Some of the "Advanced Firewall Rules" cause problems in my local network

Hello. I recently started installing and using a dedicated firewall unit (an outdated i3-ish AMD laptop) in my local network. After trying some alternatives, such as pfSense, I found that Mikrotik performs quite well and is worth learning to become an advanced user. Hence, I am currently endeavouring to understand RouterOS better.

After installing the OS without an internet connection to the router hardware, I created firewall rules by referring to the Firewall and QoS Case Studies (as well as the First Time Configuration and DDoS Protection) documents from help.mikrotik.com. Although I couldn’t fully grasp each firewall condition, I successfully registered most of the rules presented in the guides. However, oddly, two conditions prevented my computer (on the local network) from accessing the internet and the router’s www administration. Consequently, I needed to turn off the two rules on the router hardware (as I couldn’t access the www administration) to restore functionality to my local network and internet connection. To me, the two rules I should have turned off look crucial. Therefore, I would like to inquire whether this situation is acceptable. Below are the rules I deactivated:

add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" in-interface-list=WAN dst-address=192.168.88.0/24

The WAN is a direct PPPoE connection (using credentials) from the router to the ISP. Since the VPN gateway was in an address range outside the Mikrotik router’s network, I attempted to disable the VPN on my computer in the local network and then access the router. However, that did not resolve the issue, nor did turning off some OS services that prevent web tracking.

Could you advise me on my current situation? Thank you!

The default rules are good enough for a starting point.
I personally do not recommend the bloatware of rules that MT has piled on in their documents.

As your traffic needs grow or change, then so should the firewall rules.
So if your config is still one single bridge with one LAN subnet and one WAN, there is no reason to modify the rules.
Nor should you modify the rules until you understand what the default rules are doing.

We cannot advise without evidence.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

How many interfaces do you have?
Is the same interface used for LAN and WAN functions?
Which way does the PPPoE go?

How many interfaces do you have? There are two. One is the built-in LAN, and the other is a USB LAN.
Is the same interface used for LAN and WAN functions? Two interfaces are used for WAN and LAN, respectively.
Which way does the PPPoE go? The built-in LAN is for the PPPoE.

Thanks, BartoszP.

Would you review the below settings? Though it’s a moment that makes me shy, it would be better to get some advice.

# 2025-02-** **:**:** by RouterOS 7.17.2
# software id = ***
# there used to be a code...

Please use a proper code tag (the < / > button in the editor), as scrolling through several pages of a post is not convenient.

Ah, I see! Thanks! :slight_smile:

The include=all in /interface list looks strange to me.
You should have only two simple lists, LAN and WAN, and two interface list members in them, bridge and pppoe respectively.

Right. Indeed, I found a command to create a PPPoE interface directly. I am going to try that one out and erase unnecessary ones.

Ah, interface list! Now I understand, I should sort them out. Yes, WAN shouldn’t include everything. :slight_smile:
Does it make sense?

/interface list member
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=ether2 list=LAN
add interface=ether1 list=WAN

I think this is what you explained.

/interface list
add comment="LAN (bridge1)" name=LAN
add comment=PPPoE name=WAN
/interface list member
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN

Yes.
Once a port is part of a bridge it doesn't really "exist" anymore; it loses some of its dignity, and so adding ether2 to either LAN or WAN has little effect (actually none).
Same goes for ether1: the actual interface is either the pppoe one or the vlan one.
And while we are at it, you might find interesting Rules #1 and #2 here:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1

Thanks a lot. Now, I can activate the rules that caused the crash. Furthermore, I changed the VLAN interface name to something other than VLAN1. Is that what the rule means? :slight_smile:

That’s not quite correct. Normally the ethernet interface (vlan or the port if no vlan is used) right underneath the PPPoE out connection still should be added to the WAN interface list, because usually over that port you have access to the ISP modem management interface, or the converter management interface. That way, you can configure an IP address on the interface (same subnet as the modem/converter) and have masquerade automatically applied to that port too (you can then manage the modem/converter from your LAN), as well as a firewall protection against unwanted access from the modem side.
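Putting the replies above together, here is an added example (not RouterOS code and not from any poster) that models why the two raw-table prerouting rules from the first post cut the LAN off when the WAN interface list was created with include=all. It is a small Python simulation of the `in-interface-list=WAN`, `src-address-list=not_global_ipv4` and `dst-address=192.168.88.0/24` matchers. The interface names follow the thread; the contents of `not_global_ipv4` are assumed to match MikroTik's "Building Advanced Firewall" guide; the sample packets and their addresses are constructed for the example.

```python
import ipaddress

# Added example (not RouterOS code): model how RouterOS's in-interface-list=WAN
# matcher in the two "defconf" raw prerouting rules behaves depending on which
# interfaces the WAN list contains. Interface names follow the forum thread.
INTERFACES = ["ether1", "ether2", "bridge1", "pppoe-out1"]

# Assumed contents of the not_global_ipv4 address list from MikroTik's
# "Building Advanced Firewall" guide (bogon / non-routable ranges).
NOT_GLOBAL_IPV4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4",
)]

LOCAL_LAN = ipaddress.ip_network("192.168.88.0/24")


def in_address_list(addr, networks):
    """True if addr falls inside any prefix of the list (RouterOS address-list match)."""
    return any(addr in net for net in networks)


def raw_prerouting(packet, interface_lists):
    """Evaluate the two 'defconf' raw rules in order; the first match wins.

    packet:          {"in_interface": str, "src": str, "dst": str}
    interface_lists: {"LAN": set of interface names, "WAN": set of interface names}
    Returns the action string RouterOS would log for the matching rule, or "accept".
    """
    wan = interface_lists["WAN"]
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    # add action=drop chain=prerouting src-address-list=not_global_ipv4 in-interface-list=WAN
    if packet["in_interface"] in wan and in_address_list(src, NOT_GLOBAL_IPV4):
        return "drop: defconf: drop non global from WAN"
    # add action=drop chain=prerouting in-interface-list=WAN dst-address=192.168.88.0/24
    if packet["in_interface"] in wan and dst in LOCAL_LAN:
        return "drop: defconf: drop forward to local lan from WAN"
    return "accept"


# WAN list created with include=all: every interface, bridge1 included, counts as WAN.
BROKEN_LISTS = {"LAN": {"bridge1", "ether2"}, "WAN": set(INTERFACES)}
# Fixed: the bridge in LAN; pppoe-out1 plus the physical/VLAN interface under it in WAN.
FIXED_LISTS = {"LAN": {"bridge1"}, "WAN": {"pppoe-out1", "ether1"}}

# Constructed sample traffic (addresses chosen for the example only).
SAMPLE_PACKETS = {
    "lan_to_internet":          {"in_interface": "bridge1",    "src": "192.168.88.10", "dst": "1.1.1.1"},
    "lan_to_router_www":        {"in_interface": "bridge1",    "src": "192.168.88.10", "dst": "192.168.88.1"},
    "internet_reply":           {"in_interface": "pppoe-out1", "src": "1.1.1.1",       "dst": "203.0.113.20"},
    "spoofed_private_from_isp": {"in_interface": "pppoe-out1", "src": "10.0.0.5",      "dst": "203.0.113.20"},
    "internet_to_lan_host":     {"in_interface": "pppoe-out1", "src": "8.8.8.8",       "dst": "192.168.88.10"},
}


def evaluate(interface_lists):
    """Map each sample packet name to the action the two raw rules would take."""
    return {name: raw_prerouting(pkt, interface_lists)
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, lists in (("WAN include=all", BROKEN_LISTS),
                         ("WAN = pppoe-out1, ether1", FIXED_LISTS)):
        print(f"--- {label} ---")
        for name, action in evaluate(lists).items():
            print(f"{name:26s} {action}")
```

With `include=all`, the bridge is a "WAN" interface, so every packet from a 192.168.88.x host matches `not_global_ipv4` and is dropped before it reaches routing or the router's own web service; that is exactly the symptom in the first post. With the bridge only in LAN, the same two rules still drop spoofed private sources and inbound packets aimed at LAN addresses arriving over PPPoE, which is what they are for.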

Currently, the router bypasses the ISP modem (so the modem’s DHCP is excluded in the local network) but logs into the ISP and connects to the internet by itself through a VLAN interface created in the router. Indeed, before, the router logs showed that the modem periodically scanned my local network, which was unavoidable because the WAN IP address came from the modem’s DHCP at that time. As far as I understand, in the current settings that exclude the ISP modem, applying what you suggested can be like putting “PPPoE, VLAN, ethernet towards the ISP’s PPPoE network” in the same “WAN interface list” and grouping “bridge, ethernet for the local network (DHCP)” into the same “LAN interface list”.

In this thread, I am advised in two ways: “one interface in one list” and “all the involving interfaces into a group”. Nevertheless, as far as I have tested, such a “plural interfaces into one group” setting works in my local network. Is it just a matter of choice? Thanks for your advice!

Here’s an update: Adding many “used in the same sort(?)” interfaces to one list seems to cause my local network to crash. I think this may be because the firewall’s overly defined rules filter out packets from the VLAN and LAN interfaces.