1 as WAN interface, bridge as LAN interface). If you manually change the default configuration (e.g. add a PPPoE interface on top of ether1), you have to manually update the interface list members as well.
And (more importantly): those names don't reflect any particular use, e.g. the router doesn't know what “LAN” means in the sociological sense used in a particular user's environment. They are only names; they could just as easily be called “statler” and “waldorf” for that matter.
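To make the stacking point concrete: the fragment below is an added example, not mkx's config, of what the default WAN list has to look like once PPPoE is run on top of a VLAN on ether1. The ISP VLAN ID (7), the interface names vlan7-isp and pppoe-out1 and the PPPoE credentials are placeholders assumed for the example.

```routeros
# Added example (not from mkx's post). Assumptions: the ISP delivers PPPoE on VLAN 7 over ether1;
# interface names and PPPoE credentials are placeholders.
/interface vlan
add name=vlan7-isp vlan-id=7 interface=ether1 comment="ISP-side VLAN on the WAN port"
/interface pppoe-client
add name=pppoe-out1 interface=vlan7-isp user=isp-user password=isp-pass add-default-route=yes use-peer-dns=yes disabled=no

# The default config put ether1 in the WAN list. With the stack ether1 -> vlan7-isp -> pppoe-out1
# the firewall sees pppoe-out1 (the top-level interface) as in/out interface, so the list member
# has to be replaced by hand; the list name itself means nothing to the router.
/interface list member
remove [find list=WAN interface=ether1]
add list=WAN interface=pppoe-out1

# Rules keyed on the list now follow the top-level interface; a rule written against
# in-interface=ether1 would never match the PPPoE-carried traffic.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="defconf: masquerade"
/ip firewall filter
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# Checks: the WAN list should hold pppoe-out1 only, and the WAN-keyed rule counters
# should move when traffic arrives from the internet.
/interface list member print where list=WAN
/ip firewall filter print stats
```

The same replacement is needed for the LAN list whenever VLAN interfaces are layered on the bridge: the bridge stays the LAN member only as long as untagged traffic on the bridge is what the firewall actually sees; once each VLAN has its own /interface vlan, those VLAN interfaces are what must be in the list, or rules using in-interface-list=LAN silently stop matching.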

Thanks mkx!