mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Configuring the Firewall in RouterOS

Mon Apr 27, 2020 3:04 am

My MikroTik switch ( https://mikrotik.com/product/CRS326-24G-2SplusRM ) has RouterOS, operating in Bridge Mode.
I'm just learning the RouterOS Firewall. I already have some iptables experience.

On this wiki page is an intro with an example config: https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter ,
but my requirements for all traffic (WAN-to-LAN, LAN-to-ANY) are different (much more stringent):
by default block everything, explicitly define each protocol/port that shall be allowed/opened.

Let's say my LAN is 192.168.0.0/17 and I have to put the following items into the firewall:
srcIP        srcLoc   srcPort destIP       destLoc  destPort  Protocol  Comments
-------      -------  ------  -------      -------  --------  --------  --------
any          LAN      any     any          any      80        tcp       http   
any          LAN      any     any          any      443       tcp       https
any          LAN      any     any          any      22        tcp       ssh
any          LAN      any     1.2.3.4      WAN      465       tcp       smtps(ssmtp)
any          LAN      any     1.2.3.4      WAN      995       tcp       pop3s
any          LAN      any     192.168.10.1 LAN      53        udp+tcp   DNS
192.168.11.x LAN      any     192.168.10.1 LAN      1234      tcp       blafoo
How to best do/organize this in this firewall? This FW has no entries defined yet.

Could someone show me a skeleton example script on how best to do this?

Thx
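An added skeleton, written for this reply and not posted by anyone in the thread (nor MikroTik's default configuration), that turns the table above into RouterOS filter rules: default-deny in both the input and forward chains, with the allowed rows collected in one dedicated chain so new allow rules have an obvious place to go. It uses the values from the table (LAN 192.168.0.0/17, DNS at 192.168.10.1, mail server 1.2.3.4) and treats "192.168.11.x" as 192.168.11.0/24. The address-list names lan_nets, mail_servers and blafoo_clients and the chain names lan-out and wan-in are chosen here; the interface lists LAN and WAN are assumed to contain the interfaces the firewall actually sees (when the ports are bridged, that is the bridge itself). Two rules not in the table are added and marked as such: ssh management access to the switch itself from the LAN, and ICMP from the LAN so path-MTU discovery keeps working. Comments are placed only where RouterOS scripts accept them, at the very start of a line or in a rule's comment= field.

```routeros
# Added example skeleton (assumption: not any poster's config, not MikroTik's
# default). Values come from the table in the opening post; list and chain
# names are chosen here.

# In bridge mode /ip firewall filter only sees bridged traffic when this is
# enabled (assumption: uncomment if the ports are bridge members).
# /interface bridge settings set use-ip-firewall=yes

/ip firewall address-list
add list=lan_nets address=192.168.0.0/17 comment="whole LAN"
add list=mail_servers address=1.2.3.4 comment="smtps/pop3s server"
add list=blafoo_clients address=192.168.11.0/24 comment="192.168.11.x"

/ip firewall filter
# input: traffic addressed to the switch itself, default deny at the end
add chain=input action=accept connection-state=established,related,untracked comment="established/related/untracked"
add chain=input action=drop connection-state=invalid comment="invalid"
add chain=input action=accept protocol=icmp src-address-list=lan_nets comment="icmp from LAN (not in table)"
add chain=input action=accept protocol=tcp dst-port=22 src-address-list=lan_nets comment="ssh management from LAN (not in table)"
add chain=input action=drop comment="default deny: input"

# forward: traffic through the switch; fasttrack only makes sense here
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="invalid"
# new connections are dispatched by direction; anything unmatched falls to the final drop
add chain=forward action=jump jump-target=lan-out connection-state=new in-interface-list=LAN comment="new from LAN"
add chain=forward action=jump jump-target=wan-in connection-state=new in-interface-list=WAN comment="new from WAN"
add chain=forward action=drop comment="default deny: forward"

# lan-out: one rule per row of the table; add new allow rules ABOVE the drop
add chain=lan-out action=accept protocol=tcp dst-port=80 comment="http"
add chain=lan-out action=accept protocol=tcp dst-port=443 comment="https"
add chain=lan-out action=accept protocol=tcp dst-port=22 comment="ssh"
add chain=lan-out action=accept protocol=tcp dst-port=465 dst-address-list=mail_servers comment="smtps"
add chain=lan-out action=accept protocol=tcp dst-port=995 dst-address-list=mail_servers comment="pop3s"
add chain=lan-out action=accept protocol=udp dst-port=53 dst-address=192.168.10.1 comment="DNS udp"
add chain=lan-out action=accept protocol=tcp dst-port=53 dst-address=192.168.10.1 comment="DNS tcp"
add chain=lan-out action=accept protocol=tcp dst-port=1234 src-address-list=blafoo_clients dst-address=192.168.10.1 comment="blafoo"
add chain=lan-out action=accept protocol=icmp comment="icmp for PMTUD etc. (not in table)"
add chain=lan-out action=drop comment="default deny: LAN-originated"

# wan-in: only port-forwarded (dst-nat) connections may enter from the WAN
add chain=wan-in action=accept connection-nat-state=dstnat comment="port-forwarded only"
add chain=wan-in action=drop comment="default deny: WAN-originated"

# ARP is layer 2 and never reaches /ip firewall filter; none of the rules
# above affect it. Restricting ARP between bridge ports, if ever needed, is
# a bridge-filter matter, not an IP-filter one.
```

The explicit drop at the end of each chain is what makes the policy default-deny; a rule placed below that drop is never evaluated, so every new allow rule belongs above it in the chain the jump targets. Keeping the allow rules in lan-out and wan-in also keeps the forward chain short, which is the point of the jump structure: connection-state matches take most packets before any port rule is consulted.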
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 4:12 am

This is the default Firewall Filter:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
You can see the structure etc... For more info https://wiki.mikrotik.com/wiki/Manual:I ... ter#Chains

Take a look and let us know if you have any questions...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 5:05 am

This is the default Firewall Filter:
...
Thanks, but what does "default Firewall Filter" mean? Should it be available in the device by default?
When I issue this command then it prints nothing but the header, so, I'm a little bit confused (btw, the device has the 7.0beta5 installed):
[xxxxx@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
[xxxxx@MikroTik] >
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 12:28 pm

MikroTik on the page https://wiki.mikrotik.com/wiki/Manual:S ... r#Firewall says:
We strongly suggest to keep default firewall on. Here are few adjustment to make it more secure, ...
Unfortunately I just don't understand why my device does not know anything of this said default firewall settings.
I myself did not delete any firewall stuff yet. I only did a software upgrade to the latest 7.0beta5 from the latest 6.x release version.
So far I didn't configure the firewall of this device (my two uplink-routers of alien brand have firewalls of their own, I so far used them, but now will use also the FW of this switch).

So, why is this mentioned default firewall not present in my switch device, and: where can I find these default firewall settings to study & use?
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 12:39 pm

@Zacharias, again thanks for posting the default firewall settings, but I wonder wherefrom you got them yourself? Did you find it in your device or is that from a MikroTik document/webpage?
As said above, in my device there are no such default firewall entries present, as far as I can see; I hope I haven't overlooked anything.
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Configuring the Firewall in RouterOS  [SOLVED]

Mon Apr 27, 2020 1:13 pm

As said above, in my device there are no such default firewall entries present, as far as I can see; I hope I haven't overlooked anything.
@mutluit
Your switch CRS326-24G-2SplusRM does not have the same default Firewall rules as a Router would have.

Your switch default CONFIGURATION is a switch, not a Router. Your Switch does have L3 capabilities that you would have to configure yourself. BUT like I mentioned in another of your threads, the CRS326-24G-2SplusRM performance as an L3 device is poor.

To configure your CRS as a Router + Switch use the following guide

For the CRS3xx series of switches MikroTik do have Default Firewall Rules they suggest as an example guide that you would need to modify
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 2:18 pm

@mozerd, thanks for clarification and the links. I want to keep this device as is by default: a switch with RouterOS in Bridge Mode, but will need to use its firewall as well.

Is this configuration/setup choice a good/acceptable one, or would there be a better configuration/setup in terms of security and performance?
(as was already mentioned in one of the other threads, it shall serve just about 20x 1G clients and 2x 10G servers, all inside the LAN, and where this switch is placed behind 2 uplink-WAN-routers. Security is the most important requirement, then network performance. Currently still testing/configuring/learning the device in a non-productive test environment with 7.0beta5 firmware)

Thx.
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 3:08 pm

@mozerd, thanks for clarification and the links. I want to keep this device as is by default: a switch with RouterOS in Bridge Mode, but will need to use its firewall as well.

Is this configuration/setup choice a good/acceptable one, or would there be a better configuration/setup in terms of security and performance?
(as was already mentioned in one of the other threads, it shall serve just about 20x 1G clients and 2x 10G servers, all inside the LAN, and where this switch is placed behind 2 uplink-WAN-routers. Security is the most important requirement, then network performance. Currently still testing/configuring/learning the device in a non-productive test environment with 7.0beta5 firmware)
Since you will be attaching 2 10G servers ... how will your users use these servers? What sort of access privileges will be needed? Will anyone on the WAN side need access to these servers? Have you or your team given user access privileges any thought? Always remember that simplicity is your best friend .... it's not the number of rules that is important .... it's the least number of rules needed to meet your objectives. Always keep it simple..

The most important RULE in Router/Switch Security is being pro-active .... so you must define the user privileges first then write the rules to fit that need.

The following MikroTik Manual on Securing your Router is the one I follow and its logic also applies to MikroTik L3 Capable Switches ...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 3:20 pm

The most important RULE in Router/Switch Security is being pro-active .... so you must define the user privileges first then write the rules to fit that need.

The following MikroTik Manual on Securing your Router is the one I follow and its logic also applies to MikroTik L3 Capable Switches ...
Yes, thanks, I already have applied the above recommendations for protecting the admin access to the device, and access from WAN to the LAN is limited to a few admin users only.
Regarding users accessing the local servers: they access only a few special applications serving from certain ports using the tcp protocol, and these applications have their own user management with password.
Ok, I'll take a closer look at the user privilege settings in RouterOS, but I think these are device admin users only, not the normal users in LAN. Never mind, I'll see. Thx again.

Btw, is it possible to contact you here via PM?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 6:59 pm

This is the Default Firewall a Mikrotik Router has configured...
Your CRS does not have it because it is intended to be used as a switch, that is the reason...
I just informed you of Mikrotik's suggested firewall.. which of course you can make more strict...

The Link that @mozerd posted has the same Firewall Rules I posted in my earlier post...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 7:10 pm

This is the Default Firewall a Mikrotik Router has configured...
Your CRS does not have it because it is intended to be used as a switch, that is the reason...
I just informed you of Mikrotik's suggested firewall.. which of course you can make more strict...

The Link that @mozerd posted has the same Firewall Rules I posted in my earlier post...
Ok, all right, I finally grasped it as follows: only on the router models is a default firewall pre-configured, not on the switch devices like mine, but on the switch devices one can configure and use the firewall as well, but then the performance of the device can slightly degrade.
Thanks to everybody kindly helping me to understand my MT device better.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 7:17 pm

Exactly...
All the CRS Series models are Router-Switches, you might use it as a Switch only or a Router or both... It is up to you...
So in case you choose to use it as a Routing Device you must setup a Firewall...

Here you can see the performance results of the Device either for Switching or Routing...
In case it will be used as a Router, the performance in terms of speed will be at a Max of about 270 Mbps...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 8:06 pm

@Zacharias, I'm going to use your above posted default firewall settings.
As said, I'll use this CRS router-switch device as a switch (not as a router), but with RouterOS. It is in Bridge Mode instead of Router Mode.

Forgive me, but I don't even know yet what this CAPsMAN thing is :-) Do I really need the following action? :
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

And: I don't use any ipsec yet, maybe later. Can I safely skip these two? :
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

And: what is this fasttrack thing?
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 8:22 pm

But as said earlier, if you use it as a switch you do not need any Firewall...

The FastTrack handler helps packets bypass some procedures that would otherwise slow down the Routing Process...
https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 8:30 pm

But as said earlier, if you use it as a switch you do not need any Firewall...
Hmm. that I unfortunately don't understand, b/c I want to use the firewall on the switch as this has many advantages in my use case: centrally configuring firewall rules for all attached devices/clients...
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 8:33 pm

If that's the case then configure your CRS as a Router-Switch...
That means, all the important facilities must be running on the CRS, DHCP, DNS, Firewall, Routing etc...

Of course the above is not important... You can enable IP Firewall in the Bridge Settings and Filter the Traffic passing through the Bridge... But I do not consider such a configuration ideal for your case...
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 8:38 pm

IM posts are temporarily ON,,,,,, just click on the user's name on the left hand margin to send a message
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 8:46 pm

IM posts are temporarily ON,,,,,, just click on the user's name on the left hand margin to send a message
Why are they ON? And why temporarily?
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 9:33 pm

IM posts are temporarily ON,,,,,, just click on the user's name on the left hand margin to send a message
Yes, indeed, IM/PM has been activated by a MT admin; I already tried it out: it works :-)
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 9:48 pm

Hi folks, can you please check whether my below draft firewall script is ok.
Not all the said tcp ports are entered yet, but for testing it should suffice.
There is one important question open: how do I cover the ARP packets the devices do send and receive between each other, esp. to/from the router, in the LAN?
### My firewall script (draft/experimental; not tested yet):

/ip firewall filter
add chain=input  connection-state=established,related,untracked action=accept
add chain=input  connection-state=invalid action=drop
#add chain=input protocol=icmp            action=accept  # see below
#add chain=input dst-address=127.0.0.1    action=accept  # CAPsMAN
#add chain=input  in-interface-list=!LAN   action=drop   # drop all not coming from LAN

#add chain=forward ipsec-policy=in,ipsec  action=accept
#add chain=forward ipsec-policy=out,ipsec action=accept
add chain=forward  connection-state=established,related  action=fasttrack-connection
add chain=forward  connection-state=established,related,untracked action=accept
add chain=forward  connection-state=invalid action=drop
add chain=forward  connection-nat-state=!dstnat connection-state=new in-interface-list=WAN action=drop  # drop all from WAN not DNATed

### Block "bogon" IP addresses:
add chain=forward src-address=0.0.0.0/8   action=drop  
add chain=forward dst-address=0.0.0.0/8   action=drop  
add chain=forward src-address=127.0.0.0/8 action=drop 
add chain=forward dst-address=127.0.0.0/8 action=drop 
add chain=forward src-address=224.0.0.0/3 action=drop 
add chain=forward dst-address=224.0.0.0/3 action=drop 

### Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
#...
add chain=forward action=drop comment="deny anything other"    # CHECK: what about ARP etc.?

### Create tcp chain and allow only some tcp ports, and at end drop all the rest:
add chain=tcp protocol=tcp dst-port=80  action=accept
add chain=tcp protocol=tcp dst-port=443 action=accept
add chain=tcp protocol=tcp dst-port=22  action=accept
add chain=tcp protocol=tcp dst-port=53  action=accept
add chain=tcp protocol=tcp dst-port=123 action=accept
#...
add chain=tcp action=drop comment="deny any other tcp"

### Create udp chain and allow only some udp ports, and at end drop all the rest:
add chain=udp protocol=udp dst-port=53  action=accept
add chain=udp protocol=udp dst-port=123 action=accept
#...
add chain=udp action=drop comment="deny any other udp"

### Create icmp chain and allow only needed icmp types:
add chain=icmp protocol=icmp icmp-options=0:0  action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0  action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1  action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4  action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0  action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0  action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
#...
add chain=icmp action=drop comment="deny all other icmp types"

 
mkx
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 10:46 pm

Beware of the fact that rules are executed from top to bottom.

Which means that any rules below
add chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN action=drop # drop all from WAN not DNATed
are useless as they very likely won't get hit at all.

And do yourself a favour: don't make such a fuss about ICMP ... your router won't get any more secure if it blocks most ICMP messages ... instead you may break random connections because vital ICMP messages won't reach internal clients (e.g. PMTUD won't work).

Actually I suggest you start off with the default firewall posted by @zacharias and only add what you need and rules you understand. Meanwhile steer away from random tutorials found on the internet; mostly they are either obsolete or plain wrong.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 10:56 pm

Beware of the fact that rules are executed from top to bottom.
Which means that any rules below
add chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN action=drop # drop all from WAN not DNATed
are useless as they very likely won't get hit at all.
Hmm. it looked fine to me. I'll recheck it. Thx.
And do yourself a favour: don't make such a fuss about ICMP ... your router won't get any more secure if it blocks most ICMP messages ... instead you may break random connections because vital ICMP messages won't reach internal clients (e.g. PMTUD won't work).
That I got from this MT wiki page: https://wiki.mikrotik.com/wiki/Manual:I ... c_examples
But I tend to agree with your observation.
Actually I suggest you start off with the default firewall posted by @zacharias and only add what you need and rules you understand. Meanwhile steer away from random tutorials found on the internet; mostly they are either obsolete or plain wrong.
Oh, come on, I have done nothing else here: this is my own hard-worked, whole-day creation attempt of today :-) I consulted only the MT documentation web pages, incl. the MT wiki pages.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 11:06 pm

Regarding ARP: this cannot be managed by iptables as it is layer 2, whereas iptables deals (mostly) with TCP/IP at layer 3 and higher layers.
For ARP usually the tool arptables (and similar ones) is used. Dunno whether that is possible on this MT device, but it's not that important ATM, I hope :-)
S.a. https://security.stackexchange.com/ques ... p-requests
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 11:21 pm

Ok, I slightly extended and changed the initial version. Below is the new version which I'm now going to test on the device.

I used these MT sources plus Zacharias and mozerd's replies here in this thread:
https://wiki.mikrotik.com/wiki/Manual:I ... c_examples
https://wiki.mikrotik.com/wiki/Manual:S ... r#Firewall
https://wiki.mikrotik.com/wiki/Manual:C ... r#Firewall

### My firewall script v0.2a (draft/experimental; not tested yet):

/ip firewall filter
add chain=input  connection-state=established,related action=fasttrack-connection       
add chain=input  connection-state=established,related,untracked action=accept
add chain=input  connection-state=invalid action=drop
add chain=input  protocol=icmp action=accept  # check and s.a. below     
#add chain=input dst-address=127.0.0.1    action=accept  # CAPsMAN
#add chain=input in-interface-list=!LAN   action=drop    # drop all not coming from LAN

#add chain=forward ipsec-policy=in,ipsec  action=accept
#add chain=forward ipsec-policy=out,ipsec action=accept
add chain=forward  connection-state=established,related action=fasttrack-connection
add chain=forward  connection-state=established,related,untracked action=accept
add chain=forward  connection-state=invalid action=drop
add chain=forward  connection-nat-state=!dstnat connection-state=new in-interface-list=WAN action=drop  # drop all from WAN not DNATed
add chain=forward  src-address-list=bogon_IPs action=drop    # drop invalid src IPs 
add chain=forward  dst-address-list=bogon_IPs action=drop    # drop invalid dst IPs 

### Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
#...
add chain=forward action=drop comment="deny all other"    # CHECK: what about ARP etc.?

### Create tcp chain and allow only some tcp ports, and at end drop all the rest:
add chain=tcp protocol=tcp dst-port=80  action=accept
add chain=tcp protocol=tcp dst-port=443 action=accept
add chain=tcp protocol=tcp dst-port=22  action=accept
add chain=tcp protocol=tcp dst-port=53  action=accept
add chain=tcp protocol=tcp dst-port=123 action=accept
#...
add chain=tcp action=drop comment="deny all other"

### Create udp chain and allow only some udp ports, and at end drop all the rest:
add chain=udp protocol=udp dst-port=53  action=accept
add chain=udp protocol=udp dst-port=123 action=accept
#...
add chain=udp action=drop comment="deny all other"

### Create icmp chain and allow only needed icmp types:
add chain=icmp protocol=icmp action=accept    # TEST: FOR NOW SIMPLY ACCEPT ALL ICMP TYPES
#add chain=icmp protocol=icmp icmp-options=0:0  action=accept comment="echo reply"
#add chain=icmp protocol=icmp icmp-options=3:0  action=accept comment="net unreachable"
#add chain=icmp protocol=icmp icmp-options=3:1  action=accept comment="host unreachable"
#add chain=icmp protocol=icmp icmp-options=3:4  action=accept comment="host unreachable fragmentation required"
#add chain=icmp protocol=icmp icmp-options=4:0  action=accept comment="allow source quench"
#add chain=icmp protocol=icmp icmp-options=8:0  action=accept comment="allow echo request"
#add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
#add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
#...
add chain=icmp action=drop comment="deny all other"


### address-list bogon_IPs:
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=bogon_IPs
add address=172.16.0.0/12 comment=RFC6890 list=bogon_IPs
add address=192.168.0.0/16 comment=RFC6890 list=bogon_IPs
add address=10.0.0.0/8 comment=RFC6890 list=bogon_IPs
add address=169.254.0.0/16 comment=RFC6890 list=bogon_IPs
add address=127.0.0.0/8 comment=RFC6890 list=bogon_IPs
add address=224.0.0.0/4 comment=Multicast list=bogon_IPs
add address=198.18.0.0/15 comment=RFC6890 list=bogon_IPs
add address=192.0.0.0/24 comment=RFC6890 list=bogon_IPs
add address=192.0.2.0/24 comment=RFC6890 list=bogon_IPs
add address=198.51.100.0/24 comment=RFC6890 list=bogon_IPs
add address=203.0.113.0/24 comment=RFC6890 list=bogon_IPs
add address=100.64.0.0/10 comment=RFC6890 list=bogon_IPs
add address=240.0.0.0/4 comment=RFC6890 list=bogon_IPs
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=bogon_IPs
Last edited by mutluit on Mon Apr 27, 2020 11:55 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 11:35 pm

Your chain=input is not complete ... some vital rules are commented out, but you didn't replace them with your own like you did for chain=forward. Which means that a router with such a firewall is an easy target for an attacker.

You did not show it in the posted fragment, so it's not possible to guess if it's really missing ... make sure that the /interface list member config is kept up-to-date with actual interface usage ... some firewall filter rules rely on that.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 11:41 pm

Your chain=input is not complete ... some vital rules are commented out, but you didn't replace them with your own like you did for chain=forward. Which means that a router with such a firewall is an easy target for an attacker.
Thx for the warning; I'll check. In case you mean the commented-out line with "LAN": connections from WAN to LAN (via portforwarding) shall be allowed, and no SNAT shall be applied as we need the original public IP of the remote side in our logs.
You did not show it in the posted fragment, so it's not possible to guess if it's really missing ...
Hmm. I posted it completely, not just a fragment. Can you check the latest version (v0.2a)?
make sure that the /interface list member config is kept up-to-date with actual interface usage ... some firewall filter rules rely on that.
Do you mean this list? Yes, "WAN" and "LAN" are referenced in the script:
[xxxxx@MikroTik] > /interface list member print
Columns: LIST, INTERFACE
# LIS INTERFACE
0 WAN ether1
1 LAN ether2
2 LAN ether3
3 LAN ether4
4 LAN ether5
5 LAN ether6
6 LAN ether7
7 LAN ether8
8 LAN ether9
9 LAN ether10
10 LAN ether11
11 LAN ether12
12 LAN ether13
13 LAN ether14
14 LAN ether15
15 LAN ether16
16 LAN ether17
17 LAN ether18
18 LAN ether19
19 LAN ether20
20 LAN ether21
21 LAN ether22
22 LAN ether23
23 LAN ether24
24 LAN sfp-sfpplus1
25 LAN sfp-sfpplus2
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Mon Apr 27, 2020 11:58 pm

Now I have to figure out how scripts are created or installed in RouterOS... :-)
I think I read in some other thread or the MT doc pages somewhere that it has its own script editor or something like that.
No problem, I can search it in the MT doc pages.

Found: https://wiki.mikrotik.com/wiki/Manual:S ... g#Comments
Hmm. it says "Whitespace or any other symbols are not allowed before hash symbol" (comment char #) --> need to modify my posted script accordingly... :-(
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 12:05 am

Mikrotik's default firewall uses Lists, to make things easier... Also, using Lists is good practice because the fewer firewall rules, the better performance we have, and it is easier to "read" as well...
So, list LAN consists of your Local Networks, your Bridge or Bridges in simple words...
The WAN list consists of your WAN (Internet) interfaces, it can be eth1..ethX ports, PPPoE Client or whatever...

As for the ARP Protocol, yes indeed it is a Layer 2 protocol, but is used to assist Layer 3 Services...
A switch for example (L2 Device) does not need the ARP Protocol... A switch has a MAC-Port Table and that's it...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 5:51 am

Ok, now tested, and it works:
[screenshot attached to the original post; not available here]
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 1:23 pm

No one can test your rules through a picture since not all parameters are visible...
But I did stop at the very first rule anyways; where did you find a fasttrack rule on the Input Chain ? :-?
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 3:15 pm

No one can test your rules through a picture since not all parameters are visible...
But I did stop at the very first rule anyways; where did you find a fasttrack rule on the Input Chain ? :-?
This is just the beginning, not the end :-)
I'll post an updated script later today.
Regarding fasttrack in the input chain: just imagination based on logic; I'm not 100% sure yet whether fasttrack is possible in input and output too, but I simply was thinking: hey, this performance step makes very much sense, so, why not? :-)

I think these IMO important additional steps are missing, which other people probably would just say are alternative/optional only:
1) filtering chain input, and explicitly drop'ping at end
2) filtering chain output, and explicitly drop'ping at end
much like how the forward chain is handled (ie. with an explicit drop at end).

I'm sure, with these additions this will become a top firewall solution!
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 3:21 pm

This is just the beginning, not the end :-)
Exactly, I did not go any further, I stopped when I saw that rule...
No it does not make sense...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 3:40 pm

This is just the beginning, not the end :-)
Exactly, I did not go any further; I stopped when I saw that rule...
No, it does not make sense...
Can you substantiate your argument with possibly some facts?

In my OP I stated this:
"... my requirements for all traffic (WAN-to-LAN, LAN-to-ANY) are different (much more stringent):
by default block everything, explicitly define each protocol/port that shall be allowed/opened."

I.e. this is possibly a diametrically opposed method to what most people do. But to each his own; I've my own experience and view on these things and so my own practical requirements regarding network security.
Last edited by mutluit on Tue Apr 28, 2020 3:54 pm, edited 1 time in total.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 3:54 pm

viewtopic.php?t=123251#p606537
FastTrack works only for forwarded traffic over the router, so there is no point adding fasttrack-connection in input chain.

Of course you have your experience, but that does not change the way things work... :D
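As an added example (not a script from the original thread, from MikroTik, or from either poster) here is what a default-deny skeleton for the table in the opening post looks like once fasttrack is placed only where it applies, in the forward chain. It assumes the LAN of 192.168.0.0/17 from the opening post, reads the "192.168.11.x" source as 192.168.11.0/24 (an assumption), uses 1.2.3.4 as the mail server address given there, and adds a hypothetical management rule (SSH/Winbox from the LAN to the device itself) so the input chain is not locked out after its final drop.

```routeros
# Added example, not the thread's own script. LAN = 192.168.0.0/17 (from the OP).
/ip firewall filter

# ---- input chain: traffic addressed to the router itself, default deny ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="input: accept replies to connections the router initiated"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=accept protocol=icmp comment="input: allow ICMP for diagnostics"
add chain=input action=accept src-address=192.168.0.0/17 protocol=tcp dst-port=22,8291 \
    comment="input: management (SSH, Winbox) from LAN only - hypothetical rule, adjust ports"
add chain=input action=drop comment="input: explicit default deny"

# ---- forward chain: traffic passing through, default deny ----
# fasttrack-connection is only meaningful here (forwarded traffic), never in input/output.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="forward: fasttrack established/related (bypasses later rules for these packets)"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="forward: accept established/related"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept src-address=192.168.0.0/17 protocol=tcp dst-port=80,443,22 \
    comment="LAN -> any: http, https, ssh"
add chain=forward action=accept src-address=192.168.0.0/17 dst-address=1.2.3.4 \
    protocol=tcp dst-port=465,995 comment="LAN -> mail server: smtps, pop3s"
add chain=forward action=accept src-address=192.168.0.0/17 dst-address=192.168.10.1 \
    protocol=udp dst-port=53 comment="LAN -> DNS (udp)"
add chain=forward action=accept src-address=192.168.0.0/17 dst-address=192.168.10.1 \
    protocol=tcp dst-port=53 comment="LAN -> DNS (tcp)"
add chain=forward action=accept src-address=192.168.11.0/24 dst-address=192.168.10.1 \
    protocol=tcp dst-port=1234 comment="blafoo (192.168.11.x read as /24 - assumption)"
add chain=forward action=drop comment="forward: explicit default deny"

# ---- output chain: traffic the router itself originates, default deny ----
# Keep whatever the router needs (DNS, NTP, package updates) or its own services break.
add chain=output action=accept connection-state=established,related,untracked \
    comment="output: accept established/related"
add chain=output action=accept protocol=udp dst-port=53,123 \
    comment="output: router's own DNS and NTP queries - extend as needed"
add chain=output action=drop comment="output: explicit default deny"
```

Two checks worth doing after loading this. First, `/ip firewall filter print stats` shows per-rule packet counters, so a rule whose counter never moves is either shadowed by an earlier rule or not matching what you expect; a climbing counter on the final drop of a chain tells you what the default deny is actually eating. Second, on a CRS326 running in bridge mode, frames switched between bridge ports do not pass through `/ip firewall` at all unless `/interface bridge settings set use-ip-firewall=yes` is enabled, so without that setting the forward rules above only see routed traffic.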
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 4:01 pm

viewtopic.php?t=123251#p606537
FastTrack works only for forwarded traffic over the router, so there is no point adding fasttrack-connection in input chain.

Of course you have your experience, but that does not change the way things work... :D
My experience with iptables in general I meant, not MikroTik's solution on top of iptables.
I'll remove fasttrack from the input chain when I see a verification in an official MT document. Any other link?
Last edited by mutluit on Tue Apr 28, 2020 4:03 pm, edited 1 time in total.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 4:02 pm

I'll remove fasttrack from the input chain when I see a verification in an official MT document.
Did you click the link I posted? That answer is from a MikroTik Support member...
But sure, you know...
 
mozerd
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 4:09 pm

by default block everything, explicitly define each protocol/port that shall be allowed/opened."

Ie. this is possibly a diametrically opposed method to what most people do. But to each his own, I've my own experience and view on these things and so my own practical requirements regarding network security.
Yes your approach is exactly correct .... :-)
BTW @Zacharias is correct that when @mrz makes comments .... it's official :-)
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 4:12 pm

I'll remove fasttrack from the input chain when I see a verification in an official MT document.
Did you click the link I posted? That answer is from a MikroTik Support member...
But sure, you know...
Support people sometimes err too, unfortunately, very much like any of us humans :-)

Logic says that there is nothing against having fasttrack available in all 3 MT chains: input, output, forward.
On some routers/switches/NAS systems users can also install their own server application(s), then it surely would make much sense to use fasttrack also in such situations (ie. for the input and output chains as well).

And, hey, it is said that RouterOS can also be licenced to be used even on a PC, i.e. on own hardware. At least for such use-cases it makes very much sense, so logically RouterOS should have fasttrack built-in also for the input and output chains. If not yet, then this should be put onto the TODO list at MT :-) [aka Feature Request].
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Configuring the Firewall in RouterOS

Tue Apr 28, 2020 4:28 pm

by default block everything, explicitly define each protocol/port that shall be allowed/opened."

Ie. this is possibly a diametrically opposed method to what most people do. But to each his own, I've my own experience and view on these things and so my own practical requirements regarding network security.
Yes your approach is exactly correct .... :-)

BTW @Zacharias is correct that when @mrz makes comments .... it's official :-)
In that case I'll make a Feature Request to get fasttrack added also into the input and output chains :-)
