Correctly configuring the firewall on a MikroTik router is essential to protect your network from unauthorized access and other types of security threats. Although specific rules may vary depending on the needs and configuration of each network, there are certain general rules and principles that are recommended for most environments.

Below are some of the rules and best practices for the firewall filter, NAT, and other relevant configuration sections in MikroTik RouterOS.

FirewallFilter

The purpose of the firewall filter is to control the traffic that passes through the router, allowing you to block or allow traffic based on certain criteria.

1. Block unauthorized access to the router:

Be sure to restrict access to the router from outside your local network. This is typically done by blocking management ports, such as 22 (SSH), 23 (Telnet), 80 (HTTP), 443 (HTTPS), and 8291 (Winbox).

/ip firewall filter
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=22 comment="Bloquear acceso SSH externo"
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=23 comment="Bloquear acceso Telnet externo"
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=80 comment="Bloquear acceso HTTP externo"
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=443 comment="Bloquear acceso HTTPS externo"
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=8291 comment="Bloquear acceso Winbox externo"

2. Protect against common attacks:

Implement rules to protect your network from common attacks, such as SYN flood, ICMP flood, and port scanning.

SYN Flood Attack

/ip firewall filter
add action=add-src-to-address-list address-list="syn_flooders" address-list-timeout=1d chain=input connection-state=new dst-limit=30,60,src-address/1m protocol=tcp tcp-flags=syn comment="Detectar SYN flood"
add action=drop chain=input src-address-list="syn_flooders" comment="Bloquear SYN flooders"

ICMP Flood Attack

/ip firewall filter
add action=add-src-to-address-list address-list="icmp_flooders" address-list-timeout=1d chain=input protocol=icmp limit=10,20 comment="Detectar ICMP flood"
add action=drop chain=input protocol=icmp src-address-list="icmp_flooders" comment="Bloquear ICMP flooders"

3. Allow necessary traffic:

Configure rules to allow legitimate traffic necessary for your network. This includes internal traffic and traffic to and from the Internet based on your specific needs.

Assuming you want to allow SSH access only from your local network:

/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=22 src-address=192.168.1.0/24 comment="Permitir acceso SSH interno"

4. Drop everything else:

As a security practice, any traffic that has not been explicitly allowed previously should be blocked. This is typically done at the end of your firewall filter rules with a rule that rejects or drops all other traffic.

This rule should be placed at the end of your filter rules to act as a default deny policy.

/ip firewall filter
add action=drop chain=input comment="Descartar el resto de tráfico no permitido"

NAT (Network Address Translation)

NAT is commonly used to translate private IP addresses on your local network to a public IP address for Internet access.

1. Masquerade:
   • Use the action masquerade in the chain srcnat to allow multiple devices on your local network to share a public IP address for Internet access. This is essential for networks that access the Internet through a broadband connection with a single public IP.
2. DNAT for internal services:
   • If you need to access internal services from outside your network, you can use Destination NAT (DNAT) to redirect incoming traffic to the corresponding private IPs. Make sure you only do this for necessary services and consider the security implications.

Other Safety Considerations

1. Software updates:
   • Keep your MikroTik router updated with the latest version of RouterOS and firmware to protect against known vulnerabilities.
2. Layer 7 Security:
   • For application-specific traffic, you can configure Layer 7 rules to block or allow traffic based on patterns in data packets.
3. IP Address Range Limitation:
   • Restricts access to certain router services to specific IP address ranges only, thereby reducing the risk of unauthorized access.

Remember that these are only general guidelines. Your specific firewall configuration should be based on a detailed evaluation of your security needs, network policies, and performance considerations. Additionally, it is advisable to perform network security testing regularly to identify and mitigate potential vulnerabilities.