Firewall Script

Posted: Tue Mar 15, 2022 11:19 am
by Thorsten1970
Hello all together,

I would like to add a firewall to my system. Therefore I have made a script to run on the RB3011. The thing is, I do not have a clue about this topic. I copied some entries from other scripts and made some adjustments. Would you be so kind as to check it and give feedback if changes are necessary? Your help is really appreciated. Thank you very much in advance.

Some facts right in front of the script.

1. Internet access is done by a Fritzbox 7490.
2. Behind the Fritzbox is the DMZ and then the Mikrotik router RB3011.
3. The RB3011 makes some VLANs for different situations (work, home, kids, ...).
4. The different VLANs are distributed via two Mikrotik switches to the clients.
5. The VLANs are also distributed via access points WAPac.

This all works fine at the moment.

Now I would like to activate the RB3011 firewall. Here is the script.
31 - RB3011 - Firewall_Vorschlag_Mikrotik.rsc
I am not sure about the sequence and of course about the content.
Please ask if there is some information missing which is needed to check this script.

Thanks again.
Looking forward to your answers.

Best regards
Thorsten

Re: Firewall Script

Posted: Tue Mar 15, 2022 11:52 am
by rextended
You have spammers inside your house or you host smtp servers?

The default firewall rules are enough for everything.

If your RouterBOARD does not have any public IP, nearly all of the rules are useless.

Too much copy and paste, without knowing what you do, will kill you...

Re: Firewall Script

Posted: Tue Mar 15, 2022 1:05 pm
by Hominidae
1. Internet access is done by a Fritzbox 7490.
2. Behind the Fritzbox is the DMZ and then the Mikrotik router RB3011.
... there is no such thing as a DMZ with a Fritz, not even the concept of this is available from AVM.
With a Fritz you cannot disable its firewall and NAT.
The next best thing you could do is to enable the RB3011 as the "exposed host" (being still behind Fritz NAT).
The standard Firewall in the Firmware of the MT is something like this: https://help.mikrotik.com/docs/display/ ... d+Firewall
As already stated, with being behind NAT in any case, there is not much to add.
With VLANs enabled, just some things like guest or public/zoned networks....
All you need to do is to decide, which VLANs are part of the LAN interface-list, really.

Re: Firewall Script

Posted: Tue Mar 15, 2022 1:06 pm
by anav

Re: Firewall Script

Posted: Tue Mar 15, 2022 1:08 pm
by anav
If the MT was not providing any DHCP and was just being used as a switch/AP:
viewtopic.php?t=182276

Re: Firewall Script

Posted: Wed Mar 16, 2022 11:24 am
by Thorsten1970
Thank you very much for your feedback.

I am a little bit confused now. In some other forum, they say it is necessary to have an additional firewall on the RB3011, even if it is behind a Fritzbox.

Is there a standard firewall script regarding VLANs?
I also want to know, if the order in my script is ok or is there something to correct?

Re: Firewall Script

Posted: Wed Mar 16, 2022 1:18 pm
by anav
You have two options.
1. Use MT as a full router.
2. Use MT as switch/AP

Since the fritzbox is just acting as an intermediary to your ISP and the end result is you get a Private IP address, I would, to be on the safe side, go with the MT acting as a router.
Since the MT is creating and providing VLANs as well, it makes more sense.

However as a starting point for your firewall rules, get rid of all the junk and start with this as the basic required firewall.
All you need to do is add any additional rules for ALLOWED TRAFFIC.

/ip firewall filter
# input chain (traffic addressed to the router itself)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept from LAN interface list" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain (traffic passing through the router)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

Re: Firewall Script

Posted: Mon Oct 31, 2022 9:43 pm
by BWPWA
@anav

Thanks for posting this. I am fairly new to configuring firewalls, always left the default in place, and just added a little to it.

However, for whatever reason, the new CR2116 I got did not have the typical "default" rules in it.

So, thankfully I found your post about the 'standard' rules. Definitely will be adding more, but this was much appreciated.

Novice question here, did you list the rules in the exact order they should be in?

Re: Firewall Script

Posted: Mon Oct 31, 2022 9:51 pm
by anav
Hi BWP

Order within a chain is important YES!
The router starts at the top and works its way down.

It does not matter if the input chain or the forward chain is first (the order of chains is not critical, the order within a chain is critical, and thus it is always best to group them together for easy viewing).
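To make the "top to bottom, first match wins" point concrete for the rule set posted earlier in this thread, here is an added example (my own, not from the thread, from anav, or from MikroTik): a small Python model that transcribes those input and forward rules and walks a few constructed sample packets through them. It only models the matchers those rules use (connection-state, protocol, interface lists, connection-nat-state); the comment on the uncommented LAN accept rule is mine; fasttrack-connection is treated as non-terminating (it marks the connection and the packet goes on to the next rule); and an unmatched packet falls through to the built-in chains' implicit accept. The last function moves the input chain's catch-all drop to the top and shows the same rules then drop what they accepted before.

```python
"""First-match model of the input/forward filter chains posted in this thread (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Only accept and drop end evaluation; fasttrack-connection is modelled as non-terminating.
TERMINATING = {"accept", "drop"}


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    connection_state: set = field(default_factory=set)
    protocol: Optional[str] = None
    in_interface_list: Optional[str] = None
    out_interface_list: Optional[str] = None
    connection_nat_state: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        """Every matcher that is set must agree with the packet; unset matchers match anything."""
        if self.connection_state and pkt["connection_state"] not in self.connection_state:
            return False
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        if self.in_interface_list and pkt["in_list"] != self.in_interface_list:
            return False
        if self.out_interface_list and pkt["out_list"] != self.out_interface_list:
            return False
        if self.connection_nat_state and pkt["nat_state"] != self.connection_nat_state:
            return False
        return True


# Transcription of the posted rules, in the posted order.
RULES = [
    Rule("input", "accept", "defconf: accept established,related,untracked", {"established", "related", "untracked"}),
    Rule("input", "drop", "defconf: drop invalid", {"invalid"}),
    Rule("input", "accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("input", "accept", "accept from LAN", in_interface_list="LAN"),  # comment added here
    Rule("input", "drop", "drop all else"),
    Rule("forward", "fasttrack-connection", "defconf: fasttrack", {"established", "related"}),
    Rule("forward", "accept", "defconf: accept established,related,untracked", {"established", "related", "untracked"}),
    Rule("forward", "drop", "defconf: drop invalid", {"invalid"}),
    Rule("forward", "accept", "allow internet traffic", in_interface_list="LAN", out_interface_list="WAN"),
    Rule("forward", "accept", "allow port forwarding", connection_nat_state="dstnat"),
    Rule("forward", "drop", "drop all else"),
]


def evaluate(rules, pkt: dict):
    """Walk the packet's chain top to bottom and return (action, comment) of the first terminating match."""
    for rule in rules:
        if rule.chain != pkt["chain"]:
            continue
        if rule.matches(pkt) and rule.action in TERMINATING:
            return rule.action, rule.comment
    return "accept", "implicit chain default"  # built-in chains accept what nothing matched


def pkt(chain, state, proto="tcp", in_list="WAN", out_list=None, nat_state=None) -> dict:
    return {"chain": chain, "connection_state": state, "protocol": proto,
            "in_list": in_list, "out_list": out_list, "nat_state": nat_state}


# Constructed sample packets: typical cases for a router sitting behind the Fritzbox NAT.
SAMPLES = {
    "wan_new_to_router": pkt("input", "new"),                    # unsolicited connection to the router
    "lan_new_to_router": pkt("input", "new", in_list="LAN"),     # management from a LAN VLAN
    "wan_ping_router": pkt("input", "new", proto="icmp"),
    "wan_invalid_to_router": pkt("input", "invalid"),
    "lan_to_internet": pkt("forward", "new", in_list="LAN", out_list="WAN"),
    "wan_to_lan_unsolicited": pkt("forward", "new", in_list="WAN", out_list="LAN"),
    "wan_to_lan_port_forward": pkt("forward", "new", in_list="WAN", out_list="LAN", nat_state="dstnat"),
    "reply_from_internet": pkt("forward", "established", in_list="WAN", out_list="LAN"),
}


def run_samples(rules=RULES) -> dict:
    """Action the chain takes for each sample packet."""
    return {name: evaluate(rules, p)[0] for name, p in SAMPLES.items()}


def order_matters():
    """Same rules, catch-all drop moved to the top of the input chain: (before, after) for LAN management."""
    catch_all = next(r for r in RULES if r.chain == "input" and r.comment == "drop all else")
    reordered = [catch_all] + [r for r in RULES if r is not catch_all]
    probe = SAMPLES["lan_new_to_router"]
    return evaluate(RULES, probe)[0], evaluate(reordered, probe)[0]


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:26} -> {action}")
    print("LAN management with catch-all drop moved first:", order_matters())
```

Running it shows the two chains behaving as anav described: replies and LAN-originated traffic are accepted, unsolicited traffic from the Fritzbox side is dropped unless a dst-nat rule claimed it, and moving the "drop all else" rule above the accepts turns the LAN accept into a drop without changing a single rule.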