jwreno
just joined
Topic Author
Posts: 8
Joined: Wed Jan 12, 2022 11:52 am

Firewall advice

Thu Jan 13, 2022 11:20 am

Hello all,

I'm new. I got an RB3011UiAS-RM, my first ever Mikrotik device, to replace my OpenBSD router. I had heard horror stories of how hard it is to set up a Mikrotik device, but it was actually quite simple to set up the ports, IP routes, NAT and failover connections.

But the firewall was hard for me. I am quite comfortable with pf but never used other firewalls much. So I made a lot of novice mistakes not understanding the chains. Also, the rule order is the reverse of how I write pf. I also use a lot of macros in pf, but couldn't see a way to do those in RouterOS.

Rule 5 doesn't seem to work as I intended which is why I added rule 6. A minor issue.

Anyhoo, it seems to be working as intended. I'd appreciate any feedback in case I've missed anything obvious or insecure. Goal is a default deny policy and this is my home network.

Thanks
- Reno

Filter rules:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes
connection-state=established,related log=no log-prefix=""

2 ;;; accept established,related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

3 ;;; To access modem/router
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
dst-address=192.168.2.1 in-interface-list=LAN dst-port=80 log=yes
log-prefix="modem-access"

4 ;;; Drop connections to rfc6890
chain=forward action=drop dst-address-list=rfc6890 log=no log-prefix=""

5 ;;; Block DNSoHTTPS for LAN
chain=forward action=reject reject-with=icmp-port-unreachable
protocol=tcp src-address=!192.168.88.2 dst-address-list=DNSoHTTPS
in-interface-list=LAN dst-port=443 log=no log-prefix=""

6 chain=forward action=drop protocol=tcp src-address=!192.168.88.2
dst-address-list=DNSoHTTPS in-interface-list=LAN dst-port=443 log=no
log-prefix=""

7 X ;;; Accept DSTNATed
chain=forward action=accept connection-state=new
connection-nat-state=dstnat in-interface-list=WAN log=no log-prefix=""

8 ;;; ssh
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=22 log=no log-prefix=""

9 ;;; smtp
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=25 log=no log-prefix=""

10 chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=465 log=no log-prefix=""

11 chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=587 log=no log-prefix=""

12 ;;; http
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=80 log=no log-prefix=""

13 ;;; https
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=443 log=no log-prefix=""

14 ;;; ntp
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=123 log=no log-prefix=""

15 ;;; imaps
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=993 log=no log-prefix=""

16 ;;; apple push
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=2197 log=no log-prefix=""

17 ;;; Whatsapp
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=5222 log=no log-prefix=""

18 ;;; iMessage
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=5223 log=no log-prefix=""

19 ;;; Zoom
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=8801-8802 log=no log-prefix=""

20 chain=forward action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=3478-3479 log=no log-prefix=""

21 chain=forward action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=8801-8810 log=no log-prefix=""

22 ;;; Minecraft
chain=forward action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=25565 log=no log-prefix=""

23 chain=forward action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=19132 log=no log-prefix=""

24 chain=forward action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=25565 log=no log-prefix=""

25 ;;; Quic
chain=forward action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=443 log=no log-prefix=""

26 ;;; Facetime
chain=forward action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=3478-3498 log=no log-prefix=""

27 chain=forward action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=16384-16387 log=no log-prefix=""

28 chain=forward action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=16393-16402 log=no log-prefix=""

29 ;;; wren dns
chain=forward action=accept protocol=udp src-address=192.168.88.2
in-interface-list=LAN out-interface-list=WAN dst-port=53 log=no
log-prefix=""

30 chain=forward action=accept protocol=tcp src-address=192.168.88.2
in-interface-list=LAN out-interface-list=WAN dst-port=53 log=no
log-prefix=""

31 ;;; ; don't forward connections from rfc6890
chain=forward action=drop connection-nat-state=""
src-address-list=rfc6890 log=no log-prefix=""

32 ;;; Drop everything
chain=forward action=drop log=no log-prefix=""

33 ;;; drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

34 ;;; Handy for troubleshooting
chain=input action=accept protocol=icmp src-address=192.168.88.0/24
in-interface-list=LAN log=no log-prefix=""

35 ;;; Don't use CAPsMAN but also dont usually filter lo. Added src in hope>
don't get weird routing glitches
chain=input action=accept src-address=127.0.0.0/8 dst-address=127.0.0.1
log=no log-prefix=""

36 ;;; accept established,related
chain=input action=accept connection-state=established,related log=no
log-prefix=""

37 ;;; winbox
chain=input action=accept protocol=tcp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=8291 log=no log-prefix=""

38 ;;; DNS service
chain=input action=accept protocol=udp src-address=192.168.88.0/24
in-interface-list=LAN dst-port=53 log=no log-prefix=""

39 ;;; default deny
chain=input action=drop log=no log-prefix=""
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Firewall advice

Thu Jan 13, 2022 8:25 pm

Did you color all that by hand? :lol:

As for functionality, it's a bit paranoid for my taste (filtering of outgoing traffic), but otherwise seems ok. Some things could be optimized, for example, instead of repeating src-address=192.168.88.0/24 in-interface-list=LAN in so many rules, you could have one rule with these conditions and jump to another chain, and the individual rules would be in that other chain and you could omit these common conditions. Or you could move this filtering to the raw table, block everything from LAN and not from 192.168.88.0/24, and then you wouldn't need these conditions in filter at all.

I don't see why rule #5 shouldn't work, the conditions are exactly the same as in #6 and reject is as reliable as drop.
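One way to put Sob's two suggestions into practice, written here as an added example and not configuration posted by anyone in the thread. It restates a subset of Reno's forward chain: the raw-table rule discards anything entering on a LAN port that is not sourced from 192.168.88.0/24, and a single jump carries the remaining common conditions into a sub-chain. The chain name lan-out and the address list lan-resolver are assumptions; the rfc6890 and DNSoHTTPS lists are the ones already referenced in Reno's rules. Rule 5 is kept as a reject only, since Sob notes the second drop rule is redundant.

```routeros
# Added example (not from the thread): Reno's LAN egress policy rewritten
# with one jump chain and a raw-table source check, per Sob's advice.
# Assumed names: chain "lan-out", address list "lan-resolver".

# --- raw table: drop LAN-side traffic that does not carry a LAN source ----
# Runs before connection tracking, so neither forward nor input rules need
# to repeat src-address=192.168.88.0/24 in-interface-list=LAN afterwards.
/ip firewall raw
add chain=prerouting in-interface-list=LAN src-address=!192.168.88.0/24 \
    action=drop comment="LAN: only 192.168.88.0/24 may originate traffic"

# --- address list: the closest RouterOS equivalent of a pf macro ----------
/ip firewall address-list
add list=lan-resolver address=192.168.88.2 comment="internal DNS forwarder"

# --- filter, forward chain --------------------------------------------------
/ip firewall filter
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related
# Must stay ahead of the rfc6890 drop: 192.168.2.1 is itself RFC 1918 space.
add chain=forward action=accept protocol=tcp dst-address=192.168.2.1 \
    dst-port=80 in-interface-list=LAN log=yes log-prefix="modem-access" \
    comment="To access modem/router"
add chain=forward action=drop dst-address-list=rfc6890 \
    comment="Drop connections to rfc6890"
# One jump carries the common conditions; only new connections need policy,
# established/related ones were already accepted above.
add chain=forward action=jump jump-target=lan-out in-interface-list=LAN \
    connection-state=new comment="new LAN connections -> lan-out"
add chain=forward action=drop comment="Drop everything"

# --- lan-out: per-service rules without the repeated matches ---------------
# Only the internal resolver may reach DNS-over-HTTPS endpoints or port 53.
add chain=lan-out action=reject reject-with=icmp-port-unreachable \
    protocol=tcp dst-port=443 dst-address-list=DNSoHTTPS \
    src-address-list=!lan-resolver comment="Block DNSoHTTPS for LAN"
add chain=lan-out action=accept protocol=tcp dst-port=53 \
    src-address-list=lan-resolver out-interface-list=WAN comment="resolver dns"
add chain=lan-out action=accept protocol=udp dst-port=53 \
    src-address-list=lan-resolver out-interface-list=WAN
# Several ports or ranges can share one rule instead of one rule per port.
add chain=lan-out action=accept protocol=tcp \
    dst-port=22,25,465,587,80,443,123,993,2197,5222,5223,8801-8802,25565 \
    comment="ssh smtp http https ntp imaps apple-push whatsapp imessage zoom mc"
add chain=lan-out action=accept protocol=udp \
    dst-port=443,3478-3498,8801-8810,16384-16387,16393-16402,19132,25565 \
    comment="quic facetime zoom minecraft"
# No explicit return is needed: falling off the end of lan-out returns to
# forward, where "Drop everything" applies, so the default-deny goal holds.
```

Two things to check after applying this: the raw rule also governs traffic to the router itself, so the input-chain accepts for winbox and the DNS service keep working only because they already match 192.168.88.0/24; and because the jump fires only for connection-state=new, anything a sub-chain rule does not accept falls through to the final drop, which is what the counters on that rule should show while testing.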
 
jwreno
just joined
Topic Author
Posts: 8
Joined: Wed Jan 12, 2022 11:52 am

Re: Firewall advice

Thu Jan 13, 2022 8:37 pm

Did you color all that by hand? :lol:
Goodness, no. A few find & replace rules. (which is probably how I created the missing space between the chain and action. *facepalm*)
Some things could be optimized...you could have one with these conditions and jump to another chain... Or you could move this filtering in raw table, block everything from LAN and not from 192.168.88.0/24, and then you wouldn't these condition in filter at all.
That's actually quite helpful. I will look into doing that.
I don't see why rule #5 shouldn't work, conditions are exactly same as in #6 and reject is as reliable as drop.
I'll rerun my tests, then. Must've made a mistake when I tested it. Thanks for the advice. :)

-Reno
