Securing your router

Hi.

I have a question I’d like you to answer.

I’ve set up “Building Advanced Firewall” for Mikrotik 1009-8G-1-1+ long term version 6.48.6.

The question is, am I supposed to do “Building Your First Firewall” and then “Building Advanced Firewall” or don’t I have to do it?

https://help.mikrotik.com/docs/display/ROS/Securing+your+router

Your device did not come with a default preset firewall, correct?

Like a house: first you build the base, then you put on the subsequent floors.
So “First firewall” to start, then move to advanced.

The thing is that the “basic firewall” section in the manual refers to “default firewall rules” but duplicates some of them, and also the “advanced firewall” section duplicates some of the rules given in the “basic firewall” section. So whilst your allegory with the house is a common-sense one, the way the documentation is structured seems to use some other logic.

Interesting, I lost all connection to the router setting up the basic firewall according to the manual pages.

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router

Maybe something else is wrong with my Quick Set setup. Oh, and in my case I use 192.168.1.0/24.

Curious as to how it goes for others.

This is what the basic user needs, using the defaults as a starting point.
If you have additional connectivity requirements ask for assistance.

/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
add action=drop chain=input comment="default configuration" \
    connection-state=invalid
# only required if planning to use wireguard vpn - the port number is up to you
add action=accept chain=input dst-port=13231 protocol=udp in-interface=ether1-WAN
add action=accept chain=input comment="default configuration" protocol=icmp
# *********** allows access to the router for configuration - then limit by subnet and/or source address list later
add action=accept chain=input in-interface-list=LAN
# intended for all LAN users, and required when you modify the admin config access rule above
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
# allows internet traffic
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
# allows servers if necessary
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment="drop all else"

Where the +++++++ indicates where to put additional allow rules for traffic.
************ When comfortable, reduce this rule to the (trusted) subnet or vlan where the admin resides and reduce further by source address list if required

SeCon, don't use Quick Set!
I already provided a reference on how not to lock yourself out, especially when configuring the bridge, which is a whole other topic:
https://forum.mikrotik.com/viewtopic.php?t=181718

In terms of firewall rules, it is important to NOT put the drop-all rule in the input chain until you have an allow rule above it for the admin to access the router for configuration purposes…

Typically, to be safe at startup, we put this rule…
add action=accept chain=input in-interface-list=LAN

Later we change it to the trusted subnet where the admin works from… or a trusted interface list:
add action=accept chain=input in-interface-list=Management
or
add action=accept chain=input in-interface=<trusted subnet/vlan interface>

Later, if necessary, we reduce the access solely to the devices used by the admin by firewall source address list (let's say the trusted subnet is 192.168.5.0/24):
add action=accept chain=input src-address=192.168.5.0/24 src-address-list=authorized

where (IPs are set statically in the config):
/ip firewall address-list
add address=<IP of admin desktop> list=authorized
add address=<IP of admin laptop> list=authorized
add address=<IP of admin smartphone> list=authorized
etc.

I do it, but now this is shown in the log:
"invalid forward: in:VLAN1 out:pppoe-1, src-mac ac:f6:f7:f7:7e:51, proto TCP (ACK,FIN,PSH), 172.16.2.29:57283->157.240.196.60:443, len 76"

In your case, the address-list “allowed_to_router” should have contained an address range from 192.168.1.0/24, in particular the IP address of the device from which you configure the router. And although I would have put the command to populate this address-list before the commands to set up the firewall rules if I were the one to write the documentation, even this order should cause no trouble if the “accept established or related” rule is put in place sooner than the “drop the rest” one, and if you do not leave the management session between adding the rules and populating the address-list.
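The lockout described earlier (the allowed_to_router list covering 192.168.88.x while the LAN is 192.168.1.0/24), the progressive tightening of the admin accept rule, and the point above about rule order versus address-list population are all things you can check before the drop-all rule goes in. What follows is an added example written for this page, not code from MikroTik or from anyone in the thread: a small Python lint that parses the firewall sections of an /export and walks the input chain for a new management session from a given admin address. The sample export text, the admin address 192.168.1.50, the interface-list name LAN and port 8291 are constructed assumptions; RouterOS itself remains the reference, since the script models only a subset of matchers and deliberately errs toward reporting a lockout.

```python
"""Lockout check for a RouterOS firewall export (added example, see lead-in).
Walks the input chain in order for a *new* TCP management session and returns
the first terminal rule hit. Rules with unmodelled matchers count as non-matching."""
import ipaddress
import shlex
from dataclasses import dataclass, field

# matchers that are evaluated, plus keys that never affect matching
MODELLED = {"chain", "action", "disabled", "comment", "log", "log-prefix",
            "connection-state", "protocol", "dst-port", "src-address",
            "src-address-list", "in-interface-list"}

@dataclass
class Admin:
    ip: str                                  # source address the admin connects from
    lists: set = field(default_factory=set)  # interface lists the ingress interface belongs to
    port: int = 8291                         # management port (winbox); 22 for ssh

def parse_export(text):
    """[(section, {key: value})] for each `add ...` line, joining `\\` continuations."""
    section, buf, rules = None, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        buf += line
        if buf.endswith("\\"):           # RouterOS wraps long export lines with a trailing backslash
            buf = buf[:-1]
            continue
        if buf.startswith("/"):
            section = buf
        elif buf.startswith("add "):     # shlex keeps a quoted comment with spaces as one token
            rules.append((section, dict(tok.partition("=")[::2] for tok in shlex.split(buf[4:]))))
        buf = ""
    return rules

def addr_matches(spec, ip):
    """RouterOS address spec: single IP, CIDR prefix, or `first-last` range."""
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):                # comma-separated ports and/or `a-b` ranges
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def _passes(value, hit):
    return hit != value.startswith("!")      # honour RouterOS `!` negation

def input_chain_verdict(rules, admin):
    """(action, comment) of the first terminal input rule hit; no match means implicit accept."""
    lists = {}
    for sec, kv in rules:                    # lists may be defined after the rules that use them
        if sec == "/ip firewall address-list":
            lists.setdefault(kv["list"], []).append(kv["address"])
    for sec, kv in rules:
        if sec != "/ip firewall filter" or kv.get("chain") != "input" or kv.get("disabled") == "yes":
            continue
        action = kv.get("action", "accept")
        if action not in ("accept", "drop", "reject") or not set(kv) <= MODELLED:
            continue                         # jump/log/add-src-to-address-list are not terminal
        if "new" not in kv.get("connection-state", "new").split(","):
            continue                         # established/related/invalid rules never see a fresh session
        if kv.get("protocol", "tcp") != "tcp":
            continue
        if "dst-port" in kv and not port_matches(kv["dst-port"], admin.port):
            continue
        if "src-address" in kv and not _passes(kv["src-address"], addr_matches(kv["src-address"].lstrip("!"), admin.ip)):
            continue
        if "src-address-list" in kv:
            entries = lists.get(kv["src-address-list"].lstrip("!"), [])
            if not _passes(kv["src-address-list"], any(addr_matches(a, admin.ip) for a in entries)):
                continue
        if "in-interface-list" in kv and not _passes(kv["in-interface-list"], kv["in-interface-list"].lstrip("!") in admin.lists):
            continue
        return action, kv.get("comment", "")
    return "accept", "<end of chain>"

def check(export, admin):
    """("drop", ...) means this admin is locked out once the export is applied."""
    return input_chain_verdict(parse_export(export), admin)

# Constructed sample: the basic-firewall rules quoted in the thread, list populated for 192.168.88.x
BASIC_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="default configuration" \\
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
"""

if __name__ == "__main__":
    admin = Admin(ip="192.168.1.50", lists={"LAN"})
    print(check(BASIC_EXPORT, admin))   # ('drop', '') -> locked out
    print(check(BASIC_EXPORT.replace("192.168.88.2-192.168.88.254", "192.168.1.0/24"), admin))  # ('accept', '')
```

Run it against the paste you are about to apply, with your own management address, before the drop-all rule goes in; Safe Mode remains the real safety net, because the script knows nothing about bridge, VLAN or interface-list membership beyond what you tell it in `Admin`.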

Saha, post your config for review; one cannot efficiently parse little bits without seeing them in the context of the whole config…
/export hide-sensitive file=anynameyouwish

I noticed that… so we can say that the advanced firewall setup is enough and there is no need to use the basic one, right?


/ip firewall address-list
add address=10.50.0.0/24 list=AP
add address=10.50.0.0/16 list=Network
add address=172.16.0.0/12 list=Network
add address=10.50.0.1 list=GETWEY
add address=172.16.1.1 list=GETWEY
add address=172.16.2.1 list=GETWEY
add address=172.16.3.1 list=GETWEY
add address=172.16.4.1 list=GETWEY
add address=172.16.5.1 list=GETWEY
add address=172.16.6.1 list=GETWEY
add address=172.16.7.1 list=GETWEY
add address=172.16.8.1 list=GETWEY
add address=172.16.9.1 list=GETWEY
add address=172.16.10.1 list=GETWEY
add address=172.16.11.1 list=GETWEY
add address=172.16.12.1 list=GETWEY
add address=172.16.13.1 list=GETWEY
add address=172.16.14.1 list=GETWEY
add address=172.16.15.1 list=GETWEY
add address=172.16.16.1 list=GETWEY
add address=172.16.17.1 list=GETWEY
add address=172.16.18.1 list=GETWEY
add address=172.17.1.1 list=GETWEY
add address=172.17.2.1 list=GETWEY
add address=172.17.3.1 list=GETWEY
add address=172.17.4.1 list=GETWEY
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=OUT log=yes log-prefix=!public_from_LAN \
    out-interface=!OUT
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=E1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=E1 log=\
    yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=OUT log=yes \
    log-prefix=LAN_!LAN src-address-list=!Network
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="AP Drop" out-interface-list=WAN \
    src-address-list=AP
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface-list=!OUT-LIST src-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!OUT-LIST
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=reject chain=input content=freedom disabled=yes reject-with=\
    icmp-network-unreachable
add action=drop chain=input content=freedom disabled=yes
add action=reject chain=output content=freedom disabled=yes reject-with=\
    icmp-network-unreachable
add action=drop chain=output content=freedom disabled=yes
add action=drop chain=input disabled=yes dst-port=53 in-interface=E1 \
    protocol=udp
add action=accept chain=input disabled=yes dst-port=53 in-interface-list=\
    OUT-LIST limit=2500,5:packet protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface-list=\
    OUT-LIST limit=2500,5:packet protocol=udp
add action=accept chain=forward connection-state=\
    established,related,untracked disabled=yes
add action=accept chain=input connection-state=established,related,untracked \
    disabled=yes
add action=drop chain=forward connection-state=invalid disabled=yes
add action=fasttrack-connection chain=output disabled=yes port=53 protocol=\
    udp
add action=accept chain=output disabled=yes port=53 protocol=udp
add action=drop chain=input connection-state=invalid disabled=yes
add action=drop chain=input disabled=yes dst-port=53 in-interface=Internet \
    protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=Internet \
    protocol=udp
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=AP in-interface-list=\
    OUT-LIST
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=E1
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.50.0.0/16
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.2.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.4.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.5.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.6.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.7.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.8.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.9.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.10.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.11.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.12.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.13.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.14.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.15.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.16.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.17.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.18.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.17.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.17.2.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.17.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.17.4.0/24
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-address-type=!local dst-port=!80,67 \
    hotspot=!auth in-interface=OUT protocol=udp
add action=drop chain=prerouting dst-address-type=!local dst-port=!80,67 \
    hotspot=!auth in-interface=all-vlan protocol=udp
add action=accept chain=prerouting dst-port=67 in-interface=OUT protocol=udp
add action=accept chain=prerouting dst-port=67 in-interface=all-vlan \
    protocol=udp
add action=drop chain=prerouting dst-address-type=!local dst-port=!80 \
    hotspot=!auth in-interface=OUT protocol=tcp
add action=drop chain=prerouting dst-address-type=!local dst-port=!80 \
    hotspot=!auth in-interface=all-vlan protocol=tcp
add action=drop chain=prerouting hotspot=!auth in-interface=OUT port=\
    701,143,443,1198,3128 protocol=tcp
add action=drop chain=prerouting hotspot=!auth in-interface=all-vlan port=\
    701,143,443,1198,3128 protocol=tcp
add action=drop chain=prerouting hotspot=!auth in-interface=OUT port=\
    701,143,443,1198,3128 protocol=udp
add action=drop chain=prerouting hotspot=!auth in-interface=all-vlan port=\
    701,143,443,1198,3128 protocol=udp
add action=drop chain=prerouting dst-address-list=!GETWEY dst-port=53 \
    hotspot=!auth in-interface=OUT protocol=udp
add action=drop chain=prerouting dst-address-list=!GETWEY dst-port=53 \
    hotspot=!auth in-interface=all-vlan protocol=udp
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=OUT-LIST \
    protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting in-interface-list=!OUT-LIST src-address=\
    127.0.0.1
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address-list=Network \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=\
    OUT-LIST src-address-list=!Network
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=OUT-LIST
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp

If there were instructions on how to add a floor to an existing house and they said “first build the basement”, and you see there IS already a basement, I would assume any logically thinking person would skip that step, no? Or would they add a basement first on top of the first floor again? I surely hope not. I do want pictures though if you ever see that happen :laughing:
But then again, every assumption is potential cause for error. As has been shown again here.

Personal view: anyone jumping right into the advanced part without first getting the basics right, is most likely going to encounter some problems.
But hey, that’s me …

Anyhow, I see the support train has started.

Not necessarily. Not everything has been duplicated.
You do need to review those settings and evaluate if they are already present or not.

It’s BTW also a perfect way to LEARN what such a firewall does and why.

Good luck with the pile of crap you have… troubleshooting that will be a nightmare…

Is there a problem with my configurations?

Yes, there’s a problem, it’s too long for @anav, he has processing limit around hundred lines or so. :wink:

Come to think of it, I share that feeling…

It’s quite easy to start again from scratch and slowly add the blocks piece by piece.
The basic firewall is a very good place to start and pretty solid for most uses.

One of the stupidest (in my view) things one can do is blindly copy some config from whatever website (yes, even Mikrotik) and put it inside your config without knowing what it does.
Suddenly things don’t work anymore and then they blame the website where they got the partial config from.
That’s what I call “self-inflicted error”.

I’ve been there too. Certainly in the beginning I also had to clean-reset my devices more than once because I locked myself out (still happens sometimes, but I learned pretty early to make frequent config backups, and Safe Mode is also a nifty tool to use, especially when tinkering with firewall settings …).
Best way to learn is to hit the wall sometimes. Hopefully not too hard :laughing:

Yes, I have lived 60+ years to learn two things.
a. it’s not what you have (possessions) that counts
b. keep it simple!!!
c. be able to laugh at yourself

Go EFF yourself sob :wink:)) luv ya bro!

(yes that was three things, told you I was old)

Some FW tips from me.

Use config that has been posted in this thread.
Have a block rule as last rule.
Make a diagram of all the rules, and understand what they do.

Here is an example from one of my routers.
(image: FW.jpg)