MikroTik RouterOS has a very powerful firewall implementation, and for those who are not very familiar with networking it may be hard to figure out how to configure it properly.
In this note you will find basic information that can help you understand better how the MikroTik firewall works.
Also, using the default MikroTik firewall config as an example, I will explain each of the rules.
To show the current MikroTik firewall filter rules, execute:

```
[admin@MikroTik] > /ip firewall filter print
[admin@MikroTik] > /ipv6 firewall filter print
```

To list the commands that have been used to configure those rules, execute:

```
[admin@MikroTik] > /ip firewall filter export
[admin@MikroTik] > /ipv6 firewall filter export
```

To show all the MikroTik firewall settings, execute:

```
[admin@MikroTik] > /ip firewall export verbose
[admin@MikroTik] > /ipv6 firewall export verbose
```
The MikroTik firewall operates by means of firewall rules.
Each rule consists of two parts:
- The matcher, which matches traffic flow against given conditions, e.g.
- The action which defines what to do with the matched packet.
The MikroTik firewall distinguishes 5 connection states that can apply to a particular network packet:

| Connection state | Description |
|---|---|
| new | A packet requesting a new connection, such as a |
| established | A packet that is a part of an existing connection. The |
| related | A packet that is requesting a new connection while being a part of another |
| invalid | A packet that is not part of any connections. It is suggested to |
| untracked | A packet that has been marked not to be tracked in the firewall RAW table. The RAW table allows exempting certain packets from connection tracking, which significantly reduces CPU load and is very useful for DoS attack mitigation. |
MikroTik firewall filtering rules are grouped together in chains.
This allows a packet to be matched against one common criterion in one chain and then be passed over to another chain for processing against some other common criterion (using
There are 3 predefined chains:

| Chain | Description |
|---|---|
| input | Used to process packets entering the router. |
| forward | Used to process packets passing through the router. |
| output | Used to process packets originated from the router. |

ℹ️ Packets passing through the router (FORWARD chain) are not processed against the rules of the
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom.
If a packet matches the criteria of the rule, then the specified action is performed on it and no more rules are processed in that chain (the exception is the
If the packet is matched by the rule, one of the following actions can be taken:

| Action | Description |
|---|---|
| accept | Accept the packet. An accepted packet won’t be passed to the next firewall rule. |
| drop | Silently drop the packet. |
| fasttrack-connection | Process packets from a connection using FastPath by enabling FastTrack for the connection. |
| jump | Jump to the user defined chain specified by the value of the |
| log | Add a message to the system log containing the following data: |
| passthrough | If the packet is matched by the rule, increase a counter and go to the next rule (useful for statistics). |
| reject | Drop the packet and send an |
| return | Passes control back to the chain from where the |
| tarpit | Captures and holds |
⚠️ Warning: If a packet hasn’t matched any of the rules within the built-in chains, then it will be
Default MikroTik Firewall Rules
To show the default MikroTik firewall rules, execute:

```
[admin@MikroTik] > /system default-configuration print
```

The command above returns the default MikroTik configuration, which includes the default MikroTik firewall rules.
If you want to export it, you can do so with the following command:

```
[admin@MikroTik] > /system default-configuration print file=defConf.txt
```

Then you can copy the exported file from the MikroTik router to your computer:

```
C:\> sftp email@example.com:defConf.txt
```
Alternatively, you can download it from the “Files” menu through the WinBox/WebFig interface.
Here are the default IPv4 firewall rules on my MikroTik hAP AX³:
Let’s see what each of these default rules is doing 🤔.
🔄 A dummy rule that simply counts packets passing through the router:

```
0 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough
```

This rule serves to pass the matching packets on through the FORWARD chain (bypassing the other chains to speed up processing), where they might be marked as FastTracked.
To display the counters, execute:

```
[admin@MikroTik] > /ip firewall filter print stats
```

or:

```
[admin@MikroTik] > /ip firewall filter print follow stats
```

Sample output:

```
Flags: D - DYNAMIC
Columns: CHAIN, ACTION, BYTES, PACKETS
#   CHAIN    ACTION       BYTES           PACKETS
;;; special dummy rule to show fasttrack counters
0 D forward  passthrough  29 320 602 344  22 976 648
...
```
✔️ Allow packets entering the router that are part of already ESTABLISHED or RELATED connections, as well as packets that have been marked as UNTRACKED:

```
1 ;;; defconf: accept established,related,untracked chain=input action=accept connection-state=established,related,untracked
```
❌ Drop INVALID packets entering the router:

```
2 ;;; defconf: drop invalid chain=input action=drop connection-state=invalid
```
✔️ Allow ICMP packets (incl. ping) entering the router:

```
3 ;;; defconf: accept ICMP chain=input action=accept protocol=icmp
```
✔️ The next firewall rule is required for the CAPsMAN (Controlled Access Point system Manager) feature, which allows a MikroTik router to manage multiple wireless access points:

```
4 ;;; defconf: accept to local loopback (for CAPsMAN) chain=input action=accept dst-address=127.0.0.1
```
❌ Drop all packets entering the router that are not coming from an interface in the LAN interface list:

```
5 ;;; defconf: drop all not coming from LAN chain=input action=drop in-interface-list=!LAN
```
To display the interface members of each interface list, execute:

```
[admin@MikroTik] > /interface list member print
```

Sample output:

```
Columns: LIST, INTERFACE
#   LIST  INTERFACE
;;; defconf
0   LAN   bridge
;;; defconf
1   WAN   ether1
```

To list the interfaces that are members of the bridge, execute:

```
[admin@MikroTik] > /interface bridge port print value-list
```

Sample output:

```
interface: ether2
           ether3
           ether4
           ether5
           wifi1
           wifi2
...
```
✔️ Accept packets passing through the router if they match an IPsec (Internet Protocol Security) policy; the policies decide which traffic should go to which peer and how it should be encrypted:

```
6 ;;; defconf: accept in ipsec policy chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy chain=forward action=accept ipsec-policy=out,ipsec
```
⏩ Mark packets passing through the router as FastTracked if they are part of already ESTABLISHED or RELATED connections:

```
8 ;;; defconf: fasttrack chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
```
When the first packet matches action=fasttrack-connection, all subsequent packets of that connection will just fly through, bypassing the firewall, connection tracking, simple queues, etc., which can significantly improve performance.
ℹ️ Note that not all packets in a connection can be FastTracked, so it is likely that some packets take the slow path even though the connection is marked for FastTrack. This is the reason why fasttrack-connection is followed by the identical action=accept rule (see below).
✔️ Allow packets passing through the router if they are part of already ESTABLISHED or RELATED connections, as well as allow the UNTRACKED packets:

```
9 ;;; defconf: accept established,related,untracked chain=forward action=accept connection-state=established,related,untracked
```
❌ Drop INVALID packets passing through the router:

```
10 ;;; defconf: drop invalid chain=forward action=drop connection-state=invalid
```
❌ Drop packets passing through the router that request a NEW connection, if they are coming from one of the WAN interfaces and are not DSTNATed (Destination NATed):

```
11 ;;; defconf: drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
```
DSTNAT: Destination NAT changes the destination address in the IP header of a packet. It may also change the destination port in the TCP or UDP header. The typical usage of DSTNAT is to redirect incoming packets with a destination of a public IP-address:port to a private
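To make the chain-processing semantics concrete (rules are tried top to bottom, the first match decides and stops the chain, passthrough only counts and continues, and a packet matching no rule of a built-in chain is accepted), here is an added Python example that is not part of the original post: it parses rules in the `print` format shown above and evaluates sample packets against the default input and forward rules. The rule lines embedded in it are copied from this page; the packet attributes (connection-state, in-interface-list, protocol, connection-nat-state) are assumed to be supplied by the caller under the same names as the matchers.

```python
import re
# Constructed sample: rules copied from this page in "/ip firewall filter print"
# form (number, optional flag such as D, ";;;" comment, then key=value matchers).
DEFAULT_RULES = """
0 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP chain=input action=accept protocol=icmp
5 ;;; defconf: drop all not coming from LAN chain=input action=drop in-interface-list=!LAN
9 ;;; defconf: accept established,related,untracked chain=forward action=accept connection-state=established,related,untracked
11 ;;; defconf: drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
"""
NON_MATCHERS = {"num", "comment", "chain", "action", "hw-offload"}  # properties, not matchers

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        toks, i = line.split(), 1
        if toks[i].isalpha() and toks[i].isupper():  # flag column, e.g. D = dynamic
            i += 1
        comment = []
        if toks[i] == ";;;":  # the comment runs up to the first key=value token
            i += 1
            while not re.match(r"^[\w-]+=", toks[i]):
                comment.append(toks[i])
                i += 1
        props = dict(t.split("=", 1) for t in toks[i:])
        rules.append({"num": int(toks[0]), "comment": " ".join(comment), **props})
    return rules

def matches(rule, pkt):
    """Every matcher must hold; a leading '!' negates, a comma list is a set."""
    for key, val in rule.items():
        if key not in NON_MATCHERS:
            negate = val.startswith("!")
            if (pkt.get(key) in val.lstrip("!").split(",")) == negate:
                return False
    return True

def evaluate(rules, chain, pkt, default="accept"):
    """First match wins; passthrough only counts and continues; no match -> default."""
    trace = []  # numbers of the rules the packet matched, in order
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            trace.append(r["num"])
            if r["action"] != "passthrough":
                return r["action"], trace
    return default, trace

RULES = parse_rules(DEFAULT_RULES)
```

The returned trace shows that every forward packet hits the dummy rule 0 and is still processed further, and that an ICMP packet from WAN is accepted by rule 3 before the "drop all not coming from LAN" rule 5 is ever reached.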