Ok thanks,
While I'm at it,
What other important firewall rules should I have on my router?
Block TCP and UDP port=0.
No valid traffic ever uses them, but malicious ones that try to do a DDoS attack do.
Also, and this is more optional... perhaps block echo (and other ICMP) requests to your inner devices from the outside? You can still do that AND still allow yourself to do ping FROM the inside to the outside.
In total, my rules look a little something like:
/ip firewall filter
add action=reject chain=forward icmp-options=8 \
in-interface=!local out-interface=local protocol=icmp reject-with=icmp-host-unreachable
add action=drop chain=forward icmp-options=17 \
in-interface=!local out-interface=local protocol=icmp
add action=drop chain=forward icmp-options=15 \
in-interface=!local out-interface=local protocol=icmp
add action=drop chain=forward port=0 protocol=tcp
add action=drop chain=forward port=0 protocol=udp
With the exception of the last two, you'll again need to duplicate those rules for each public interface, instead of using "!local".
Note: The first rule blocks ping requests, and instead of dropping them, returns "host unreachable", so that to an attacker, it looks the same as if you didn't have a local network... dropping ping requests would alert them something is going on IF they also try various other IPs at your router, only to see some of them go "host unreachable" and others "timeout" due to the drop... Actually, come to think of it... maybe I could just drop them, since I'm blocking ALL ping requests, and not just some... but if you need more fine-grained control, you'll need to use "reject" instead of "drop".
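The post above says the ICMP rules have to be duplicated for every public interface once you stop using "!local". An added example (not the poster's configuration) of the same rule set written with RouterOS interface lists, so one copy of each rule covers every WAN interface and new interfaces only need a list membership. The interface names ether1, pppoe-out1 and local, and the list names WAN and LAN, are assumed for illustration; the port 0 rules in the input chain are an addition to the poster's forward-only rules, protecting the router itself as well as the devices behind it.

```routeros
# Assumed interface names: ether1 and pppoe-out1 are public, local is the LAN bridge.
/interface list
add name=WAN comment="every public-facing interface (constructed example)"
add name=LAN comment="inside interfaces (constructed example)"
/interface list member
add list=WAN interface=ether1
add list=WAN interface=pppoe-out1
add list=LAN interface=local

/ip firewall filter
# Echo requests from any WAN interface toward the LAN: answer "host unreachable"
# (reject) so an outside scanner sees the same result whether or not a host exists.
add chain=forward protocol=icmp icmp-options=8:0 \
    in-interface-list=WAN out-interface-list=LAN \
    action=reject reject-with=icmp-host-unreachable \
    comment="block inbound ping to LAN, uniform reply"
# Address-mask (17) and information (15) requests: legacy probes, silently drop.
add chain=forward protocol=icmp icmp-options=17:0 \
    in-interface-list=WAN out-interface-list=LAN action=drop
add chain=forward protocol=icmp icmp-options=15:0 \
    in-interface-list=WAN out-interface-list=LAN action=drop
# Port 0 is never used by legitimate TCP/UDP traffic; drop it both for
# forwarded traffic and for traffic addressed to the router itself.
add chain=forward protocol=tcp port=0 action=drop comment="tcp port 0"
add chain=forward protocol=udp port=0 action=drop comment="udp port 0"
add chain=input   protocol=tcp port=0 action=drop comment="tcp port 0 to router"
add chain=input   protocol=udp port=0 action=drop comment="udp port 0 to router"
```

Because the ICMP rules only match in-interface-list=WAN, pings originating on the LAN and their echo replies are unaffected, which preserves the "ping from inside, block from outside" behaviour described above. Check placement with /ip firewall filter print: these rules must sit above any later rule that accepts new forwarded connections, otherwise the accept wins.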