Featured image for security/firewalls/antivirus topics

How to Set Up MikroTik as a Transparent Firewall

Byadmin
Share
Tweet
Share
Pin
0 Shares

A transparent firewall filters network traffic without acting as a gateway. It works in Layer 2, meaning it processes packets without changing their destination or source IP addresses. This setup is common in enterprise networks where stealthy packet filtering is required between internal and external segments.

MikroTik RouterOS offers a powerful and cost-effective way to deploy a Layer 2 firewall using its bridge interface and bridge firewall rules.

This guide shows how to configure MikroTik RouterOS as a transparent firewall, from planning to deployment.

What Is a Transparent Firewall?

  • Operates at Layer 2 (Data Link)
  • Does not perform routing or NAT
  • Has no IP address on filtering interfaces
  • Uses bridge interfaces to inspect traffic

Key Use Cases

  • Inline packet filtering between two networks
  • Passive security enforcement
  • Blocking unauthorized MAC or IP traffic
  • Filtering traffic between VLANs

Why Use MikroTik for Transparent Firewalling?

MikroTik is widely used in small to medium enterprise environments because it provides:

  • Full-featured firewall capabilities
  • Layer 2 filtering through bridge firewall rules
  • High performance at a low cost
  • Advanced traffic tools like Torch and Sniffer

Supported Features

  • Stateful firewall rules (using connection tracking)
  • Filtering by MAC, IP, port, protocol
  • Traffic logging
  • FastPath and FastTrack for performance tuning

Prerequisites and Planning

Hardware Requirements

  • MikroTik router with at least two Ethernet interfaces
  • RouterOS v6.41+ (latest RouterOS 7.x recommended)
  • CPU and RAM suitable for expected throughput

Topology Planning

[LAN Segment] <--> [MikroTik Transparent Firewall] <--> [Internet Gateway]

Checklist

  • Router is reset to factory defaults
  • No IP addresses on bridge interfaces
  • Backup access available via management port
  • System backup completed

Step-by-Step: MikroTik Transparent Firewall Setup

1: Create Bridge and Add Interfaces

/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge settings set use-ip-firewall=yes

2: Set Admin MAC Address

/interface bridge set bridge1 admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no

3: Remove IP Addresses from Interfaces

/ip address remove [find interface=ether1]
/ip address remove [find interface=ether2]

4: Enable Bridge Firewall and Connection Tracking

/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking set enabled=yes

5: Add Bridge Filter Rules

Allow Specific MAC:

/interface bridge filter
add action=accept chain=forward src-mac-address=00:11:22:33:44:55
add action=drop chain=forward

Block Telnet:

add action=drop chain=forward protocol=tcp dst-port=23

Allow Only DNS and HTTP(S):

add action=accept chain=forward protocol=udp dst-port=53
add action=accept chain=forward protocol=tcp dst-port=80,443
add action=drop chain=forward

Log and Drop Invalid Packets:

add action=log chain=forward connection-state=invalid log-prefix="Invalid Packet"
add action=drop chain=forward connection-state=invalid

6: Monitor and Log Traffic

/tool torch interface=bridge1
/system logging add topics=firewall action=memory
/tool sniffer set interface=bridge1 filter-ip-address=192.168.1.1 filter-port=80
/tool sniffer start

7: Performance Tuning

/ip settings set fasttrack-connection-tracking=no
/tool profile

Testing and Verification

  • Use ping to verify connectivity on both sides
  • Check bridge rule counters: /interface bridge filter print stats
  • Review logs for dropped packets
  • Monitor live traffic with Torch

Real-World Deployment Scenarios

  • Inline firewall between LAN and WAN
  • Transparent VLAN filtering between trunks
  • MAC-based filtering for guest isolation

Security Best Practices

  • Apply default deny rule: add action=drop chain=forward
  • Log before dropping during testing
  • Disable unused services: 
    /ip service disable [find name=telnet]
/ip service disable [find name=ftp]
  • Assign a strong admin password
  • Update RouterOS regularly

Common Mistakes to Avoid

Mistake Fix
IP address on bridged ports Remove IPs from bridge-connected ports
No default drop rule Add drop rule at the bottom
Using IP firewall chains Use bridge filter chains only
FastPath interfering Disable FastPath in bridge settings
Blocking management access Keep a separate port for management

Conclusion

MikroTik can function as a transparent firewall using bridge interfaces and bridge firewall rules. This allows Layer 2 filtering without changing routing or IP addressing. This setup is ideal for securing traffic between network zones with minimal disruption.

Bonus: MikroTik Transparent Firewall Script

/interface bridge
add name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set enabled=yes
/interface bridge filter
add action=accept chain=forward src-mac-address=00:11:22:33:44:55
add action=drop chain=forward
add action=drop chain=forward connection-state=invalid
/ip address
add address=192.168.88.1/24 interface=ether5

FAQs

Q: Can MikroTik act as a bridge and still filter packets?
A: Yes. Enable use-ip-firewall to apply bridge filter rules.

Q: Does this affect VLAN traffic?
A: No, unless explicitly filtered. Use use-ip-firewall-for-vlan=yes if needed.

Q: Will this introduce latency?
A: Minimal. Disabling FastPath and enabling tracking slightly increases CPU usage.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *