Newbie with firewall - Is there a way of combining rules (fewer is better?)

Hi there,

I’m starting the whole firewalling journey on my RB5009 router. After reading https://forum.mikrotik.com/viewtopic.php?t=180838 and http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 I came up with this for the forward chain and I was wondering if there is an effective way to combine some of the rules (regrouping input VLANs, regrouping DST IPs, etc.).

Any thoughts on this?

Thanks,

D.

You can create interface lists for interfaces that need to be in the same rule condition. Like in your case, a single rule for in-interface vlan30 and an out-interface list with interfaces vlan666, vlan10, vlan20 and vlan99, if all have the same condition for accept (not clear from the screenshot).
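Added example of what that consolidation looks like in RouterOS terms (this is not code from the reply above): the VLAN interface names, the list name VLAN30_TARGETS, the accept policy and the comment of the final drop rule that the new rule is placed before are all assumptions for the illustration.

```routeros
# Added example, not from the original post. Interface names, the list name
# and the "drop all else" comment are assumptions for the illustration.

# One interface list holds every VLAN that vlan30 is allowed to initiate to.
/interface list
add name=VLAN30_TARGETS comment="VLANs that vlan30 may open connections to"
/interface list member
add list=VLAN30_TARGETS interface=vlan10
add list=VLAN30_TARGETS interface=vlan20
add list=VLAN30_TARGETS interface=vlan99
add list=VLAN30_TARGETS interface=vlan666

# Replaces four rules of the form
#   add chain=forward action=accept in-interface=vlan30 out-interface=vlan10
# with one. Because established/related traffic is accepted (or fasttracked)
# earlier in the chain, this single rule is enough for both directions of a
# connection that vlan30 opens; it does NOT let vlan10/20/99/666 open
# connections towards vlan30.
# "add" appends at the end of the chain, so the rule is placed before the
# final drop (assumed to carry the comment "drop all else"), otherwise it is
# never reached.
/ip firewall filter
add chain=forward action=accept in-interface=vlan30 \
    out-interface-list=VLAN30_TARGETS comment="vlan30 -> allowed VLANs" \
    place-before=[find chain=forward comment="drop all else"]

# Checks: list membership, then rule counters after generating some traffic
# from vlan30. Packets/bytes on the new rule should rise, "drop all else"
# should stay flat for that traffic.
/interface list member print where list=VLAN30_TARGETS
/ip firewall filter print stats where chain=forward
```

Adding or removing a VLAN from the allowed set later is then an `/interface list member` edit; the filter rule itself never changes.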

Firewall rule guidelines

  1. Single Subnets → use dst-address or src-address
  2. More than one subnet (whole subnets) → use interface lists
  3. If you have any list that includes a bunch of users (less than a subnet) or users from different subnets (with or without whole subnets), then use a firewall address list.
  4. Exception: for a trusted interface list (home or management VLAN, for example), one subnet is associated with an interface list.

/ip firewall filter
# ---- input chain ----
# default rules to keep
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# admin rules
add action=accept chain=input comment="Config Access" src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
# add this rule last so as not to lock yourself out
add action=drop chain=input comment="drop all else"
# ---- forward chain ----
# default rules to keep
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# user rules
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# ---> ANY ADDITIONAL ALLOW RULES SHOULD GO HERE <---
# example:
add action=accept chain=forward comment="guest subnet to shared printer" src-address=192.168.45.0/24 dst-address=192.168.30.234
# enable if required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
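The rule set above matches on the address list Authorized without showing how it is populated. Added example (not the reply's own code) of guideline 3, an address list for a few management hosts that live in different subnets, together with the rule placement and the checks a first-time firewall builder wants. The addresses, list names, timeout and ports are assumptions; restricting the rule to TCP 22 and 8291 is tighter than the unrestricted "Config Access" rule above.

```routeros
# Added example, not from the original post. Addresses, list names, the
# timeout and the ports are assumptions for the illustration.

# Guideline 3: a handful of hosts, fewer than a subnet and spread over two
# subnets, belong in an address list rather than in one rule per host.
/ip firewall address-list
add list=Authorized address=192.168.99.10 comment="admin laptop, mgmt VLAN"
add list=Authorized address=192.168.10.50 comment="desktop, office VLAN"
# A whole subnet can sit in the same list next to single hosts.
add list=Authorized address=192.168.99.0/24 comment="mgmt VLAN"
# Entries can expire on their own, useful for temporary contractor access.
add list=Authorized address=192.168.20.77 timeout=8h comment="contractor, today only"

# The accept rule matches on the list, not on addresses, so adding a host
# later is a list edit and the rule count stays the same. Limiting it to the
# management ports (ssh, WinBox) is tighter than "Config Access" above.
# "add" would append after "drop all else", so place-before is required.
/ip firewall filter
add chain=input action=accept src-address-list=Authorized protocol=tcp \
    dst-port=22,8291 comment="Config Access (ssh, winbox)" \
    place-before=[find chain=input comment="drop all else"]

# Checks. Do this work in Safe Mode (Ctrl-X in the terminal, or the Safe Mode
# button in WinBox): if the session drops, the changes are rolled back, which
# is the safety net behind "add the input drop rule last".
/ip firewall address-list print where list=Authorized
/ip firewall filter print stats where chain=input
# A rising counter on "drop all else" while you are connected from an
# Authorized host means the accept rule sits below the drop, or the list
# does not contain your address.
```

LAN and WAN in the rule set are interface lists (guidelines 2 and 4), created with `/interface list add name=...` and filled with `/interface list member add list=... interface=...`; the address list here is the per-host counterpart for the cases an interface list cannot express.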