Differences

This shows you the differences between two versions of the page.

--- networking:router:mikrotik_fw [2022/07/22 09:39]
gcooper
+++ networking:router:mikrotik_fw [2022/07/22 10:06] (current)
gcooper
@@ Line 1: / Line 1: @@
 ====== Mikrotik RouterOS Firewall ======
-FIXME Need evaluate these scripts:
-**Free**: https://rickfreyconsulting.com/rfc-mikrotik-firewall-6-1-for-ipv4-free-version/
-**Lite Free**: https://rickfreyconsulting.com/rick-freys-basic-mikrotik-firewall-rev-6-1-for-ipv4-lite-edition-3/
-http://wiki.mikrotik.com/wiki/Protecting_your_customers
 ===== Denial of Service =====
@@ Line 33: / Line 25: @@
 ===== Destination NAT (Port Forwarding) Examples =====
-:!: "Destination NAT" is often called "Port Forwarding".
+:!: ''Destination NAT'' is often called ''Port Forwarding''.
-:!: With Mikrotik RouterOS, you don't have to add a separate firewall rule for forwarded ports.
+:!: With Mikrotik RouterOS, you do not add an explicit ''accept'' firewall rule for forwarded ports as ''accept'' is implied.
 <file>
@@ Line 54: / Line 46: @@
 http://forum.mikrotik.com/viewtopic.php?f=2&t=11368
-Normal 'masquerade' source NAT uses the address of the outbound interface as the external IP:
+Normal ''masquerade'' source NAT uses the address of the outbound interface as the external IP:
 <file>
 /ip firewall nat
+add action=masquerade chain=srcnat comment="Masquerade (NAT) - Last NAT Rule" out-interface=ether1
-add action=masquerade chain=srcnat comment="Masquerade (NAT)" out-interface=ether1
 </file>
@@ Line 83: / Line 74: @@
 ===== Basic Firewall =====
+FIXME This basic firewall script needs modernization, probably based on the newer default Mikrotik firewall.
 Firewall/Router: http://gregsowell.com/?p=4013
@@ Line 152: / Line 145: @@
 ==== Country Code ====
-**Country Code List**: https://mikrotikconfig.com/firewall/
 :!: This is probably **for more powerful routers with lots of RAM** as it could add many rules.
-  - Create a script/list of countries to be blocked using the above web site
+:!: You probably want to put the rules **near the top** of the list.
-  - Copy the ''IP-Firewall-Address-List.rsc'' file to the Mikrotik
-  - Import the script
+**Country Code List**: https://mikrotikconfig.com/firewall/
-  - Create a firewall rule referencing the new address list
+  - **Create the script/list** of countries to be blocked using the above web site
+  - **Copy the ''IP-Firewall-Address-List.rsc'' file** to the Mikrotik
+  - **Import the script**
+  - **Create a firewall rule** referencing the new address list
 <file>
 /import IP-Firewall-Address-List.rsc
 /ip firewall filter
-add action=drop chain=input comment="Drop traffic by CC - Input chain" in-interface=ether1 log=yes log-prefix="DROP BY CC" \
+add action=drop chain=input comment="Drop traffic by CC - Input chain" in-interface=ether1 log=yes \
-    src-address-list=CountryIPBlocks
+    log-prefix="DROP BY CC" src-address-list=CountryIPBlocks
-add action=drop chain=forward comment="Drop traffic by CC - Forward chain" in-interface=ether1 log=yes log-prefix="DROP BY CC" \
+add action=drop chain=forward comment="Drop traffic by CC - Forward chain" in-interface=ether1 log=yes \
-    src-address-list=CountryIPBlocks
+    log-prefix="DROP BY CC" src-address-list=CountryIPBlocks
 </file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools