Frequent Visitor
Topic Author
Posts: 78
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Need suggestions for WAF features and http traffic rules

Sat Feb 06, 2021 9:08 pm

I need a way to filter / see / block evil bots. I need to set up rules based on user agent, referrer, maybe geoip, etc. Having a reverse proxy / cache server would be a plus. Basically most features that Cloudflare offers.

I think MikroTik's features related to this are limited, no? MikroTik can ban individual IPs manually, it has a reverse proxy / cache server, DNS cache is also nice, but other than that it looks like I need something else for the above needs.

Can someone recommend a setup for this? I think what I need is a WAF like pfSense, OPNsense, Sophos. But is it possible to just have one of these and also do MikroTik's job?

I was thinking to create a fast desktop PC with more eth ports and use it instead of Mikrotik too.

Is that a bad idea? Is it more common to just separate these two (MikroTik routing and WAF) so that they each have dedicated resources?

It is harder to learn two different systems, that is also a reason to just build / use one.
// looks like I am not smashing my router after all :) Thanks to Sob, anav, mkx, etc
Forum Guru
Posts: 5417
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need suggestions for WAF features and http traffic rules

Sat Feb 06, 2021 11:26 pm

There's the all-in-one approach, where one box does it all. And there's the "building blocks" approach, where a few specialized boxes are used, each doing part of the job. Each approach has its pros and cons. Whatever you choose, if you want the job done properly, you'll have to master the setup. General knowledge is the same for both approaches. Personally, I prefer the building blocks approach over all-in-one.
Forum Guru
Posts: 6157
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need suggestions for WAF features and http traffic rules

Sun Feb 07, 2021 3:54 am

No one gives a shit if you don't have anything of value...
In other words, people go after you if:
a. you have something of value
b. you have crappy security (easy mark).

A default setup of an MT router is fine for 99% of folks.
Why are you so paranoid?

If you are running a business then one spends in an appropriate manner for security.
a. Edge router and then internal routers,
b. anti-spam email boxes
c. Control all users' PCs (unable to add software, have to have updated antivirus)
d. etc.........

If you want to take your basic hex router for example and add some decent protection then just do this for pennies...........
So little time to enjoy life, just set it and go do something useful vice fretting for nothing.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
