Keep it simple.....
Start with this,
/ip firewall filter
{Input Chain}
(good default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(Admin Rules)
add action=accept chain=input in-interface-list=LAN src-address-list=Admin comment="Admin to Config Router" ***
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="DNS services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="DNS services"
add action=drop chain=input comment="drop all else"
{forward chain}
(Default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec { not required if not doing ipsec }
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec { not required if not doing ipsec }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(Admin Rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat comment="port forwarding" { not required if not doing port forwarding }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
*** NOTE: Admin is a firewall address list; for example:
add address=IP_Desktop list=Admin
add address=IP_Laptop-wired list=Admin
add address=IP_Ipad/Iphone-wired list=Admin
add address=IP_Wireguard-laptop-remote list=Admin
add address=IP_Wireguard-ipad/iphone-remote list=Admin
If you have additional accept traffic requirements then put them under the user rules, before the drop rule.
Ex. Router is acting as wireguard server for initial handshake.
add action=accept chain=input dst-port=wireguard_listening_port protocol=udp
Ex. You have three vlans all separated, but a shared printer on one of the vlans......
add action=accept chain=forward in-interface-list=LAN dst-address=IP_Printer
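As an added example (not part of the original post and not MikroTik code), the following Python script parses RouterOS `add ...` rule lines in export syntax and audits the input and forward chains for the structure the post relies on: established/related accepted and invalid dropped before any service rule, the fasttrack rule placed ahead of the established accept so it can fire, accepts keyed on a source address list also bound to an interface list, and a bare `drop` closing each chain with nothing unreachable after it. The embedded input is the post's rule set with the inline notes removed; the rule names and findings text are this example's own.

```python
"""Audit a RouterOS `/ip firewall filter` rule list for default-deny structure.

Added example, not MikroTik's code.  Assumes rules are given in RouterOS export
syntax (`add key=value key="quoted value" ...`) and that only the `input` and
`forward` chains are of interest.
"""
import shlex
from typing import Dict, List, Optional

Rule = Dict[str, str]

# Input for the example: the rule set from the post, inline notes stripped.
POSTED_RULES = """
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN src-address-list=Admin comment="Admin to Config Router"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="DNS services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="DNS services"
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat comment="port forwarding"
add action=drop chain=forward comment="drop all else"
"""

# Keys that describe the rule rather than match packets.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_rules(text: str) -> List[Rule]:
    """Turn each `add k=v ...` line into a dict; blank and non-add lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule: Rule = {}
        for token in shlex.split(line[4:]):  # shlex strips the "..." around comments
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def matchers(rule: Rule) -> set:
    return set(rule) - NON_MATCHERS


def is_catch_all(rule: Rule) -> bool:
    """A rule with no matchers at all matches every packet reaching it."""
    return not matchers(rule)


def is_prelude(rule: Rule) -> bool:
    """Connection-tracking / IPsec-policy rules that belong at the top of a chain."""
    return not is_catch_all(rule) and matchers(rule) <= {"connection-state", "ipsec-policy"}


def first_index(rules: List[Rule], pred) -> Optional[int]:
    return next((i for i, r in enumerate(rules) if pred(r)), None)


def audit(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means the chains have the expected shape."""
    findings: List[str] = []
    for chain in ("input", "forward"):
        cr = [r for r in rules if r.get("chain") == chain and r.get("disabled") != "yes"]
        if not cr:
            findings.append(f"{chain}: chain has no rules")
            continue
        # Default deny: the final rule must be a matcher-less drop.
        last = cr[-1]
        if not (last.get("action") == "drop" and is_catch_all(last)):
            findings.append(f"{chain}: last rule is not a catch-all drop")
        # Anything after a catch-all rule can never match.
        dead = first_index(cr[:-1], is_catch_all)
        if dead is not None:
            findings.append(f"{chain}: rule {dead} is a catch-all {cr[dead].get('action')}; later rules are unreachable")
        # State handling must precede the first service-specific rule.
        first_service = first_index(cr, lambda r: not is_prelude(r) and not is_catch_all(r))
        first_service = len(cr) if first_service is None else first_service
        invalid = first_index(cr, lambda r: r.get("action") == "drop" and r.get("connection-state") == "invalid")
        if invalid is None:
            findings.append(f"{chain}: no 'drop invalid' rule")
        elif invalid > first_service:
            findings.append(f"{chain}: 'drop invalid' comes after service rules")
        est = first_index(cr, lambda r: r.get("action") == "accept" and "established" in r.get("connection-state", ""))
        if est is None or est > first_service:
            findings.append(f"{chain}: accept established/related is missing or placed after service rules")
        # Fasttrack only takes effect if it is evaluated before the generic accept.
        fasttrack = first_index(cr, lambda r: r.get("action") == "fasttrack-connection")
        if fasttrack is not None and est is not None and fasttrack > est:
            findings.append(f"{chain}: fasttrack rule sits after the established accept, so it never fires")
        # An address-list accept on input should also be tied to the interface the hosts live on.
        if chain == "input":
            for i, r in enumerate(cr):
                if r.get("action") == "accept" and "src-address-list" in r and not ({"in-interface", "in-interface-list"} & set(r)):
                    findings.append(f"input: rule {i} accepts by source address list without an interface constraint")
    return findings


if __name__ == "__main__":
    for line in audit(parse_rules(POSTED_RULES)) or ["no findings"]:
        print(line)
```

Run it against `/ip firewall filter export` output pasted into `POSTED_RULES` (or read from a file) before and after editing a rule set; the post's own rules produce no findings, while dropping the closing `drop all else` or moving the fasttrack rule below the established accept is reported.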
Thanks for the post, it was really helpful.
It took me some time to reply, had many issues to handle and preferred to study it better instead of writing a meaningless reply.
Two questions:
1.
Regarding the command that you have written:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
I noticed that "hw-offload=yes" is missing from it.
Meaning, it could be changed to:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
Was it intentional?
Source:
https://help.mikrotik.com/docs/display/ ... onnections
2. For input chain, I want to allow Admin only on a specific interface, e.g. 'ether1'.
The problem is that 'ether1' is associated to the LAN bridge (which includes additional ports).
How is this kind of thing normally solved?
Should I create a dedicated bridge for the admin?
(and assign a dhcp-client for that bridge etc.)
Regarding scripting it (for anyone that reads it in the future):
I need to remove all firewall rules before trying to build my own firewall.
The following command removes the firewall rules:
Either:
/ip firewall filter remove [/ip firewall filter find dynamic=no]
or:
/ip firewall filter remove [find dynamic=no]
Source:
viewtopic.php?t=181357#p898691