I’ve recently bought a RB4011iGS+ for my home network. I’m using it for my home devices like phones, laptops etc. as well as for my KVM server with 10-20 Linux virtual machines that I create, use and then remove after I’m finished with my exercises, software testing etc. There are servers running on them and they may need to be made available on the outside of my network, so I will be forwarding some ports from time to time.
I have not yet divided my network into VLANs.
The attached diagram shows my home network.
I wish to establish a solid, base firewall to use the router’s potential, not overload it by useless or too many rules and still make it work the way I’d like to.
After reading information on many websites and trying to understand how the firewall filter works, I’ve been trying to merge that information together in a set of rules that I’d like to show below.
I’d also like to ask for any advice about improving it, making it more efficient, removing rules that exclude one another, eliminating useless rules. Anything that looks suspicious to more experienced users.
I’m exploring its features and am trying to learn as much as I can. I still make mistakes.
My suggestion: reset firewall filter rules to the default rule set, it is a very good starting point (pretty safe and pretty high performance) which you decided to throw away. You don’t have to reset the whole device, you can see the default config by running the command /system default-configuration print (make sure the terminal window is wide enough to accommodate whole lines or else they will be truncated).
After you reset the firewall to defaults, you only have to make changes in /ip firewall nat to forward some ports to internal hosts, you don’t have to touch filter rules.
And generally stay away from random on-line tutorials. Most of them are either outdated (ROS evolves), incomplete or are plain wrong.
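Concretely, a port forward under the default rule set looks like this (an added example, not from the thread; the VM address 192.168.88.50, the port numbers and the comment string are assumed values):

```routeros
# Added example: forward TCP 8443 from the Internet to one lab VM.
# Assumptions: the WAN port is in the default "WAN" interface list,
# the VM has LAN address 192.168.88.50 and serves HTTPS on 443.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8443 \
    action=dst-nat to-addresses=192.168.88.50 to-ports=443 \
    comment="lab: forward 8443 -> vm01:443"

# No filter change is needed: the default forward chain ends with
#   drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
# so only connections that matched a dst-nat rule can reach the VM from WAN.
# Add src-address=<your remote IP> to the rule above if only you need access.

# When the VM is deleted, remove the forward again so no stale hole remains.
/ip firewall nat remove [find comment="lab: forward 8443 -> vm01:443"]
```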
In that case what is the source of information I should stick to while learning?
My current configuration came from the default configuration, MUM presentations, Mikrotik wiki and some random online tutorials as this was where I was able to get any information.
This is why I need to polish what I already have. I will also try your suggestion. I appreciate it, thank you.
Your selection of knowledge sources is not entirely wrong, just ditch the “random online tutorials”.
But it’s the order you used which made your config a weird mess. So start off with default config and only change or add things you know you need. And things you understand. Official docs should help you understand how certain settings affect router’s behaviour and performance. And whatever knowledge source you’re using, make sure it is about up-to-date ROS version. That’s true both for MUM presentations (if they’re more than 18 months old, they may not apply any more) and posts in this forum.
While I’m talking about this forum: there are quite a few very friendly, helpful and knowledgeable people around here (a few users are even all of them) and I guess you’ll always get good advice if you describe your problem well enough and give the information needed (which includes an export of the complete settings of the device giving you problems … some people hesitate at this point which leaves them with mediocre advice).
It’s called the tag team assistance approach.
I grab the easy questions and let the others handle the difficult people or difficult cases.
When we are all stuck we call on god Sindy to the rescue.
I also saw some stuff on Udemy. I enrolled for one course, where I got some stuff that was in my rules (MikroTik RouterOS Hardening LABS). I’m not saying it’s bad. I might have gotten something wrong.
Anyway I reverted to default firewall rules, then the whole router, and configured it again. I’ll be adding stuff one by one and testing. Since some servers are going to be available on the Internet, whatever protection the router may be able to give me is welcome.
Sorry for this OT, but I just want to thank you for the tip on how to view the default config for my hAP lite. Now I can recreate the default IPv6 firewall rules that are missing from my setup.