bds1904
Frequent Visitor
Topic Author
Posts: 63
Joined: Tue Sep 10, 2013 2:52 am

FEATURE REQUEST: Add Basic Firewall Rule Wizard

Wed Mar 25, 2020 3:40 am

Please add a button that will add certain common, basic firewall rules. For example, on ip/firewall/rules add a winbox button called "add basic rules wizard". Have this button generate a series of check-boxes that can be selected from to add basic firewall rules based on your LAN/WAN lists.

Such possibilities include:
  • Add Default firewall rules
  • Block BOGON networks from WAN, incoming and outgoing
  • Add default FASTTRACK rules
  • Add IPSEC rules
  • Add VPN rules
Just to name a few.
 
Steveocee
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Wed Mar 25, 2020 9:47 am

That’s already included in the default config. The rules are freely available from the Wiki if you need to reference them.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
bds1904
Frequent Visitor
Topic Author
Posts: 63
Joined: Tue Sep 10, 2013 2:52 am

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Thu Mar 26, 2020 3:54 am

I understand that they are there but not logging into the terminal and running a bunch of commands would be nice for the average user. Not looking through the wiki would be nice also.

Click button, get firewall rules.

There’s nothing wrong with adding some simple features via a wizard. It’s when there’s no manual configuration and it’s not transparent that wizards become an issue.

Making RouterOS slightly more friendly never hurt anybody.
 
vecernik87
Long time Member
Posts: 652
Joined: Fri Nov 10, 2017 8:19 am

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Thu Mar 26, 2020 5:31 am

You can't simplify this. Each situation is different. For example some people may be behind ISP's NAT and use RFC1918 addresses... blocking bogons might break this...
In addition, these "premade" rules may be incompatible with existing settings etc... If you have a single change against defconf, it may break so many things...
Too many problems, not much simplification.

Finally, if you know you want bogon rules (i.e. you know the term) then you can create the rule in less than 1 minute anyway. If you want VPN rules, you know exactly what kind of VPN you use and again - you can add it in a few minutes. Users who would benefit from such a wizard will not understand those terms and in the end will not have any benefit.
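
Added example (not part of the original thread, and not RouterOS or MikroTik code): a pre-flight check that any generator of WAN-side bogon drop rules would need for the case raised in the post above, where the uplink itself sits in RFC1918 or carrier-grade NAT space. The bogon list is an illustrative subset, and the function names and sample addresses are constructed for this example.

```python
import ipaddress

# Commonly cited IPv4 bogon ranges (an illustrative subset chosen for this
# example; it is not a list shipped by RouterOS).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def bogon_conflicts(wan_cidr, gateway, bogons=BOGONS):
    """Bogon ranges that a WAN-side drop rule would apply to the uplink itself.

    wan_cidr: address/prefix on the WAN interface, e.g. "100.64.12.7/24"
    gateway:  next hop of the default route
    """
    wan = ipaddress.ip_interface(wan_cidr)
    gw = ipaddress.ip_address(gateway)
    # A range conflicts if it overlaps the WAN subnet or contains the gateway
    # (the gateway may sit outside the WAN prefix on some uplinks).
    return [net for net in bogons
            if net.overlaps(wan.network) or gw in net]


def plan_bogon_rules(wan_cidr, gateway, bogons=BOGONS):
    """Split the bogon list into ranges safe to drop on WAN and ranges to skip."""
    skip = bogon_conflicts(wan_cidr, gateway, bogons)
    drop = [net for net in bogons if net not in skip]
    return {"drop": [str(n) for n in drop], "skip": [str(n) for n in skip]}


# Constructed sample uplinks: (label, WAN address, default gateway).
SAMPLES = [
    ("public address", "45.10.20.30/24", "45.10.20.1"),
    ("carrier-grade NAT", "100.64.12.7/24", "100.64.12.1"),
    ("behind ISP modem", "192.168.1.2/24", "192.168.1.1"),
]

if __name__ == "__main__":
    for label, wan, gw in SAMPLES:
        plan = plan_bogon_rules(wan, gw)
        print(f"{label}: drop {len(plan['drop'])} ranges, skip {plan['skip']}")
```

A skipped range is one where a blanket drop would cut off the router's own upstream; what to do with it (leave it open, or allow only the gateway and drop the rest) is still an operator decision.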
 
mrz
MikroTik Support
Posts: 6001
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Thu Mar 26, 2020 9:08 am

That is why we have quickset where you can disable/enable default firewall ruleset or default NAT rules.
 
bds1904
Frequent Visitor
Topic Author
Posts: 63
Joined: Tue Sep 10, 2013 2:52 am

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Thu Mar 26, 2020 3:58 pm

You can't simplify this. Each situation is different. For example some people may be behind ISP's NAT and use RFC1918 addresses... blocking bogons might break this...
In addition, these "premade" rules may be incompatible with existing settings etc... If you have a single change against defconf, it may break so many things...
Too many problems, not much simplification.

Finally, if you know you want bogon rules (i.e. you know the term) then you can create the rule in less than 1 minute anyway. If you want VPN rules, you know exactly what kind of VPN you use and again - you can add it in a few minutes. Users who would benefit from such a wizard will not understand those terms and in the end will not have any benefit.
This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job.

Simplifying a firewall rule wizard such as adding bogon and certain types of VPN won’t mess anything up for standard configurations as long as you actually follow best practice and put your WANs and LANs in the address lists.

Personally I have a script written that applies all the firewalls I need for certain situations, including Multi-WAN and Multi-LAN and everything. The scripts utilize the address lists to ensure everything works. I am not the typical user, but I do work with ISPs that utilize MikroTik products at the customer location, including basic residential.

Note, I’m saying for standard configurations. One WAN, one LAN, standard.

If you are not using a “standard configuration” then you likely don’t want to use a firewall rule or wizard.

Get your head out of the sand and realize that simplifying a product or its configuration makes the product more marketable to more people. The more marketable RouterOS products are, the more cool products MikroTik will keep making.
 
pe1chl
Forum Guru
Posts: 6333
Joined: Mon Jun 08, 2015 12:09 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Thu Mar 26, 2020 5:39 pm

That is why we have quickset where you can disable/enable default firewall ruleset or default NAT rules.
It would be helpful if there were a feature (in quickset or otherwise) to reset the firewall to defaults (including the required interface lists) without changing other router config.
The default firewall has been improved a lot, but many users still run the old firewall because it is only updated when you reset EVERYTHING to defaults.
 
vortex
Forum Guru
Posts: 1010
Joined: Sat Feb 16, 2013 6:10 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Thu Mar 26, 2020 6:33 pm

The default firewall has been improved a lot, but many users still run the old firewall because it is only updated when you reset EVERYTHING to defaults.
I did not know this and I would not reset everything.
 
Cha0s
Forum Veteran
Posts: 930
Joined: Tue Oct 11, 2005 4:53 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 12:07 am

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job.
That's why I hate the non-IT community. Instead of complaining about what you don't know how to use and asking to dumb down things, you should start by RTFM. It doesn't cost your job. It isn't even your job to begin with.
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 1:05 am

making something more intuitive - good, and RouterOS is doing well (of course it's relative, beginners may not agree)
making it simpler - depends, but probably good if it doesn't limit possibilities
dumbing down - bad

This could be the second case, some of it could be good as part of future more capable Quick Set. But outside of it, I'm not sure. Some of those things are just too simple (e.g. VPN/IPSec needs one to three simple rules). And you add them once. You save nothing with the wizard. It could make sense for something more complex, but then you have the problem how to put things together. You still need to understand what you're doing, put the rules in right place, etc. It's difficult to do automatically, unless you support it only for one specific basic config. Which IMHO leads again to improved Quick Set.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
Steveocee
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 5:22 am

There is no possible scenario an “auto firewall” button would work. Where it may work for you, it won’t for another.

I share your sentiment entirely with not over complicating things but sometimes there is wanting to be spoon fed.
 
pe1chl
Forum Guru
Posts: 6333
Joined: Mon Jun 08, 2015 12:09 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 12:33 pm

Some of those things are just too simple (e.g. VPN/IPSec needs one to three simple rules). And you add them once. You save nothing with the wizard. It could make sense for something more complex, but then you have the problem how to put things together. You still need to understand what you're doing, put the rules in right place, etc. It's difficult to do automatically, unless you support it only for one specific basic config. Which IMHO leads again to improved Quick Set.
Well of course there is the possibility of having an extra layer on top of the current settings where you would manage the firewall from Quick Set only and you would have selections like "open this service to internet" or "forward this port to that IP (from internet)" and the system would maintain the rules required for that by itself.
Indeed when you make manual changes in the config and then go back to the Quick Set way it will totally break, but that already is the case with the current Quick Set once you go beyond a simple NAT-router setup... we have requested a "lock" on Quick Set for a long time (so you can block Quick Set once you have made specific customizations, either manually or automatically) but it never happened, so MikroTik apparently is not so worried about that.

But note that lots of things that people are fighting with, like having the proper firewall settings for a system that uses IPsec, have been solved in the default firewall on newer RouterOS versions.
But most people never get that new default firewall. Even when you buy the device new, the first time you plug it in it loads the default firewall rules for the RouterOS that was installed by the factory (maybe half a year ago) and then when you click "Check for Updates" in the Quick Set and it updates the RouterOS, the new firewall is never loaded unless you then again click Reset to Defaults.
Which most people never do because they already started from defaults.
Similarly, once you have owned the device for some time and you upgrade RouterOS, the new firewall is never loaded and you won't Reset to Defaults anymore because you have already configured it.
It would be great if there were an additional "Reset only Firewall to Defaults" button on Quick Set that just resets the firewall. Maybe it should even hint to do that when you first access the router after an upgrade and it sees it does not have the current defaults yet.
 
vortex
Forum Guru
Posts: 1010
Joined: Sat Feb 16, 2013 6:10 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 2:11 pm

Resetting just the firewall is not great either, except for totally casual users.

A firewall analyzer would be nice.
 
pe1chl
Forum Guru
Posts: 6333
Joined: Mon Jun 08, 2015 12:09 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 4:06 pm

I think most casual users would be totally fine with the default firewall as it is today.
Of course it is not a button you must click without knowing what you are doing, but that is the case for almost any setting in a router like this.
 
vortex
Forum Guru
Posts: 1010
Joined: Sat Feb 16, 2013 6:10 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 4:34 pm

You have to be careful because the WAN might not be connected to the first port.
 
Chupaka
Forum Guru
Posts: 8370
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 5:14 pm

You have to be careful because the WAN might not be connected to the first port.
That's why Interface Lists were introduced: no more "ether1" in firewall rules!
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
pe1chl
Forum Guru
Posts: 6333
Joined: Mon Jun 08, 2015 12:09 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 5:22 pm

You have to be careful because the WAN might not be connected to the first port.
That's why Interface Lists were introduced: no more "ether1" in firewall rules!
Indeed, that is one of the reasons the new default firewall is so much better.
Of course, resetting the firewall should also create and populate the interface lists when they were not yet present.
(as the defaults script does as well)
 
vortex
Forum Guru
Posts: 1010
Joined: Sat Feb 16, 2013 6:10 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 5:37 pm

How would the router know which ports are WAN in the general case to create those lists?
 
pe1chl
Forum Guru
Posts: 6333
Joined: Mon Jun 08, 2015 12:09 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Fri Mar 27, 2020 5:45 pm

It can look at the existing configuration. E.g. check where the default route is pointing.
Remember this is only for the simple "NAT router on a consumer internet connection" case.
It manages quite well when you use QuickSet to configure a router, e.g. when you configure PPPoE client that interface is automatically added to the WAN list.
It does not matter so much when it makes wrong decisions because of the clever use of WAN and !LAN in the firewall.
 
Valerio5000
Frequent Visitor
Posts: 55
Joined: Fri Dec 06, 2013 2:38 am

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sat Mar 28, 2020 1:34 am

I would very much agree to include a very simplified entry under Quick setup to open a certain port or service to a specific IP address. I believe that the Quick Setup page could be made a separate package of ROS so that it is installed only by novice users and those who do not want it do not install it.
 
aoakeley
newbie
Posts: 48
Joined: Mon May 21, 2012 11:45 am

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sat Mar 28, 2020 6:43 am


If you are not using a “standard configuration” then you likely don’t want to use a firewall rule or wizard.
Sorry - what's a standard configuration?

I'm serious... what you consider to be standard will not be what someone else does.
 
Chupaka
Forum Guru
Posts: 8370
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sat Mar 28, 2020 11:12 am

"Standard" means "the configuration you have after configuration reset", the default one
 
pe1chl
Forum Guru
Posts: 6333
Joined: Mon Jun 08, 2015 12:09 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sat Mar 28, 2020 11:37 am


If you are not using a “standard configuration” then you likely don’t want to use a firewall rule or wizard.
Sorry - what's a standard configuration?

I'm serious... what you consider to be standard will not be what someone else does.
I consider a "standard configuration" to be the consumer NAT router with one internet interface (be it ethernet, VLAN, PPPoE or what you can think of) and a local LAN bridge that has the remainder of the ethernet ports and possible wifi interfaces as ports.
This is what QuickSet already can set up and what Reset to Defaults installs (except on CCR and RB1100, but those are not the intended audience).

In addition to this "standard configuration" the user may want to add a VPN or wants to open some port to an internal system.
This is also what other consumer type routers do support.

Anything beyond that is not covered by this and will have to be configured manually. I operate a lot of routers that would not be covered by this, but I think I am not within the majority group of router users and I do not require such functionality for myself.
That does not mean that it would not be useful for others. Probably not for you, but it would be useful for the typical home user.

Of course the question always is: what group of users do you want to support as a manufacturer. It appears (from recent product introductions) that MikroTik is trying to shift more from "a router for the network expert" towards the "canned solution for specific situation" including the use in households. Easier configuration is a part of that. But of course they should not lock the expert out of configuring the router exactly to their request.

QuickSet is an approach to that, although I agree with Valerio5000 that it should be made possible to remove that package or at least disable its function, as it is too difficult to make a QuickSet that can safely be used after customization has been applied directly using the normal menus.
 
mducharme
Trainer
Posts: 896
Joined: Tue Jul 19, 2016 6:45 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sat Mar 28, 2020 8:34 pm

For our home users we do customized webfig skins that limit the options shown to them to hide things that they don't care about and might confuse them.

The most user friendly way IMO of managing a home MikroTik is with the iOS or Android app. It might make more sense to have such wizards in there for home routers for the average user with the default config (ex. port forward wizard).
 
vortex
Forum Guru
Posts: 1010
Joined: Sat Feb 16, 2013 6:10 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sat Mar 28, 2020 9:23 pm

The app is not friendly because you cannot download an apk anymore.
 
Valerio5000
Frequent Visitor
Posts: 55
Joined: Fri Dec 06, 2013 2:38 am

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sun Mar 29, 2020 4:09 am

For our home users we do customized webfig skins that limit the options shown to them to hide things that they don't care about and might confuse them.

The most user friendly way IMO of managing a home MikroTik is with the iOS or Android app. It might make more sense to have such wizards in there for home routers for the average user with the default config (ex. port forward wizard).
This is certainly true but why not do an identical procedure on ROS via WinBox or WebFig?
 
Cha0s
Forum Veteran
Posts: 930
Joined: Tue Oct 11, 2005 4:53 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sun Mar 29, 2020 6:16 pm

This is certainly true but why not do an identical procedure on ROS via WinBox or WebFig?
Because it is a waste of developer resources.
MikroTik should focus on fixing bugs and introducing new features. Not cater to noobs that cannot be bothered to read the manual.

Seriously, the amount of posts asking for stuff like that is annoying.
Do you see Cisco making it easier to use an ASA? No, there you have to bust your rear, to learn how to use it.
So, stop asking for MikroTik to waste their time on useless stuff, and read the manual.

Current UI and CLI are perfectly fine. Wizards and guides and quick setups are for losers. :-P
 
Chupaka
Forum Guru
Posts: 8370
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sun Mar 29, 2020 7:30 pm

Wizards and guides and quick setups are for home users. :-P
I fixed it for you
 
pe1chl
Forum Guru
Posts: 6333
Joined: Mon Jun 08, 2015 12:09 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sun Mar 29, 2020 9:16 pm

MikroTik should focus on fixing bugs and introducing new features. Not cater to noobs that cannot be bothered to read the manual.

Seriously, the amount of posts asking for stuff like that is annoying.
Do you see Cisco making it easier to use an ASA? No, there you have to bust your rear, to learn how to use it.
So, stop asking for MikroTik to waste their time on useless stuff, and read the manual.
Cisco is doing that under their Linksys brand.
And MikroTik is operating partly in the same market as Linksys, especially with the newly introduced products.
As MikroTik uses the same software across the product line, they should offer such features as well, and can benefit from them in some higher-end products as well (not all, of course, nobody would buy a CCR1072 without knowledge how to configure it).
 
vortex
Forum Guru
Posts: 1010
Joined: Sat Feb 16, 2013 6:10 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Sun Mar 29, 2020 9:46 pm

Cisco sold Linksys in 2013.
 
Valerio5000
Frequent Visitor
Posts: 55
Joined: Fri Dec 06, 2013 2:38 am

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Mon Mar 30, 2020 1:13 am

This is certainly true but why not do an identical procedure on ROS via WinBox or WebFig?
Because it is a waste of developer resources.
MikroTik should focus on fixing bugs and introducing new features. Not cater to noobs that cannot be bothered to read the manual.

Seriously, the amount of posts asking for stuff like that is annoying.
Do you see Cisco making it easier to use an ASA? No, there you have to bust your rear, to learn how to use it.
So, stop asking for MikroTik to waste their time on useless stuff, and read the manual.

Current UI and CLI are perfectly fine. Wizards and guides and quick setups are for losers. :-P
Oh yes? So why does MikroTik produce and release new products suitable for "home and office" use? I love MikroTik products but currently it doesn't make sense to have a QuickSetup page with simplified options just for home users and then to open a door on a firewall I have to go and read manuals and command line? So why was QuickSetup developed at the time? I don't understand answers like "not convenient"; wouldn't opening MikroTik to home users and selling more devices be good for a money-making company?
 
mducharme
Trainer
Posts: 896
Joined: Tue Jul 19, 2016 6:45 pm

Re: FEATURE REQUEST: Add Basic Firewall Rule Wizard

Mon Mar 30, 2020 5:06 am

One of the biggest complaints that I hear about MikroTik is the interface for things like wireless CPEs. UBNT has a nice interface for wireless configuration, very easy to use - but obviously it is limited in terms of what you can do with the device overall. With MikroTik you can do anything, you can configure anything you can think of, but the interface is so overloaded that for a specific device type you are presented with many options and features that you usually don't care about for that device, and this can be really confusing for people who are not tech wizards. I'm not sure what the solution is for this - I love the fact that you can take any RouterOS device and have full configuration abilities for any ROS features, and wouldn't want to lose that. But it would be nice to have a targeted alternate UI for a certain deployment type - ex. a UI specifically for configuring wireless CPEs. I know QuickSet is supposed to do this but part of the issue is that you don't know what QuickSet will do if you have changed anything else in the config from the factory default.
