MikroTik: Default Firewall Rules

I’ve included the following rules for my benefit and future reference, but feel free to use them as you please. These are the generic default configuration firewall rules that usually come configured on MikroTik routers. Again, these are very basic, you will most likely want to add further rules for increased security. The value for “in-interface-list” will most likely need to be changed to reflect your current network environment. However, if you are not using interface lists, modify the rules accordingly by replacing the “in-interface-list” property and value with the “in-interface” property and value).

Input Chain Rules

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic."
add action=drop chain=input connection-state=invalid comment="DEFAULT: Drop invalid traffic."
add action=accept chain=input protocol=icmp comment="DEFAULT: Accept ICMP traffic."
add action=drop chain=input in-interface-list=!LAN comment="DEFAULT: Drop all other traffic not coming from LAN."

Forward Chain Rules

/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec comment="DEFAULT: Accept In IPsec policy."
add action=accept chain=forward ipsec-policy=out,ipsec comment="DEFAULT: Accept Out IPsec policy."
add action=accept chain=forward connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic."
add action=drop chain=forward connection-state=invalid comment="DEFAULT: Drop invalid traffic."
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="DEFAULT: Drop all other traffic from WAN that is not DSTNATed."

2 thoughts on “MikroTik: Default Firewall Rules”

  1. Hi So to have a port open on the router.. It will be as an input and we put it before the chain=foward ?.. or before the chain:input action:drop ?
    add action=accept chain=input protocol=tcp dst-port=5060-5061 comment=”Voip”
    ** And nothing to put in the NAT ??
    thanks

    1. It doesn’t matter if the input rule is placed before or after the forward chain as long as it is placed before the Input Action Drop rule that drops all other traffic destined TO the router. As far as the NAT rule, you will need to add the appropriate rule to allow traffic for the particular subnet/vlan if you haven’t already.

Leave a Comment

Your email address will not be published. Required fields are marked *