MikroTik: Firewall – Default Config & Basics For Dummies

MikroTik RouterOS has a very powerful firewall implementation and for ones who are not very familiar with networking it may be complex to figure out how to configure it properly.

In this note you will find a basic information that can help you to understand better how MikroTik firewall works.

Also, on the example of the default MikroTik firewall config, I will explain each of the rules.

Cool Tip: List MikroTik RouterOS firewall rules! Read more →

MikroTik Firewall

To show the current MikroTik firewall filter rules, execute:

[admin@MikroTik] > /ip firewall filter print
[admin@MikroTik] > /ipv6 firewall filter print

To list the commands that have been used to configure that rules, execute:

[admin@MikroTik] > /ip firewall filter export
[admin@MikroTik] > /ipv6 firewall filter export

To show all the MikroTik firewall settings, execute:

[admin@MikroTik] > /ip firewall export verbose
[admin@MikroTik] > /ipv6 firewall export verbose


The MikroTik firewall operates by means of firewall rules.

Each rule consists of two parts:

  1. The matcher, which matches traffic flow against given conditions, e.g. CONNECTION-STATE, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, etc.
  2. The action which defines what to do with the matched packet.

Connection States

In each MikroTik firewall, there are 5 connection states which can be applied to a particular network packet:

Connection State Description
NEW A packet requesting a new connection, such as a SYN packet in TCP.
ESTABLISHED A packet that is a part of an existing connection. The NEW connection gets into the ESTABLISHED state upon receiving the reply packet to or through the firewall.
RELATED A packet that is requesting a new connection while being a part of another ESTABLISHED connection. For example, FTP establishes connection on port 21, but to transfer data it spawns a new connection (typically on port 20) that will be considered as RELATED.
INVALID A packet that is not part of any connections. It is suggested to DROP everything in this state.
UNTRACKED A packet that has been marked not to be tracked in a firewall RAW table. The RAW table allows to exempt certain packets from connection tracking, that significantly reduces load on CPU and is very useful for DOS attack mitigation.


MikroTik firewall filtering rules are grouped together in chains.

It allows a packet to be matched against one common criteria in one chain and then pass over for processing against some other common criteria to another chain (using JUMP action).

There are 3 predefined chains:

Firewall Chain Description
INPUT Used to process packets entering the router (DST address – one of the router’s addresses).
FORWARD Used to process packets passing through the router. (SRC and DST addresses are not on the router.
OUTPUT Used to process packets originated from the router (SRC address – one of the router’s addresses).

ℹ️ Packets passing through the router (FORWARD chain) are not processed against the rules of the INPUT and OUTPUT chains.

When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom.


If a packet matches the criteria of the rule, then the specified action is performed on it and no more rules are processed in that chain (the exception is the PASSTHROUGH action).

If the packet is matched by the rule, one of the following actions can be taken:

Action Description
ACCEPT Accept the packet. Accepted packet won’t be passed to the next firewall rule.
ADD-DST-TO-ADDRESS-LIST Add a DST address to an address list specified by the address-list parameter.
ADD-SRC-TO-ADDRESS-LIST Add a SRC address to an address list specified by the address-list parameter.
DROP Silently drop the packet.
FASTTRACK-CONNECTION Process packets from a connection using FastPath by enabling FastTrack for the connection.
JUMP Jump to the user defined chain specified by the value of the jump-target parameter.
LOG Add a message to the system log containing the following data: IN-INTERFACE, OUT-INTERFACE, SRC-MAC, PROTOCOL, SRC-IP:PORT → DST-IP:PORT and a length of the packet. After the packet is matched it will be passed to the next rule in the list (similar to PASSTHROUGH).
PASSTHROUGH If the packet is matched by the rule, increase a counter and go to the next rule (useful for statistics).
REJECT Drop the packet and send an ICMP reject message.
RETURN Passes control back to the chain from where the JUMP took place.
TARPIT Captures and holds TCP connections (replies with SYN/ACK to the inbound TCP SYN packet).

⚠️ Warning: If a packet hasn’t matched any of the rules within the built-in chains, then it will be ACCEPTED!

Default MikroTik Firewall Rules

Cool Tip: Factory reset of a MikroTik router! Read more →

To show the default MikroTik firewall rules, execute:

[admin@MikroTik] > /system default-configuration print

The command above returns the default MikroTik configuration, that includes the default MikroTik firewall rules.

If you want to export it, you can do it using the following command:

[admin@MikroTik] > /system default-configuration print file=defConf.txt

Then you can copy the exported file from the MikroTik router to your computer:

C:\> sftp admin@

Alternatively, you can download it from a “Files” menu through a WinBox/WebFig interface.


Here are the default IPv4 firewall rules on my MikroTik hAP AX³:

Let’s see what each of these default rules is doing 🤔.

🔄 A dummy rule that simply counts packets passing through the router:

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

This rule serves for passing the matching packets to the FORWARD chain (and bypassing the other chains to speedup the processing) where they might be marked as FastTracked.

To display the counters, execute:

[admin@MikroTik] > /ip firewall filter print stats
- or -
[admin@MikroTik] > /ip firewall filter print follow stats
- sample output -
Flags: D - DYNAMIC
 #   CHAIN    ACTION                         BYTES     PACKETS
;;; special dummy rule to show fasttrack counters
 0 D forward  passthrough           29 320 602 344  22 976 648

✔️ Allow packets entering the router, that are a part of the already ESTABLISHED or RELATED connections, as well as allow packets that have been marked as UNTRACKED:

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

❌ Drop INVALID packets entering the router:

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

✔️ Allow ICMP packets (incl. ping) entering the router:

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

✔️ The next firewall rule is required for CAPsMAN (Controlled Access Point system Manager) feature, that allows a MikrRotik router to manage multiple wireless access points:

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=

❌ Drop all packet entering the router, that are not coming from a LAN interface list:

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

To display interface members in each interface list, execute:

[admin@MikroTik] > /interface list member print
- sample output -
;;; defconf
0 LAN   bridge
;;; defconf
1 WAN   ether1

To list the interface that are the members of the bridge, execute:

[admin@MikroTik] > /interface bridge port print value-list
- sample output -
interface: ether2   ether3   ether4   ether5  wifi1   wifi2

✔️ Check all packets passing through the router if they match IPsec (Internet Protocol Security) policies, that decide which traffic should go to what peer and how it should be encrypted:

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

⏩ Mark packets passing through the router as FastTracked if they are a part of the already ESTABLISHED or RELATED connections:

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

When the first packet matches action=fasttrack-connection, all subsequent packets will just fly through, bypassing firewall, connection tracking, simple queues, etc., that can significantly improves the performance.

ℹ️ Note that not all packets in a connection can be FastTracked, so it is likely to see some packets going through a slow path even though connection is marked for FastTrack. This is the reason why fasttrack-connection is followed by the identical action=accept rule (see below).

✔️ Allow packets passing through the router, if they are a part of the already ESTABLISHED or RELATED connections, as well as allow the UNTRACKED packets:

 9    ;;; defconf: accept established,related,untracked
      chain=forward action=accept connection-state=established,related,untracked

❌ Drop INVALID packets passing through the router:

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

DROP packets passing through the router and requesting a NEW connection, if they are coming from one of the WAN interfaces and they are not DSTNATed (Destination NATed):

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

DSTNAT: Destination NAT changes the destination address in IP header of a packet. It may also change the destination port in the TCP/UDP headers. The typical usage of DSTNAT is to redirect incoming packets with a destination of a public IP-address:port to a private IP-address:port inside LAN.

Was it useful? Share this post with the world!

Leave a Reply