Another quick question @mkx So does all traffic that passed through RAW also gets checked by INPUT and FORWARD chain, or if there is a match in RAW it stops processing or If there is a match in RAW for accept or drop, it proceed to INPUT or FORWARD chain for matching? In other words, if a packet pas...

IMO most of rules you posted are pretty useless ... because connection tracking machinery will assign connection state "invalid" to those. So the default rule "drop invalid" will adequately get rid of them. Adding rules in raw means that some packets will get dropped before they...

One of uses for custom chains is to reduce number of rules which packets have to be matched against. In your particular case: the chain=prerouting protocol=tcp matches all TCP packets and executes chain=bad_tcp. Rules in chain=bad_tcp then don't have to match against protocol type (because only TCP...

Hello everyone, I have been practicing and experimenting with some firewall rules lately and I come across some of these rules that baffles me. This firewall rules were copied from Mikrotik website. for example, when the RAW rules below is applied, something strange happens. In this testing, I have ...

Here I have any question. Below is the default configuration. As you can see, it started with "connection established, related....". I know anav and others have said in the past that golden rules is to start will default 1. add chain=input action=accept connection-state=established,related...

It's about interface list membership. Both LAN and WAN list membership has to be (manually) maintained ... and as long as certain interface is not made member of either of interface lists, traffic ingressing via that interface gets dropped (second and third rule from the end don't get triggered, so...

Hello All Good day from this side. please, I have a question about the advanced firewall rules posted on MikroTik page. I'm still learning about firewall in general, why would the last 3 rules below say "accept all coming in from WAN and LAN", then drop the rest. Isn't this contradicting? ...

Will this configuration automatically switch back to pi-hole whenever it comes up or do I need to manually switch DNS back to pihole?

@Anav OP detailed post: Assuming one uses a drop all rule at the end of the input and forward chains, one recognizes that we have to create "allow" rules for wireguard traffic. In any Mikrotik device (client or server) and more accurately (local or remote) there are two cases that may occ...

Please, I'm not an expert here but I need some guidance. I have noticed that whenever I add "drop all other traffic" on the forward chain, It cuts off my internet. add action=drop chain=forward comment="Drop all other Traffic on the Foward Chain." disabled=no However if I add the...