/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
script: :global ssid;
#| * WAN port is protected by firewall and enabled DHCP client
#| * Wireless and Ethernet interfaces (except WAN port ether1)
#| are part of LAN bridge
#| wlan1 Configuration:
#| mode: ap-bridge;
#| band: 2ghz-b/g/n;
#| ht-chains: 0,1;
#| ht-extension: 20/40mhz-Ce;
#| LAN Configuration:
#| IP address 192.xxx.xx.x/xx is set on bridge (LAN port)
#| DHCP Server: enabled;
#| WAN (gateway) Configuration:
#| gateway: ether1 ;
#| ip4 firewall: enabled;
#| ip6 firewall: enabled;
#| NAT: enabled;
#| DHCP Client: enabled;
#| DNS: enabled;
:log info Starting_defconf_script_;
It depends on which RouterOS version your current config was originally created by. In case it was something old, you would not have LAN and WAN interface lists.
Isn't the interface list already defined in the firewall?
Short answer, no. Long answer, the "all" and "dynamic" lists get updated automatically, but the rest is up to you.
Doesn't the firewall update itself once you create a new interface?
Thanks for the reply. How do I export only the non-firewall part of my cfg.? Do I have to use the command ip address> export file=address or something else? For the factory reset I can do it in the winbox, right? I don't need to use the button on the routerboard, right?
Either you,
1. Be very careful to understand what parts constitute every component of your firewall from the Default Configuration, then re-apply them to your customized setup, OR
2. Export your config, save the non-firewall parts that you changed from default, then factory reset the router and start over with the default firewall config.
Honestly, almost no home user needs to touch the default firewall on SOHO devices, except to either fully stealth their router if it's Internet-facing (remove ICMP) and/or add a high-level Accept exception for a Management subnet or VLAN, so that you cannot lock yourself out of the router. It is very well designed, simple and more than secure enough to guarantee nothing will get through the router from the WAN side that falls under the control of the firewall.
Most of these custom rules you have been looking at are specialisms to clean up traffic or log unexpected behavior that is to be treated by some other more advanced ways. The few remaining more useful ones are extremely situational. None of the rules improve your security more than what you get from the default configuration. They are just different types of monitors and protections.
Finally, you can really mess up your router configuration, waste a TON of time or expose your network to harm by getting the firewall rules wrong without knowing what you are doing.
Ok, thanks. Then how do I update the interface list? What is the command I should use?
Oh, ok then. My interface list is already updated with the interface (the bridge) I configured. I thought that something else was needed.
To export config, just use "/export file=oldconfig" and you'll get everything. There won't be too much, if you didn't do extensive changes. And it should be clear what parts of it you want to keep.
Reset can be done from System->Reset Configuration.
Interface lists are defined in Interfaces->Interface List.
I already did the firmware reset + upgrade + reset when I got the router, so I guess I'm fine with just the reset from the winbox and the edit of the config file with the notepad.
Before anything else, I just want to clarify your initial post for other new people:
The best additional protections for your new Mikrotik router are simply everything on "Manual:Securing Your Router" page before the "Firewall" section.
Absolutely stop reading past this point: "We strongly suggest to keep default firewall on. Here are few adjustment to make it more secure, make sure to apply the rules, when you understand what are they doing."
Proceed beyond that point only if you are an IT pro at a business or other organisation. Period.
Ok, now that's answered.
As you say, you can export via the Terminal command:
You can reset to the default configuration, without factory resetting, using the Terminal command of "/system reset-configuration" or System -> Reset Configuration.
However, I'm a firm believer in performing firmware reset + firmware upgrade then firmware reset again when you receive a brand new router, for other reasons (to clear your device of any tampering, check the upgrade process, then clear to default configuration). All Mikrotik devices should come with some instructions on a piece of paper in their box for resetting the router - it is very straightforward. If you are missing those instructions, the general instructions are in the Wiki.
If you have not made any changes to the default ports, bridges, wireless, VLANs, portforwarding etc, then you are done and have a nice, clean, shiny up-to-date router to work with.
If you have made the non-firewall changes mentioned above, then you'll have to pick out those commands from the "whatever.rsc" exported file. They are all very clear text commands, so should not be difficult to just copy and paste them into the Terminal (or a new file and then the Terminal, for future documentation). Just ignore anything that says "firewall".
If you have indirectly fiddled with the Firewall, e.g. by port forwarding or making/modifying Firewall Address Lists, but know or have documented what you have done, then you can just start over. Done.
If you have indirectly fiddled with the Firewall AND forgotten what you've done, then for port forwarding, you would need to pick out any "srcnat" and "dstnat" "/ip firewall" commands to re-apply. Similarly, for Firewall Address Lists, you would need to pick out any changes via "/ip firewall address-list add list=something". Re-apply the commands and test them. Done.
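As an added worked example (not from any poster in this thread, and not a MikroTik tool), here is a small Python script that does the sorting described above on an exported .rsc file: everything outside "/ip firewall" and "/ipv6 firewall" is kept, custom "srcnat"/"dstnat" rules and address lists are set aside to re-apply, and anything whose comment starts with "defconf:" is dropped because the reset recreates it. The sample export embedded in the script is constructed for this example; its addresses, the port forward and the identity name are assumptions. It also joins the backslash line continuations that "/export" produces, which is where hand-copying usually goes wrong.

```python
import re

# Constructed sample of a RouterOS "/export" file. It is made up for this
# example; the addresses, ports and identity are assumptions, not real config.
SAMPLE_RSC = r"""# jan/01/2024 00:00:00 by RouterOS 6.49.10
# software id = XXXX-XXXX
#
/interface bridge
add name=bridge
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip firewall address-list
add address=192.168.88.0/24 list=mgmt
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="mgmt: never lock myself out" src-address-list=mgmt
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=2222 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.88.10 to-ports=22
/system identity
set name=home-router
"""

# Rules created by the default configuration carry a comment starting "defconf:".
DEFCONF = re.compile(r'comment="?defconf:')


def parse_export(text):
    """Yield (section, command) pairs, joining lines that end in a '\\' continuation."""
    section = None
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # header and comment lines
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue                      # command continues on the next line
        line = buf + line
        buf = ""
        if line.startswith("/"):
            section = line                # e.g. "/ip firewall filter"
        elif section is not None:
            yield section, line


def split_export(text):
    """Sort exported commands into keep / reapply / review buckets by section."""
    groups = {"keep": {}, "reapply": {}, "review": {}}
    for section, cmd in parse_export(text):
        if not section.startswith(("/ip firewall", "/ipv6 firewall")):
            bucket = "keep"               # ports, bridges, addresses, wireless, ...
        elif DEFCONF.search(cmd):
            bucket = "review"             # reset-configuration recreates these
        elif section.endswith((" nat", " address-list")):
            bucket = "reapply"            # your port forwards and address lists
        else:
            bucket = "review"             # custom filter/raw/mangle rules: start over
        groups[bucket].setdefault(section, []).append(cmd)
    return groups


def render(commands):
    """Turn {section: [cmd, ...]} back into text you can paste into the Terminal."""
    out = []
    for section, cmds in commands.items():
        out.append(section)
        out.extend(cmds)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    g = split_export(SAMPLE_RSC)
    for name in ("keep", "reapply", "review"):
        print(f"### {name}")
        print(render(g[name]))
```

Run it against your own file with "split_export(open('oldconfig.rsc').read())"; paste the "keep" output first, then "reapply", and test each port forward before trusting it. The "review" bucket is exactly the part the advice above says to leave behind.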
Thanks for the tutorial!
Hi Sob, I have some concern about the point I quote from your well-explained reply. If I want to add a VPN connection from some of the VPS servers like NordVPN or others, so I will only use it for traffic out, with the default setup, could they access my local LAN hosts? In this case what would be a good way to allow only outgoing traffic or NAT, set the VPN interface as a WAN one? Could that work? Should I add some rule to block new incoming traffic from the VPN tunnel, or does the default config handle this scenario relatively well?
If you connect to VPN, anything from there will be allowed to access LAN. On the other hand, connecting to VPN is an extra step. If you don't do it, there's only LAN and WAN, nothing else. And it's safe, because if you don't forward any port inside, the router won't let anything pass from WAN to LAN. So again, nothing much to improve for simple setups.
add chain=input comment="Accept all connections from local network" in-interface=LAN
add chain=input comment="Accept all connections from local network" in-interface=GUEST
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=LAN src-address=!192.168.88.0/24