Versions Compared

We strongly suggest keeping the default firewall on. Here are a few adjustments that make it more secure; make sure you understand what each rule does before applying it.

IPv4 firewall to a router

  • work with new connections to decrease load on the router;
  • create an address-list for the IP addresses that are allowed to access your router;
  • enable ICMP access (optionally);
  • drop everything else; log=yes might be added to log packets that hit the specific rule.

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router

IPv4 firewall for clients

  • established/related packets are added to fasttrack for faster data throughput, so the firewall will work with new connections only;
  • drop invalid connections and log them with the prefix invalid;
  • drop attempts to reach non-public addresses from your local network; apply address-list=not_in_internet before this rule, bridge1 is the local network interface, log attempts with the prefix !public_from_LAN;
  • drop incoming packets that are not NATed, ether1 is the public interface, log attempts with the prefix !NAT;
  • drop incoming packets from the Internet whose source is not a public IP address, ether1 is the public interface, log attempts with the prefix !public;
  • drop packets from the LAN that do not have a LAN IP, 192.168.88.0/24 is the subnet used by the local network.

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

The IPv6 filter rules for client traffic (forward chain), described in the IPv6 firewall for clients section below:

/ipv6 firewall filter
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment=icmpv6 in-interface=!sit1 protocol=icmpv6
add action=accept chain=forward comment="local network" in-interface=!sit1 src-address-list=allowed
add action=drop chain=forward log-prefix=IPV6
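The following Python model is an added example and is not MikroTik's code or part of the original page. It serves the two IPv4 sections above: it parses the RouterOS address-list syntax (both the CIDR form used by not_in_internet and the range form used by allowed_to_router, which a range expands into several CIDR blocks), replays the input chain that protects the router with first-match semantics, and applies the "!public" check from the clients section to packets arriving on the public interface. The names Packet, Rule, evaluate, parse_address_lists and wan_source_is_bogon are chosen here; connection state is taken as given rather than tracked, the interface names ether1 and bridge1 follow the page, and the sample packets are constructed for the demonstration.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the address-list commands from the page, pasted as from a
# RouterOS export. Only part of not_in_internet is included; the parser treats the rest the same.
ADDRESS_LIST_CONFIG = """
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
"""

Network = ipaddress.IPv4Network

def parse_address_lists(config: str) -> Dict[str, List[Network]]:
    """Parse '/ip firewall address-list' 'add' lines into ipaddress networks, keyed by list name."""
    lists: Dict[str, List[Network]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue  # skip the menu path line and blank lines
        # shlex keeps the quoted comment as one token, so key=value splitting stays correct
        fields = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
        address, name = fields["address"], fields["list"]
        if "-" in address:
            # RouterOS range form a-b: expand to the minimal set of CIDR blocks covering it
            low, high = (ipaddress.ip_address(p) for p in address.split("-", 1))
            networks = list(ipaddress.summarize_address_range(low, high))
        else:
            networks = [ipaddress.ip_network(address, strict=False)]
        lists.setdefault(name, []).extend(networks)
    return lists

def in_list(lists: Dict[str, List[Network]], name: str, ip: str) -> bool:
    """True if ip falls inside any entry of the named address-list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lists.get(name, []))

@dataclass
class Packet:
    src: str
    protocol: str = "tcp"            # tcp, udp or icmp
    connection_state: str = "new"    # new, established, related or invalid (given, not tracked)
    in_interface: str = "ether1"     # ether1 = public side, bridge1 = LAN, as on the page

@dataclass
class Rule:
    action: str
    comment: str = ""
    connection_state: Optional[Set[str]] = None
    src_address_list: Optional[str] = None
    protocol: Optional[str] = None

    def matches(self, pkt: Packet, lists: Dict[str, List[Network]]) -> bool:
        # Every matcher that is set must agree; an unset matcher matches anything,
        # which is why the final drop rule with no matchers catches everything else.
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        if self.src_address_list is not None and not in_list(lists, self.src_address_list, pkt.src):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        return True

# The input chain from the page, in the order the rules are added.
INPUT_CHAIN: List[Rule] = [
    Rule("accept", "default configuration", connection_state={"established", "related"}),
    Rule("accept", "management hosts", src_address_list="allowed_to_router"),
    Rule("accept", "icmp", protocol="icmp"),
    Rule("drop", "everything else"),
]

def evaluate(chain: List[Rule], pkt: Packet, lists: Dict[str, List[Network]]) -> str:
    """First matching rule decides; with no match at all RouterOS lets the packet through."""
    for rule in chain:
        if rule.matches(pkt, lists):
            return rule.action
    return "accept"

def wan_source_is_bogon(lists: Dict[str, List[Network]], pkt: Packet, wan_interface: str = "ether1") -> bool:
    """The '!public' check from the clients section: a packet arriving on the public
    interface must not carry a source address from not_in_internet."""
    return pkt.in_interface == wan_interface and in_list(lists, "not_in_internet", pkt.src)

if __name__ == "__main__":
    lists = parse_address_lists(ADDRESS_LIST_CONFIG)
    for pkt in (Packet("8.8.8.8"), Packet("8.8.8.8", "tcp", "established"),
                Packet("192.168.88.10", "tcp", "new", "bridge1"), Packet("203.0.113.9", "icmp")):
        print(f"input chain: {pkt.src:>15} {pkt.connection_state:<11} -> {evaluate(INPUT_CHAIN, pkt, lists)}")
    print("bogon on ether1:", {s: wan_source_is_bogon(lists, Packet(s)) for s in ("192.0.2.7", "8.8.8.8")})
```

Running the script shows the effect of rule order: a reply packet from 8.8.8.8 is accepted by the first rule, a fresh connection from the same address falls through to the final drop, and a host inside 192.168.88.2-192.168.88.254 reaches the router while 192.168.88.1 does not. The range expansion is worth noting, because a RouterOS range that is not aligned to a CIDR boundary becomes many small blocks internally.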


IPv6

Currently, the IPv6 package is disabled by default. Please enable the package with care, as RouterOS will not create any default firewall rules for IPv6 at the moment.

IPv6 ND

Disable IPv6 Neighbour Discovery:

/ipv6 nd set [find] disabled=yes

IPv6 firewall to a router

  • work with new packets, accept established/related packets;
  • drop link-local addresses arriving from the Internet interface;
  • accept access to the router from link-local addresses, accept multicast addresses for management purposes, accept your own address for router access;
  • drop anything else.


IPv6 firewall for clients

Enabling IPv6 makes your clients reachable from public networks; set up a proper firewall to protect your customers.

  • accept established/related packets and work with new packets;
  • drop invalid packets and set a log prefix on the rule;
  • accept ICMP packets;
  • accept new connections from your clients to the Internet;
  • drop everything else.
