Securing a new installation of RouterOS 6.37.1

Hi all,

I have done a fresh install of RouterOS version v6.37.1 [current] on my MikroTik model 751G-2. I currently have the following rules running. I would like to secure the router.

1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related

2 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related

3 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

4 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1

5 chain=input action=accept protocol=icmp

6 chain=input action=accept connection-state=established

7 chain=input action=accept connection-state=related

8 chain=input action=drop in-interface=pppoe-out1

Other points:

  1. I connect via PPPoE to my ISP. I do not want to allow anyone to be able to connect to my router’s management interface from the WAN. How do I set this up?
  2. I am looking at the following guide for securing RouterOS.
    http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
    Given the version changes in RouterOS, are these firewall rules valid? What rules would people suggest?
  3. I want to force all clients to use the router as a DNS server. This is because I have the router using OpenDNS and am using a script to update my ISP-assigned dynamic IP address with OpenDNS.

Pranav

Keep it simple. Even the default firewall (the one you already have) is not bad (except that rule #4 does not currently block access from the WAN, because your WAN is not ether1). I just find it better (or more foolproof) to reverse the logic. Currently you have everything allowed by default and specifically block selected stuff. If you do it the other way around, by adding a default drop/reject rule at the end of both the input and forward chains, and specifically allow only the stuff you need (access from LAN, etc.; and don’t forget to do this before you add the blocking rule), it’s less likely to allow something by mistake.

About your points:

  1. Rule #8 already does that for you. If you used the other approach, you’d simply not add any exception for traffic from the WAN.
  2. Those rules seem OK, but if you simply block anything from the WAN, you don’t really need them (assuming you can trust your LAN).
  3. You can. Add a NAT rule to catch TCP/UDP 53 from the LAN and use action=redirect.

Hi,

Thanks for your message. The rules were created as part of the default configuration. I get the logic of allowing only what I want to get out, but my LAN is trusted. This is my home network, which has a couple of desktops, 3 or 4 mobile phones and a couple of iPads. My top priority is to prevent attacks from the outside and then begin blocking things that I don’t want going out, but I am not sure how to profile my traffic.

I am probably still over complicating this.
Pranav

I did not mean “allowing what you want to get out”, but generally allowing what you want to have allowed.

So the basic firewall for forward chain would be:

  • accept established and related
  • drop invalid
  • accept from LAN interface to everywhere
  • accept forwarded ports (if you have any)
  • drop or reject the rest

And similar for input:

  • accept established and related
  • drop invalid
  • accept from LAN interface
  • accept at least some of icmp
  • drop or reject the rest

And if you want to fine-tune it later, e.g. not allow everything from the LAN to get out, you can. But by default it’s safe. Even if you connected some other network to one of the non-LAN ports, it would be blocked first and you’d have to allow any traffic from there.

But it doesn’t mean that it’s the only right way. You can keep the current default firewall and it won’t be less secure for normal use. If you block all stuff from the WAN using a specific rule or using a default block rule at the end, it’s blocked either way.
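The default-drop layout described above for the forward and input chains, plus the DNS redirect suggested in the earlier reply, written out as RouterOS commands. This is an added example, not a post from the thread or MikroTik’s own defconf script; it assumes the WAN interface is pppoe-out1 as in the first post and that the LAN side is a bridge named `bridge` (an assumption; check with `/interface print`).

```routeros
# Added example. Assumptions: WAN = pppoe-out1 (from the original post),
# LAN = bridge named "bridge" (assumed; adjust to your own interface name).

/ip firewall filter
# --- forward chain: traffic passing through the router ---
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=bridge \
    comment="LAN may reach anywhere (tighten later if wanted)"
add chain=forward action=accept in-interface=pppoe-out1 \
    connection-nat-state=dstnat comment="forwarded ports, if any"
add chain=forward action=drop comment="default drop: everything else"

# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=bridge \
    comment="management (winbox/ssh/www) only from the LAN"
add chain=input action=accept protocol=icmp comment="at least some ICMP"
add chain=input action=drop comment="default drop: covers the WAN as well"

# --- force LAN clients to use the router's resolver (point 3) ---
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add chain=dstnat action=redirect to-ports=53 in-interface=bridge \
    protocol=udp dst-port=53 comment="redirect DNS to router"
add chain=dstnat action=redirect to-ports=53 in-interface=bridge \
    protocol=tcp dst-port=53 comment="redirect DNS to router"
```

The "accept from LAN" rules must sit before the final drop, as the reply warns; add them first if you are entering the rules over a LAN connection.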

Thanks for your lucid explanation. As of this writing, I will go with blocking from the WAN, which I think is already in place (if I understand the rules correctly), that is.

Yes, your rule #8 from the first post blocks any connection to the router from the WAN. You just want to update rule #4 to use the same interface. It’s there to block any traffic from the WAN to the LAN, unless it’s a forwarded port. But your WAN is not ether1, it’s pppoe-out1, so in theory someone might be able to access your LAN. In practice it’s not that simple, but it doesn’t hurt to make it safer.