Simple & Basic Home Firewall with Mikrotik

One of the most common mistakes I’ve seen from technicians setting up MikroTik routers is leaving the firewall completely empty. The assumption seems to be that a strong password is enough protection. It isn’t. A password protects your router’s management interface — it does nothing to stop malicious traffic from flowing through it, scanning your network, or exploiting services running behind it. A firewall is not optional. It’s the foundation.

This post walks you through a simple but solid home firewall ruleset for MikroTik. It’s designed to be approachable — you don’t need to be a network engineer to follow it — but it covers the right bases and explains the reasoning behind each decision.

A few things to keep in mind before we start:

  • This assumes your firewall is currently empty. If it isn’t, read through the rules carefully and apply what makes sense for your setup.
  • I group rules by purpose rather than by chain. I find this easier to reason about, especially when troubleshooting.
  • MikroTik processes firewall rules in sequential order — the position of each rule matters.
  • I’m using ether1-wan as the WAN interface and bridge.home as the LAN bridge throughout. Adjust these to match your actual interface names.
  • This post does not cover NAT configuration — that deserves its own post.

The Ruleset

1. Accept established and related traffic

/ip firewall filter
add action=accept chain=input comment="Accept established & related inputs" \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related

These go first and they’re critical for performance. Once a connection is established, there’s no need to re-evaluate every subsequent packet against the full ruleset. Accepting established and related traffic early means the router only does the heavy lifting once per connection, not once per packet. Skip these and your CPU will suffer for it.


2. Drop invalid packets

add action=drop chain=input comment="Drop invalid inputs & forwards" \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid

Invalid packets are those that don’t belong to any known connection and don’t make sense as the start of a new one — malformed headers, out-of-sequence packets, and similar garbage. There’s no legitimate reason to accept them. Drop them early.


3. Reject blacklisted sources

add action=reject chain=input comment="Reject blacklisted" in-interface=\
    ether1-wan reject-with=icmp-network-unreachable src-address-list=\
    Blacklist

This rule rejects any traffic from IPs that have been added to a Blacklist address list. The list itself gets populated later by the blacklisting rules — this rule just enforces it. The order matters: this needs to come before any accept rules so blacklisted IPs get stopped regardless of what they’re trying to do.


4. Drop unsolicited inbound forwards

add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan

This rule blocks any new inbound connection from the WAN that hasn’t been explicitly port-forwarded via DNAT. Without this, your router would happily forward unsolicited traffic from the internet toward your internal devices. Unless you’ve set up a DNAT rule for a specific service, nothing from the outside should be initiating connections to your network.


5. Accept traffic from a whitelist (optional)

add action=accept chain=input comment="Accept inputs from the whitelist" \
    in-interface=ether1-wan src-address-list=Whitelist

This is optional. It allows specific trusted external IPs to reach the router directly — useful if you manage the router remotely from a known static IP. Use it carefully. If you don’t have a stable public IP or aren’t sure you need it, skip it. A WireGuard VPN is a much better way to manage your router remotely.


6. Log and track access attempts on the Winbox port

add action=add-src-to-address-list address-list="Unknown Admin" \
    address-list-timeout=1w chain=input comment="Log unknown admins" \
    dst-port=8291 in-interface=ether1-wan log=yes log-prefix="Unknown Admin" \
    protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment="Accept unknown admins" dst-port=8291 \
    in-interface=ether1-wan protocol=tcp src-address=0.0.0.0/0

Port 8291 is the default Winbox port. If you’re keeping it accessible from the WAN — and I’d strongly recommend against it — these rules at least log who’s trying to connect so you can see it happening.

More importantly: change this port. Leaving it at 8291 means every automated scanner on the internet knows exactly where to knock. Moving it to a non-standard port won’t make you invisible, but it will dramatically reduce the noise. You can change it in WinBox under IP → Services → Winbox.

Better yet, block it from the WAN entirely and only access your router from your local network or over a VPN.


7. Accept traffic from your LAN

add action=accept chain=input comment="Accept inputs from home" in-interface=\
    bridge.home src-address=192.168.88.0/24
add action=accept chain=forward comment=\
    "Accept internet access for home devices" in-interface=home-bridge \
    out-interface=ether1-wan src-address=192.168.88.0/24

These rules allow your local devices to reach the router and access the internet. Adjust the subnet and interface names to match your LAN configuration.


8. Blacklist port scanners

add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=1w chain=input comment=\
    "Add forbidden attempts to the blacklist" dst-port=\
    21-23,25,53,80,110,135,139,443,445,587,1025,1352 in-interface=ether1-wan \
    protocol=tcp src-address=0.0.0.0/0 src-address-list=!Whitelist
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=1w chain=input dst-port=\
    1433,1521,3306,3389,5060,5900,6001,8000-8080 in-interface=\
    ether1-wan protocol=tcp src-address=0.0.0.0/0 src-address-list=!Whitelist
add action=add-src-to-address-list address-list=Blacklist \
    address-list-timeout=1w chain=input dst-port=\
    53,69,161,135-139,445,593,1433-1434,1900 in-interface=ether1-wan \
    protocol=udp src-address=0.0.0.0/0 src-address-list=!Whitelist

Any external IP that probes these ports gets added to the Blacklist for one week. These ports cover the most commonly abused attack vectors: FTP, SSH, Telnet, SMTP, DNS, NetBIOS, SMB, RDP, SIP, VNC, SQL Server, MySQL, SNMP, and UPnP among others.

The logic is simple: if you’re not deliberately exposing any of these services to the internet, there is no legitimate reason for an outside IP to be probing them. Anyone who does is either scanning opportunistically or targeting you specifically — either way, they go on the list. Rule 3 then blocks them from that point forward for the entire week.


9. Drop everything else

add action=reject chain=input comment="Drop all from WAN" in-interface=\
    ether1-wan reject-with=icmp-network-unreachable
add action=reject chain=forward comment="Drop everything else" reject-with=\
    icmp-network-unreachable

These are your catch-all rules. Anything from the WAN that hasn’t been explicitly accepted by a previous rule gets dropped here. Never skip these — without them, unmatched traffic falls through to RouterOS defaults, which is not a firewall policy you want to rely on.


Complete Rule Order at a Glance

#ChainActionPurpose
1input / forwardAcceptEstablished & related traffic
2input / forwardDropInvalid packets
3inputRejectBlacklisted sources
4forwardDropUnsolicited WAN inbound
5inputAcceptWhitelisted sources (optional)
6inputLog + AcceptWinbox port tracking
7input / forwardAcceptLAN traffic
8inputAdd to listBlacklist port scanners
9input / forwardRejectEverything else

Final Thoughts

This ruleset won’t make your router impenetrable, but it will make it vastly more resilient than an empty firewall with just a password on it — which, again, is a setup I see far more often than I should.

Start with these rules, watch your logs, and watch your blacklist populate. You’ll quickly get a sense of what’s being thrown at your network from the outside every single day. It’s eye-opening, and it makes a strong case for never leaving a MikroTik without a proper firewall again.