Welcome back to my Mikrotik section
This time I am going to tell you a little about how the Mikrotik firewall works.
The RouterOs firewall implements packet filtering that provides security features that are used to manage the flow of data to, from, and through the router.
Properly configured it plays a key role in implementing an efficient and secure network infrastructure. RouterOs firewall has very powerful features, I am going to explain some of the most common ones to keep your Router safe.
Chains or Chains
By default RouterOs, brings three predefined chains, namely:
- INPUT: It is used to mark all the packets that are destined for the router. Example:
Suppose we have:
WAN 1 = 220.127.116.11
We want to prevent them from pinging us by placing the following command: / ip firewall filter add chain = input protocol = icmp action = drop in-interface = ”1 – ADSL”
- FORWARD: It is used to mark all the packets that pass through the router, that is, they are all the packets that go to our LAN. Example:
We are going to block youtube and facebook using this chain throughout the LAN.
First we are going to create LAYER7 for facebook and youtube
/ ip firewall layer7-protocol add name = Youtube regexp = ”^. * (Youtube.com). * $”
/ ip firewall layer7-protocol add name = Facebook regexp = ”^. * (Facebook.com). * $”
We can continue adding domains in the following way (Facebook.com | Youtube.com) and thus we can have it in a single sentence.
Now, we block it
/ ip firewall filter
add chain = forward layer7-protocol = Facebook action = drop
add chain = forward layer7-protocol = Youtube action = drop
ImportantBefore blocking any page you have to check exactly where you are looking to connect, for example:
facebook and youtube have other subdomains that allow you to connect without problem.
- OUTPUT: This chain is used to mark all the packets that leave Mikrotik; everything that goes to the internet or to other LANs that we have connected. Example:
Suppose we want to block CloudFlare’s DNS so that our network does not query them.
/ ip firewall filter chain = output dst-address = 18.104.22.168 action = drop
- INPUT: All connections that are directed to the Mikrotik.
- FORWARD: All the connections that go through our Mikrotik.
- OUTPUT: All the connections that come out of our Mikrotik.
We go with a simple configuration, quite useful for home routers.
Protecting our Router
Assuming our LAN is 192.168.0.0/24:
- we are going to add it to a list
- additionally we will add some Mikrotik ip (to be able to update it and maintain contact with the Mikrotik cloud)
- to finish we add the DNS that we will use most frequently.
/ ip firewall address-list
add address = 192.168.0.0 / 24 list = allowed_to_router
add address = download.mikrotik.com list = allowed_to_router
add address = cloud.mikrotik.com list = allowed_to_router
add address = 22.214.171.124 list = DNS
add address = 126.96.36.199 list = DNS
/ ip firewall filter
add chain = input src-address-list = allowed_to_router action = accept
add chain = input src-address-list = DNS action = accept
add action = accept chain = input in-interface = ”ether1 ″ protocol = udp src-address-list = DNS src-port = 53
add action = drop chain = input in-interface = ”ether1 ″ protocol = icmp src-address-list =! DNS
add action = drop chain = input src-address-list =! DNS
add action = accept chain = forward comment = ”Protection for Clients” connection-state = established, related
add action = drop chain = forward connection-state = invalid
add action = drop chain = forward comment = ”Drop new connections from internet which are not dst-natted” connection-nat-state =! dstnat connection-state = new in-interface = ”ether1 ″
/ ip firewall nat
add action = masquerade chain = srcnat
With this simple configuration, we will have our Mikrotik protected and only what is actually requested from our internal network will be connecting.
Until next time! @Network_DKnight