Understanding and Configuring The MikroTik Default Firewall and NAT Rules: A Comprehensive Guide

Configuring the Mikrotik Firewall

IPv4 Configuration

/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
  • Explanation: This rule adds a source NAT rule for IPv4 traffic leaving any interface in the WAN interface list. The masquerade action rewrites the source IP address of each outgoing packet to the address of the router's outgoing interface, so devices with private IP addresses can reach the internet through a single public IP address. The matcher ipsec-policy=out,none restricts the rule to outbound packets that are not covered by an IPsec policy, so traffic that will be encrypted by IPsec (VPN traffic) is not masqueraded before the policy is applied. The comment "defconf: masquerade" marks the rule as part of the default configuration.
/ip firewall {
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
    filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
    filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
    filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
  • Explanation: This block configures the IPv4 firewall filter rules. Here is a breakdown:
    • Input chain: Accepts packets that belong to an established or related connection, or that are untracked; drops packets whose connection state is invalid; accepts ICMP (for example ping); accepts packets addressed to the loopback address 127.0.0.1, which CAPsMAN needs; and finally drops every packet that did not arrive on an interface in the LAN list. Packets from LAN interfaces that reach the end of the chain are accepted by the chain's implicit default.
    • Forward chain: Accepts traffic matching an inbound or outbound IPsec policy, marks established and related connections for FastTrack (the accept rule that follows is still required, because fasttrack-connection does not itself accept the packet), accepts established, related and untracked traffic, drops invalid packets, and drops new connections arriving from a WAN interface unless they were destination-NATed (port-forwarded) by a dstnat rule.
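The following is an added example, not RouterOS code or part of the original guide: a small Python model of the IPv4 input and forward chains above, evaluated over constructed packets, to show which rule decides for a given connection state, interface list and NAT state. It assumes a packet belongs to at most one interface list and that fasttrack-connection is the only non-terminating action in the chain.

```python
"""Simulation of the IPv4 defconf input and forward chains (added example,
not RouterOS code): rules run top-down, the first terminal match decides,
and a chain that reaches its end without a terminal match accepts."""
# Rule text copied from the defconf block above. Matcher syntax follows
# RouterOS: key=a,b matches any listed value, key=!X negates the match.
DEFCONF_V4 = [
    ("input", "connection-state=established,related,untracked", "accept"),
    ("input", "connection-state=invalid", "drop"),
    ("input", "protocol=icmp", "accept"),
    ("input", "dst-address=127.0.0.1", "accept"),
    ("input", "in-interface-list=!LAN", "drop"),
    ("forward", "ipsec-policy=in,ipsec", "accept"),
    ("forward", "ipsec-policy=out,ipsec", "accept"),
    ("forward", "connection-state=established,related", "fasttrack-connection"),
    ("forward", "connection-state=established,related,untracked", "accept"),
    ("forward", "connection-state=invalid", "drop"),
    ("forward", "connection-state=new connection-nat-state=!dstnat in-interface-list=WAN", "drop"),
]
NON_TERMINAL = {"fasttrack-connection"}  # marks the connection; the packet continues

def matches(spec: str, pkt: dict) -> bool:
    """True when every key=value matcher in spec holds (assumes one interface list per packet)."""
    for token in spec.split():
        key, value = token.split("=", 1)
        negate = value.startswith("!")
        value = value.lstrip("!")
        have = pkt.get(key, "")
        if key == "ipsec-policy":            # direction,policy pair, not a value list
            hit = have == value
        else:
            hit = have in value.split(",")
        if hit == negate:                    # matched-but-negated, or plain mismatch
            return False
    return True

def evaluate(chain: str, pkt: dict) -> tuple:
    """Return (verdict, matcher text of the deciding rule or None, fasttracked flag)."""
    fasttracked = False
    for rule_chain, spec, action in DEFCONF_V4:
        if rule_chain != chain or not matches(spec, pkt):
            continue
        if action in NON_TERMINAL:
            fasttracked = True
            continue
        return action, spec, fasttracked
    return "accept", None, fasttracked       # implicit accept at the end of a chain

if __name__ == "__main__":
    # Constructed sample packet; on a real router conntrack supplies these fields.
    print(evaluate("input", {"connection-state": "new", "protocol": "tcp", "in-interface-list": "WAN"}))
```

Changing the order of the rules in DEFCONF_V4 and re-running the samples is a quick way to see why the fasttrack rule must sit directly before its accept rule.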

IPv6 Configuration

/ipv6 firewall {
    address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
    address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
    address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
    address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
    address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
    address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
    address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
    address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
    address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
    filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
    filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
    filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
    filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
    filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
    filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
    filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
    filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
    filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
    filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
    filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
    filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
    filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
    filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
  • Explanation: This block configures the IPv6 firewall filter rules and the address list they use. Here is a breakdown:
    • Address list: Builds the bad_ipv6 list of IPv6 ranges that should never appear as the source or destination of a forwarded packet: the unspecified address (::/128), loopback (::1), site-local (fec0::/10), IPv4-mapped (::ffff:0:0/96), IPv4-compatible (::/96), discard-only (100::/64), documentation (2001:db8::/32), ORCHID (2001:10::/28) and the retired 6bone range (3ffe::/16).
    • Input chain: Accepts established, related and untracked packets, drops invalid ones, then accepts the specific traffic the router itself must receive: all ICMPv6 (which carries neighbor discovery, not only ping), UDP ports 33434-33534 for traceroute, DHCPv6 client replies on UDP port 546 from link-local (fe80::/10) sources so prefix delegation works, IKE on UDP ports 500 and 4500, the AH and ESP protocols, and any packet matching an inbound IPsec policy. Everything else that did not arrive on a LAN interface is dropped.
    • Forward chain: Accepts established, related and untracked packets, drops invalid ones, drops packets whose source or destination address is in bad_ipv6, and drops ICMPv6 with a hop limit of 1 as RFC 4890 recommends. It then accepts ICMPv6, HIP (protocol 139), IKE, AH, ESP and packets matching an inbound IPsec policy, and finally drops everything else that did not arrive on a LAN interface. Unlike the IPv4 forward chain there is no dstnat exception, so inbound IPv6 connections to hosts behind the router need an explicit accept rule placed before that final drop.
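The following is an added example, not RouterOS code or part of the original guide: a Python check of the bad_ipv6 list above using the standard ipaddress module, showing which entry a given address hits, how the two forward-chain address-list rules decide, and which entries are already covered by a wider entry. The sample addresses are constructed.

```python
"""Membership check for the defconf bad_ipv6 address list (added example,
not RouterOS code): shows which list entry a source or destination address
hits, and which entries are already covered by a wider entry."""
import ipaddress
from typing import List, Optional, Tuple

# Entries copied from the /ipv6 firewall address-list block above.
BAD_IPV6 = [
    ("::/128", "unspecified address"), ("::1", "lo"),
    ("fec0::/10", "site-local"), ("::ffff:0:0/96", "ipv4-mapped"),
    ("::/96", "ipv4 compat"), ("100::/64", "discard only"),
    ("2001:db8::/32", "documentation"), ("2001:10::/28", "ORCHID"),
    ("3ffe::/16", "6bone"),
]
NETWORKS = [(ipaddress.ip_network(cidr), why) for cidr, why in BAD_IPV6]

def bad_ipv6_entry(addr: str) -> Optional[str]:
    """Comment of the first bad_ipv6 entry containing addr, or None.
    RouterOS address-list matching is a set test, so one hit is enough."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        raise ValueError("bad_ipv6 only applies to IPv6 packets")
    for net, why in NETWORKS:
        if ip in net:
            return why
    return None

def forward_verdict(src: str, dst: str) -> str:
    """Apply the two defconf forward-chain address-list rules in their order."""
    for role, addr in (("src", src), ("dst", dst)):
        why = bad_ipv6_entry(addr)
        if why:
            return f"drop: bad {role} ipv6 ({why})"
    return "continue"                      # later forward rules decide

def covered_entries() -> List[Tuple[str, str]]:
    """Entries wholly inside another entry: harmless, but worth knowing when
    auditing the list, because removing them would not change any verdict."""
    return [(why, other_why)
            for net, why in NETWORKS
            for other, other_why in NETWORKS
            if net != other and net.subnet_of(other)]

if __name__ == "__main__":
    # Constructed sample addresses: an IPv4-mapped source and a ULA destination.
    print(forward_verdict("::ffff:192.0.2.1", "fd00::1"))  # drop: bad src ipv6 (ipv4-mapped)
    print(covered_entries())
```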

Summary

These rules provide a basic firewall and NAT configuration for both IPv4 and IPv6 traffic on a MikroTik router. They allow only the traffic the router and the LAN need while dropping invalid, unsolicited or otherwise unwanted traffic, following the conventions of the default configuration ("defconf"). Adjustments may be necessary depending on specific network requirements and security policies.