Configuring MikroTik Firewall – Best Practices

Table of Contents

1. Introduction
2. Establish a Clear Rule Order
3. Use Address Lists
4. Implement Connection Tracking
5. Drop Invalid Packets
6. Utilize FastTrack
7. Limit Connection Rates
8. Comment on Rules
9. Test Rules Before Deployment
10. Regularly Review and Update Rules
11. Protect Against Specific Threats
12. Conclusion

Introduction

Configuring MikroTik Firewall is crucial for maintaining network security and performance. Properly set firewall rules can protect your network from unauthorized access and various cyber threats. This guide outlines best practices for configuring MikroTik firewall to optimize security and efficiency.

Establish a Clear Rule Order

The order of firewall rules significantly impacts their effectiveness, as MikroTik processes rules sequentially from top to bottom.

Best Practices:

1. Allow Established and Related Connections: Start your rule set with a rule that permits established and related connections to ensure that return traffic is allowed for ongoing sessions.
   • Example:

     /ip firewall filter add chain=input connection-state=established,related action=accept
     

2. Specific Allow Rules: Follow up with specific allow rules for trusted sources, such as your management IP or trusted networks. For instance, if you need to allow SSH access from a specific IP:
   • Example:

     /ip firewall filter add chain=input protocol=tcp dst-port=22 src-address=192.168.1.100 action=accept
     

3. Drop Invalid Packets: Create a rule to drop invalid packets right after allowing necessary traffic.
   • Example:

     /ip firewall filter add chain=input connection-state=invalid action=drop
     

4. Final Drop Rule: End with a catch-all drop rule that blocks all other traffic not explicitly allowed.
   • Example:

     /ip firewall filter add chain=input action=drop
     

Use Address Lists

Organizing IP addresses into address lists simplifies rule management and enhances readability.

Best Practices:

• Creating Address Lists: Use address lists to group IP addresses based on roles or functions, such as trusted clients, servers, or specific geographic locations.
  • Example:

    /ip firewall address-list add list=trusted_clients address=192.168.1.0/24
    

• Applying Address Lists in Rules: You can then reference these lists in your firewall rules, making it easier to manage permissions.
  • Example:

    /ip firewall filter add chain=input src-address-list=trusted_clients action=accept
    

Implement Connection Tracking

Utilizing connection tracking allows the firewall to maintain stateful rules effectively.

Best Practices:

• Enable Connection Tracking: Ensure that connection tracking is enabled by default in MikroTik RouterOS.
• Stateful Rules: Create stateful rules that allow return traffic for established connections while blocking new unsolicited requests.
  • Example:

    /ip firewall filter add chain=input connection-state=established action=accept
    

Drop Invalid Packets

Create a rule to drop invalid packets that do not conform to standard TCP/IP protocols.

Best Practices:

• Invalid Packet Rule: Implement a rule specifically designed to drop invalid packets, which helps prevent exploitation of vulnerabilities within your network.
  • Example:

    /ip firewall filter add chain=input connection-state=invalid action=drop
    

Utilize FastTrack

Enable FastTrack for high-performance traffic handling, especially for established connections.

Best Practices:

• FastTrack Configuration: Use FastTrack to speed up the processing of established connections while ensuring it does not interfere with critical protocols like IPsec.
  • Example:

    /ip firewall filter add chain=forward connection-state=established action=fasttrack-connection
    

• Considerations: Be cautious when using FastTrack with VPNs or other sensitive applications; test thoroughly to ensure no disruptions occur.

Limit Connection Rates

Implement connection limits per IP address to mitigate denial-of-service (DoS) attacks.

Best Practices:

• Rate Limiting Rules: Set up rate limiting on specific services or ports to prevent abuse.
  • Example:

    /ip firewall filter add chain=input protocol=tcp dst-port=80 connection-limit=10,32 action=drop
    

This rule limits each IP address to a maximum of 10 simultaneous connections on port 80 (HTTP).

Comment on Rules

Adding comments to your firewall rules is essential for clarity and future reference.

Best Practices:

• Use Descriptive Comments: Always include comments that describe the purpose of each rule.
  • Example:

    /ip firewall filter add chain=input protocol=tcp dst-port=22 src-address=192.168.1.100 action=accept comment="Allow SSH from trusted management IP"
    

This practice aids in future troubleshooting and helps others understand the rationale behind each configuration.

Test Rules Before Deployment

Always test new configurations in “Safe Mode” to maintain access during changes.

Best Practices:

• Safe Mode Usage: Use Safe Mode when making significant changes to your configuration, allowing you to revert if something goes wrong without losing access.
• Testing Environment: If possible, set up a testing environment where you can trial new configurations before applying them in production.

Regularly Review and Update Rules

Periodically audit your firewall rules to remove outdated entries and adjust configurations based on evolving network needs and security threats.

Best Practices:

• Scheduled Reviews: Set regular intervals (e.g., monthly or quarterly) for reviewing your firewall rules.
• Log Analysis: Analyze logs regularly to identify any unusual patterns or unauthorized access attempts that may necessitate rule adjustments.

Protect Against Specific Threats

Implement specialized rules to guard against common threats.

Best Practices:

1. Block Unnecessary DNS Requests: If DNS is handled internally, block external DNS requests.
   • Example:

     /ip firewall filter add chain=input protocol=udp dst-port=53 action=drop comment="Block external DNS requests"
     

2. Drop Bogon IPs: Create rules to drop packets from known bogon IP ranges (unallocated IP addresses).
   • Example:

     /ip firewall filter add chain=input src-address-list=bogon_ips action=drop comment="Drop bogon IPs"
     

3. Layer7 Protocols: For deeper inspection of traffic patterns, consider using Layer7 protocol matching but be aware of potential performance impacts.
   • Example:

     /ip firewall layer7-protocol add name="http" regexp="^GET|POST"
     /ip firewall filter add chain=input layer7-protocol=http action=accept comment="Allow HTTP traffic"
     

Conclusion

By following these best practices for configuring MikroTik firewall, you can enhance your network’s security while maintaining optimal performance. Implementing a clear structure, using address lists, and regularly reviewing your configurations are essential steps in protecting your network from potential threats.

For more detailed discussions or examples, consider visiting MikroTik forums or community resources where experienced users share their insights and configurations.

This expanded blog post provides more depth and practical examples for each best practice, making it suitable for readers looking to enhance their understanding of MikroTik firewalls effectively!