Roast My Firewall

Guccio · January 15, 2025, 8:57am

Hi. I am not new to Mikrotik, but I am low on the knowledge spectrum. I have attached my Frankenstein of a firewall setup. Can you identify anything here that is wrong, faulty, counterintuitive, and or redundant? I am using PPPoE from my ISP for a 10gig line. This is a home setup.

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.13.2-192.168.13.254 list=allowed_to_router
add address=192.168.26.2-192.168.26.254 list=allowed_to_router

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.13.0/24 comment=VL1 list=nolanip
add address=192.168.26.0/24 comment=VL1 list=nolanip

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related,untracked
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid

add action=accept chain=forward protocol=tcp dst-port=25565 in-interface=EO-Hikari comment="Allow Minecraft server traffic"

add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=EO-Hikari log=yes log-prefix=!public_from_LAN out-interface=sfp-sfpplus2-LAN
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=EO-Hikari log=yes log-prefix=!NAT
add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=EO-Hikari log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=sfp-sfpplus2-LAN log=yes log-prefix=LAN_!LAN src-address-list=!not_in_internet

anav · January 15, 2025, 2:47pm

cannot comment as I dont know what the rest of your config looks like. As a new person be aware that the config is interrelated and parsing out bits is not exactly useful.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, long dhcp lease lists)

Guccio · January 16, 2025, 5:52am

Thanks! I have uploaded the output and I believe I cleared anything dangerous.
toasty.rsc (4.97 KB)

johnson73 · January 16, 2025, 9:06am

Input chain is missing some entries. Add ‘‘drop invalid connection’’, add dns53 port permission only for internal network.
You have a lot of mix in Forward section. Use the method that states ‘‘deny everything that is not allowed’’ at the end. It will be more correct.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip firewall address-list
add address=192.168.13.0/24 list=allowed_to_router
add address=192.168.26.0/24 list=allowed_to_router

/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
add action=accept chain=input comment="ICMP" 
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input in-interface-list=LAN \
    src-address-list=allowed_to_router
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=Fatsttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop everything else"

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN