Before you plunge into the firewall you need to know how Mikrotik firewall works. First of all and VERY important, the firewall rules are checked from top to bottom. When a packet arrives it is checked by all rules until it finds a match to let it through, if a match is not found it is dropped by the last DROP ALL rule.
In the picture below you see the basic firewall rules that are added by default.
If you look at them those rules look very alike. The first rule is to allow ping. The other six rules allow:
- Allow new connections originating from internal network trough INPUT CHAIN
- Allow related connections originating from internal network trough INPUT CHAIN
- Drop invalid connections originating from internal network trough INPUT CHAIN
- Allow new connections originating from internal network trough FORWARD CHAIN
- Allow related connections originating from internal network trough FORWARD CHAIN
- Drop invalid connections originating from internal network trough FORWARD CHAIN
So to work with firewall you need to know the difference between INPUT CHAIN and FORWARD CHAIN.
Input chain is basically traffic intended for the router. Like the Winbox access of FTP access if activated on the router.
Forward chain is traffic intended for the internal network (computers and devices behind the router)
Example: If you would like to setup remote desktop to your home computer the rule would have to be in forward chain, so the router would know that is not intended for him. Every firewall rule starts with choosing the chain.
The second thing about default rules are the NEW, RELATED and INVALID connections.
Let’s try making this simple:
If you open google as a web page, the router interpreters this as a NEW connections originating from internal network and headed for the internet, so this is for him something in the FORWARD chain. The rules state, that this is allowed, so the traffic goes through the router to the internet. But that is not all, the router “remembers” this allowed connection so when data comes back in it is automatically allowed in since it is a part of the allowed new connection. If in the same page (google.com) you click a link to your Gmail this is considered a related connection and is allowed by the second rule to go out and the data to go back in. Invalid connections are all connections that router has not initiated and are dropped in the forward and input chain.
To make this clearer, we will now crate a rule, to allow WinBox access only from our internal network (the default 126.96.36.199/24)
In WinBox you click on the IP/FIREWALL and click on the FILTER RULES tab and click ADD (the big PLUS)
New you can configure your rule. As you can see there are TONS of options for Firewall rules in Mikrotik but we are doing basics now.
So, if we want to allow WinBox access we firstly need to identify what chain it is. In this case it’s a traffic intended for the router so it is the INPUT chain.
The source address of the data/packets will be our internal network 192.168.88.0/24 protocol is TCP and the destination port is the WinBox port 8291
On the action tab we select the action we want the router to do when receiving a packet that matches all the above criteria. In your case that will be accept since we want to allow this kind of connection.
That’s OK but since we don’t have any DENY rule for this kind off connection this rule is pointless until we deny all other access to WinBox. Next you need to do another rule that will DENY all other connections to the router.
And it would look like this:
As you can see there is no source address specified so the router will basically deny all WinBox access. But as we talked earlier it is the ORDER of the rules in the firewall that is important. The first allow rule must be ABOVE the deny rule. When you try to connect to your WinBox from your network the firewall will see that the source address is 192.168.88.something, and the first rule will allow the access. The traffic will never “hit” the second deny rule. On the other hand, if someone from the internet port scans your router and sees the open WinBox port and tries to connect to it, the first rule that allows access will not apply to him since his source IP address will be something from the public IP range (let us say - 188.8.131.52) and the second rule would be deny all WinBox access, his packets/data would be dropped by the router.
MikroTik has a useful option in the firewall rules called IF NOT. Meaning, if connection is not from this IP drop it. As you can see for every port you need an ALLOW and DENY rule. When using IF NOT option you can simply solve the problem with one rule. Here is an example.This rule is the same as our previous rule for allowing access to our WinBox. Translating this rule would say: If the connection does not come from this subnet and is headed to that port. DROP IT. The action tab looks like this just to clear it up.
This was just an example to illustrate the workings of the firewall and the logic behind it.
In our next blog we will setup a couple of more advanced things on the firewall. Like port scan detection and some port redirections with NAT translation. And maybe some more thing that pop up in my mind.
If you readers have some questions, you can simply pop them in the comment section below. Or maybe some things you have trouble with configuring.
May the force be with you all :D