Mikrotik Securing Router With Firewall

Table of Contents

Fresh Start

Incase you mess up or want a fresh start, run these two commands to clear all firewall rules and address lists. Note that if you re-run the command to add a filter, it'll either error out or duplicate if it already exists.

/ip/firewall/filter remove [find dynamic=no]
/ip/firewall/address-list remove [find dynamic=no]

Default Firewall Rules

These are the default IPv4 firewall filters suggested by Mikrotik. They work very well and prevent unwanted connections from the WAN interface. Note that IPv6 is disabled by default on Mikrotiks and were it to be enabled, any firewall rules are not configured for it.

On the line last line of the first code block, replace src-address=! with your LAN IP range.

/ip/firewall/filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
/ip/firewall/filter add action=accept chain=forward comment="Established, Related"  connection-state=established,related
/ip/firewall/filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
/ip/firewall/filter add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
/ip/firewall/filter add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
/ip/firewall/filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
/ip/firewall/filter add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24

/ip/firewall/address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip/firewall/address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip/firewall/address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

Creating a New User Account

Here we'll create a new administrative user and delete the default admin account. The username should be unique to prevent dictionary attacks.

/user add name=SECURE_USER_NAME password=SUPER_SECURE_PASSWORD group=full
/user remove admin

Afterward, we can set WinBox to only allow the user to login on a specific subnet.

/user set USERNAME address=192.168.1.0/24

Changing SSH/Winbox Ports

Here we'll change the default SSH port to 1950 and the default Winbox port to 1951

/ip/service/set ssh port=1950
/ip/service/set winbox port=1951

Preventing Brute Force

Whitelisting a Trusted Host

To prevent accidental lockouts caused by the firewall filters we're about to create, whitelist your server IP address by running the following commands. This will create an IP Address list called TRUSTED, then add a firewall filter to always accept traffic.

# Our SERVER IP Address that get's whitlisted
/ip/firewall/address-list add address=192.168.1.10 disabled=no list=TRUSTED

# Creating a rule at INDEX 0 to always allow traffic from TRUSTED list
/ip/firewall/filter add chain=input action=accept connection-state=new src-address-list=TRUSTED place-before=0 comment="Allow Trusted"
/ip/firewall/filter add chain=input action=accept connection-state=new src-address-list=TRUSTED comment="Allow Trusted"
Prevent FTP Brute Force
After 3 failed login attempts, block the IP from using FTP for 20 minutes

/ip/firewall/filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
            comment="drop ftp brute forcers" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=21 connection-state=new \
            src-address-list=ftp_stage3 action=add-src-to-address-list address-list=ftp_blacklist \
            address-list-timeout=20m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=21 connection-state=new \
            src-address-list=ftp_stage2 action=add-src-to-address-list address-list=ftp_stage3 \
            address-list-timeout=1m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=21 connection-state=new src-address-list=ftp_stage1 \
            action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=1m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=21 connection-state=new action=add-src-to-address-list \
            address-list=ftp_stage1 address-list-timeout=1m comment="" disabled=no

Preventing SSH Brute Force

/ip/firewall/filter add chain=input protocol=tcp dst-port=1950 src-address-list=ssh_blacklist action=drop \
            comment="drop ssh brute forcers" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=1950 connection-state=new \
            src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
            address-list-timeout=20m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=1950 connection-state=new \
            src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
            address-list-timeout=1m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=1950 connection-state=new src-address-list=ssh_stage1 \
            action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=1950 connection-state=new action=add-src-to-address-list \
            address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

Preventing WinBox Brute Force

After 3 failed login attempts, block the IP from using Winboxfor 20 minutes

/ip/firewall/filter add chain=input protocol=tcp dst-port=1951 src-address-list=winbox_blacklist action=drop \
            comment="drop winbox brute forcers" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=1951 connection-state=new \
            src-address-list=winbox_stage3 action=add-src-to-address-list address-list=winbox_blacklist \
            address-list-timeout=20m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=1951 connection-state=new \
            src-address-list=winbox_stage2 action=add-src-to-address-list address-list=winbox_stage3 \
            address-list-timeout=1m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=1951 connection-state=new src-address-list=winbox_stage1 \
            action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m comment="" disabled=no

/ip/firewall/filter add chain=input protocol=tcp dst-port=1951 connection-state=new action=add-src-to-address-list \
            address-list=winbox_stage1 address-list-timeout=1m comment="" disabled=no

Disabling Access Via MAC Address

Here we'll disable any form of login using the Mac Address rather than IP address.

/tool/mac-server set allowed-interface-list=none
/tool/mac-server print
/tool/mac-server mac-winbox set allowed-interface-list=none
/tool/mac-server mac-winbox print
/tool/mac-server ping set enabled=no
/tool/mac-server ping print
/ip neighbor discovery-settings set discover-interface-list=none

Disabling Services

Login Services

We only want SSH and WinBox services enabled. Here we'll disable everything except those

/ip/service disable telnet,ftp,www,api,api-ssl
/ip/service print

Miscellenous Services

These services should already be disabled, but let's do it explicitly.

# Disable Proxy Caching
/ip/proxy set enabled=no

# Disable Socks Proxy
/ip/socks set enabled=no

# Disable UPNP
/ip/upnp set enabled=no
/tool/bandwidth-server set enabled=no

Disabling DNS cache

The router will cache DNS records by default. To avoid this causing any potential issues anything, we'll disable it

/ip/dns set allow-remote-requests=no