10 Mikrotik Firewall Rules Best Practices

Mikrotik routers are powerful and versatile. By following these 10 best practices, you can make sure your router is secure and running smoothly.

In this article, we will go over 10 best practices for Mikrotik firewall rules. By following these best practices, you can improve the security of your network and make it more difficult for attackers to gain access to your systems.

1. Use Fasttrack

Fasttrack is a Mikrotik firewall feature that allows you to bypass the firewall for certain types of traffic. This can be useful if you want to improve performance or reduce the load on your firewall.

However, Fasttrack can also be dangerous if you’re not careful. That’s because it can allow malicious traffic to bypass your firewall rules.

Therefore, it’s important to use Fasttrack wisely. Only use it for traffic that you trust, and make sure that your other firewall rules are still in place to protect your network.
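A forward chain that applies this advice, written here as an added example rather than configuration taken from the article: invalid packets are dropped first, only connections the filter has already accepted are fasttracked, and new inbound connections are still decided by ordinary rules. It assumes an interface list named WAN exists and a RouterOS version that supports the fasttrack-connection action.

```routeros
# Added example. Order matters: once a connection is fasttracked, its
# later packets skip the rest of the filter, mangle and queue rules.

# 1. Invalid state must be dropped BEFORE fasttrack, or it would ride along.
/ip firewall filter add chain=forward connection-state=invalid action=drop \
    comment="drop invalid before fasttrack"

# 2. Fasttrack only traffic that already passed the filter once (established/related).
/ip firewall filter add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack trusted, tracked traffic"

# 3. fasttrack-connection needs a matching accept rule right after it:
#    packets that are not (yet) fasttracked still need an explicit accept.
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related comment="accept established/related"

# 4. New connections are never fasttracked: the first packets of every flow
#    still reach these rules, so inbound policy on WAN remains enforced.
/ip firewall filter add chain=forward connection-state=new in-interface-list=WAN \
    action=drop comment="no unsolicited new connections from WAN (assumed list name)"

# Verify the resulting order; the invalid drop must sit above fasttrack.
/ip firewall filter print where chain=forward
```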

2. Use Layer7 Protocols

Layer7 protocols allow you to match traffic based on the application that is generating it. This is important because it means you can allow or deny traffic based on the specific application, rather than just the port that it is using.

For example, you could allow all web traffic but block all BitTorrent traffic. This would be much more effective than just blocking all traffic on port 80 (which would also block legitimate web traffic).

Layer7 protocols are not enabled by default in Mikrotik, so you will need to enable them before you can use them. To do this, go to System > Routerboard > Settings and check the “Enable Layer7 Protocols” box.
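The BitTorrent example from this section as an added configuration (not from the article). The signature is a deliberately simplified match on the plaintext BitTorrent handshake, chosen here as an assumption; encrypted or obfuscated peers will not match it, and the matcher only inspects the first packets of each connection.

```routeros
# Added example. Assumption: ".bittorrent protocol" is a simplified handshake
# signature (one length byte followed by the protocol name); production
# signatures are longer and still miss encrypted peers.
/ip firewall layer7-protocol add name=bittorrent regexp="^.bittorrent protocol"

# The L7 matcher examines only the first packets (a few KB) of a connection,
# so the rule must see both directions and must come BEFORE any
# fasttrack-connection rule, which would otherwise hide later packets.
/ip firewall filter add chain=forward layer7-protocol=bittorrent action=drop \
    comment="drop connections whose handshake looks like BitTorrent"

# L7 matching is CPU-intensive: watch the load before adding more patterns.
/ip firewall layer7-protocol print
/system resource print
```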

3. Block Unwanted Traffic

When you allow all traffic through your firewall, you’re also allowing malicious traffic. By blocking unwanted traffic, you can help protect your network from attacks.

There are a few different ways to block unwanted traffic. One way is to use Mikrotik’s built-in address lists. Address lists are named groups of IP addresses or subnets that your firewall rules can reference.

For example, you could create an address list for known malicious IP addresses and then block all traffic from those IP addresses.

You can also use Mikrotik’s built-in content filter to block traffic based on certain keywords or phrases. For example, you could block all traffic that contains the word “viagra”.

Finally, you can also use Mikrotik’s built-in layer 7 protocol to block traffic based on certain applications or protocols. For example, you could block all traffic that uses the BitTorrent protocol.

All of these methods can be used to block unwanted traffic and help protect your network.
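The address-list and content-filter methods described above, as an added example (not the article’s own configuration). The addresses come from the documentation ranges and are constructed; the content match is shown with its limits made explicit.

```routeros
# Added example. Addresses below are constructed (RFC 5737 documentation ranges).
/ip firewall address-list add list=blocklist address=198.51.100.0/24 \
    comment="known-bad range (constructed)"
# Entries can expire on their own; useful for feeds you refresh periodically.
/ip firewall address-list add list=blocklist address=203.0.113.7 timeout=7d \
    comment="single host, auto-expires (constructed)"

# Dropping in the raw table happens before connection tracking, so listed
# sources cost no conntrack memory and are dropped whether destined to the
# router itself or to hosts behind it.
/ip firewall raw add chain=prerouting src-address-list=blocklist action=drop \
    comment="drop everything from the blocklist"

# Content matching looks at the raw payload of each packet individually:
# it is case-sensitive, only works on plaintext (not TLS), and must come
# before any fasttrack-connection rule or it will never see later packets.
/ip firewall filter add chain=forward content="viagra" action=drop \
    comment="keyword block (plaintext only)"

/ip firewall address-list print where list=blocklist
```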

4. Protect Your Router from DoS Attacks

A DoS attack is an attempt to make a service or network resource unavailable by flooding it with requests. If successful, the target will be unable to process legitimate requests, and may even crash entirely.

Mikrotik routers are particularly vulnerable to DoS attacks because they use a stateful firewall. This means that the router keeps track of all connections passing through it, in order to be able to correctly route replies.

However, this also means that if an attacker can send a large number of connection requests, the router’s memory will quickly fill up, and it will start dropping legitimate traffic.

The best way to protect your Mikrotik router from DoS attacks is to use a rate limiting rule. This will limit the number of connection requests that can be made to the router per second, preventing the router’s memory from filling up.

It’s also a good idea to use a firewall filter rule to drop all traffic from sources that have been known to launch DoS attacks in the past.

5. Limit the Number of Connections per IP Address

If an attacker is able to establish a large number of connections to your network, they can easily overwhelm your bandwidth and resources, causing a denial of service. By limiting the number of connections per IP address, you can help prevent this type of attack.

To do this, simply create a rule that limits the number of connections from each IP address. For example, you could limit each IP address to 10 connections. If an attacker tries to establish more than 10 connections, their additional connections will be blocked.

This Mikrotik firewall rule best practice is simple to implement and can go a long way in protecting your network from denial of service attacks.
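The rate limit from section 4 and the per-address connection cap from section 5, combined in one added example (not configuration from the article). It assumes RouterOS 6.24 or later for the `limit=rate,burst:packet` syntax, and uses the 10-connection figure the article gives; sites behind a shared NAT address can legitimately exceed a cap that low, so tune it to your traffic.

```routeros
# Added example. Offenders land on a dynamic address list; the raw drop then
# discards their packets before connection tracking, so a flood cannot fill
# the router's connection table.
/ip firewall raw add chain=prerouting src-address-list=conn_abuse action=drop \
    comment="drop listed sources before conntrack"

# Section 5: more than 10 concurrent TCP connections from one /32 to the
# router -> list the source for an hour. add-src-to-address-list is
# non-terminating, so an explicit drop follows for the triggering packet.
/ip firewall filter add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=conn_abuse \
    address-list-timeout=1h comment="per-source connection cap (tune to your site)"
/ip firewall filter add chain=input src-address-list=conn_abuse action=drop

# Section 4: cap the rate of new TCP connection requests to the router.
# Within the limit the packet returns to the input chain for normal
# processing; the excess is dropped.
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn \
    connection-state=new action=jump jump-target=syn-protect
/ip firewall filter add chain=syn-protect protocol=tcp tcp-flags=syn \
    connection-state=new limit=400,5:packet action=return \
    comment="up to 400 SYN/s, burst 5 (assumed figures)"
/ip firewall filter add chain=syn-protect action=drop comment="SYN flood excess"

# Who is currently listed, and the live connection count per source:
/ip firewall address-list print where list=conn_abuse
/ip firewall connection print count-only
```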

6. Filter Invalid Packets

Invalid packets are those that don’t conform to the TCP/IP standards, and as such, they can be used to exploit vulnerabilities in your network. By filtering them out, you can prevent attackers from using them to gain access to your network.

There are a few different ways to filter invalid packets, but the most common is to use the “drop-invalid” action. This will drop any invalid packets that are sent to your Mikrotik router.

You can also use the “reject-invalid” action, which will reject the connection attempt if an invalid packet is sent. However, this can cause problems if you have legitimate devices on your network that send invalid packets, so it’s not recommended.

Finally, you can use the “accept-invalid” action, which will accept the connection even if an invalid packet is sent. This is the least secure option, but it might be necessary if you have devices on your network that send invalid packets.

No matter which option you choose, make sure you add a rule to your firewall to filter invalid packets. It’s one of the most important things you can do to secure your network.

7. Logging and Monitoring

If you’re not logging and monitoring your firewall rules, then you have no way of knowing if they’re working as intended. Without this visibility, it’s impossible to troubleshoot issues or make changes to improve performance.

Fortunately, Mikrotik provides a built-in logging system that can be used to track all traffic passing through the firewall. This information can be invaluable when trying to identify problems or optimize rules.

To get started, simply enable logging for each rule you want to monitor. Then, use the Mikrotik Log Viewer tool to view the resulting logs. This tool allows you to filter and search the logs, making it easy to find the information you need.
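The invalid-packet rules from section 6 together with the logging from section 7, as one added example (not the article’s configuration). Logging every dropped packet on a busy link is expensive, so a rate-limited `log` action precedes the unconditional drop; the remote syslog address is constructed.

```routeros
# Added example. Send firewall log entries to a remote collector as well as
# the in-memory buffer (192.0.2.10 is a constructed address).
/system logging action set remote remote=192.0.2.10 remote-port=514
/system logging add topics=firewall action=remote

# Section 6: drop packets the connection tracker classifies as invalid, in
# both the input (to the router) and forward (through the router) chains.
# action=log is non-terminating, so the limited log rule sits in front of
# the real drop and at most 10 lines/s (burst 20) are written.
/ip firewall filter add chain=input connection-state=invalid action=log \
    limit=10,20:packet log-prefix="INVALID-IN:"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=forward connection-state=invalid action=log \
    limit=10,20:packet log-prefix="INVALID-FWD:"
/ip firewall filter add chain=forward connection-state=invalid action=drop

# Section 7: per-rule counters show whether a rule is matching at all,
# and the prefix makes the log entries easy to search.
/ip firewall filter print stats where connection-state=invalid
/log print where message~"INVALID-"
```

Each firewall log entry records the chain, in/out interface, protocol and src:port->dst:port, so a sudden rise in INVALID-FWD lines usually points at asymmetric routing or a timeout mismatch rather than an attack.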

8. Avoid Using NAT

When you use NAT, all of the traffic from your internal network is going through a single point – the Mikrotik router. This means that if there’s any issue with the router (or the internet connection), all of the devices on your network will be affected.

Additionally, NAT can cause problems with some applications and services, such as VoIP or gaming. And finally, it’s just not necessary in most cases – you can achieve the same security without using NAT.

9. Use Firewall Filters for Routing

When you use firewall filters for routing, you can more easily control the traffic that flows in and out of your network. By doing so, you can prevent malicious or unwanted traffic from entering your network, while still allowing the traffic that you want to pass through.

Additionally, using firewall filters for routing can help improve the performance of your network. By controlling the traffic that flows through your network, you can reduce the amount of traffic that needs to be processed by your router. This can lead to improved speeds and reduced latency.

10. Enable Secure Winbox Access

Secure Winbox Access is a feature that allows you to restrict access to the Mikrotik router’s web interface (Winbox) to specific IP addresses. This is important because it prevents unauthorized users from accessing your router and making changes to its configuration.

To enable Secure Winbox Access, go to the Mikrotik router’s web interface and navigate to the “IP” menu. Under the “Firewall” tab, click on the “Filter Rules” option.

Click on the “+” sign to add a new firewall rule. In the “Action” drop-down menu, select the “Drop” option. This will block all traffic that does not originate from the IP addresses that you specify.

Next, in the “Source” field, enter the IP addresses that you want to allow access to the Mikrotik router’s web interface. You can specify multiple IP addresses by separating them with a comma.

Finally, click on the “Apply” button to save the changes.
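The same restriction applied from the command line, as an added example rather than the article’s own steps. It assumes Winbox on its default TCP port 8291 and uses a constructed management subnet; access is limited both at the service level and in the input chain, so a later rule re-ordering cannot silently reopen it.

```routeros
# Added example. 192.0.2.0/24 is a constructed management network.
/ip firewall address-list add list=mgmt address=192.0.2.0/24 \
    comment="admin workstations (constructed)"

# Layer 1 of defence: the Winbox service itself only answers these prefixes.
/ip service set winbox address=192.0.2.0/24

# Layer 2: input-chain rules. Accept Winbox from the management list, then
# drop and log every other attempt. Keep this pair above any rule that
# accepts all input, or the accept-all will win.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    src-address-list=mgmt action=accept comment="Winbox from mgmt only"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop \
    log=yes log-prefix="WINBOX-DENY:" comment="Winbox from anywhere else"

# Verify: the service shows the address restriction, the drop rule's
# counters rise on foreign attempts, and denied sources appear in the log.
/ip service print where name=winbox
/ip firewall filter print stats where chain=input and dst-port=8291
/log print where message~"WINBOX-DENY:"
```

Repeat the `/ip service set` step for any other management service you leave enabled, such as www or ssh; each accepts the same `address=` restriction.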
