please post firewall?

I’m new to the CCR1016-12S-1S+.

I got the WAN working, then realized that there were NO fw rules. So, I put some basic ones in. Setting up a basic small WISP.

Does anyone want to put in a sample of their CLI fw rules (with notes) so that I can study it?

Thanks
-Richard

Below are the default Mikrotik firewall rules.

IPv4 Rules

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade ipsec-policy=out,none out-interface-list=WAN

IPv6 Default Rules and Address List

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

See also “The DEFACTO DEFAULT FIREWALL Setup”:
https://forum.mikrotik.com/viewtopic.php?t=180838

OMG … it’s like …

I’ve just learned how to slice the baked chicken and realized that it has no hands and the knees bend to the back, not to the front … could you provide me more info and notes on how to cook it better? Setting up a small restaurant.

How is an ISP admin with pfSense and other brands’ experience not able to find proper info?

To be fair.. pfSense firewalls are a completely different animal.

-Richard

Outstanding! Thank you for this kind reply so that I can ‘digest’.

-Richard

not much to digest here - these are the defconf FW rules on a RB
CCR/CRS are shipped with no default config!

PLEASE, for [insert something here] sake - get familiar and get GOOD with MikroTik, routing and firewalling before playing (W)ISP
trying out your plans/ideas/setups in a virtual or lab environment beforehand would be a good “green field” practicing ground tbh.
for example EVE-NG

What exactly do you think I’m doing?? I’ve set up a lab! I’m getting familiar with Mikrotik. I’m getting familiar with routing, firewalling, and VLANs… before as you say, “playing WISP”.. whatever the [insert something here] that means??

I swear.. open mouth, insert foot kind of guy I see. I got my examples (From others here thanks) that I can study now.. It was a simple question, please just go away and troll someone else now.

-Richard

well, excuse me, i did not know you were working this out in a lab.

whatever you meant with “open mouth, insert foot kind of guy I see”
no trolling intended or whatsoever. xD

the default firewall rules (for RB devices) are in the wiki and help pages anyway. everything else is mostly case-specific, just saying.

anyway, good luck

@borg357
Everything that has been written is perfectly useless…
It is not enough to take a small piece of something to understand everything.

Before “something”, for example, you first need to understand what the interface groups are that are written into the firewall.

If you copy & paste (regardless if you understand the rules, or not) it’s absolutely useless if you don’t first create the groups and configure everything else.

So first everything else needs to be configured well before worrying about the firewall.

And about the WISP comment of other users,
obviously if you write

Setting up a basic small WISP

it is logical that others think, “here’s another novice who can’t even configure a firewall himself”,
given the example of other WISPs who don’t know what they’re doing…
he certainly didn’t want to be offensive to you, but it was an obvious concern that another ass–le doesn’t go “up in the air”…

I’m NOT copying and pasting. I have discovered that I can digest and understand more while looking at exports. In fact, even as I understand basic concepts such as In and Out.. by doing my own exports and looking at them in a text editor, it helps me understand even more about what’s going on even after I set up my own router. Perhaps that’s something about the way my mind works, or the programmer in me, or maybe something else.

I asked simply about posting some firewall examples… I didn’t need assumptions about me not setting up a lab (which was assumed incorrectly), or comments about working with a WISP from people who have NO understanding of my capabilities, or any other comments. Simply just move on if you can’t provide the answer, which is a copy and paste on your end.

Sorry to be snarky, but this was simply a pretty straightforward example of looking at other people’s firewalls in pure export format, nothing more needs to be assumed about it.

:question:

Since no one is perfect and anyone can make mistakes no matter how experienced,
I don't think other ISPs give you "a copy of their own house keys", if you allow the ANALogy :laughing:
Take us less seriously, you're among friends and as–les...

Seriously now:
The concept must be: starting from the default one, BLOCK EVERYTHING and allow only what is necessary...
NEVER block ICMP for no reason (except big/large fragmented ICMP that is surely not Path MTU Discovery...)
Prevent IP spoofing from being generated on your side, and do not accept spoofed packets.

Take a look here

But it is all useless if you do not provide public IPs on your LAN.

And there

But a butcher is a butcher.