Please add a wiki document on settings to maximize home user privacy.

Please publish an official document giving all the choices which a user can use to minimize the potential for external entities to extract information about the internal network via the router, when a home router is not a gateway to a real network, and instead is just a home device.

In no small part, its because frankly I don’t trust a number of very large companies not to do all sorts of monkey business.

But, don’t get me wrong, you are doing quite well. I’ve also learned a tremendous amount here and I have not hesitated to recommend your products very highly to others.

It doesn’t work like that. None of the internal network info is exposed through the router using the default config.

Besides, what kind of info do you think is being exposed? and what kind of “monkey business” do you think companies can do with it?

First, Mikrotik routers with the latest RouterOS and firmware appear already very private and have a high security potential. The default is nothing available on the WAN and no responses except to pings. Even penetration tools like nmap will find no WAN leaks with all conventional scans.

If your router is Internet facing, I recommend disabling the default ICMP accept IP Firewall Filter rule. This disables you responding to pings, which should be completely unnecessary on the Internet for almost any possible situation. They must leave that rule in place by default because most business routers are placed facing a non-Internet network.

Second, there is already the Mikrotik Securing Your Router wiki page for both security tips and further hardening, though it is not updated with the latest commands for the current RouterOS (6.41.3), if you literally type them all out manually. It is easier to use the interface.

Some hardening settings that are missing or not up to date:

/tool romon set enabled=no
/tool bandwidth-server set enabled=no 
/ip neigbhor discovery-settings set discovery-interface-list=none

Much of the same information is available here.

Also, be careful where you keep your router backups. Like many devices and computer files that can store user information, they must be treated with some respect and kept somewhere secure.

Once you follow those instructions - which include basic instructions like disabling all services and interfaces you do not use (best is to leave only ssh or/and winbox available), different admin account + strong password - you are far more secure and private than the overwhelming majority of all router installations, both externally and internally.

Keep the router up to date and with the additional huge set of features these routers support well beyond consumer routers, including VLANs, you can make yourself as or even more secure than many entire businesses. You just have to be willing to put a little work in and find the information you need - after all, these devices are sold to networking professionals.

Squeeze, thank you, yes, this was my experience too running nmap from the outside. Also bit by bit I discovered what you suggested pretty much all of it. Your advice is good.

Can you think of any reason why some big sites accuse me of having “unusual traffic from my IP” when I have not done anything wrong, do not run any automated scripts and this happens even when my IP has changed, and when I unblock cookies from tracking sites. (which I usually block) It started a few months ago, before I bought the Mikrotik, so I dont think its its fault, either.

Thank you.

The traffic could always be coming from inside your network, infected webcam, or virus in windows … Just a possibility.
If nmap from internet side shows no open ports, the router is not the cause then.