Learning Mikrotik: Basic Mikrotik Firewall – In this article, Mikrotik Networking will discuss the basic firewall features of the Mikrotik router. But first, let’s learn what a firewall is.
What is a Firewall?
A firewall is a device that inspects data packets and decides which of them may enter or leave a network. With this capability, the firewall protects the network from attacks originating from external networks. The firewall implements packet filtering and thus provides the security functions used to manage the data streams to, from and through the router. For example, the firewall can be used to protect the local network (LAN) from attacks coming from the Internet. In addition to protecting a network, a firewall can also protect an individual computer or host (host firewall).
Firewalls are used to prevent or minimize the security risks inherent in connecting to other networks. A properly configured firewall plays an important role in an efficient network deployment and a secure infrastructure. MikroTik RouterOS has a very powerful firewall implementation with features including:
- stateful packet inspection
- Layer-7 protocol detection
- peer-to-peer protocol filtering
- traffic classification by:
  - source MAC address
  - IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
  - port or port range
  - IP protocols
  - protocol options (ICMP type and code fields, TCP flags, IP options, and MSS)
  - interface the packet arrived from or left through
  - internal flow and connection marks
  - DSCP byte
  - packet content
  - rate at which packets arrive and sequence numbers
  - packet size
  - packet arrival time
You can access the Mikrotik firewall in Winbox via the menu IP -> Firewall.
Chain on Mikrotik Firewall
Firewalls operate by using firewall rules. Each rule consists of two parts – a matcher that matches the traffic flow against the given conditions, and an action that defines what to do with the matching packet. Firewall filtering rules are grouped together in chains. This allows packets to be matched against one common criterion in a single chain and then passed to another chain for processing against some other common criteria.
For example, suppose packets must be matched against a set of IP address:port pairs. Of course, that can be accomplished by adding a separate rule with the corresponding IP address and port for each pair in the forward chain, but a better way is to add one rule that matches traffic from a particular IP address and jumps to a dedicated chain, for example: /ip firewall filter add src-address=220.127.116.11/32 jump-target="mychain".
There are three pre-defined chains on RouterOS Mikrotik:
- Input – used to process packets entering the router through one of its interfaces whose destination IP address is one of the router’s own addresses. The input chain is useful for restricting configuration access to the Mikrotik router.
- Forward – used to process data packets that pass through the router.
- Output – used to process packets that originate from the router itself and leave through one of its interfaces.
When a chain is processed, its rules are evaluated in order from top to bottom. If a packet matches a rule’s criteria, the rule’s action is performed on it and no further rules in the chain are processed. If the packet does not match any of the rules in the chain, the packet is accepted.
Connection State (The status of the data packets through the router)
- Invalid: a packet that does not belong to any known connection and is of no use.
- New: the packet that opens a connection, i.e. the first packet of a connection.
- Established: a packet that continues a connection which has already been seen in the New state.
- Related: a packet that opens a new connection but is associated with an existing connection.
Action Filter RouterOS Mikrotik Firewall
In Mikrotik firewall configuration there are several Action options, including:
- Accept: the packet is accepted and no further rules are evaluated
- Drop: silently drop the packet (no ICMP rejection message is sent)
- Reject: drop the packet and send an ICMP rejection message
- Jump: jump to another chain specified by the value of the jump-target parameter
- Tarpit: refuse the packet but keep the incoming TCP connection open (reply with SYN/ACK to incoming TCP SYN packets)
- Passthrough: ignore this rule and go on to the next rule
- log: add information about the packet to the system log
Example of Firewall Usage on Mikrotik Router
Let’s say our private network is 192.168.0.0/24 and the public (WAN) interface is ether1. We will set up a firewall that allows connections to the router itself only from our local network and drops the rest. We will also allow ICMP so that anyone can ping our router from the Internet. Here are the commands:
/ip firewall filter
add chain=input connection-state=invalid action=drop \
    comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
    comment="Allow Established connections"
add chain=input protocol=icmp action=accept \
    comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
    in-interface=!ether1
add chain=input action=drop comment="Drop everything"
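To see how the chain semantics described earlier (top-to-bottom evaluation, first match wins, jump into a user chain, default accept) play out on the rule set above, here is a small Python model added for this article; it is not RouterOS code or anything from the Mikrotik project, and the rule list, the "mychain" jump and all packet values are constructed for illustration.

```python
import ipaddress

# Added example, not from the article: a model of how RouterOS walks a filter chain.
def rule(chain, action, jump_target=None, **match):
    """One rule; a match value starting with '!' is negated, as in in-interface=!ether1."""
    return {"chain": chain, "action": action, "jump_target": jump_target, "match": match}

def field_matches(key, want, have):
    negate = want.startswith("!")
    want = want.lstrip("!")
    if key == "src_address":   # CIDR matcher like src-address=192.168.0.0/24
        hit = have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    else:
        hit = have == want
    return hit != negate

def run_chain(rules, chain, pkt, depth=0):
    """Walk `chain` top to bottom; return the terminating action, or None if the chain falls through."""
    assert depth < 16, "jump loop"
    for r in rules:
        if r["chain"] != chain or not all(field_matches(k, w, pkt.get(k)) for k, w in r["match"].items()):
            continue
        if r["action"] == "passthrough":   # only counts the packet; keep evaluating
            continue
        if r["action"] == "jump":          # evaluate the target chain; resume here if it falls through
            result = run_chain(rules, r["jump_target"], pkt, depth + 1)
            if result is not None:
                return result
            continue
        return r["action"]                 # accept/drop/reject/tarpit end processing
    return None

def filter_packet(rules, pkt):
    """A built-in chain accepts a packet that matched none of its rules."""
    return run_chain(rules, pkt["chain"], pkt) or "accept"

# The article's input chain, in evaluation order.
RULES = [
    rule("input", "drop", connection_state="invalid"),
    rule("input", "accept", connection_state="established"),
    rule("input", "accept", protocol="icmp"),
    rule("input", "accept", src_address="192.168.0.0/24", in_interface="!ether1"),
    rule("input", "drop"),
]
# A jump into a user chain (constructed): TCP from this net passes a counting rule, then is dropped.
JUMP_RULES = [
    rule("input", "jump", jump_target="mychain", src_address="203.0.113.0/24"),
    rule("mychain", "passthrough", protocol="tcp"),
    rule("mychain", "drop", protocol="tcp"),
]
```

Note that a packet carrying a LAN source address but arriving on ether1 is not accepted by the fourth rule and falls through to the final drop, which is exactly why that rule carries in-interface=!ether1.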
That is enough for this lesson on the basic Mikrotik firewall. A more detailed explanation of the Mikrotik firewall will follow in the next article. Thank you, and hopefully this article is useful 🙂