 
Wolvyreen
just joined
Topic Author
Posts: 4
Joined: Thu Aug 29, 2024 4:24 pm

Default SOHO Firewall Rules

Thu Aug 29, 2024 5:05 pm

Hello All,

I recently bought myself a new MK router. This was ENTIRELY as a new project and I am excited to be getting my hands dirty. I have an intermediate understanding of networking and firewall rules and I have followed this guide to set up my new router:

https://help.gowifi.co.nz/support/solut ... -to-finish

The firewall rules section is about halfway down the page.

These are the firewall rules that I finally have according to that page. Is this acceptable for a SOHO setup?

Image

I don't want to block any LAN devices to the internet. ALL devices must have full access to the WAN. I just want to make sure my LAN is protected from naughty people.

Can anyone confirm if this is all ok?

Thanks in advance
Last edited by Wolvyreen on Thu Aug 29, 2024 5:43 pm, edited 2 times in total.
 
erlinden
Forum Guru
Posts: 2367
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Default SOHO Firewall Rules

Thu Aug 29, 2024 5:16 pm

The default rules are enough for protection. Because your picture is not showing (better post /ip/firewall export), it is hard to say what you did. And I'm not going to read some website.
 
Wolvyreen
just joined
Topic Author
Posts: 4
Joined: Thu Aug 29, 2024 4:24 pm

Re: Default SOHO Firewall Rules

Thu Aug 29, 2024 5:33 pm

Hi,

I didn't expect you to read the website page. I only put it there so that others could see why I used the rules in the screenshot. I'm also not sure why the screenshot didn't show. I have now changed it to a URL.

Here is the export as requested:
---
/ip firewall address-list
add address=10.0.0.0/24 list=LAN
/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=LAN
add action=accept chain=input connection-state=established
add action=drop chain=input connection-state=new
add action=accept chain=forward connection-state=new src-address-list=LAN
add action=accept chain=forward connection-state=related
add action=accept chain=forward connection-state=established
add action=drop chain=forward
/ip firewall mangle
# no interface
add action=change-mss chain=forward new-mss=1452 out-interface=*C protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
# pppoe-out1 not ready
add action=masquerade chain=srcnat out-interface=pppoe-out1
 
jaclaz
Forum Guru
Posts: 1576
Joined: Tue Oct 03, 2023 4:21 pm

Re: Default SOHO Firewall Rules

Thu Aug 29, 2024 6:50 pm

Only as a side note:
The default rules that come with Mikrotik SOHO devices have two features that yours miss:
1) they are marked in comment as "defconf" which is useful when/if you want to change some of them
2) they have a comment summing up what the rule does
As well, the generic advice is to group rules by their chain, to make them more readable.

Now imagine yourself in 1, 2, 3 months time needing to modify the firewall rules and having them without a reference or explanation, and even if you have good memory and learned by heart all the intricacies of firewall filters, and you manage to add or change something successfully, what will happen after another 3 or 6 months?

I don't have the competence to give you advice on the specific rules, but they do seem different from the default ones (that are considered on the forum to be good enough) or from the ones that are usually suggested on the forum as an alternative, *like*:
https://web.archive.org/web/20230524131 ... p?t=180838
 
mkx
Forum Guru
Posts: 12425
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default SOHO Firewall Rules

Thu Aug 29, 2024 6:52 pm

.. it is hard to say what you did.
I just had a quick glance at the page ... the first chapter is titled "Remove all configuration:" .. which makes me turn away from this thread. If @OP follows such a "cook book", then he should trust the author of the cookbook and discuss any minor issues he might have with the cookbook. Or @OP should turn away from that article, stick to default and ask here for advice on how to improve default.
 
Wolvyreen
just joined
Topic Author
Posts: 4
Joined: Thu Aug 29, 2024 4:24 pm

Re: Default SOHO Firewall Rules

Thu Aug 29, 2024 7:06 pm

Thanks for your replies :-D

I can always perform a hard reset of the router and start again. I just liked the idea of going through everything and learning how everything was set up.

I don't want to detract from the context of this post but one of the reasons I wanted to start from scratch is because I have never worked with MK before and I wanted to use the SFP port as my WAN port and had no idea how to do that. The tutorial explained how to set up one of the ports as the WAN port and all I did was I chose the SFP instead of ether1.

Anyways, now that I have my hands dirty, I can hard reset and change the setup accordingly and leave the firewall rules in place.
 
anav
Forum Guru
Posts: 20918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default SOHO Firewall Rules

Thu Aug 29, 2024 8:02 pm

When I saw those rules and that you have your chains mixed up, I threw up and left for a while.
Just came back to say, put chain rules together; it makes it much easier to read and troubleshoot issues, as rules are processed within a chain in the order they are presented, and order is important.
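jaclaz and anav both point at the same two things in the export posted above: the rules are interleaved across chains, and none of them carry a comment. The following Python script is added here as an example and is not code from this thread or from MikroTik. It parses the filter section of that export, regroups the rules by chain while keeping each chain's relative order (which is the order RouterOS evaluates them in), tags every rule with a searchable comment in the spirit of the default "defconf" comments, and reports per chain whether it ends in an unconditional drop and whether it accepts related connections. The `soho:` tag, the section handling and the checks are this example's own simplifications and are not RouterOS validation; the input string is the filter section copied from the export in this thread.

```python
"""Regroup a RouterOS '/ip firewall filter' export by chain and add comments.
Added example for this thread; not MikroTik code and not a RouterOS validator."""
import re

# Sample input: the filter section of the export posted earlier in this thread.
EXPORT = """\
/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=LAN
add action=accept chain=input connection-state=established
add action=drop chain=input connection-state=new
add action=accept chain=forward connection-state=new src-address-list=LAN
add action=accept chain=forward connection-state=related
add action=accept chain=forward connection-state=established
add action=drop chain=forward
"""

# key=value pairs; values may be quoted (comments with spaces) or bare tokens
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
NON_MATCHERS = ("action", "chain", "comment")


def parse_filter_rules(text):
    """Return the 'add' rules under '/ip firewall filter' as dicts, in export order."""
    rules, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):                  # a new export section starts
            in_section = line == "/ip firewall filter"
            continue
        if in_section and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return rules


def group_by_chain(rules, chain_order=("input", "forward", "output")):
    """Group rules by chain, preserving each chain's own order (the evaluation order).
    Chains not named in chain_order are appended after the known ones."""
    grouped = {chain: [] for chain in chain_order}
    for rule in rules:
        grouped.setdefault(rule.get("chain", "?"), []).append(rule)
    return {chain: rs for chain, rs in grouped.items() if rs}


def matchers(rule):
    """The matcher keys of a rule, i.e. everything that narrows what it applies to."""
    return {k for k in rule if k not in NON_MATCHERS}


def describe(rule):
    """Human-readable summary of a rule for its comment."""
    parts = [f"{k}={rule[k]}" for k in rule if k not in NON_MATCHERS]
    return f"{rule['action']} " + (" ".join(parts) if parts else "everything else")


def to_export(grouped, tag="soho"):
    """Re-emit the rules grouped by chain, each with a tagged comment so they can be
    located later (the same idea as the 'defconf' comments on the default rules)."""
    lines = ["/ip firewall filter"]
    for rules in grouped.values():
        for rule in rules:
            comment = rule.get("comment") or f"{tag}: {describe(rule)}"
            kv = " ".join(f"{k}={v}" for k, v in rule.items() if k != "comment")
            lines.append(f'add {kv} comment="{comment}"')
    return "\n".join(lines)


def chain_report(grouped):
    """Per chain: rule count, whether the last rule is an unconditional drop, and
    whether any accept rule covers connection-state=related."""
    report = {}
    for chain, rules in grouped.items():
        last = rules[-1]
        report[chain] = {
            "rules": len(rules),
            "ends_in_drop_all": last["action"] == "drop" and not matchers(last),
            "accepts_related": any(
                r["action"] == "accept"
                and "related" in r.get("connection-state", "").split(",")
                for r in rules
            ),
        }
    return report


if __name__ == "__main__":
    grouped = group_by_chain(parse_filter_rules(EXPORT))
    print(to_export(grouped))
    for chain, facts in chain_report(grouped).items():
        print(f"# {chain}: {facts}")
```

Running it prints the regrouped export (all input rules first, then forward) followed by one report line per chain; the regrouped text is valid export syntax, so it can be reviewed and then applied through `/import` or pasted into a terminal. The report only states what is in the parsed rules; deciding whether a chain should accept related connections or end in a drop-all is still the reader's job.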
 
anav
Forum Guru
Posts: 20918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default SOHO Firewall Rules

Thu Aug 29, 2024 8:12 pm

examples of firewall rules
viewtopic.php?t=153581#p855249

simply in the forward chain, prior to the last rule ( Drop all else )
Add in the traffic required device A to Subnet B or Subnet C to device D for example.........
 
Wolvyreen
just joined
Topic Author
Posts: 4
Joined: Thu Aug 29, 2024 4:24 pm

Re: Default SOHO Firewall Rules

Fri Aug 30, 2024 12:26 am

Firstly, thank you all for your comments and input :-D

Ok, so what I did was take everyone's advice and reset the unit back to factory defaults. I made some changes to the IP ranges and the interfaces and everything is working as it was before, but this time I never touched the firewall. So now the firewall is still standard out of the box.

Is this acceptable for a SOHO environment?

Image

Are there any rules I should add or remove?
 
anav
Forum Guru
Posts: 20918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default SOHO Firewall Rules

Fri Aug 30, 2024 6:10 am

 
jahu
just joined
Posts: 12
Joined: Thu Aug 22, 2024 1:33 am

Re: Default SOHO Firewall Rules

Sat Aug 31, 2024 5:53 pm

examples of firewall rules
viewtopic.php?t=153581#p855249

simply in the forward chain, prior to the last rule ( Drop all else )
Add in the traffic required device A to Subnet B or Subnet C to device D for example.........
given that you are referring to the other thread in your post -> Default firewall config, do you have any insights on my question in that thread?
