One of the most common mistakes I’ve seen from technicians setting up MikroTik routers is leaving the firewall completely empty. The assumption seems to be that a strong password is enough protection. It isn’t. A password protects your router’s management interface \u2014 it does nothing to stop malicious traffic from flowing through it, scanning your network, or exploiting services running behind it. A firewall is not optional. It’s the foundation.<\/p>\n\n\n\n
This post walks you through a simple but solid home firewall ruleset for MikroTik. It’s designed to be approachable \u2014 you don’t need to be a network engineer to follow it \u2014 but it covers the right bases and explains the reasoning behind each decision.<\/p>\n\n\n\n
A few things to keep in mind before we start:<\/p>\n\n\n\n
ether1-wan<\/code> as the WAN interface and bridge.home<\/code> as the LAN bridge throughout. Adjust these to match your actual interface names.<\/li>\n\n\n\n- This post does not cover NAT configuration \u2014 that deserves its own post.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nThe Ruleset<\/h2>\n\n\n\n1. Accept established and related traffic<\/h3>\n\n\n\n\/ip firewall filter\nadd action=accept chain=input comment=\"Accept established & related inputs\" \\\n connection-state=established,related\nadd action=accept chain=forward connection-state=established,related\n<\/code><\/pre>\n\n\n\nThese go first and they’re critical for performance. Once a connection is established, there’s no need to re-evaluate every subsequent packet against the full ruleset. Accepting established and related traffic early means the router only does the heavy lifting once per connection, not once per packet. Skip these and your CPU will suffer for it.<\/p>\n\n\n\n
\n\n\n\n2. Drop invalid packets<\/h3>\n\n\n\nadd action=drop chain=input comment=\"Drop invalid inputs & forwards\" \\\n connection-state=invalid\nadd action=drop chain=forward connection-state=invalid\n<\/code><\/pre>\n\n\n\nInvalid packets are those that don’t belong to any known connection and don’t make sense as the start of a new one \u2014 malformed headers, out-of-sequence packets, and similar garbage. There’s no legitimate reason to accept them. Drop them early.<\/p>\n\n\n\n
\n\n\n\n3. Reject blacklisted sources<\/h3>\n\n\n\nadd action=reject chain=input comment=\"Reject blacklisted\" in-interface=\\\n ether1-wan reject-with=icmp-network-unreachable src-address-list=\\\n Blacklist\n<\/code><\/pre>\n\n\n\nThis rule rejects any traffic from IPs that have been added to a Blacklist<\/code> address list. The list itself gets populated later by the blacklisting rules \u2014 this rule just enforces it. The order matters: this needs to come before any accept rules so blacklisted IPs get stopped regardless of what they’re trying to do.<\/p>\n\n\n\n
\n\n\n\n4. Drop unsolicited inbound forwards<\/h3>\n\n\n\nadd action=drop chain=forward comment=\"Drop all from WAN not DSTNATed\" \\\n connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan\n<\/code><\/pre>\n\n\n\nThis rule blocks any new inbound connection from the WAN that hasn’t been explicitly port-forwarded via DNAT. Without this, your router would happily forward unsolicited traffic from the internet toward your internal devices. Unless you’ve set up a DNAT rule for a specific service, nothing from the outside should be initiating connections to your network.<\/p>\n\n\n\n
\n\n\n\n5. Accept traffic from a whitelist (optional)<\/h3>\n\n\n\nadd action=accept chain=input comment=\"Accept inputs from the whitelist\" \\\n in-interface=ether1-wan src-address-list=Whitelist\n<\/code><\/pre>\n\n\n\nThis is optional. It allows specific trusted external IPs to reach the router directly \u2014 useful if you manage the router remotely from a known static IP. Use it carefully. If you don’t have a stable public IP or aren’t sure you need it, skip it. A WireGuard VPN is a much better way to manage your router remotely.<\/p>\n\n\n\n
\n\n\n\n6. Log and track access attempts on the Winbox port<\/h3>\n\n\n\nadd action=add-src-to-address-list address-list=\"Unknown Admin\" \\\n address-list-timeout=1w chain=input comment=\"Log unknown admins\" \\\n dst-port=8291 in-interface=ether1-wan log=yes log-prefix=\"Unknown Admin\" \\\n protocol=tcp src-address=0.0.0.0\/0\nadd action=accept chain=input comment=\"Accept unknown admins\" dst-port=8291 \\\n in-interface=ether1-wan protocol=tcp src-address=0.0.0.0\/0\n<\/code><\/pre>\n\n\n\nPort 8291 is the default Winbox port. If you’re keeping it accessible from the WAN \u2014 and I’d strongly recommend against it \u2014 these rules at least log who’s trying to connect so you can see it happening.<\/p>\n\n\n\n
More importantly: change this port<\/strong>. Leaving it at 8291 means every automated scanner on the internet knows exactly where to knock. Moving it to a non-standard port won’t make you invisible, but it will dramatically reduce the noise. You can change it in WinBox under IP \u2192 Services \u2192 Winbox<\/strong>.<\/p>\n\n\n\nBetter yet, block it from the WAN entirely and only access your router from your local network or over a VPN.<\/p>\n\n\n\n
