[Share] - Router Config with Firewall (Tcp/Udp) Filter

Hello Mikrotik-Community,

From the first time I visited the forums here and read a lot of documentation about the MikroTik router, I have been hooked on RouterOS… and I love how things work and how open MikroTik is about the technical specs of the HW and SW. :slight_smile:

I know MikroTik RouterOS is not for beginners and should be used by enthusiasts and/or professionals. The reason is that if you do not do your research first, you can make your network a lot more vulnerable.

This is the reason why I want to share the configuration of my home router. Of course there are some things that need changing, but it's a first stepping stone to a solid configuration. The other reason is to inspire enthusiasts and/or professionals to create a nice config of their own.

**>>><<<>>>DISCLAIMER-START<<<>>><<<
For Posted Config and Lists

  1. I am not responsible for damaged hardware / software of any kind
  2. I do not own and am not affiliated with the company / developers linked here
  3. This is not a sponsored thread; I do this as part of my hobby
  4. Have fun and share your findings / experiences

<<<>>>DISCLAIMER-END<<<>>><<<**

Here we go, my config:

# jul/12/2020 12:38:38 by RouterOS 6.47
# software id = 0CP5-041K
#
# model = RB4011iGS+
# serial number = xxx
/ip pool
add name=dhcp ranges=192.168.200.97-192.168.200.109
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=3d name=dhcp1
/ip address
add address=192.168.200.110/28 comment=bridgeDHCP interface=ether2 network=\
    192.168.200.96
/ip dhcp-client
add comment="WAN DHCP" disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.200.108 client-id=xx:xx:xx:xx:xx:xx mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp1
add address=192.168.200.100 client-id=xx:xx:xx:xx:xx:xx mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp1
add address=192.168.200.106 client-id=xx:xx:xx:xx:xx:xx mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp1
add address=192.168.200.107 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=192.168.200.102 mac-address=xx:xx:xx:xx:xx:xx server=dhcp1
add address=192.168.200.99 client-id=xx:xx:xx:xx:xx:xx mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp1
add address=192.168.200.97 client-id=xx:xx:xx:xx:xx:xx mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp1
add address=192.168.200.101 client-id=xx:xx:xx:xx:xx:xx mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp1
/ip dhcp-server network
add address=192.168.200.96/28 dns-server=192.168.200.110 gateway=\
    192.168.200.110
/ip dns
set allow-remote-requests=yes use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.200.110 name=router.lan type=A
add address=192.168.200.100 name=switch.lan type=A
add address=1.1.1.1 name=cloudflare-dns.com type=A
add address=1.0.0.1 name=cloudflare-dns.com type=A
add address=192.168.200.97 name=dude.lan type=A
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=Bogons
add address=192.168.200.110 comment="DNS Router for DoH" list=DNSForward
add address=74.119.76.0/22 list=Facebook
add address=69.63.176.0/21 list=Facebook
add address=69.63.176.0/20 list=Facebook
add address=69.171.250.0/24 list=Facebook
add address=69.171.240.0/20 list=Facebook
add address=69.171.239.0/24 list=Facebook
add address=69.171.224.0/20 list=Facebook
add address=69.171.224.0/19 list=Facebook
add address=66.220.152.0/21 list=Facebook
add address=66.220.144.0/21 list=Facebook
add address=66.220.144.0/20 list=Facebook
add address=45.64.40.0/22 list=Facebook
add address=41.189.185.0/24 list=Facebook
add address=31.13.96.0/19 list=Facebook
add address=31.13.94.0/24 list=Facebook
add address=31.13.93.0/24 list=Facebook
add address=31.13.92.0/24 list=Facebook
add address=31.13.89.0/24 list=Facebook
add address=31.13.87.0/24 list=Facebook
add address=31.13.86.0/24 list=Facebook
add address=31.13.85.0/24 list=Facebook
add address=31.13.84.0/24 list=Facebook
add address=31.13.83.0/24 list=Facebook
add address=31.13.82.0/24 list=Facebook
add address=31.13.81.0/24 list=Facebook
add address=31.13.80.0/24 list=Facebook
add address=31.13.79.0/24 list=Facebook
add address=31.13.77.0/24 list=Facebook
add address=31.13.76.0/24 list=Facebook
add address=31.13.74.0/24 list=Facebook
add address=31.13.73.0/24 list=Facebook
add address=31.13.72.0/24 list=Facebook
add address=31.13.71.0/24 list=Facebook
add address=31.13.70.0/24 list=Facebook
add address=31.13.67.0/24 list=Facebook
add address=31.13.66.0/24 list=Facebook
add address=31.13.65.0/24 list=Facebook
add address=31.13.64.0/24 list=Facebook
add address=31.13.64.0/19 list=Facebook
add address=31.13.64.0/18 list=Facebook
add address=31.13.24.0/21 list=Facebook
add address=204.15.20.0/22 list=Facebook
add address=202.59.209.0/24 list=Facebook
add address=199.201.67.0/24 list=Facebook
add address=199.201.66.0/24 list=Facebook
add address=199.201.64.0/24 list=Facebook
add address=199.201.64.0/22 list=Facebook
add address=185.60.219.0/24 list=Facebook
add address=185.60.218.0/24 list=Facebook
add address=185.60.217.0/24 list=Facebook
add address=185.60.216.0/24 list=Facebook
add address=185.60.216.0/22 list=Facebook
add address=173.252.96.0/19 list=Facebook
add address=173.252.88.0/21 list=Facebook
add address=173.252.64.0/19 list=Facebook
add address=157.240.9.0/24 list=Facebook
add address=157.240.8.0/24 list=Facebook
add address=157.240.7.0/24 list=Facebook
add address=157.240.6.0/24 list=Facebook
add address=157.240.30.0/24 list=Facebook
add address=157.240.3.0/24 list=Facebook
add address=157.240.29.0/24 list=Facebook
add address=157.240.28.0/24 list=Facebook
add address=157.240.27.0/24 list=Facebook
add address=157.240.26.0/24 list=Facebook
add address=157.240.223.0/24 list=Facebook
add address=157.240.222.0/24 list=Facebook
add address=157.240.221.0/24 list=Facebook
add address=157.240.220.0/24 list=Facebook
add address=157.240.22.0/24 list=Facebook
add address=157.240.218.0/24 list=Facebook
add address=157.240.217.0/24 list=Facebook
add address=157.240.216.0/24 list=Facebook
add address=157.240.215.0/24 list=Facebook
add address=157.240.212.0/24 list=Facebook
add address=157.240.210.0/24 list=Facebook
add address=157.240.21.0/24 list=Facebook
add address=157.240.209.0/24 list=Facebook
add address=157.240.208.0/24 list=Facebook
add address=157.240.206.0/24 list=Facebook
add address=157.240.204.0/24 list=Facebook
add address=157.240.203.0/24 list=Facebook
add address=157.240.201.0/24 list=Facebook
add address=157.240.200.0/24 list=Facebook
add address=157.240.20.0/24 list=Facebook
add address=157.240.2.0/24 list=Facebook
add address=157.240.199.0/24 list=Facebook
add address=157.240.197.0/24 list=Facebook
add address=157.240.196.0/24 list=Facebook
add address=157.240.195.0/24 list=Facebook
add address=157.240.194.0/24 list=Facebook
add address=157.240.193.0/24 list=Facebook
add address=157.240.192.0/18 list=Facebook
add address=157.240.191.0/24 list=Facebook
add address=157.240.190.0/24 list=Facebook
add address=157.240.19.0/24 list=Facebook
add address=157.240.189.0/24 list=Facebook
add address=157.240.188.0/24 list=Facebook
add address=157.240.187.0/24 list=Facebook
add address=157.240.186.0/24 list=Facebook
add address=157.240.185.0/24 list=Facebook
add address=157.240.184.0/24 list=Facebook
add address=157.240.183.0/24 list=Facebook
add address=157.240.182.0/24 list=Facebook
add address=157.240.181.0/24 list=Facebook
add address=157.240.180.0/24 list=Facebook
add address=157.240.18.0/24 list=Facebook
add address=157.240.179.0/24 list=Facebook
add address=157.240.178.0/24 list=Facebook
add address=157.240.177.0/24 list=Facebook
add address=157.240.176.0/24 list=Facebook
add address=157.240.175.0/24 list=Facebook
add address=157.240.174.0/24 list=Facebook
add address=157.240.173.0/24 list=Facebook
add address=157.240.172.0/24 list=Facebook
add address=157.240.17.0/24 list=Facebook
add address=157.240.169.0/24 list=Facebook
add address=157.240.168.0/24 list=Facebook
add address=157.240.167.0/24 list=Facebook
add address=157.240.166.0/24 list=Facebook
add address=157.240.165.0/24 list=Facebook
add address=157.240.164.0/24 list=Facebook
add address=157.240.163.0/24 list=Facebook
add address=157.240.162.0/24 list=Facebook
add address=157.240.160.0/24 list=Facebook
add address=157.240.16.0/24 list=Facebook
add address=157.240.159.0/24 list=Facebook
add address=157.240.158.0/24 list=Facebook
add address=157.240.155.0/24 list=Facebook
add address=157.240.152.0/24 list=Facebook
add address=157.240.151.0/24 list=Facebook
add address=157.240.148.0/24 list=Facebook
add address=157.240.147.0/24 list=Facebook
add address=157.240.146.0/24 list=Facebook
add address=157.240.145.0/24 list=Facebook
add address=157.240.144.0/24 list=Facebook
add address=157.240.143.0/24 list=Facebook
add address=157.240.142.0/24 list=Facebook
add address=157.240.141.0/24 list=Facebook
add address=157.240.140.0/24 list=Facebook
add address=157.240.14.0/24 list=Facebook
add address=157.240.139.0/24 list=Facebook
add address=157.240.138.0/24 list=Facebook
add address=157.240.137.0/24 list=Facebook
add address=157.240.136.0/24 list=Facebook
add address=157.240.135.0/24 list=Facebook
add address=157.240.134.0/24 list=Facebook
add address=157.240.133.0/24 list=Facebook
add address=157.240.132.0/24 list=Facebook
add address=157.240.131.0/24 list=Facebook
add address=157.240.130.0/24 list=Facebook
add address=157.240.13.0/24 list=Facebook
add address=157.240.129.0/24 list=Facebook
add address=157.240.128.0/24 list=Facebook
add address=157.240.12.0/24 list=Facebook
add address=157.240.11.0/24 list=Facebook
add address=157.240.10.0/24 list=Facebook
add address=157.240.1.0/24 list=Facebook
add address=157.240.0.0/17 list=Facebook
add address=146.88.59.0/24 list=Facebook
add address=129.134.31.0/24 list=Facebook
add address=129.134.30.0/24 list=Facebook
add address=129.134.30.0/23 list=Facebook
add address=129.134.29.0/24 list=Facebook
add address=129.134.28.0/24 list=Facebook
add address=129.134.27.0/24 list=Facebook
add address=129.134.26.0/24 list=Facebook
add address=129.134.25.0/24 list=Facebook
add address=129.134.154.0/24 list=Facebook
add address=129.134.150.0/24 list=Facebook
add address=129.134.149.0/24 list=Facebook
add address=129.134.148.0/24 list=Facebook
add address=129.134.144.0/24 list=Facebook
add address=129.134.140.0/24 list=Facebook
add address=129.134.136.0/24 list=Facebook
add address=129.134.135.0/24 list=Facebook
add address=129.134.132.0/24 list=Facebook
add address=129.134.131.0/24 list=Facebook
add address=129.134.130.0/24 list=Facebook
add address=129.134.129.0/24 list=Facebook
add address=129.134.128.0/24 list=Facebook
add address=129.134.0.0/17 list=Facebook
add address=102.132.96.0/20 list=Facebook
add address=102.132.125.0/24 list=Facebook
add address=102.132.124.0/24 list=Facebook
add address=102.132.118.0/24 list=Facebook
add address=102.132.117.0/24 list=Facebook
add address=102.132.116.0/24 list=Facebook
add address=102.132.115.0/24 list=Facebook
add address=102.132.114.0/24 list=Facebook
add address=102.132.112.0/24 list=Facebook
add address=8.25.196.0/24 list=Twitter
add address=8.25.196.0/23 list=Twitter
add address=8.25.195.0/24 list=Twitter
add address=8.25.194.0/23 list=Twitter
add address=69.195.191.0/24 list=Twitter
add address=69.195.190.0/24 list=Twitter
add address=69.195.189.0/24 list=Twitter
add address=69.195.188.0/24 list=Twitter
add address=69.195.187.0/24 list=Twitter
add address=69.195.186.0/24 list=Twitter
add address=69.195.185.0/24 list=Twitter
add address=69.195.184.0/24 list=Twitter
add address=69.195.182.0/24 list=Twitter
add address=69.195.181.0/24 list=Twitter
add address=69.195.180.0/24 list=Twitter
add address=69.195.179.0/24 list=Twitter
add address=69.195.178.0/24 list=Twitter
add address=69.195.177.0/24 list=Twitter
add address=69.195.176.0/24 list=Twitter
add address=69.195.175.0/24 list=Twitter
add address=69.195.174.0/24 list=Twitter
add address=69.195.172.0/24 list=Twitter
add address=69.195.169.0/24 list=Twitter
add address=69.195.168.0/24 list=Twitter
add address=69.195.166.0/24 list=Twitter
add address=69.195.165.0/24 list=Twitter
add address=69.195.164.0/24 list=Twitter
add address=69.195.163.0/24 list=Twitter
add address=69.195.162.0/24 list=Twitter
add address=69.195.160.0/24 list=Twitter
add address=209.237.222.0/24 list=Twitter
add address=209.237.221.0/24 list=Twitter
add address=209.237.219.0/24 list=Twitter
add address=209.237.218.0/24 list=Twitter
add address=209.237.217.0/24 list=Twitter
add address=209.237.216.0/24 list=Twitter
add address=209.237.215.0/24 list=Twitter
add address=209.237.214.0/24 list=Twitter
add address=209.237.213.0/24 list=Twitter
add address=209.237.212.0/24 list=Twitter
add address=209.237.211.0/24 list=Twitter
add address=209.237.210.0/24 list=Twitter
add address=209.237.209.0/24 list=Twitter
add address=209.237.208.0/24 list=Twitter
add address=209.237.207.0/24 list=Twitter
add address=209.237.206.0/24 list=Twitter
add address=209.237.205.0/24 list=Twitter
add address=209.237.204.0/24 list=Twitter
add address=209.237.203.0/24 list=Twitter
add address=209.237.201.0/24 list=Twitter
add address=209.237.200.0/24 list=Twitter
add address=209.237.199.0/24 list=Twitter
add address=209.237.198.0/24 list=Twitter
add address=209.237.197.0/24 list=Twitter
add address=209.237.196.0/24 list=Twitter
add address=209.237.195.0/24 list=Twitter
add address=209.237.194.0/24 list=Twitter
add address=209.237.193.0/24 list=Twitter
add address=209.237.192.0/24 list=Twitter
add address=202.160.131.0/24 list=Twitter
add address=202.160.130.0/24 list=Twitter
add address=202.160.129.0/24 list=Twitter
add address=202.160.128.0/24 list=Twitter
add address=199.96.62.0/23 list=Twitter
add address=199.96.61.0/24 list=Twitter
add address=199.96.60.0/24 list=Twitter
add address=199.96.60.0/23 list=Twitter
add address=199.96.58.0/23 list=Twitter
add address=199.96.57.0/24 list=Twitter
add address=199.96.56.0/24 list=Twitter
add address=199.96.56.0/23 list=Twitter
add address=199.59.148.0/22 list=Twitter
add address=199.16.156.0/23 list=Twitter
add address=199.16.156.0/22 list=Twitter
add address=192.133.78.0/23 list=Twitter
add address=192.133.76.0/23 list=Twitter
add address=192.133.76.0/22 list=Twitter
add address=185.45.6.0/23 list=Twitter
add address=185.45.5.0/24 list=Twitter
add address=185.45.4.0/24 list=Twitter
add address=185.45.4.0/23 list=Twitter
add address=104.244.47.0/24 list=Twitter
add address=104.244.46.0/24 list=Twitter
add address=104.244.45.0/24 list=Twitter
add address=104.244.44.0/24 list=Twitter
add address=104.244.43.0/24 list=Twitter
add address=104.244.42.0/24 list=Twitter
add address=104.244.41.0/24 list=Twitter
add address=104.244.40.0/24 list=Twitter
add address=192.168.200.96/28 list=support
add address=192.168.200.96/28 list=LocalLAN
add address=192.168.200.97-192.168.200.110 comment="Allow LAN" list=\
    allowed_to_router
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set allow-fast-path=no
/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="Accept Established and Related" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "Drop invalid connections through router" connection-state=invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.200.96/28
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=Bogons
add action=drop chain=forward comment="Drop to bogon list LAN" \
    dst-address-list=Bogons in-interface=bridge out-interface=!bridge
add action=drop chain=forward comment="Block Facebook" dst-address-list=\
    Facebook in-interface=bridge
add action=drop chain=forward comment="Block Twitter" dst-address-list=\
    Twitter in-interface=bridge
add action=accept chain=forward comment=\
    "Allow everything from the LAN Network" disabled=yes in-interface=bridge
add action=jump chain=forward comment="Jump to Chain TCP" jump-target=tcp \
    protocol=tcp
add action=jump chain=forward comment="Jump to Chain UDP" jump-target=udp \
    protocol=udp
add action=accept chain=tcp comment="Allow HTTP" dst-port=80 in-interface=\
    bridge protocol=tcp
add action=accept chain=tcp comment="Allow HTTPS" dst-port=443 in-interface=\
    bridge protocol=tcp
add action=accept chain=tcp comment="Allow Destiny2" dst-port=4000 protocol=\
    tcp
add action=accept chain=tcp comment="Allow Destiny2" dst-port=7500-7509 \
    protocol=tcp
add action=accept chain=tcp comment=\
    "Allow Steam / To log into Steam and download content" dst-port=\
    27015-27030 protocol=tcp
add action=accept chain=tcp comment="Allow Destiny2" dst-port=30000-30009 \
    protocol=tcp
add action=accept chain=tcp comment="Allow Stadia" dst-port=44700-44899 \
    protocol=tcp
add action=accept chain=udp comment="Allow Destiny2" dst-port=3074 protocol=\
    udp
add action=accept chain=udp comment="Allow Destiny2" dst-port=3097-3196 \
    protocol=udp
add action=accept chain=udp comment="Allow Steam / Destiny 2 / Dedicated or Li\
    sten Servers / SRCDS Rcon port / gameplay traffic" dst-port=27000-27200 \
    protocol=udp
add action=accept chain=udp comment="Allow Stadia" dst-port=44700-44899 \
    protocol=udp
add action=accept chain=udp comment="Allow Discord" dst-port=50000-65535 \
    protocol=udp
add action=drop chain=forward comment=\
    "Drop all other connections through the router"
add action=accept chain=input comment="Allow from LAN-List only!" \
    src-address-list=allowed_to_router
add action=accept chain=input comment="Accept Established and Related" \
    connection-state=established,related
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment=\
    "Block all access to the winbox - except to support list" dst-port=52741 \
    log=yes log-prefix=!SUPPORT protocol=tcp src-address-list=!support
add action=drop chain=input comment="Drop to bogon list" dst-address-list=\
    Bogons in-interface=ether1
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=drop chain=input comment="Drop incomming from WAN Interface" \
    in-interface=ether1
add action=drop chain=input comment="Drop anything else! "
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=4000 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.200.108 to-ports=4000
add action=dst-nat chain=dstnat dst-port=7500-7509 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.200.108 to-ports=7500-7509
add action=dst-nat chain=dstnat dst-port=30000-30009 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.200.108 to-ports=30000-30009
add action=dst-nat chain=dstnat dst-address-list=!DNSForward dst-port=53 \
    in-interface-list=LAN protocol=udp to-addresses=192.168.200.110 to-ports=\
    53
add action=dst-nat chain=dstnat dst-port=3097-3196 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.200.108 to-ports=3097-3196
add action=dst-nat chain=dstnat dst-port=27015-27200 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.200.108 to-ports=27015-27200
add action=dst-nat chain=dstnat dst-port=50000-65535 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.200.108 to-ports=50000-65535
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.200.96/28 disabled=yes port=xxxxx
set api disabled=yes
set winbox address=192.168.200.96/28 port=xxxxx
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set show-dummy-rule=no

My inspiration came from the following:

Mikrotik Sources I used:

Very nice explanation of how rules work -> http://forum.mikrotik.com/t/new-to-mikrotik-config-help-fw/140646/1
MikroTik documentation - Securing your router -> https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
MikroTik documentation - DNS over HTTPS -> https://wiki.mikrotik.com/wiki/Manual:IP/DNS
MikroTik documentation - Basic universal firewall -> https://wiki.mikrotik.com/wiki/Basic_universal_firewall_script
MikroTik documentation - Change service ports -> https://wiki.mikrotik.com/wiki/Manual:IP/Services <- IMPORTANT: change the default Winbox port!

External Inspiration:

MAICT Consult Youtube Channel

https://www.youtube.com/watch?v=4gxiM9cyjXc

GitHub user: Aleksandr Tebiev aka beeyev - Automatic backup router script

https://github.com/beeyev/Mikrotik-RouterOS-automatic-backup-and-update

TKSJa Youtube Channel

https://www.youtube.com/c/TKSJa/videos

MUM - Presentation PDF on firewall rules

https://mum.mikrotik.com/presentations/UK18/presentation_6165_1539151116.pdf

Q/A
[Q]
Why are the firewall rules in that order?
[A]
The reason is simple: "first come, first served". I have put the Fasttrack and Forward chain on top for the reason that things that want to go through the router need scanning first, before the Input chain gets processed. (My rule of thumb was: get rid of the large packets first, then the small stuff…) :smiley:

[Q]
What does the firewall rule with the comment "Drop everything from WAN interface" do?
[A]
As it claims, it drops connections coming to the WAN port (ether1), but it does a little more. It puts the router into a state in which it cannot be port-scanned anymore - no MAC answers, no Telnet and so on… and after that, drop everything else that wants to go through the router!

[Q]
There is a firewall rule that does not seem logical - comment: "Allow everything from the LAN network"?
[A]
This is for troubleshooting the firewall ports - temporary access. By default it should be disabled for the TCP/UDP chains to take effect!

[Q]
The DNS server settings look strange; what is that about?
[A]
It looks strange because I use Cloudflare DNS over HTTPS, and in the DNS list I entered 1.1.1.1 / 1.0.0.1 as static entries to resolve the cloudflare-dns.com address. For how to configure that, including the certificate import, follow the instructions at: https://wiki.mikrotik.com/wiki/Manual:IP/DNS

Have fun, share, and I will try to update this post with more Q/A.

Sincerely
Sig.
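The two Q/A items on rule order and on the disabled "Allow everything from the LAN network" rule describe invariants that can be checked mechanically rather than by eye. The Python linter below is an added example; it is not part of the original post and not a MikroTik tool. It parses a RouterOS `/export` (joining backslash continuations the way RouterOS writes them) and checks five things the posted config relies on: fasttrack sits above the established/related accept, the forward and input chains end in an unconditional drop, every jump target has rules, no enabled catch-all accept short-circuits the tcp/udp chains, and every WAN-facing dst-nat port range has a matching accept in the tcp/udp chain that is not limited to `in-interface=bridge`. The embedded `EXPORT` is a constructed, trimmed excerpt of the posted config; the chain names `tcp`/`udp` and the interface-list name `WAN` are taken from that config and assumed by the checks.

```python
"""Added example (not from the original post): lint a RouterOS /export for the
rule-order invariants the Q/A relies on."""
import re
from collections import defaultdict

# Constructed, trimmed excerpt of the posted export (comments shortened).
EXPORT = r"""
/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="Accept Established and Related" \
    connection-state=established,related
add action=drop chain=forward connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=accept chain=forward comment=\
    "Allow everything from the LAN Network" disabled=yes in-interface=bridge
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=accept chain=tcp dst-port=443 in-interface=bridge protocol=tcp
add action=accept chain=tcp comment="Allow Destiny2" dst-port=4000 protocol=tcp
add action=accept chain=udp dst-port=27000-27200 protocol=udp
add action=drop chain=forward comment=\
    "Drop all other connections through the router"
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="Drop anything else! "
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=4000 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.200.108 to-ports=4000
add action=dst-nat chain=dstnat dst-port=27015-27200 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.200.108 to-ports=27015-27200
"""
# Same excerpt with the troubleshooting accept left enabled (the mistake the Q/A warns about).
BROKEN = EXPORT.replace("disabled=yes in-interface=bridge", "in-interface=bridge")

TOKEN = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')   # key=value or key="quoted value"
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}


def parse_export(text):
    """Return {section: [rule dict, ...]}, joining backslash continuations as RouterOS does."""
    sections, current, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = buf + raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf = line[:-1]                      # continuation: glue the next line on
            continue
        buf = ""
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append({k: v.strip('"') for k, v in TOKEN.findall(line[4:])})
    return sections


def port_set(spec):
    """Expand '80', '7500-7509' or '80,443' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def lint(text):
    """Return a list of findings; an empty list means every invariant holds."""
    sections, findings = parse_export(text), []
    rules = sections["/ip firewall filter"]
    by_chain = defaultdict(list)
    for i, r in enumerate(rules):
        by_chain[r["chain"]].append((i, r))
    fwd = by_chain["forward"]
    # 1. fasttrack must precede the accept for established,related, or it never fires
    ft = [i for i, r in fwd if r["action"] == "fasttrack-connection"]
    est = [i for i, r in fwd if r["action"] == "accept"
           and r.get("connection-state") == "established,related"]
    if ft and est and ft[0] > est[0]:
        findings.append("forward: fasttrack-connection sits below accept established,related")
    # 2. forward and input must be closed by a drop with no matchers at all
    for chain in ("forward", "input"):
        last = by_chain[chain][-1][1] if by_chain[chain] else {}
        if last.get("action") != "drop" or set(last) - NON_MATCHERS:
            findings.append(f"{chain}: last rule is not an unconditional drop")
    # 3. every jump must land in a chain that actually has rules
    for i, r in enumerate(rules):
        if r["action"] == "jump" and r["jump-target"] not in by_chain:
            findings.append(f"rule {i}: jump to empty chain {r['jump-target']}")
    # 4. an enabled catch-all accept in forward bypasses the tcp/udp chains entirely
    for i, r in fwd:
        if r["action"] == "accept" and r.get("disabled") != "yes" \
                and not (set(r) - NON_MATCHERS - {"in-interface"}):
            findings.append(f"rule {i}: enabled catch-all accept '{r.get('comment', '')}'")
    # 5. each WAN dst-nat needs an accept in the matching tcp/udp chain that is not
    #    restricted to in-interface=bridge (forwarded traffic arrives on ether1)
    for r in sections["/ip firewall nat"]:
        if r["action"] != "dst-nat" or r.get("in-interface-list") != "WAN" or "dst-port" not in r:
            continue
        proto, wanted, allowed = r["protocol"], port_set(r["dst-port"]), set()
        for _, a in by_chain[proto]:
            if a["action"] == "accept" and a.get("disabled") != "yes" and "in-interface" not in a:
                allowed |= port_set(a.get("dst-port", "0-65535"))
        if wanted - allowed:
            findings.append(f"dstnat {proto}/{r['dst-port']} -> {r['to-addresses']}: "
                            f"not accepted in chain {proto}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", EXPORT), ("broken", BROKEN)):
        print(name, lint(cfg) or "OK")
```

Run it against the output of `/export` from your own router (paste it into `EXPORT` or read it from a file); the posted excerpt passes cleanly, while re-enabling the "Allow everything" rule is reported as a catch-all accept that makes the tcp/udp chains dead code. The check for port forwards is deliberately stricter than the router itself: RouterOS would happily install a dst-nat rule whose traffic the forward chain then drops, and this is the mismatch that is otherwise only found by watching the `!NAT` log prefix.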