RouterOS Firewall

Hi all,

I’m new to creating firewall rules in Mikrotik.
It seems confusing: under Firewall there’s Filter, NAT, Mangle etc…
Which do I use?

  1. How do I create a rule to block all incoming traffic from the internet?
    For example,
    I want to block incoming SSH traffic coming from port 1 (my internet is connected here) to the LAN.

  2. How do I block some addresses on the LAN from going out to the internet?
    (I also want to have some message shown to the users that the traffic is being blocked)

Thanks in advance!

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter: Filters accept or drop packets.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT: NAT translates the IP addresses in packets
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle: Mangle rules mark packets

So you’re looking for filter rules. The manual linked above explains all the different options. You didn’t give very many details at all so the below answers for your specific questions make some assumptions and are somewhat generic.

  1. Assuming your LAN network is 192.168.1.0/24, an interface name of ‘ether1’ on port 1, and that SSH is running on standard port tcp/22:
/ip firewall filter
add chain=forward protocol=tcp dst-port=22 in-interface=ether1 dst-address=192.168.1.0/24 action=drop

It would be better to not deliberately block SSH, though. It would be much better to look up stateful firewalling on the wiki, and approach the whole thing as “all traffic from WAN to LAN should be blocked unless a LAN client initiated the connection”, which is referred to as blacklisting or ‘default drop’. Then permit the traffic you want to make it through. It’s much better to deny by default and list explicitly what traffic is OK than to try to play whack-a-mole and think of all the bad things that would be possible and drop them one by one.

  2. The tricky part isn’t blocking traffic, but to show a message. The router can’t magically pop up a native Windows dialog box. What kind of traffic are you looking to block, and how do you want to notify users?
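A minimal stateful default-drop ruleset of the kind described in the answer to question 1, added here as an example and not code from the thread. It assumes ether1 is the WAN interface, that rules are evaluated top to bottom, and that LAN-side traffic should stay allowed (the built-in chains accept whatever no rule has dropped):

```routeros
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to connections the router itself opened"
add chain=input connection-state=invalid action=drop comment="packets belonging to no known connection"
add chain=input in-interface=ether1 action=drop comment="default drop: anything else from the WAN aimed at the router (covers SSH brute force)"
add chain=forward connection-state=established,related action=accept comment="replies to connections LAN clients opened"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 action=drop comment="default drop: new connections from the WAN into the LAN"
```

Any service that should be reachable from the WAN gets its own accept rule placed above the matching drop rule, since the first matching rule decides.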

I want to block all SSH connections from the internet (Port 1 on my RB1100 is the gateway port) as in the logs I’m seeing many brute force attempts to log in to the router using SSH.

And I also want to block outgoing traffic.
For example,
A user tries to go to www.facebook.com and instead of showing the Facebook webpage, the browser shows that the webpage is being blocked.
I’m not sure this is doable on a Mikrotik device though.

I want to block all SSH connections from the internet (Port 1 on my RB1100 is the gateway port) as in the logs I’m seeing many brute force attempts to log in to the router using SSH.

OK, that is completely different from what you originally said:

I want to block incoming SSH traffic coming from port 1 (my internet is connected here) to the LAN.

There is a very distinct difference between networks connected to the router, and the router itself.
From the filter manual (http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Chains):

There are three predefined chains, which cannot be deleted:

input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router’s addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

Therefore, drop traffic in the input chain that comes in via port 1. Still don’t know what it’s called as an interface, so I’m assuming ether1:

/ip firewall filter
add chain=input protocol=tcp dst-port=22 in-interface=ether1 action=drop

There are many wiki pages made by users that outline how to protect the router.

Blocking websites is supported, see http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy. Instead of an action of deny you can use an action of redirect and specify a website that shows the user a “you are blocked” message. That website can’t be hosted on the router; you need a separate webserver. To apply that block to only some users, adjust the NAT rule used in that example to also reference the source address, so that only people with specific IP addresses get proxied.

Hi Fewi,

Thanks for the quick reply!
Am I not able to place the .html file (which shows the blocked message) on the router? I have a 4GB card in it.

No. The router is not a webserver. Hotspots don’t count as webservers, they can’t serve arbitrary content such as a redirect from the proxy. You need an external web server.

I use http://www.opendns.com/

It’s free, easy, and works very well.