Beginner’s Guide: Setting Up a Basic Firewall on MikroTik

  • Mikrotik, Network Security

Hello again! It’s Emmanuel Corels from Emmanuel Corels Creatives. In this guide, we’ll cover one of the most essential aspects of securing your network—setting up a basic firewall on your MikroTik router. We’ll focus on everyday scenarios for home or small office environments, using WinBox for an easy, step-by-step configuration.


Why a Firewall?

A firewall acts as a gatekeeper for your network. It filters incoming and outgoing traffic based on rules you define, protecting your devices from unwanted access or malicious traffic. For a typical home setup, you might want to:

  • Block unsolicited inbound traffic from the internet.
  • Allow only essential services (like web browsing and email).
  • Protect your private LAN from external threats while allowing your devices to communicate freely.

Understanding Firewall Basics

Before we dive into configuration, here are a few key concepts:

  • Chains:

    • Input: Traffic destined for the router itself.
    • Forward: Traffic passing through the router (from one network to another).
    • Output: Traffic originating from the router.
  • Connection States:

    • Established/Related: Traffic that is part of an existing connection.
    • New: Traffic that initiates a new connection.
    • Invalid: Packets that don’t belong to any known connection.
  • Default Policies:
    A “default deny” stance means that everything not explicitly allowed is dropped. Note that RouterOS has no configurable chain policy: if no rule in a chain matches, the packet is accepted. Default deny is therefore implemented by placing an explicit drop rule at the bottom of the chain, below the accept rules for established/related traffic and for the services you need.


Step 1: Review Default Configuration

MikroTik’s default configuration usually includes basic firewall rules. To check:

  1. Open WinBox and go to IP → Firewall → Filter Rules.
  2. Look for rules that:
    • Accept established/related traffic.
    • Drop invalid packets.
    • Allow necessary services (such as WinBox, if needed).

If you’re starting from a default configuration, you will typically already see:

  • A rule in the input chain accepting established and related (on recent versions also untracked) connections.
  • A rule dropping invalid packets, and one accepting ICMP so the router answers ping.
  • A final rule dropping everything else that did not arrive from the LAN. Recent default configurations express this with interface lists (in-interface-list=!LAN) rather than by naming the WAN port.

The default configuration also contains rules in the forward chain (among them a drop for new connections from the WAN that are not port-forwarded). The rules in this guide only touch the input chain, so leave those forward rules in place.

Step 2: Create Your Own Basic Firewall Rules

For a home network, let’s create a simple set of rules that you can modify as needed.

1. Allow Established and Related Connections

This rule ensures that once a connection is initiated, the return traffic is allowed without rechecking all conditions.

  • Chain: input
  • Connection State: established,related
  • Action: accept
  • Comment: “Allow established/related connections”

CLI equivalent:

/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow established/related connections"

2. Drop Invalid Packets

Invalid packets can be a sign of network issues or malicious activity.

  • Chain: input
  • Connection State: invalid
  • Action: drop
  • Comment: “Drop invalid packets”

CLI equivalent:

/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid packets"

3. Allow Specific Management Access

If you need remote access for management (like WinBox or SSH), add rules that allow it from trusted IP ranges only. Keep this rule as narrow as you can: a trusted LAN range is enough for a home router, and exposing WinBox or SSH to the whole internet, even with a strong password, is exactly the kind of unsolicited inbound access the firewall exists to block.

  • Chain: input
  • Protocol: tcp
  • Dst. Port: 8291 (for WinBox) and/or 22 (for SSH); one rule can list both as 8291,22
  • Src. Address: Your trusted IP or IP range (e.g., 192.168.88.0/24 or your office IP)
  • Action: accept
  • Comment: “Allow management access”

For defence in depth, also restrict the services themselves under IP → Services (the Available From field of the winbox and ssh entries), so that a mis-ordered filter rule cannot expose them.

CLI equivalent:

/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address=192.168.88.0/24 action=accept comment="Allow WinBox from trusted LAN"

4. Drop All Other Inbound Traffic on the WAN

This is your “default deny” rule. It ensures that any traffic arriving from the internet that was not explicitly allowed above is dropped. Remember that RouterOS accepts anything no rule matches, so without this rule the input chain is effectively wide open from the WAN.

  • Chain: input
  • In. Interface: Your WAN interface (e.g., ether1 or pppoe-out1)
  • Action: drop
  • Comment: “Drop all other inbound traffic”

CLI equivalent:

/ip firewall filter add chain=input in-interface=ether1 action=drop comment="Drop all other inbound traffic"

Note: Adjust the interface name as needed. If you’re using PPPoE, the internet-facing interface is the PPPoE client (pppoe-out1), not the Ethernet port it runs over, and the drop rule must reference it. Two further caveats: this rule only covers the input chain, so devices on your LAN can still reach every router service (acceptable for most home networks, but it is why the management rule above still matters); and these are IPv4 rules. If your ISP provides IPv6, the router needs equivalent rules under IPv6 → Firewall, because nothing here applies to IPv6 traffic.
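The four steps above as one ordered, complete rule set, added here as an example and not taken from the original post. It assumes the default interface names (ether1 as WAN, the bridge named bridge as LAN) and the default LAN subnet 192.168.88.0/24, and it goes a little beyond the steps: it uses interface lists so the WAN rule survives a change of uplink, adds the forward-chain rules and the masquerade rule the guide relies on, and pins the management services to the LAN.

```routeros
# Added example (not from the original post). Assumes: WAN on ether1,
# LAN on the default bridge named "bridge", LAN subnet 192.168.88.0/24.
# Run it from a WinBox terminal with Safe Mode enabled (Ctrl-X in the CLI)
# so that a mistake which cuts your session off is rolled back automatically.

# 1. Interface lists: the rules reference the list, so moving the uplink
#    from ether1 to pppoe-out1 later only changes the membership below.
/interface list add name=WAN comment="Internet-facing"
/interface list add name=LAN comment="Trusted local network"
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

# 2. Input chain: traffic to the router itself. Evaluated top to bottom,
#    first match wins, so the accepts sit above the final drop.
/ip firewall filter
add chain=input connection-state=established,related,untracked action=accept \
    comment="Allow established/related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid packets"
add chain=input protocol=icmp action=accept comment="Allow ICMP (ping, path MTU)"
add chain=input protocol=tcp dst-port=8291,22 src-address=192.168.88.0/24 \
    in-interface-list=LAN action=accept comment="Allow WinBox from trusted LAN"
# Default deny for everything else arriving from the internet. RouterOS has
# no implicit deny: without this rule, unmatched packets are accepted.
add chain=input in-interface-list=WAN action=drop comment="Drop all other inbound traffic"

# 3. Forward chain: traffic passing through the router. The input rules
#    above do nothing for this chain, so it needs its own default deny.
add chain=forward connection-state=established,related,untracked action=accept \
    comment="Allow established/related through"
add chain=forward connection-state=invalid action=drop comment="Drop invalid through"
# New connections from the internet are only allowed when a dst-nat rule
# (a port forward) explicitly created them.
add chain=forward connection-state=new in-interface-list=WAN connection-nat-state=!dstnat \
    action=drop comment="Drop new WAN connections that are not port-forwarded"

# 4. Source NAT so the LAN can reach the internet. If this is missing, LAN
#    hosts lose internet access even though the filter rules are correct.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="Masquerade LAN to WAN"

# 5. Defence in depth: bind the management services to the LAN subnet too,
#    so a mis-ordered filter rule cannot expose them, and switch off the
#    plaintext services a home router does not need.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api
```

Paste the block into the terminal in one go, or save it as a script, but only after confirming that Safe Mode is active; the forward-chain and NAT sections duplicate what a default configuration already has, so on a router that still carries its defaults, skip those sections rather than adding a second copy of each rule.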


Step 3: Apply and Test Your Rules

  1. Order Matters:
    In MikroTik, firewall rules are processed top-to-bottom, and the first match wins. Make sure your “allow” rules are placed above the general “drop” rule; a rule added later with “add” lands at the bottom of the chain, below the drop, where it never sees WAN traffic. Before you add or move rules, click Safe Mode in WinBox (Ctrl-X in the terminal): if your session is cut off, RouterOS rolls the changes back automatically, which is the easiest way to avoid locking yourself out.

  2. Testing:

    • From a device inside your network, try accessing services (like browsing or using WinBox) to confirm that allowed traffic passes through.
    • From an external connection (if possible, for example a phone on mobile data), check that unsolicited traffic such as ping and WinBox to your public address is blocked.
    • Watch the packet counters in IP → Firewall → Filter Rules; a rule that never counts up is either never reached or too narrow to match.
    • Use the Log window (Log in the WinBox menu; the topics it records are configured under System → Logging) to monitor firewall activity. You can temporarily enable logging on a rule (the Log checkbox) to see when it fires.
  3. Adjust as Needed:
    The above rules are a starting point. Depending on your network’s needs, you might want to add rules to allow VPN traffic, email servers, or other services. Add each new allow rule above the final drop, and keep it as specific (protocol, port, source) as the service allows.
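A terminal session that checks the rules behave as intended, added here as an example and not part of the original post. It assumes the rule comments used in Step 2 and a masquerade rule in the srcnat chain.

```routeros
# Added example (not from the original post). Assumes the rule comments
# from Step 2 ("Allow WinBox from trusted LAN", "Drop all other inbound
# traffic") and a masquerade rule in the srcnat chain.

# Zero the hit counters so only the traffic you generate next is counted.
/ip firewall filter reset-counters-all

# Show the rule order with packet/byte counters; the first column is the
# position RouterOS evaluates, top to bottom.
/ip firewall filter print stats

# Now generate traffic: open WinBox from a LAN host and, if you can, try to
# ping or connect to your public address from outside. Then confirm that the
# expected rules, and only those, incremented.
/ip firewall filter print stats where comment~"WinBox"
/ip firewall filter print stats where comment~"Drop all other"

# Temporarily log what the default deny is dropping. The prefix makes the
# entries easy to filter; switch it off afterwards, a busy WAN fills the log.
/ip firewall filter set [find comment="Drop all other inbound traffic"] log=yes log-prefix="wan-drop:"
/log print where message~"wan-drop:"
/ip firewall filter set [find comment="Drop all other inbound traffic"] log=no

# LAN hosts should still reach the internet; the masquerade rule must count up too.
/ip firewall nat print stats where chain=srcnat
```

If the WinBox rule stays at zero while you are connected from the LAN, the connection is probably matched by the established/related rule above it (connect fresh after resetting the counters), or your source address is outside the range the rule allows.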


Troubleshooting Tips

  • No Internet Access:
    If devices on your LAN can’t access the internet, double-check that your NAT (masquerade) rule under IP → Firewall → NAT is still active, and that no drop rule in the forward chain sits above the established/related accept rule.

  • Management Access Blocked:
    If you accidentally lock yourself out, first try WinBox by MAC address from a LAN host (the Neighbors tab): MAC-WinBox works at Layer 2 and is not affected by IP firewall filter rules. Failing that, use the serial console on models that have one, or hold the reset button while powering on (see your model’s manual) to restore the default configuration. Netinstall reinstalls RouterOS over Ethernet and is the last resort, not a console method.

  • Logging:
    Enable logging temporarily on a rule to diagnose if and when it’s firing. Do this on the existing rule rather than adding a new one: a new accept rule without a source-address match would open WinBox to anyone, and a rule added with “add” lands below the drop rule anyway. For example:

    /ip firewall filter set [find comment="Allow WinBox from trusted LAN"] log=yes log-prefix="winbox:"

    The entries then appear in the Log window with the prefix “winbox:”. Turn logging off again (log=no) once you are done, since logging every packet on a busy rule fills the log quickly.

Final Thoughts

Setting up a basic firewall on your MikroTik is all about starting simple. With these foundational rules, you secure your router against unwanted inbound traffic while allowing necessary management and local communications. As your network grows or your needs change, you can always refine and expand your firewall rules.

Remember, a well-configured firewall is a critical part of network security. Take the time to review your rules periodically, test them thoroughly, and adjust them as needed. With practice, you’ll have a robust setup that protects your home or small office with ease.


Guided with simplicity by
Emmanuel Corels – Admin, Emmanuel Corels Creatives

