I'm attempting to move to CHR from pfSense/OPNsense but I'm having a hard time dealing with firewall rules.
In pfSense filtering is only done on the inbound direction of each interface. While filtering can be done on the outbound too, it's rarely used, mostly by traffic shaping or a package that can do automatic upkeep of its rules, like pfBlockerNG, an IP-reputation/[ASN/DNS]-filtering and DNS integration thing.
I know what I need filtered where and from; I thought that was going to be enough to translate the rulesets over to CHR, but here there's a lot more concepts, like having to think about CPU usage in order to decide what type of filtering to use. (!) There's none of that on pfSense, and it's also a full-blown IPS/IDS analyzing over a dozen interfaces, a caching proxy and a reverse proxy, and it barely uses CPU on a 3- or 4-core VM. To be honest I don't think it's going to be an issue on CHR either, since most of the load is consumed by the IPS/IDS, which I don't think CHR has; plus, CHR seems MUCH more efficient than pfSense, memory and disk usage are tiny compared to pfSense.
I really want to make it work, so I'll try to take it slow, relying on pfSense for what I still don't know how to accomplish in CHR, or use pfSense to firewall and have CHR be only a plain, unfiltered router. Either way, I guess the first thing I'd like to know is: (1) can I ignore the forward, output, pre/postrouting, mangle and whatnot and keep it simple, only filtering on the inbou…input, or is the other stuff really necessary?
Also, I've been reading the wikis https://wiki.mikrotik.com/wiki/Manual:IP/Firewall and https://help.mikrotik.com/docs/display/ROS/Firewall as well as exploring Winbox, trying to wrap my head around this, and I keep noticing, or rather not noticing, any indication of attention to rule order other than the rules just being unceremoniously numbered in Winbox and when using print on the terminal. Rule order is extremely important in the platform I'm coming from, as the first rule that matches the traffic will be the one and only rule that will be applied to it -- if none applies then it's blocked by default. (2) Is rule order important in RouterOS/Cloud Hosted Router?
I hope you can clear this up for me. I'm really looking forward to the feature set of CHR; the supported interface types alone are very impressive, but y'know… filtering is still paramount, and it sort of invalidates the point of licensing it if I have to resort to another firewall out of sheer ignorance/stupidity. :/
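A minimal RouterOS ruleset as an added example (not the poster's configuration) illustrating the two questions above: each chain is read top to bottom and the first matching accept/drop decides, and because a RouterOS chain with no matching rule accepts by default rather than blocking, every chain here ends with an explicit drop. The `input` chain only sees traffic addressed to the router itself, so traffic routed between interfaces has to be filtered in `forward`; it assumes ether1 is the WAN and ether2 the LAN, both placeholder names.

```routeros
# Added example, not from the post. Interface names are placeholders.
/ip firewall filter
# --- input chain: packets whose destination is the router itself ---
# Order matters: the first rule that matches a packet ends evaluation.
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to sessions the router already allowed"
add chain=input action=drop connection-state=invalid \
    comment="drop packets that fit no tracked connection"
add chain=input action=accept in-interface=ether2 \
    comment="LAN may manage the router (Winbox, SSH, DNS)"
add chain=input action=drop \
    comment="catch-all: emulate pfSense's default block"

# --- forward chain: packets routed through the router (LAN <-> WAN) ---
add chain=forward action=accept connection-state=established,related,untracked \
    comment="return traffic for connections already permitted below"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether2 out-interface=ether1 \
    comment="LAN hosts may initiate outbound connections"
add chain=forward action=drop \
    comment="catch-all: no unsolicited inbound from WAN to LAN"
```

`/ip firewall filter print` lists the rules in evaluation order; moving a rule with `move` changes which rule wins for a given packet, exactly as reordering does in pfSense.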