EmEmz
just joined
Topic Author
Posts: 13
Joined: Thu May 07, 2020 8:55 am

Default Configuration

Tue Apr 06, 2021 3:19 pm

Hello,

Is it good/recommended to remove the default configuration, or is it better to keep it?
Also, I can see the default configuration has some basic firewall rules like passthrough, fasttrack, drop invalid, etc. Can I keep them?

Best,
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Default Configuration

Tue Apr 06, 2021 3:53 pm

Default config is simple IP+DHCP; you can easily reconfigure those from Quick Set.
If the WAN interface of your network is connected to the internet directly, then definitely keep the default firewall rules, and if you disable those then the FASTTRACK connectivity won't work (FASTTRACK traffic will not pass through the firewall: lower CPU usage).

I encourage you not to disable any firewall rules.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default Configuration

Tue Apr 06, 2021 4:38 pm

As @own3r1138 noticed: default settings are quite good and it's advisable to keep them. It's much better than most of what you can find on the internet.
If you need some other functionality (e.g. some ports forwarded), then add needed rules, no need to remove anything. Study defaults, understand them before you change anything. If you have some questions (how, why, ...), come back and ask them here, we'll try to explain things to you.
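The "add needed rules, no need to remove anything" advice above, as an added example that is not part of the thread: forwarding TCP 443 from the WAN to an internal host while leaving the default firewall filter untouched. The interface list name WAN is the one the default configuration creates; the internal address 192.168.88.10 is an assumption for illustration.

```routeros
# Added example (not from the thread). Assumes the stock default configuration:
# interface list "WAN" exists and the "defconf" filter rules are still in place.
# 192.168.88.10 is an assumed internal server address.
/ip firewall nat
add action=dst-nat chain=dstnat comment="forward HTTPS to internal server" \
    protocol=tcp dst-port=443 in-interface-list=WAN \
    to-addresses=192.168.88.10 to-ports=443

# Nothing is added to /ip firewall filter. The default forward rule
#   add action=drop chain=forward connection-nat-state=!dstnat \
#       connection-state=new in-interface-list=WAN
# only drops NEW connections from the WAN that were NOT dst-natted, so the
# connection created by the rule above is admitted by the existing ruleset.
# Every other unsolicited WAN connection still hits that drop rule.
```

Using in-interface-list=WAN instead of a fixed dst-address keeps the rule working when the WAN address is assigned by DHCP, which is what the default configuration expects. To confirm the forward chain is admitting the flow, watch the packet counters with `/ip firewall filter print stats where chain=forward`.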
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default Configuration

Tue Apr 06, 2021 6:01 pm

What is important to understand is that the default firewall rules let you work out of the box safely.
The input chain rules are for traffic to and from the router from LAN or Internet (think changing router configuration or accessing router services (DNS, NTP, IPsec, etc.)).
The forward chain is pretty much anything across the router (to and fro internet from LANS, LAN to LAN etc...).

The default rules work on the premise of dropping a whole bunch of potentially unsafe traffic and then letting everything else flow. This means that the rules basically allow everything you have not specifically disallowed. To do this they have one funky rule in the input chain and one funky rule in the forward chain. These rules can be confusing and basically perform duplicate functions within a single rule.
However, with minimal changes one can change the rule method to one of: block everything and only allow what I specifically state. This is much easier for the admin to articulate, as I know what traffic I want but I have no idea of the types of traffic I want to block, so a blanket block simply works!

In the forward chain this rule is
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Which basically states: drop all coming from the WAN (headed to the LAN) except for any traffic that is intended for port forwarding, and everything else, whatever it may be, is allowed!
So this is a great broad-brush rule to stop traffic coming in from the WAN, but for example it does nothing to block any unwanted LAN to LAN traffic at Layer 3, such as VLAN to VLAN or subnet to subnet traffic, so one would have to add additional rules to block such traffic, OR if you didn't want subnet to Internet traffic (LAN to WAN), as that is not blocked either.

I don't like multiple rules within a rule, and rules should be clear. So split the two above into two rules, and then add a third rule for internet access.
add action=accept chain=forward comment="allow port forwarding (disable if not port forwarding)" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow lan to wan traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

In this manner you have one rule that deals specifically with port forwarding to allow it (or not, and disable it) and one rule to allow LAN to WAN traffic.
The last rule blocks all other traffic, whether you know what that traffic may look like or not; for example, it blocks all WAN to LAN traffic and all LAN subnet to LAN subnet traffic.

As mkx stated, once you start understanding the rules and how they affect traffic flow, you can make changes to allow the traffic you need. You can ignore the good ideas club on YouTube, I would say for at least 2 years LOL. Then you may wish to start trying stuff.
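The conversion described in the post above, as an added example that is not part of the thread: the complete forward chain of a RouterOS home-router default configuration rewritten from "drop what is known bad, allow the rest" to "allow what I state, drop the rest". The rules marked "defconf:" and the interface lists WAN and LAN are what the default configuration creates; the non-defconf comments and the ordering notes are assumptions for illustration. Rule order is the part that matters: the catch-all drop only works safely because the fasttrack and established/related accepts stay above it.

```routeros
# Added example (not from the thread). Assumes the stock default configuration
# created interface lists "WAN" and "LAN" and the "defconf:" rules below.
/ip firewall filter

# 1. Keep the head of the default forward chain unchanged. Return traffic of
#    every already-accepted flow is matched here, so the catch-all at the end
#    only ever sees NEW connections.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

# 2. Replace the single "defconf: drop all from WAN not DSTNATed" rule with
#    one explicit accept per kind of NEW traffic you actually want.
add action=accept chain=forward comment="allow port forwarding (disable if none)" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN

# 3. Everything else is dropped. Unlike the defconf rule this also drops new
#    LAN-to-LAN (VLAN-to-VLAN, subnet-to-subnet) traffic, so any inter-subnet
#    access you rely on needs its own accept rule placed above this line.
add action=drop chain=forward comment="drop all else"
```

Before pasting this over a remote router, enable Safe Mode (Ctrl+X in the terminal) so a mistake in the ordering is rolled back when the session drops. If you use the "defconf: accept in/out ipsec policy" rules that the default configuration also creates, keep them above the final drop as well. `/ip firewall filter print stats where chain=forward` shows which rule each flow is hitting; a rising counter on "drop all else" while something legitimate stops working tells you which accept rule is still missing.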
