Which rules prevent access to services on the MikroTik?

Hi everyone,
I’m trying to understand some basic concepts following this basic guide in MikroTik’s documentation:
https://wiki.mikrotik.com/wiki/Tips_and_Tricks_for_Beginners_and_Experienced_Users_of_RouterOS

Which of these rules prevents access to services on the MikroTik itself (Winbox, WebFig, SSH, etc.)?

Create firewall filter rules to protect router from incoming (input) connections:

/ip firewall filter
 add chain=input comment="Accept established and related packets" connection-state=established,related
 add chain=input comment="Accept all connections from local network" in-interface=LAN
 add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
 add action=drop chain=input comment="Drop all packets which are not destined to router's IP address" dst-address-type=!local
 add action=drop chain=input comment="Drop all packets which do not have unicast source IP address" src-address-type=!unicast
 add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic

Create firewall filter rules to protect your local network from passing (forwards) connections:

/ip firewall filter
 add chain=forward comment="Accept established and related packets" connection-state=established,related
 add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
 add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN
 add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
 add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN
 add action=drop chain=forward comment="Drop all packets in local network which do not have local network address" in-interface=LAN src-address=!192.168.88.0/24

Because with this configuration I can still access WebFig from the outside, I added this rule to drop traffic directed to non-local networks:

/ip firewall filter
 add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN dst-address-list=NotPublic

Many thanks.

None, actually. The default firewall filter rules have this stanza at the end of the rules for chain=input:

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

which is similar (or not, depending on interface list membership) to what you added. The rule above can actually replace rule #2 in your list of rules for chain=input; just be careful about its placement, since if misplaced it could block something you would like to allow.

You started from an “old” manual. At least the rules make no sense…
There is a newer and better one under this link: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

But the ultimate best is to start with the default firewall rules, which most devices have after a reset!

Apparently you have not yet read the Wiki and docs in more depth. You will have to do that to better understand all this.
Tweaking something without knowing what you do is very dangerous…

To make it short:
Input: the router itself, like Winbox/WebFig/Files/SSH… This should be closed as much as possible…
Forward: traffic through the router, either LAN-LAN, LAN-WAN or WAN-LAN…

To start from a safe basis, do a SW upgrade to the latest stable (or long-term) SW release, then do a full reset and use the default config.
With that it is impossible to access the router from WAN.

As a quick start, MikroTik security has 3 aspects:

  • Users and access rights (incl. password, allowed address range, etc.)
  • IP services: enable/disable those not needed and define the IP addresses from which they are available
  • Firewall: preventing the connection itself.

And: adapt as needed the bandwidth server, those MAC servers not used, and neighbour discovery.

Thank you so much for your suggestions, you were very clear.
Thank you.

The easy answer for both input chain and forward chain is to put a simpler last rule.

add chain=forward (or) input action=drop comment="Drop All Else"

What this does is drop all traffic to the router (input chain) OR across the router (WAN to LAN, LAN to WAN, LAN to LAN) that you have not EXPLICITLY stated, above the drop rule, as allowable traffic.

In the input chain the minimum is:
a. allow admin to the router (to be able to configure the router); this needs to be done prior to invoking the drop rule or you will lock yourself out.
b. allow services for users if required (optional: DNS port 53, NTP, etc.)

In the forward chain the most usual ones are:
a. lan to wan traffic
b. any vlan to vlan traffic one wants to allow
c. port forwarding as a separate rule (plus commensurate dst nat rules)
d. admin to all subnets

One only needs the default rules, and to remove the default !LAN rule on the input chain
and the default !dstnat rule in the forward chain.
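As an added example, not code from this thread or from MikroTik: a small Python model of first-match evaluation in a RouterOS firewall chain. It traces the OP's posted input chain against a new WAN connection to the router's own public address (no rule matches, so the chain's implicit accept lets WebFig through), then appends the "defconf: drop all not coming from LAN" rule quoted in the first reply, and finally shows the ordering point from the last reply ("Drop All Else" placed before the admin allow locks the admin out). The interface names, router addresses, NotPublic list, admin subnet and ports are constructed assumptions, and only the matcher values these chains use are modelled.

```python
"""Added example, not code from the thread or from MikroTik: a first-match model
of a RouterOS firewall chain, used to trace which rule a packet hits.
Interfaces, addresses, lists and the admin subnet below are constructed."""
import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.ip_address
# Constructed topology: a bridge named "LAN" (member of list LAN) and an
# interface named "WAN" (member of list WAN), as the OP's rules assume.
INTERFACE_LISTS = {"LAN": {"LAN"}, "WAN": {"WAN"}}
# The router's own addresses: LAN gateway plus a constructed (TEST-NET-3) public address.
ROUTER_LOCAL = {IP("192.168.88.1"), IP("203.0.113.10")}
ADDRESS_LISTS = {"NotPublic": [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]}

@dataclass
class Packet:
    in_interface: str
    src: str
    dst: str
    dst_port: int = 0
    conn_state: str = "new"      # new / established / related / invalid

@dataclass
class Rule:
    action: str                  # "accept" or "drop"
    comment: str
    match: dict = field(default_factory=dict)   # matcher name -> value; leading "!" negates

def _in_list(addr, name):
    return any(IP(addr) in net for net in ADDRESS_LISTS[name])

def _is_unicast(addr):
    a = IP(addr)
    return not a.is_multicast and a != IP("255.255.255.255")

# Only the matcher values used by the chains below are modelled.
MATCHERS = {
    "connection-state":  lambda p, v: p.conn_state in v.split(","),
    "in-interface":      lambda p, v: p.in_interface == v,
    "in-interface-list": lambda p, v: p.in_interface in INTERFACE_LISTS.get(v, set()),
    "dst-address-type":  lambda p, v: v == "local" and IP(p.dst) in ROUTER_LOCAL,
    "src-address-type":  lambda p, v: v == "unicast" and _is_unicast(p.src),
    "src-address-list":  lambda p, v: _in_list(p.src, v),
    "src-address":       lambda p, v: IP(p.src) in ipaddress.ip_network(v, strict=False),
    "dst-port":          lambda p, v: p.dst_port in {int(x) for x in v.split(",")},
}

def matches(rule, pkt):
    """Every matcher on the rule must hold; '!' inverts a single matcher."""
    for key, raw in rule.match.items():
        negate = raw.startswith("!")
        hit = MATCHERS[key](pkt, raw.lstrip("!"))
        if hit == negate:        # plain matcher missed, or negated matcher hit
            return False
    return True

def evaluate(chain, pkt):
    """First matching rule decides; a chain with no match accepts (RouterOS default)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "(no rule matched: implicit accept)"

# The OP's input chain, as posted (comments shortened).
OP_INPUT = [
    Rule("accept", "established,related", {"connection-state": "established,related"}),
    Rule("accept", "from LAN", {"in-interface": "LAN"}),
    Rule("drop", "invalid", {"connection-state": "invalid"}),
    Rule("drop", "not to router address", {"dst-address-type": "!local"}),
    Rule("drop", "non-unicast source", {"src-address-type": "!unicast"}),
    Rule("drop", "NotPublic source on WAN", {"in-interface": "WAN", "src-address-list": "NotPublic"}),
]
# The closing default-config rule quoted in the first reply.
DEFCONF_DROP = Rule("drop", "defconf: drop all not coming from LAN", {"in-interface-list": "!LAN"})
# "Drop All Else" style from the last reply; admin subnet and ports are assumptions.
ADMIN_ALLOW = Rule("accept", "admin to router", {"src-address": "192.168.88.0/24", "dst-port": "80,8291"})
DROP_ALL_ELSE = Rule("drop", "Drop All Else")

# Constructed packets: a new WebFig connection from the Internet, and one from the LAN.
WEBFIG_FROM_INTERNET = Packet("WAN", "198.51.100.7", "203.0.113.10", 80)
WEBFIG_FROM_LAN = Packet("LAN", "192.168.88.10", "192.168.88.1", 80)

def trace_op_chain():
    """The posted chain: no rule matches, so the router's WebFig is reachable from WAN."""
    return evaluate(OP_INPUT, WEBFIG_FROM_INTERNET)

def trace_with_defconf():
    """Same chain with the defconf rule appended: the WAN packet is dropped."""
    return evaluate(OP_INPUT + [DEFCONF_DROP], WEBFIG_FROM_INTERNET)

def trace_drop_all_else(allow_first):
    """Ordering test: the admin allow must precede 'Drop All Else' or admin is locked out."""
    chain = [ADMIN_ALLOW, DROP_ALL_ELSE] if allow_first else [DROP_ALL_ELSE, ADMIN_ALLOW]
    return evaluate(chain, WEBFIG_FROM_LAN)[0]

if __name__ == "__main__":
    print("OP chain, WAN -> WebFig:      ", trace_op_chain())
    print("OP chain + defconf, WAN:      ", trace_with_defconf())
    print("allow before drop, LAN admin: ", trace_drop_all_else(True))
    print("drop before allow, LAN admin: ", trace_drop_all_else(False))
```

Running it shows the four outcomes the thread argues about: the posted chain ends in the implicit accept for the WAN packet, the appended defconf rule turns that into a drop, and the "Drop All Else" chain only keeps the admin in when the allow rule sits above the drop.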