\n\n\n\n7. Accept traffic from your LAN<\/h3>\n\n\n\nadd action=accept chain=input comment=\"Accept inputs from home\" in-interface=\\\n bridge.home src-address=192.168.88.0\/24\nadd action=accept chain=forward comment=\\\n \"Accept internet access for home devices\" in-interface=home-bridge \\\n out-interface=ether1-wan src-address=192.168.88.0\/24\n<\/code><\/pre>\n\n\n\nThese rules allow your local devices to reach the router and access the internet. Adjust the subnet and interface names to match your LAN configuration.<\/p>\n\n\n\n
\n\n\n\n8. Blacklist port scanners<\/h3>\n\n\n\nadd action=add-src-to-address-list address-list=Blacklist \\\n address-list-timeout=1w chain=input comment=\\\n \"Add forbidden attempts to the blacklist\" dst-port=\\\n 21-23,25,53,80,110,135,139,443,445,587,1025,1352 in-interface=ether1-wan \\\n protocol=tcp src-address=0.0.0.0\/0 src-address-list=!Whitelist\nadd action=add-src-to-address-list address-list=Blacklist \\\n address-list-timeout=1w chain=input dst-port=\\\n 1433,1521,3306,3389,5060,5900,6001,8000-8080 in-interface=\\\n ether1-wan protocol=tcp src-address=0.0.0.0\/0 src-address-list=!Whitelist\nadd action=add-src-to-address-list address-list=Blacklist \\\n address-list-timeout=1w chain=input dst-port=\\\n 53,69,161,135-139,445,593,1433-1434,1900 in-interface=ether1-wan \\\n protocol=udp src-address=0.0.0.0\/0 src-address-list=!Whitelist\n<\/code><\/pre>\n\n\n\nAny external IP that probes these ports gets added to the Blacklist<\/code> for one week. These ports cover the most commonly abused attack vectors: FTP, SSH, Telnet, SMTP, DNS, NetBIOS, SMB, RDP, SIP, VNC, SQL Server, MySQL, SNMP, and UPnP among others.<\/p>\n\n\n\nThe logic is simple: if you’re not deliberately exposing any of these services to the internet, there is no legitimate reason for an outside IP to be probing them. Anyone who does is either scanning opportunistically or targeting you specifically \u2014 either way, they go on the list. Rule 3 then blocks them from that point forward for the entire week.<\/p>\n\n\n\n
\n\n\n\n9. Drop everything else<\/h3>\n\n\n\nadd action=reject chain=input comment=\"Drop all from WAN\" in-interface=\\\n ether1-wan reject-with=icmp-network-unreachable\nadd action=reject chain=forward comment=\"Drop everything else\" reject-with=\\\n icmp-network-unreachable\n<\/code><\/pre>\n\n\n\nThese are your catch-all rules. Anything from the WAN that hasn’t been explicitly accepted by a previous rule gets dropped here. Never skip these \u2014 without them, unmatched traffic falls through to RouterOS defaults, which is not a firewall policy you want to rely on.<\/p>\n\n\n\n
\n\n\n\nComplete Rule Order at a Glance<\/h2>\n\n\n\n#<\/th> Chain<\/th> Action<\/th> Purpose<\/th><\/tr><\/thead> 1<\/td> input \/ forward<\/td> Accept<\/td> Established & related traffic<\/td><\/tr> 2<\/td> input \/ forward<\/td> Drop<\/td> Invalid packets<\/td><\/tr> 3<\/td> input<\/td> Reject<\/td> Blacklisted sources<\/td><\/tr> 4<\/td> forward<\/td> Drop<\/td> Unsolicited WAN inbound<\/td><\/tr> 5<\/td> input<\/td> Accept<\/td> Whitelisted sources (optional)<\/td><\/tr> 6<\/td> input<\/td> Log + Accept<\/td> Winbox port tracking<\/td><\/tr> 7<\/td> input \/ forward<\/td> Accept<\/td> LAN traffic<\/td><\/tr> 8<\/td> input<\/td> Add to list<\/td> Blacklist port scanners<\/td><\/tr> 9<\/td> input \/ forward<\/td> Reject<\/td> Everything else<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\nFinal Thoughts<\/h2>\n\n\n\n
This ruleset won’t make your router impenetrable, but it will make it vastly more resilient than an empty firewall with just a password on it \u2014 which, again, is a setup I see far more often than I should.<\/p>\n\n\n\n
Start with these rules, watch your logs, and watch your blacklist populate. You’ll quickly get a sense of what’s being thrown at your network from the outside every single day. It’s eye-opening, and it makes a strong case for never leaving a MikroTik without a proper firewall again.<\/p>\n","protected":false},"excerpt":{"rendered":"
One of the most common mistakes I’ve seen from technicians setting up MikroTik routers is leaving the firewall completely empty. The assumption seems to be that a strong password is enough protection. It isn’t. A password protects your router’s management interface \u2014 it does nothing to stop malicious traffic from flowing through it, scanning your … Continue reading “Simple & Basic Home Firewall with Mikrotik”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[21,11],"_links":{"self":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/119"}],"collection":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=119"}],"version-history":[{"count":2,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/119\/revisions"}],"predecessor-version":[{"id":149,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=\/wp\/v2\/posts\/119\/revisions\/149"}],"wp:attachment":[{"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lfps64.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}