ITDave
just joined
Topic Author
Posts: 10
Joined: Sat Sep 09, 2017 11:37 am

Firewall Rules

Sat Oct 07, 2017 9:21 am

Hi All,

New to the MikroTik devices and trying to learn more about them. I have written up a quick firewall and wanted some suggestions and opinions. Any help would be much appreciated.

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
add address=192.168.1.0/24 comment=HomeLAN list=local
add address=10.1.1.0/24 comment=GuestLAN list=local
add address=192.168.88.0/24 comment="Management LAN" list=local

/ip firewall filter
add action=drop chain=forward comment="Block GuestLAN Access to HomeLAN" \
in-interface=GuestLAN out-interface=ether2-LAN
add action=drop chain=forward comment=\
"Drop All Packets From PPPoE With No DSTNAT Header" connection-nat-state=\
!dstnat connection-state=new in-interface=PPPoE
add action=fasttrack-connection chain=forward comment=\
"fasttrack Established & Related Packets (Excluding GuestLAN)" \
connection-state=established,related packet-mark=!GuestLAN-MP
add action=accept chain=forward comment=\
"Accept Established & Related Packets" connection-state=\
established,related
add action=drop chain=forward comment="Drop Invalid Packets" \
connection-state=invalid
add action=drop chain=forward comment="Drop Bogons Address List" \
dst-address-list=Bogons
add action=accept chain=input comment="Accept ICMP Packets" protocol=icmp
add action=accept chain=input comment="Accept Established & Related Packets" \
connection-state=established,related
add action=accept chain=input comment="Allow Router Access From LAN" \
src-address-list=local
add action=drop chain=input comment="Drop All Other Packets" in-interface=\
PPPoE
 
kamillo
Member Candidate
Posts: 162
Joined: Tue Jul 15, 2014 5:44 pm

Re: Firewall Rules

Sat Oct 07, 2017 7:16 pm

Hi,

I would suggest moving your allow, fasttrack and related/established rules to the top of the list; otherwise even already established sessions (trusted) will be checked against bogons list rules etc.
Also consider moving rules which check against the bogons list to the raw table.
More about the raw table:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw

You can also build your bogons list based on: https://www.team-cymru.org/bogon-reference.html
or there is an interesting topic here: viewtopic.php?t=98804
 
ganggumalam
just joined
Posts: 3
Joined: Wed Dec 06, 2017 2:02 am

Re: Firewall Rules

Thu Dec 07, 2017 7:51 am

> Hi,
>
> I would suggest moving your allow, fasttrack and related/established rules to the top of the list; otherwise even already established sessions (trusted) will be checked against bogons list rules etc.
> Also consider moving rules which check against the bogons list to the raw table.
> More about the raw table:
> https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw
>
> You can also build your bogons list based on: https://www.team-cymru.org/bogon-reference.html
> or there is an interesting topic here: viewtopic.php?t=98804

I am new to using MikroTik; I am using firewall filter rules.
Today I read about firewall raw and am interested in it. I have read the wiki but didn't understand it. Can you give me your firewall raw script? Thank you.
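The following is an added example, not kamillo's or ganggumalam's own configuration and not taken from the MikroTik wiki: it shows the original poster's rule set reordered the way kamillo suggests (established/related and fasttrack first, invalid dropped next), with the bogon check moved from the forward chain into /ip firewall raw, which is what ganggumalam asked to see. Interface names (PPPoE, GuestLAN, ether2-LAN), the packet mark GuestLAN-MP and the address-list names (Bogons, local) are the ones from the first post; the decision to match bogon sources as well as destinations, and to restrict the raw rules to the PPPoE interface, is an assumption of this example.

```routeros
# Added example (not from the thread's posters or from MikroTik).
# Names from the original post: PPPoE, GuestLAN, ether2-LAN, GuestLAN-MP,
# address lists Bogons and local. Everything else is an assumption.

/ip firewall raw
# Raw prerouting runs before connection tracking, so packets from or to
# bogon ranges arriving on the WAN are discarded before a conntrack entry
# exists. Limiting the match to in-interface=PPPoE keeps LAN-to-LAN traffic
# (e.g. HomeLAN to the 10.1.1.0/24 GuestLAN, which is inside 10.0.0.0/8)
# out of the bogon check. Matching src-address-list here is an addition
# beyond the dst-only rule in the first post.
add chain=prerouting in-interface=PPPoE src-address-list=Bogons \
    action=drop comment="RAW: drop WAN packets from bogon sources"
add chain=prerouting in-interface=PPPoE dst-address-list=Bogons \
    action=drop comment="RAW: drop WAN packets to bogon destinations"

/ip firewall filter
# forward chain: high-hit-rate, cheap rules first, as kamillo suggests
add chain=forward connection-state=established,related \
    packet-mark=!GuestLAN-MP action=fasttrack-connection \
    comment="fasttrack established/related (excluding GuestLAN)"
add chain=forward connection-state=established,related \
    action=accept comment="accept established/related"
add chain=forward connection-state=invalid \
    action=drop comment="drop invalid"
add chain=forward in-interface=GuestLAN out-interface=ether2-LAN \
    action=drop comment="block GuestLAN access to HomeLAN"
add chain=forward connection-state=new connection-nat-state=!dstnat \
    in-interface=PPPoE action=drop \
    comment="drop new connections from PPPoE without a dst-nat"

# input chain: same ordering principle for traffic to the router itself
add chain=input connection-state=established,related \
    action=accept comment="accept established/related"
add chain=input connection-state=invalid \
    action=drop comment="drop invalid"
add chain=input protocol=icmp \
    action=accept comment="accept ICMP"
add chain=input src-address-list=local \
    action=accept comment="allow router access from LAN"
add chain=input in-interface=PPPoE \
    action=drop comment="drop all other packets from PPPoE"
```

Two things worth checking before pasting something like this. First, the Bogons list in the first post contains 10.0.0.0/8 and 172.16.0.0/12 while the GuestLAN is 10.1.1.0/24; the original forward rule "Drop Bogons Address List" has no interface condition, so a new HomeLAN-to-GuestLAN connection would have matched it. Binding the raw rules to in-interface=PPPoE avoids that, and the list comments themselves ("Check if you need this subnet before enable it") are the reminder to prune entries such as 224.0.0.0/4 if the WAN legitimately carries them. Second, a raw drop happens before connection tracking and before the filter chains, so nothing dropped there shows up in filter-rule counters; watch the raw rule counters (or add log=yes temporarily) when verifying that the list is doing what you expect.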
