Review of PPPoE and Firewall rules for improvements

I have been configuring my Mikrotik for three years, but I can’t tell if I left any gaps, because I’m not a super expert in Mikrotik. I would like to know if the community can help me check if I did stupid things, if I can improve anything else, or remove some kind of unwanted conflict in configurations that I have made.

Premises:
1 - My ether2 port is connected as a DHCP client (to get internet from the modem).
2 - I have a PPPoE server on ether3;
3 - I have a VPN configured with IPsec/IKEv2, but sometimes I disable it and use the VPN from my OPNsense (a new server that I set up).

I don’t want anyone to work for me, I just want criticism about my work as a networking student.

Rules general IP:

# 2025-05-11 13:47:46 by RouterOS 7.18.2
# software id = XHA8-7FTF
#
# model = RB760iGS
# serial number = DX50XE76XA6X
/ip firewall layer7-protocol
add comment=SOLUCAO1 name=CVE-2023-28771 regexp="\";bash -c \\\"curl [0-9]+\\\
    \\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\t \\\\| sh\\\";echo -n\""
add comment=SOLUCAO2 name=CVE-2023-28771-2 regexp=\
    "\";bash -c \"curl [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]"
/ip ipsec policy group
add name="Grupo IPsec VPN"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256,3des hash-algorithm=sha256 name="Perfil IPsec VPN"
/ip ipsec peer
add exchange-mode=ike2 name="Peer IPsec VPN" passive=yes profile=\
    "Perfil IPsec VPN"
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name="IPsec VPN" \
    pfs-group=none
/ip pool
add name=PPPoE-Remoto ranges=10.80.80.0/24
add name="Pool VPN" ranges=10.80.88.0/24
/ip ipsec mode-config
add address-pool="Pool VPN" name="IPsec VPN"
/ip smb users
set [ find default=yes ] disabled=yes
add name=admin
/ip address
add address=10.0.0.1 interface=Loopback network=10.0.0.1
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add interface=ether2
/ip dns
set allow-remote-requests=yes cache-max-ttl=3d cache-size=6120KiB \
    query-server-timeout=4s query-total-timeout=15s servers=\
    8.8.4.4,8.8.8.8,1.1.1.1
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
add address=10.80.88.0/24 list=permitidos
add address=192.168.10.0/24 list=permitidos
add address=10.80.80.0/24 comment="Rede interna - PPPOE" list=clientes
add address=10.0.8.0/24 list=permitidos
add address=8.8.4.4 comment=DNS list=dns
add address=8.8.8.8 list=dns
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=strict tcp-syncookies=yes
/ip firewall filter
add action=accept chain=input comment=\
    "Permitir respostas estabelecidas e relacionadas" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Permitir acesso dos clientes - DNS interno" dst-address=192.168.10.254 \
    dst-port=53 protocol=udp src-address-list=clientes
add action=drop chain=input comment="Pacotes Inv\C3\A1lidos" \
    connection-state=invalid
add action=drop chain=input comment="Bloquear ICMP externo" protocol=icmp \
    src-address-list=!permitidos tcp-flags=""
add action=drop chain=input comment="Violou a porta" in-interface=ether2 \
    src-address-list=violou
add action=add-src-to-address-list address-list=violou address-list-timeout=\
    30m chain=input comment="Tentativa de acesso em portas incorretas" \
    connection-state=new dst-port=!81 in-interface=ether2 protocol=tcp \
    src-address-list=!permitidos
add action=drop chain=input comment="Drop winbox brute forcers" dst-port=81 \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=3w4d chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    in-interface=ether2 protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=3w4d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=input content="530 Login incorrect" \
    protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Solu\C3\A7\C3\A3o: https://packetstormsec\
    urity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Cod\
    e-Execution.html" dst-port="" layer7-protocol=CVE-2023-28771-2 log=yes \
    protocol=udp
add action=accept chain=input comment=\
    "(Desativado) - Migrado para OPENVPN Permitir conexoes IPSEC/IKE2" \
    dst-port=500,4500 protocol=udp src-port=""
add action=accept chain=forward comment="Aceitar pol\C3\ADtica em IPSEC" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "Aceitar a pol\C3\ADtica IPSEC - Saida de banda pela Mikrotik" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="Scanner de portas" src-address-list=\
    port_scanners
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1h chain=input protocol=tcp psd=8,3s,3,2
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1h chain=input protocol=udp psd=8,3s,3,2
add action=jump chain=forward comment="Protect DDOS" connection-state=new \
    jump-target=detect-ddos
add action=return chain=detect-ddos comment="Default - Rate: 32, Burst: 48" \
    dst-limit=48,64,src-and-dst-addresses/10s
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=30m chain=detect-ddos
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=30m chain=detect-ddos
add action=log chain=detect-ddos log-prefix="DDoS Detected: " \
    src-address-list=ddos-attackers
add action=log chain=forward comment="SPAMMERS LOG" log-prefix=SMTP \
    src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    10m chain=forward comment="AntiSPAM o AntiWORM" connection-limit=20,32 \
    dst-port=465 protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    10m chain=forward connection-limit=20,32 dst-port=25 protocol=tcp
add action=drop chain=forward dst-port=465 protocol=tcp src-address-list=\
    spammer
add action=drop chain=forward dst-port=25 protocol=tcp src-address-list=\
    spammer
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment="SYN Flood protect" \
    connection-limit=400,32 protocol=tcp
add action=tarpit chain=input comment="SYN Flood protect" connection-limit=\
    3,32 protocol=tcp src-address-list=blocked-addr
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop acesso externo ao DNS - UDP" \
    dst-port=53 protocol=udp src-address-list=!clientes
add action=drop chain=input comment="Drop acesso externo ao DNS - TCP" \
    dst-port=53 protocol=tcp src-address-list=!clientes
add action=accept chain=input comment=\
    "Experimental para desabilitar \r\
    \n\"Allow Remote DNS\"" disabled=yes dst-port=53 protocol=udp \
    src-address-list=clientes
add action=drop chain=forward comment=\
    "Bloquear acesso dos clientes - LAN interna" connection-state=!related \
    dst-address=192.168.10.0/24 log=yes log-prefix="Block lan network" \
    src-address-list=clientes
add action=log chain=input disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Link 2" out-interface=ether2
add action=redirect chain=dstnat comment=\
    "Redirecionamento UDP para DNS cache" disabled=yes dst-port=53 \
    in-interface=!ether2 protocol=udp to-ports=53
add action=redirect chain=dstnat comment=\
    "Redirecionamento TCP para DNS cache" disabled=yes dst-port=53 \
    in-interface=!ether2 protocol=tcp to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment=Anti-ddos dst-address-list=\
    ddos-targets src-address-list=ddos-attackers
add action=drop chain=prerouting comment="Firewall para clientes banda larga" \
    protocol=udp src-port=19,25,1900,11211
add action=drop chain=prerouting protocol=tcp src-port=19,25,1900,11211
add action=drop chain=prerouting dst-port=19,25,1900,11211 protocol=udp
add action=drop chain=prerouting dst-port=19,25,1900,11211 protocol=tcp
add action=drop chain=prerouting comment=\
    "https://research-scan.sysnet.ucsd.edu/: 169.228.66.212" src-address=\
    169.228.66.212
add action=drop chain=output comment="Bloquear o trafego de sa\C3\ADda" \
    src-address=169.228.66.212
add action=drop chain=prerouting comment="Clientes inadimplente" \
    src-address-list=Bloqueado
/ip ipsec identity
add auth-method=digital-signature certificate="Server VPN" comment=\
    "Identidade Ipsec dos usuarios da VPN" generate-policy=port-strict \
    match-by=certificate mode-config="IPsec VPN" peer="Peer IPsec VPN" \
    policy-template-group="Grupo IPsec VPN" remote-certificate=\
    "Certificado Cliente"
/ip ipsec policy
set 0 disabled=yes
add comment="Politicas do IPsec VPN" group="Grupo IPsec VPN" proposal=\
    "IPsec VPN" template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox port=81
set api-ssl disabled=yes
/ip smb
set domain=Archives
/ip smb shares
set [ find default=yes ] directory=/flash/pub
add directory=Mikrotik disabled=yes name=Mikrotik
/ip ssh
set strong-crypto=yes

Rules interface:

# 2025-05-11 13:48:37 by RouterOS 7.18.2
# software id = XHA8-7FTF
#
# model = RB760iGS
# serial number = DX50XE76XA6X
/interface bridge
add dhcp-snooping=yes name=Loopback port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] comment="Link 2 - DHCP"
set [ find default-name=ether3 ] comment="Link 3 - Servidor PPPoE"
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" disabled=yes
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface detect-internet
set detect-interface-list=all
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:49:4B:8B:2B:89 name=ovpn-server1
/interface pppoe-server server
add authentication=chap,mschap1,mschap2 disabled=no interface=ether3 max-mru=\
    1480 max-mtu=1480 one-session-per-host=yes service-name="Rota 3"
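An added example, not part of the original post: the IPsec profile and proposal from the export above, followed by a tightened version. As exported, the IKE profile still offers 3DES, the ESP proposal still accepts SHA-1 for integrity, and the child SA has no PFS; and since the input rule for UDP 500/4500 is still enabled despite its "(Desativado)" comment, the IKE responder is reachable from the internet with exactly these settings. The assumption behind the second half is that the VPN clients support AES-256, SHA-256 and a DH group for PFS; the `pfs-group` line is the first one to relax if a built-in OS client refuses to connect.

```routeros
# As exported (names kept): 3DES offered in IKE, SHA-1 accepted for ESP, no PFS.
/ip ipsec profile
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,3des \
    hash-algorithm=sha256 name="Perfil IPsec VPN"
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name="IPsec VPN" pfs-group=none

# Tightened in place (assumption: every client supports these):
#  - IKE: AES-256 only, SHA-256, DH modp2048 (ecp256 is also fine if the clients have it)
#  - ESP: AES-256-GCM preferred, AES-256-CBC with SHA-256 as fallback, no SHA-1
#  - PFS on the child SA, so compromise of the IKE SA keys does not expose the ESP keys
/ip ipsec profile
set [ find name="Perfil IPsec VPN" ] enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal
set [ find name="IPsec VPN" ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm,aes-256-cbc \
    pfs-group=modp2048
```

After the change, `/ip ipsec active-peers print` and `/ip ipsec installed-sa print` show what was actually negotiated with each client, and `/log print where topics~"ipsec"` shows the proposal mismatch if a client no longer connects.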

/interface detect-internet
set detect-interface-list=all

Rule #5:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1

A related thread:
http://forum.mikrotik.com/t/does-detect-internet-actually-do-anything/143971/1

/interface bridge
add dhcp-snooping=yes name=Loopback port-cost-mode=short

Rule #6:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1
Related thread:
http://forum.mikrotik.com/t/bridge-auto-mac-issue/162131/1
(but yours is seemingly empty, so not a problem, though maybe a bridge with no interfaces in it is unneeded)

Mind you, those settings (or non-settings) are not “wrong” in an absolute sense, but they are known to potentially become a source of issues.

Thank you. I will check your suggestions and make improvements.

It is vital that you ask your provider to protect you from (true) DDoS, because you yourself have configured the device so that after a few minutes of DDoS the system crashes due to exhausted memory.

The firewall is terrible and the choice to block ICMP is also terrible.

Not to mention uselessly protecting the router from attacks valid only for Zyxel routers…

And to top it off, your router is accessible from the entire world, especially now that you have published the cloud address and how the router is currently configured…
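An added example, not from the post above: the pattern being criticized, taken from the export, beside an input chain in the style of the default configuration. In the export, any new TCP connection from ether2 to a port other than 81 creates a 30-minute entry in the "violou" list (and "port_scanners", "winbox_stage1/2", "ssh_stage1/2" and "ddos-attackers" work the same way); a packet with a spoofed source costs the sender nothing, so a flood makes those lists grow until memory runs out. In the replacement an unwanted packet is simply dropped and leaves no list entry and no log line behind. Assumed: an interface list named "WAN" containing ether2 (the export uses no interface lists); "permitidos" and "clientes" are the address lists already in the export.

```routeros
# From the export: a stranger's SYN creates state on the router, keyed on a source address
# that the stranger chooses.
/ip firewall filter
add action=add-src-to-address-list address-list=violou address-list-timeout=30m \
    chain=input connection-state=new dst-port=!81 in-interface=ether2 protocol=tcp \
    src-address-list=!permitidos
add action=drop chain=input in-interface=ether2 src-address-list=violou

# Replacement (assumed interface list "WAN" = ether2). Everything not explicitly allowed
# is dropped by the last rule; nothing an unauthenticated packet does adds state.
/interface list
add name=WAN
/interface list member
add interface=ether2 list=WAN
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="management only from the permitidos networks" \
    src-address-list=permitidos
add action=accept chain=input comment="router DNS for PPPoE clients" dst-port=53 \
    protocol=udp src-address-list=clientes
add action=accept chain=input comment="IKEv2, keep only while the IPsec VPN is in use" \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment="ESP for IPsec clients that are not behind NAT" \
    protocol=ipsec-esp
add action=drop chain=input comment="drop everything else"
```

With the final drop in place, WinBox, SSH and FTP are unreachable from the WAN before any login attempt happens, so the brute-force stage lists have nothing left to count and can go; the two explicit "drop external DNS" rules become redundant for the same reason. Spoofing of the "permitidos" sources from the WAN side is handled by `rp-filter=strict`, which the export already sets, as long as those networks are routed through other interfaces.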

Thanks @rextended, you are known in the community for analyzing complicated problems, I will take your statements into consideration.

The memory problem can be solved by simply doing the drop action instead of saving and then dropping whoever is on the list in memory; it makes sense. I was naive when I created it and wanted to know the origin of whoever was consulting my Mikrotik. I kept the rule because I thought it was convenient.

I only have two questions now:
1- Why is blocking ICMP a bad idea?
2- Is the problem the Mikrotik firewall or my firewall rules?

Your config, aka firewall rules, is a complete waste of time; it's like you decided "I am going to focus on blocking everything I can think of or read about or saw a YouTube video about" and never asked the question: do I really need to do this?
Or WHY doesn't the basic firewall set of rules that MT provides, which is perfectly adequate for a single-bridge, one-flat-network setup, include all the crap you added??
++++++++++++
KISS as in life is applicable on the MT Config and firewall rules.

Ok, @anav and @rextended. Most of the rules that currently exist I applied according to some security requirements provided by Mikrotik:
https://help.mikrotik.com/docs/spaces/ROS/pages/28606504/DDoS+Protection
https://help.mikrotik.com/docs/spaces/ROS/pages/268337176/Bruteforce+prevention

I am currently consulting a basic rules manual published by @rextended: http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4

Currently, my original firewall is an OPNsense, which is millions of times easier to configure than Mikrotik. Sometimes I leave Mikrotik in the DMZ for experiments.

I have been studying Mikrotik for 2 years, but my focus is actually on algorithms, competitive programming and machine learning. I may have made some mistakes in the network configurations. For this reason, I am asking for the community’s opinion to mature my knowledge about firewall rules and general settings of my device.
I find it curious that you have so much to criticize, but do not provide adequate guidance on the problems implicit in the implementation. Even so, I respect you both, as you are community entities. You have already helped in many problem corrections.
Even so, I would like you to be clearer about the firewall rules, I am studying the most recommended ones that have been published in the community.

I’ve just implemented most of @rextended’s advice and I see that I have a lot to learn.
Sometimes I forget that networking is about thinking about the relationships between parts in a more general way. I haven’t removed the previous rules or implemented interface lists yet, but I’ll do that by tomorrow.
Currently the firewall rules look like this (I know, a mess):

# 2025-05-15 00:35:23 by RouterOS 7.18.2
# software id = XHA8-7FTF
#
# model = RB760iGS
# serial number = DX50XE76XA6X
/ip ipsec policy group
add name="Grupo IPsec VPN"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256,3des hash-algorithm=sha256 name="Perfil IPsec VPN"
/ip ipsec peer
add exchange-mode=ike2 name="Peer IPsec VPN" passive=yes profile=\
    "Perfil IPsec VPN"
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name="IPsec VPN" \
    pfs-group=none
/ip pool
add name=PPPoE-Remoto ranges=10.80.80.0/24
add name="Pool VPN" ranges=10.80.88.0/24
/ip ipsec mode-config
add address-pool="Pool VPN" name="IPsec VPN"
/ip smb users
set [ find default=yes ] disabled=yes
add name=admin
/ip address
add address=10.0.0.1 interface=Loopback network=10.0.0.1
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add interface=ether2
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d cache-size=6120KiB \
    query-server-timeout=4s query-total-timeout=15s servers=\
    8.8.4.4,8.8.8.8,1.1.1.1
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
add address=10.80.88.0/24 list=permitidos
add address=192.168.10.0/24 list=permitidos
add address=10.80.80.0/24 comment="Rede interna - PPPOE" list=clientes
add address=10.0.8.0/24 list=permitidos
add address=8.8.4.4 comment=DNS list=dns
add address=8.8.8.8 list=dns
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=strict tcp-syncookies=yes
/ip firewall filter
add action=accept chain=input comment=\
    "Permitir respostas estabelecidas e relacionadas" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=fasttrack-connection chain=forward comment=\
    "Permitir respostas estabelecidas e relacionadas" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Permitir respostas estabelecidas e relacionadas" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "Permitir acesso dos clientes - DNS interno" dst-address=192.168.10.254 \
    dst-port=53 protocol=udp src-address-list=clientes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether2
add action=drop chain=input comment="Bloquear ICMP externo" disabled=yes \
    protocol=icmp src-address-list=!permitidos tcp-flags=""
add action=drop chain=input comment="Violou a porta" in-interface=ether2 \
    src-address-list=violou
add action=add-src-to-address-list address-list=violou address-list-timeout=\
    30m chain=input comment="Tentativa de acesso em portas incorretas" \
    connection-state=new dst-port=!81 in-interface=ether2 protocol=tcp \
    src-address-list=!permitidos
add action=drop chain=input comment="Drop winbox brute forcers" dst-port=81 \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=3w4d chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    in-interface=ether2 protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=3w4d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=input content="530 Login incorrect" \
    protocol=tcp src-address-list=!permitidos
add action=drop chain=input comment="Solu\C3\A7\C3\A3o: https://packetstormsec\
    urity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Cod\
    e-Execution.html" dst-port="" layer7-protocol=CVE-2023-28771-2 log=yes \
    protocol=udp
add action=accept chain=input comment=\
    "(Desativado) - Migrado para OPENVPN Permitir conexoes IPSEC/IKE2" \
    dst-port=500,4500 protocol=udp src-port=""
add action=accept chain=forward comment="Aceitar pol\C3\ADtica em IPSEC" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "Aceitar a pol\C3\ADtica IPSEC - Saida de banda pela Mikrotik" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="Scanner de portas" src-address-list=\
    port_scanners
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1h chain=input protocol=tcp psd=8,3s,3,2
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1h chain=input protocol=udp psd=8,3s,3,2
add action=jump chain=forward comment="Protect DDOS" connection-state=new \
    jump-target=detect-ddos
add action=return chain=detect-ddos comment="Default - Rate: 32, Burst: 48" \
    dst-limit=48,64,src-and-dst-addresses/10s
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=30m chain=detect-ddos
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=30m chain=detect-ddos
add action=log chain=detect-ddos log-prefix="DDoS Detected: " \
    src-address-list=ddos-attackers
add action=log chain=forward comment="SPAMMERS LOG" log-prefix=SMTP \
    src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    10m chain=forward comment="AntiSPAM o AntiWORM" connection-limit=20,32 \
    dst-port=465 protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    10m chain=forward connection-limit=20,32 dst-port=25 protocol=tcp
add action=drop chain=forward dst-port=465 protocol=tcp src-address-list=\
    spammer
add action=drop chain=forward dst-port=25 protocol=tcp src-address-list=\
    spammer
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment="SYN Flood protect" \
    connection-limit=400,32 protocol=tcp
add action=tarpit chain=input comment="SYN Flood protect" connection-limit=\
    3,32 protocol=tcp src-address-list=blocked-addr
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop acesso externo ao DNS - UDP" \
    dst-port=53 protocol=udp src-address-list=!clientes
add action=drop chain=input comment="Drop acesso externo ao DNS - TCP" \
    dst-port=53 protocol=tcp src-address-list=!clientes
add action=accept chain=input comment=\
    "Experimental para desabilitar \r\
    \n\"Allow Remote DNS\"" disabled=yes dst-port=53 protocol=udp \
    src-address-list=clientes
add action=drop chain=forward comment=\
    "Bloquear acesso dos clientes - LAN interna" connection-state=!related \
    dst-address=192.168.10.0/24 log=yes log-prefix="Block lan network" \
    src-address-list=clientes
add action=log chain=input disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Link 2" out-interface=ether2
add action=redirect chain=dstnat comment=\
    "Redirecionamento UDP para DNS cache" disabled=yes dst-port=53 \
    in-interface=!ether2 protocol=udp to-ports=53
add action=redirect chain=dstnat comment=\
    "Redirecionamento TCP para DNS cache" disabled=yes dst-port=53 \
    in-interface=!ether2 protocol=tcp to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment=Anti-ddos dst-address-list=\
    ddos-targets src-address-list=ddos-attackers
add action=drop chain=prerouting comment="Firewall para clientes banda larga" \
    protocol=udp src-port=19,25,1900,11211
add action=drop chain=prerouting protocol=tcp src-port=19,25,1900,11211
add action=drop chain=prerouting dst-port=19,25,1900,11211 protocol=udp
add action=drop chain=prerouting dst-port=19,25,1900,11211 protocol=tcp
add action=drop chain=prerouting comment=\
    "https://research-scan.sysnet.ucsd.edu/: 169.228.66.212" src-address=\
    169.228.66.212
add action=drop chain=output comment="Bloquear o trafego de sa\C3\ADda" \
    src-address=169.228.66.212
add action=drop chain=prerouting comment="Clientes inadimplente" \
    src-address-list=Bloqueado
/ip ipsec identity
add auth-method=digital-signature certificate="Server VPN" comment=\
    "Identidade Ipsec dos usuarios da VPN" generate-policy=port-strict \
    match-by=certificate mode-config="IPsec VPN" peer="Peer IPsec VPN" \
    policy-template-group="Grupo IPsec VPN" remote-certificate=\
    "Certificado Cliente"
/ip ipsec policy
set 0 disabled=yes
add comment="Politicas do IPsec VPN" group="Grupo IPsec VPN" proposal=\
    "IPsec VPN" template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox port=81
set api-ssl disabled=yes
/ip smb
set domain=Archives
/ip smb shares
set [ find default=yes ] directory=/flash/pub
add directory=Mikrotik disabled=yes name=Mikrotik
/ip ssh
set strong-crypto=yes

It is written everywhere, and in any case the Linux kernel already prevents its abuse; therefore, apart from particular cases (which I do not want to talk about so as not to confuse), it should always be allowed for correct MTU negotiation.


The default rules are apparently perfect.
So far no one has ever proven otherwise, for normal use.

You can get advice on the forum, but if you are looking for teachers it is not the right option.

If you are looking for help, start from the default and then ask how to do this or that specifying how the network is configured and the requirements.
It’s easier than waiting for something already done to be corrected.
At most, the critical issues are highlighted in what has already been done.
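An added example to go with the ICMP answer above; it is not part of the reply. The first rule is the one from the export that the question is about; the second is what the default configuration does; the third is a narrower variant for anyone who still wants to limit pings, written so that the messages path-MTU discovery and traceroute depend on are never dropped. This matters with a PPPoE server at MTU 1480: hosts on both sides learn the smaller MTU only from "fragmentation needed" (type 3, code 4) messages, and a flat ICMP drop on input also discards the ones addressed to the router's own connections. The limit values are assumptions; the ICMP chain goes after the established/related accept, so ICMP errors that belong to tracked connections already pass before it.

```routeros
# From the export: drops echo requests AND every ICMP error whose source is outside "permitidos".
/ip firewall filter
add action=drop chain=input comment="Bloquear ICMP externo" protocol=icmp \
    src-address-list=!permitidos

# What the default configuration does: accept it; the kernel rate-limits its own replies.
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

# Narrower variant (assumed limits): keep the control messages, only throttle echo-request.
# RouterOS limit syntax is rate,burst:mode; packets above the rate fall through to the drop.
/ip firewall filter
add action=jump chain=input comment="ICMP to its own chain" jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="fragmentation needed (PMTUD)" icmp-options=3:4 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp comment="time exceeded (traceroute)" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="echo request, limited" icmp-options=8:0 \
    limit=20,5:packet protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=drop chain=icmp comment="remaining ICMP"
```

A quick check that the result is right: from a host on the far side of the PPPoE link, `ping -M do -s 1472 <internet host>` (Linux) must come back with "Frag needed" rather than silence, and `traceroute` must show every hop including the router.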

There are basically three “groups” of people on the MikroTik forum with diverging opinions regarding firewall rules; let’s see if I can explain how I see the situation.

The first one, that we will call for simplicity “the rextenders” :wink:, believe that the default firewall rules that Mikrotik provides for SoHo devices are good in 99.99% of normal user cases and can (at the most, and only in particular cases) be integrated by a handful of specific targeted rules.

The second, that we will call for simplicity “the anavites” :open_mouth:, believe that the default firewall rules that Mikrotik provides for SoHo devices are good for the most part, but the last rule in the forward chain MUST be a “drop all else” one (which implies that just before it a number of explicit, narrowly targeted rules need to be inserted to explicitly allow whatever is desired to pass).

The third, that we will call for simplicity “the others”, believe that they can put together a better firewall on the base of their own ignorance :laughing: (built up on viewing YouTube videos, reading the - seriously lacking - Mikrotik documentation, or asking for advice from ChatGPT and similar).

While there can be debate on whether the first or second group is “more right” than the other, the third group appears to invariably produce something that is almost, but not quite, completely unlike a valid set of firewall rules.

Which brings us back to the Rules of Mikrotik Club, specifically #8:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1
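An added example of the "second group" approach described above, not part of the post: the default forward chain, unchanged, followed by explicit allows and a final drop, adapted to the topology in this thread (WAN on ether2, PPPoE server on ether3, a 192.168.10.0/24 LAN with DNS at .254). Assumptions, since the export has no interface lists and does not show the PPP profile: lists named "WAN", "LAN" and "PPPOE"; the PPPoE server uses the default PPP profile, whose `interface-list` setting puts each dynamic `<pppoe-...>` interface into "PPPOE" on connect; and whichever interface carries 192.168.10.0/24 is added to "LAN" (that line is left for the reader, since the export does not say which port it is).

```routeros
# Assumed lists (the export has none). Dynamic PPPoE interfaces join "PPPOE" automatically
# through the PPP profile; add the interface carrying 192.168.10.0/24 to "LAN" yourself.
/interface list
add name=WAN
add name=LAN
add name=PPPOE
/interface list member
add interface=ether2 list=WAN
/ppp profile
set [ find default=yes ] interface-list=PPPOE

/ip firewall filter
# Default forward chain, kept as-is and in this order (ipsec rules must precede fasttrack).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Explicit allows: name every kind of connection that may start, and nothing else.
add action=accept chain=forward comment="LAN to internet" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="PPPoE clients to internet" \
    in-interface-list=PPPOE out-interface-list=WAN
add action=accept chain=forward comment="PPPoE clients to the internal DNS only" \
    dst-address=192.168.10.254 dst-port=53 in-interface-list=PPPOE protocol=udp
# Optional: keep the visibility the original "Block lan network" rule gave.
add action=drop chain=forward comment="PPPoE clients to LAN, logged" \
    in-interface-list=PPPOE log=yes log-prefix="Block lan network" out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
```

The point of the last rule is that the earlier per-network block rule (the one with `connection-state=!related` and `dst-address=192.168.10.0/24` in the export) is no longer what keeps PPPoE customers out of the LAN; they are kept out because nothing allows them in, which also covers networks added later that nobody remembered to block. Before adding the final drop, `/ip firewall filter print stats` over a day of normal use is the easiest way to see which explicit allows are still missing.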

@jaclaz, @anav and @rextended

I understand the idea, it’s as if I had created my firewall rules in a very imperative way, thinking about specific cases, instead of thinking about more general cases. This makes my firewall simpler, without the need to add blocking rules for cases that I hadn’t thought of before.

I managed to understand @rextended idea, since I have already implemented most of the rules and disabled others, but I’m still studying @jaclaz case.

By next week, I should have done all the new configuration, so I’ll republish it here and accept new suggestions about the work.

Hahah, love the explanation jaclaz, but I agree with rextended that the default rules for a single bridge and flat network are just fine (a very narrow set of initial circumstances)!!
As soon as one starts changing the config, the default rules can usually be better optimized to fit the changes.