Mikrotik Basic Firewall Configuration
This is a basic firewall configuration used on Mikrotik routers, with some extras that are related to our general configuration.
These two rules relate to LetsEncrypt SSL certificate updates; they are enabled or disabled depending on whether a certificate update is being performed.
add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp src-address-list=LE
add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp
This is usually only active for remote access while the initial
add action=accept chain=input comment="Remote Access" dst-port=8291 protocol=tcp
Allow Ping: there is always a debate about whether or not you should allow ping responses.
add action=accept chain=input protocol=icmp
These rules block IPs listed in the named src-address-list. This means we can block a good percentage of bad IPs via a script that we can run on the router to grab these IP blocks.
add action=drop chain=input in-interface-list=WAN src-address-list=SPAMHAUS_DROP
add action=drop chain=input in-interface-list=WAN src-address-list=SPAMHAUS_EDROP
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL1
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL2
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL3
Full Firewall Rules
/ip firewall filter
add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp src-address-list=LE
add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Remote Access" dst-port=8291 protocol=tcp
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="Drop Bad DNS" dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input in-interface-list=WAN src-address-list=SPAMHAUS_DROP
add action=drop chain=input in-interface-list=WAN src-address-list=SPAMHAUS_EDROP
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL1
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL2
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL3
add action=accept chain=input in-interface-list=WAN protocol=gre
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface-list=WAN protocol=udp
add action=accept chain=input dst-port=1701 in-interface-list=WAN protocol=udp
add action=accept chain=input dst-port=4500 in-interface-list=WAN protocol=udp
add action=accept chain=input connection-state=established,related in-interface-list=WAN
add action=drop chain=input in-interface-list=WAN
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=established,related in-interface-list=WAN out-interface-list=LAN
add action=accept chain=forward connection-state=established,related in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward connection-state=invalid in-interface-list=WAN out-interface-list=LAN
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN out-interface-list=LAN
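A small lint over the rule set above, added here as an example and not part of the original configuration: it parses RouterOS `add key=value` lines, flags accept rules in the input chain that carry no in-interface-list or src-address-list (as the "Remote Access" and ICMP rules above do, so they also match on WAN), and flags any enabled WAN rule placed after the catch-all `drop chain=input in-interface-list=WAN`, which can never match. The rule text is a constructed subset of the page's input chain.

```python
import shlex

# Constructed subset of the page's /ip firewall filter input chain (sample input).
RULES_TEXT = """
add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp src-address-list=LE
add action=accept chain=input comment="Remote Access" dst-port=8291 protocol=tcp
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=WAN src-address-list=SPAMHAUS_DROP
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input connection-state=established,related in-interface-list=WAN
add action=drop chain=input in-interface-list=WAN
"""

def parse_rules(text):
    """Parse RouterOS 'add key=value ...' lines into dicts; shlex handles quoted comments."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def is_catch_all_wan_drop(rule):
    """True for 'drop chain=input in-interface-list=WAN' with no other matchers (comment allowed)."""
    extra = set(rule) - {"action", "chain", "in-interface-list", "comment"}
    return rule.get("action") == "drop" and rule.get("in-interface-list") == "WAN" and not extra

def lint_input_chain(rules):
    """Return human-readable findings for the enabled rules of the input chain."""
    findings = []
    inp = [r for r in rules if r.get("chain") == "input" and r.get("disabled") != "yes"]
    for i, r in enumerate(inp):
        restricted = r.get("in-interface-list") or r.get("in-interface") or r.get("src-address-list")
        if r.get("action") == "accept" and not restricted:
            desc = r.get("comment") or r.get("protocol", "?")
            findings.append(f"rule {i}: accept ({desc}) has no interface or source restriction, so it also matches on WAN")
    for i, r in enumerate(inp):
        if is_catch_all_wan_drop(r):
            # Every enabled rule after the catch-all drop is dead for WAN traffic.
            for j in range(i + 1, len(inp)):
                findings.append(f"rule {j}: shadowed by catch-all WAN drop at rule {i}")
            break
    return findings

if __name__ == "__main__":
    for finding in lint_input_chain(parse_rules(RULES_TEXT)):
        print(finding)
```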