
 
roswitina
newbie
Topic Author
Posts: 26
Joined: Tue Mar 12, 2013 8:12 am

Mikrotik Firewall Basics

Wed Nov 16, 2016 9:00 am

Where can I find a good tutorial that explains firewall rules to me?

Concretely, I am concerned about the order of the rules. Which rules belong at the beginning and which at the end? Include INPUT, OUTPUT or FORWARD. In other words, should they all be (following) together?

Thank you
Rosi
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Re: Mikrotik Firewall Basics

Wed Nov 16, 2016 11:39 am

 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik Firewall Basics

Wed Nov 16, 2016 6:53 pm

Order of rules is important, because it influences the amount of processing required for each packet. The most often used rules should be before rarely used ones. So in most cases, your very first rule should be the one for accepting established and related connections, because it will catch the vast majority of packets. This is for rules in one chain.

Order of rules between different chains does not matter, because a packet will only go into one (a packet which gets into the input chain won't ever go into forward or output, etc.). So you can mix it together (input, forward, forward, output, input, forward, output) but I think it's more clear when you keep rules for individual chains together (forward, forward, forward, input, input, output, output).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Mikrotik Firewall Basics

Wed Nov 16, 2016 7:38 pm

If you use Winbox, you can actually filter your rules by chain, so you can work with only one chain at a time. Makes things a little easier to see.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik Firewall Basics

Wed Nov 16, 2016 7:53 pm

This is possible in Webfig as well!
Still, I normally keep the rules together by table (by moving them up after adding).
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik Firewall Basics

Wed Nov 16, 2016 9:38 pm

I know about filtering by chain and I sometimes use it when I have large chains. But usually configs I work with are simpler and all rules fit on a page or two. Plus if there are subchains, it's more convenient to see it all together. But yeah, it's all just a personal preference.
 
acsepal1
just joined
Posts: 6
Joined: Sat Jan 07, 2017 10:36 am

Re: Mikrotik Firewall Basics

Sat Jan 07, 2017 11:00 am

Greetings everybody. I need a little help. I bought my first MikroTik a few days ago (rb941-2nd-tc). I have very, very basic knowledge about networking. I managed to set up the rb941 as a PPPoE client (my current ISP router is in bridge mode now, its only job is to provide its modem for the internet connection and for my telephone VoIP). The only thing I need help with for now is the firewall. I want to make the rb941 secure, as well as the rest of the PCs that are connected to it. I used this tutorial to set up the connection and basics: https://www.youtube.com/watch?v=qH2qHGMCAQU . I also used the firewall rules in that tutorial. After that I additionally set up the firewall by using this tutorial: http://wiki.mikrotik.com/wiki/Manual:IP ... protection

Will that be enough for everyday usage of my PCs (torrents, games, regular surfing, Windows HomeGroup, etc.)?
Thank you
 
acsepal1
just joined
Posts: 6
Joined: Sat Jan 07, 2017 10:36 am

Re: Mikrotik Firewall Basics

Wed Jan 11, 2017 12:30 pm

Anyone?
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Mikrotik Firewall Basics

Wed Jan 11, 2017 8:44 pm

It's safe to start with the default firewall (*); it blocks everything from WAN and that's the main thing you need. You can see what your device had using:
/system default-configuration print
Look for stuff under "/ip firewall". It's just a few rules, and it should be easy to understand what they do. I think they were also listed somewhere in the MikroTik wiki.

(*) There's one important thing to watch for - the default firewall has the ether1 interface as WAN. If you connect to the internet using PPPoE, the client interface is your real WAN, so it needs to be changed in the rules.

If you want to improve it, I suggest not blindly following random tutorials found online. Not that they would necessarily be bad, but it's always good to know what exactly you are doing and why.
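
An added example, not part of any post above and not MikroTik's shipped default configuration: a minimal RouterOS filter list that follows the two points made in this thread, with rules grouped per chain and the established/related rule first, and with the PPPoE client interface used as WAN instead of ether1. The interface name pppoe-out1 and the comment strings are assumptions; substitute the name your own PPPoE client shows.

```routeros
# Added example. Assumption: the PPPoE client interface is named "pppoe-out1".
# Check the real name first with:
#   /interface pppoe-client print
#
# "add" appends to the end of the existing list. On a router that already has
# filter rules, review them with "/ip firewall filter print" first, because an
# earlier rule in the same chain is matched before anything added here.

/ip firewall filter

# --- input chain: packets addressed to the router itself ---
# Placed first because replies on already-tracked connections are most packets.
add chain=input action=accept connection-state=established,related \
    comment="input: accept established,related"
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
add chain=input action=accept protocol=icmp \
    comment="input: accept ICMP"
# WAN is the PPPoE client interface. A rule matching in-interface=ether1 would
# never match here, because IP traffic arrives on pppoe-out1, not on ether1.
add chain=input action=drop in-interface=pppoe-out1 \
    comment="input: drop everything else from WAN"

# --- forward chain: packets routed through the router (LAN <-> internet) ---
add chain=forward action=accept connection-state=established,related \
    comment="forward: accept established,related"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# New connections arriving from WAN are dropped unless a dst-nat
# (port forwarding) rule has already matched them.
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface=pppoe-out1 \
    comment="forward: drop unsolicited from WAN"

# Per-rule packet counters: within each chain, the rules near the top
# should show the highest counts.
/ip firewall filter print stats
```

Input and forward rules are evaluated independently, so the position of the forward block relative to the input block has no effect; only the order inside each chain does.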
