Hello,

I've recently bought a RB4011iGS+ for my home network. I'm using it for my home devices like phones, laptops etc. as well as for my KVM server with 10-20 Linux virtual machines that i create, use and then remove after i'm finished with my excersises, software testing etc. There are servers running on them and may need to be made available on the outside of my network, so i will be forwarding some ports from time to time.
I have not yet divided my network into VLANs.

The attached diagram shows my home network.

I wish to establish a solid, base firewall to use the router's potential, not overload it by useless or too many rules and still make it work the way i'd like to.
After reading information on many websites and trying to understand how the firewall filter works i've been trying to merge that information together in a set of rules that i'd like to show below.

I'd also like to ask for any advice about improving it, make it more effecient, remove rules that exclude one another, eliminate useless rules. Anything that looks suspicious for more experienced users.
I'm exploring it's features and am trying to learn as much as i can. I still make mistakes.

Please ask for whatever i may have missed.

Thank you in advance.

My suggestion: reset firewall filter rules to default rule set, it is a very good starting point (pretty safe and pretty high performance) which you decided to throw away. You don't have to reset whole device, you can see default config by running command /system default-configuration print (make sure terminal window is wide enough to accomodate whole lines or else they will be truncated).

After you reset the firewall to defaults, you only have to make changes in /ip firewall nat zo forward some ports to internal hosts, you don't have to touch filter rules.

And generally stay away from random on-line tutorials. Most of them are either outdated (ROS evolves), incomplete or are plain wrong.

Concur with MKX, lots of extra fluff not required.

Hi,

In that case what is the source of information i should stick to while learning ?

My current configuration came from the default configuration, MUM presentations, Mikrotik wiki and some random online tutorials as this was where i was able to get any information.
This is why i need to polish what i already have. I will also try your suggestion. I appreciate it, thank you.

I agee as well...
Best source for studying is always the wiki and not random tutorials around...

Your selection of knowledge sources is not entirely wrong, just ditch the "random online tutorials".

But it's the order you used which made your config a weird mess. So start off with default config and only change or add things you know you need. And things you understand. Official docs should help you understand how certain settings affect router's behaviour and performance. And whatever knowledge source you're using, make sure it is about up-to-date ROS version. That's true both for MUM presentations (if they're more than 18 months old, they may not apply any more) and posts in this forum.

While I'm talking about thus forum: there are quite a few very friendly, helpful and knowledgeable people around here (a few users are even all of them) and I guess you'll always get good advice if you describe your problem well enough and give the information needed (which includes export of complete settings of device making you problems ... some people hesitate at this point which leaves them with mediocre advices).

Its called tag team assistance approach.
I grab the easy questions and let the others handle the difficult people or difficult cases.
When we are all stuck we call on god Sindy to the rescue.

I also saw some stuff on Udemy. I enrolled for one course, where i got some stuff that were in my rules ( MikroTik RouterOS Hardening LABS ). I'm not saying it's bad. I might have gotten something wrong.

Anyway i reverted to default firewall rules, then the whole router and configured it again. I'll be adding stuff one by one and test. Since some servers are going to be available on the Internet whatever protection the router may be able to give me is welcome.

Awesome, great plan! You can always check in here if you have any questions on server config setup etc.....

If a Server has services available on the Internet without a VPN then there is always a security Risk...

One suggestion would be to use the PSD value on the Firewall, which actually detects TCP and/or UDP Scans...
A nice explanation is here: viewtopic.php?t=108749#p539590

Also make sure you do not open any RDP ports for public use... Even if you change the Public Port does not make any big difference...

Port Knocking is also a well known technique, where actually you first need to reach a Port X that will give you access to a port Y...

You don't have to reset whole device, you can see default config by running command /system default-configuration print (make sure terminal window is wide enough to accomodate whole lines or else they will be truncated).

Sorry for this OT, but I just want to thank you for the tip on how to view the default config for my hap lite. Now I can recreate the default ipv6 firewall rules that are missing from my setup.