Hi, posting my first question here (from Malaysia), after starting my Mikrotik journey with a hAP^ac2. I have read through a lot of the wiki and created my first firewall config and would love some simple and quick feedback on whether they are ordered correctly, and whether I can optimise further. My goal is to be secure, reduce number of services running and maximise the router settings for my fast Internet speed (Malaysia "TM-Unifi" 800MBit/s DOWN | 200MBit/s UP).

I prioritize video calling (skype, google meet, facetime) and web browsing. Currently only running IPv4. I am unsure about my ICMP rules and the order but please read the below as if I don't know what I am doing and I will do my best to improve!

Thanks in advance!

So far I have:

• disabled wifi

• disabled telnet,ftp,web,api-api-ssl

• disabled some mac-telnet services

• disabled bandwidth server

• removed admin user and created another full access user

• created and self-signed a certificate which is trusted on one device for web-ssl login

• enabled strong ssh crypto, switched SSH port and uploaded SSH key for my main user

• configured the NTP Client to fetch time from cloudflare time

Here's my simple network setup – currently without server:
Broadband Fiber Modem > Router: hAP^ac2 (192.168.0.1) > Switch: TP-Link SG1008PE > Access points: 3x HP Aruba IAP-225 (wifi 5 AC) > going to a handful of laptops and smartphones (range: 192.168.0.0/24).

Here are my firewall rules:
ip firewall export
# may/10/2020 12:35:33 by RouterOS 6.46.6
# software id = W18H-RWL8
#
# model = RBD52G-5HacD2HnD
# serial number = B4A10B676823
/ip firewall address-list
add address=192.168.0.0/24 comment="whitelist (support) internal IP range for local LAN devices" list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" list=bogons
add address=100.64.0.0/10 comment="Carrier-grade NAT [RFC 1812]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private [RFC 1918] - CLASS B" list=bogons
add address=192.0.0.0/24 comment="IETF protocol assignments" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=192.168.128.0/17 comment="Upper Half of Private [RFC 1918] - CLASS C" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/3 comment="MC, Class D, IANA" list=bogons
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to Syn_Flooder list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall mangle
add action=set-priority chain=postrouting comment="Set DSCP to interface priority for WMM" disabled=yes new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=Unifi
add action=dst-nat chain=dstnat dst-port=8080 in-interface=Unifi protocol=tcp to-addresses=192.168.0.100 to-ports=8080

Your firewall rules IMHO are a bloated mess. The results are common in that you have duplicates especially in the input chain.
Keep it simple is best.

Here is what I would do differently.........
/ip firewall address-list
add address=192.168.0.22 comment="admin desktop" list=support source
add address=192.168.0.23 comment="admin laptop" list=support source
Note: Only the admin should access the router not the entire LAN!! Above are just examples of PCs with fixed static IPs that I would add to an admin access list!
Note: Bogons removed, dont see any significant gain/value in listing them

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN source-address-list=support source
add action=accept chain=input in-interface-list=LAN comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input in-interface-list=lan comment="Accept DNS - TCP" port=53 protocol=tcp
Note: The only lan requirements are to access specific services provided by the router normally just DNS.

add action=drop chain=input comment="Drop All Else"
Note: Last rule removes need for drop al !LAN and anything else not already stated above as allowed.

add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment= "internet access"
add action=drop chain=forward comment="Drop all else"
Note: Drop all rule drops all forward traffic not allowed above ( just needed slight adjustment on port forwarding rule which reads clearer anyways)

/ip firewall mangle
add action=set-priority chain=postrouting comment="Set DSCP to interface priority for WMM" disabled=yes new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=Unifi
add action=dst-nat chain=dstnat dst-port=8080 in-interface=Unifi protocol=tcp to-addresses=192.168.0.100
note: to port not required if same as destination port (implied)

I really appreciate your reply, thanks a lot for spending the time! I assume that the list you provided is the full list of all rules, NAT, Mangle and Address Lists, meaning I should remove everything I have in my settings and replace them with yours? Obviously I will change the admin IP addresses as you mentioned in your notes, but apart from that I can start from a clean slate (delete all) and run your commands? So all ICMP and BOGON stuff is not needed for general use?

That is correct, for general use, a clean simple slate gets the job done.
Where one needs to add complexity is in things like
VPNs.
MultiWans
Load balancing/queues
VLANs
etc...........

As was explained to me, much of the rules you had wont do much (attacks etc,) because they are so significant and that if not handled by the ISP, one little router at home aint going to save the day,
Ensure that people are not abusing your internet with porn, and other activies and then all one need worry about is phishing errors, clicking or opening the wrong links,,,,, etc........
THis assumes each pc is running a decent antivirus type program.
What I do is segment my network by vlans. So the wife works from home so her PC is on its own vlan to the internet. Another person plays poker so that is vlanned off the family network etc.....
All smart devices are on own vlan. and so forth.

One other addition. Keep all the rules in a particular chain together rather than mixing input, forward, output, whatever else you might add later. It does not make any difference to the router, but it makes it FAR easier for us human beings to read.

One other addition. Keep all the rules in a particular chain together rather than mixing input, forward, output, whatever else you might add later. It does not make any difference to the router, but it makes it FAR easier for us human beings to read.

and troubleshoot! I would add that its more than just being able to read it Since the order within a chain IS IMPORTANT, mixing them creates a headache.

Thanks both for comments and recommendations. Of course I made the perfect noob mistake of deleting firewall rules in the wrong order, so I locked myself out from the router – the DropAll rule stopped me from getting in After a successful reset and restore of saved settings (phew, lucky I saved a backup file) I'm now back online. I guess everyone goes through this when starting out!

I had some issues with anav's rules (some of the recommended lines ended with 'source' and some spelling errors I needed to correct), but apart from that I managed to get all rules into place! Here is my new export command – a lot cleaner than when I started out. Let me know if the below is what you both were expecting, and again thanks for your support!

Hi henisk........ yes I dont always type exactly the write syntax and I ASSuME the reader knows the correct syntax and my apologies for that.
I also should have warned you about drop all else rules being installed LAST, and to use the SAFE MODE button at the top left of WINBOX, its a life saver literally.

You have a great simple efficient firewall setup. Something to build upon or play with (as the core is solid). Whenever you come back for assitance as you move along and try more complicated setups it will be much easier because your firewall is clearly laid out without any fluff.
The only comment is the too ports in the dstnat rule is implied if left out (if the same as your dst=port. The reason to add to-ports is if you are doing port translation.

@anav (or others) is there a way to run profiling on firewall rules to see how much of a burden it is on the HW? For example, the. original question from the OP it looks like a lot of rules to continuously process. But how do you quality if you have gone over the board?

Well if you look at the test results on any router page, there is a significant difference in throughput when you start adding filter rules and other things.
Thus in general I think its more efficient not to go overboard and stick to essential.
If one is running into issues where firewall rules may help then its easier to add to a clean setup then add more to a bloated mess.