MikroTik: Firewall – Default Config & Basics For Dummies

MikroTik RouterOS has a very powerful firewall implementation, and for those who are not very familiar with networking it may be hard to figure out how to configure it properly.

In this note you will find basic information that can help you understand better how the MikroTik firewall works.

Also, using the default MikroTik firewall config as an example, I will explain each of the rules.

Cool Tip: List MikroTik RouterOS firewall rules! Read more →

MikroTik Firewall

To show the current MikroTik firewall filter rules, execute:

[admin@MikroTik] > /ip firewall filter print
[admin@MikroTik] > /ipv6 firewall filter print

To list the commands that have been used to configure those rules, execute:

[admin@MikroTik] > /ip firewall filter export
[admin@MikroTik] > /ipv6 firewall filter export

To show all the MikroTik firewall settings, execute:

[admin@MikroTik] > /ip firewall export verbose
[admin@MikroTik] > /ipv6 firewall export verbose

Basics

The MikroTik firewall operates by means of firewall rules.

Each rule consists of two parts:

  1. The matcher, which matches traffic flow against given conditions, e.g. CONNECTION-STATE, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, etc.
  2. The action which defines what to do with the matched packet.

Connection States

In each MikroTik firewall, there are 5 connection states which can be applied to a particular network packet:

Connection state  Description
NEW               A packet requesting a new connection, such as a SYN packet in TCP.
ESTABLISHED       A packet that is part of an existing connection. A NEW connection enters the ESTABLISHED state once the reply packet has been seen to or through the firewall.
RELATED           A packet that is requesting a new connection while being part of another ESTABLISHED connection. For example, FTP establishes a connection on port 21, but to transfer data it spawns a new connection (typically on port 20) that is considered RELATED.
INVALID           A packet that is not part of any connection. It is suggested to DROP everything in this state.
UNTRACKED         A packet that has been marked not to be tracked in the firewall RAW table. The RAW table allows certain packets to be exempted from connection tracking, which significantly reduces CPU load and is very useful for DoS attack mitigation.
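As an added example of the RAW table mentioned under UNTRACKED (this is not from the page or from MikroTik's default configuration), the following commands first discard packets from an address list before connection tracking sees them, and then exempt traffic between two internal subnets from tracking. The list name blocked, the documentation range 198.51.100.0/24 and the subnets 192.168.88.0/24 and 10.10.0.0/24 are placeholders chosen for the example.

```routeros
/ip firewall address-list
# Constructed example list; 198.51.100.0/24 is a documentation range, not a real source.
add list=blocked address=198.51.100.0/24 comment="example: sources to discard"

/ip firewall raw
# A drop here happens before connection tracking, so every packet from the
# list costs almost nothing; this is the DoS-mitigation use of the RAW table.
add chain=prerouting action=drop src-address-list=blocked comment="example: drop listed sources before conntrack"

# NOTRACK must be applied in both directions: if only one direction is untracked,
# the reply has no connection entry to match and is classified as NEW or INVALID
# instead of ESTABLISHED, so it never passes the established/related rule.
add chain=prerouting action=notrack src-address=192.168.88.0/24 dst-address=10.10.0.0/24 comment="example: untracked LAN -> backup net"
add chain=prerouting action=notrack src-address=10.10.0.0/24 dst-address=192.168.88.0/24 comment="example: untracked backup net -> LAN"
```

Packets that hit the notrack rules reach the filter chains with connection-state=untracked, which is why the default accept rules include untracked in their connection-state list. Because they have no connection entry, such packets cannot be NATed and cannot be FastTracked, so use notrack only for traffic that needs neither. Check the counters with /ip firewall raw print stats.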

Chains

MikroTik firewall filtering rules are grouped together in chains.

This allows a packet to be matched against one common criterion in one chain and then handed over (using the JUMP action) to another chain for processing against a different criterion.

There are 3 predefined chains:

Firewall chain  Description
INPUT           Used to process packets entering the router (DST address is one of the router’s addresses).
FORWARD         Used to process packets passing through the router (neither SRC nor DST address is on the router).
OUTPUT          Used to process packets originated from the router (SRC address is one of the router’s addresses).

ℹ️ Packets passing through the router (FORWARD chain) are not processed against the rules of the INPUT and OUTPUT chains.

When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom.

Actions

If a packet matches the criteria of the rule, then the specified action is performed on it and no more rules are processed in that chain (the exception is the PASSTHROUGH action).

If the packet is matched by the rule, one of the following actions can be taken:

Action                   Description
ACCEPT                   Accept the packet. An accepted packet won’t be passed to the next firewall rule.
ADD-DST-TO-ADDRESS-LIST  Add the DST address to the address list specified by the address-list parameter.
ADD-SRC-TO-ADDRESS-LIST  Add the SRC address to the address list specified by the address-list parameter.
DROP                     Silently drop the packet.
FASTTRACK-CONNECTION     Process packets from a connection using FastPath by enabling FastTrack for the connection.
JUMP                     Jump to the user-defined chain specified by the value of the jump-target parameter.
LOG                      Add a message to the system log containing the following data: IN-INTERFACE, OUT-INTERFACE, SRC-MAC, PROTOCOL, SRC-IP:PORT → DST-IP:PORT and the length of the packet. After the packet is matched it will be passed to the next rule in the list (similar to PASSTHROUGH).
PASSTHROUGH              If the packet is matched by the rule, increase a counter and go to the next rule (useful for statistics).
REJECT                   Drop the packet and send an ICMP reject message.
RETURN                   Pass control back to the chain from where the JUMP took place.
TARPIT                   Capture and hold TCP connections (replies with SYN/ACK to the inbound TCP SYN packet).

⚠️ Warning: If a packet hasn’t matched any of the rules within the built-in chains, then it will be ACCEPTED!
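To show the chain and action semantics from the two sections above in practice, here is a stand-alone input chain as an added example (it is not from the page and not MikroTik's default configuration). It demonstrates first-match termination, a PASSTHROUGH that only counts, a JUMP into a user-defined chain that LOGs, DROPs or RETURNs, and an explicit final DROP so that the implicit ACCEPT from the warning can never apply. It assumes an otherwise empty filter table and the LAN and WAN interface lists of the default configuration; the chain name wan-in, the log prefix and the comments are chosen for the example.

```routeros
/ip firewall filter
# Added example, not the default configuration. Assumes an empty filter
# table and the LAN/WAN interface lists created by the default config.

# Stateful baseline: keep replies flowing, discard packets that belong to no connection.
add chain=input action=accept connection-state=established,related,untracked comment="example: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="example: drop invalid"

# PASSTHROUGH only increments the rule counter; processing continues with the next rule.
add chain=input action=passthrough connection-state=new comment="example: count new connections to the router"

# JUMP: new connections arriving from WAN are handed to the user-defined chain wan-in.
# RouterOS creates the chain as soon as a rule references it.
add chain=input action=jump jump-target=wan-in connection-state=new in-interface-list=WAN comment="example: jump to wan-in"

# Management is accepted from LAN only; nothing below this line accepts anything.
add chain=input action=accept in-interface-list=LAN comment="example: accept from LAN"

# Explicit catch-all. Without it, a packet that matched no rule would be ACCEPTED.
add chain=input action=drop comment="example: final drop"

# User-defined chain wan-in. LOG does not terminate processing, so the DROP right
# after it still applies; the limit matcher keeps the log from being flooded.
add chain=wan-in action=log log-prefix="wan-mgmt" protocol=tcp dst-port=22,8291 limit=5/1m,10:packet comment="example: log SSH/WinBox attempts from WAN"
add chain=wan-in action=drop protocol=tcp dst-port=22,8291 comment="example: drop SSH/WinBox from WAN"

# RETURN: everything else goes back to the input chain, at the rule after the jump,
# where it falls through the LAN accept and ends in the explicit final drop.
add chain=wan-in action=return comment="example: return to input"
```

After some traffic has passed, /ip firewall filter print stats shows the passthrough counter growing without any packet being stopped by it, and /log print where topics~"firewall" shows the wan-mgmt entries. Because the chain ends in an explicit drop, every path by which you manage the router (LAN, a VPN interface, a specific WAN source) has to be accepted above that rule before the configuration is applied.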

Default MikroTik Firewall Rules

Cool Tip: Factory reset of a MikroTik router! Read more →

To show the default MikroTik firewall rules, execute:

[admin@MikroTik] > /system default-configuration print

The command above returns the default MikroTik configuration, which includes the default MikroTik firewall rules.

If you want to export it, you can do it using the following command:

[admin@MikroTik] > /system default-configuration print file=defConf.txt

Then you can copy the exported file from the MikroTik router to your computer:

C:\> sftp admin@192.168.88.1:defConf.txt

Alternatively, you can download it from a “Files” menu through a WinBox/WebFig interface.

Example

Here are the default IPv4 firewall rules on my MikroTik hAP AX³:

Let’s see what each of these default rules is doing 🤔.

🔄 A dummy rule that simply counts packets passing through the router:

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

This rule serves for passing the matching packets to the FORWARD chain (bypassing the other chains to speed up processing), where they might be marked as FastTracked.

To display the counters, execute:

[admin@MikroTik] > /ip firewall filter print stats
- or -
[admin@MikroTik] > /ip firewall filter print follow stats
- sample output -
Flags: D - DYNAMIC
Columns: CHAIN, ACTION, BYTES, PACKETS
 #   CHAIN    ACTION                         BYTES     PACKETS
;;; special dummy rule to show fasttrack counters
 0 D forward  passthrough           29 320 602 344  22 976 648
...

✔️ Allow packets entering the router that are part of already ESTABLISHED or RELATED connections, as well as packets that have been marked as UNTRACKED:

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

❌ Drop INVALID packets entering the router:

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

✔️ Allow ICMP packets (incl. ping) entering the router:

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

✔️ The next firewall rule is required for the CAPsMAN (Controlled Access Point system Manager) feature, which allows a MikroTik router to manage multiple wireless access points:

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

❌ Drop all packets entering the router that are not coming from an interface in the LAN interface list:

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

To display interface members in each interface list, execute:

[admin@MikroTik] > /interface list member print
- sample output -
Columns: LIST, INTERFACE
# LIST  INTERFACE
;;; defconf
0 LAN   bridge
;;; defconf
1 WAN   ether1

To list the interfaces that are members of the bridge, execute:

[admin@MikroTik] > /interface bridge port print value-list
- sample output -
interface: ether2   ether3   ether4   ether5  wifi1   wifi2
...

✔️ Accept packets passing through the router that match an IPsec (Internet Protocol Security) policy; the policies decide which traffic goes to which peer and how it is encrypted:

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

⏩ Mark packets passing through the router as FastTracked if they are a part of the already ESTABLISHED or RELATED connections:

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

When the first packet matches action=fasttrack-connection, all subsequent packets of that connection just fly through, bypassing the firewall, connection tracking, simple queues, etc., which can significantly improve performance.

ℹ️ Note that not all packets in a connection can be FastTracked, so it is likely to see some packets going through a slow path even though connection is marked for FastTrack. This is the reason why fasttrack-connection is followed by the identical action=accept rule (see below).

✔️ Allow packets passing through the router that are part of already ESTABLISHED or RELATED connections, as well as UNTRACKED packets:

 9    ;;; defconf: accept established,related,untracked
      chain=forward action=accept connection-state=established,related,untracked

❌ Drop INVALID packets passing through the router:

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

DROP packets passing through the router and requesting a NEW connection, if they are coming from one of the WAN interfaces and they are not DSTNATed (Destination NATed):

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

DSTNAT: Destination NAT changes the destination address in IP header of a packet. It may also change the destination port in the TCP/UDP headers. The typical usage of DSTNAT is to redirect incoming packets with a destination of a public IP-address:port to a private IP-address:port inside LAN.
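As an added example of DSTNAT interacting with rule 11 (this is not from the page or the default configuration), the following publishes an internal web server and adds a forward rule that admits exactly that service. The internal address 192.168.88.10 and the comments are placeholders for the example; the find expression uses the comment of the default rule 11 as shown above. Rule 11 would already accept this connection because its connection-nat-state is dstnat; the explicit accept plus the tightened drop restrict WAN-originated forwarding to the one published service, so an overly broad or mistaken dst-nat rule can no longer open the whole LAN.

```routeros
/ip firewall nat
# Rewrite the destination of TCP/443 arriving on WAN to the internal server (placeholder address).
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 to-addresses=192.168.88.10 to-ports=443 comment="example: publish web server"

/ip firewall filter
# Accept only this DSTNATed service; the rule is inserted in front of the default
# "drop all from WAN not DSTNATed" rule so it is evaluated first.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN protocol=tcp dst-address=192.168.88.10 dst-port=443 place-before=[find comment="defconf: drop all from WAN not DSTNATed"] comment="example: accept published web server"

# Tighten the default rule: removing connection-nat-state=!dstnat turns it into
# "drop every new connection from WAN", so any other DSTNATed traffic is dropped too.
set [find comment="defconf: drop all from WAN not DSTNATed"] !connection-nat-state comment="defconf (tightened): drop all new from WAN"

# Counters confirm that published connections are hitting the explicit accept rule.
print stats where comment~"published"
```

With in-interface-list=WAN on the dst-nat rule, only packets arriving from the Internet are rewritten; LAN clients reaching the public address (hairpin NAT) need a separate rule, which is deliberately left out here.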
