Don’t forget to update your Mikrotik firmware to 6.41.1 or higher! Current stable and secure firmware is 6.47.10.
Simple Mikrotik Firewall configuration:
In Mikrotik terminal go to Firewall Filter:
/ip firewall filter
For increase the speed of router fist rule should be:
add chain=forward action=fasttrack-connection connection-state=established,related
Allow Established and Related connections for forward and input chains:
add chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" add chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
Drop invalid connections for forward and input chains only from WAN interfaces:
add chain=forward action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix="" add chain=input action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix=""
Allow ICMP ping from WAN only width 128 bits packets:
add chain=input action=accept protocol=icmp in-interface-list=WAN packet-size=0-128 log=no log-prefix=""
Allow remote control by Winbox or SSH only from IP addresses from AccessList:
add chain=input action=accept protocol=tcp src-address-list=AccessList in-interface-list=WAN dst-port=8291,22 log=no log-prefix=""
In IP -> Firewall -> Address List create new address list width name AccessList and add there all IP addresses you want to use for remote connection to your router.
Allow OpenVPN connections:
add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1194 log=no log-prefix=""
Allow PPTP VPN connections:
add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1723 log=no log-prefix="" add chain=input action=accept protocol=gre log=no
Allow SSTP VPN connection (443 port,
change port if yout SSTP server run on other port):
add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix=""
Allow L2TP IPsec VPN connection:
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp comment="allow L2TP VPN (ipsec-esp)" add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp comment="allow L2TP VPN (500,4500,1701/udp)"
Drop all other connections to Mikrotik and to local network:
add chain=input action=drop in-interface-list=WAN log=no log-prefix="" add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
In IP -> Services menu enable only SSH and Winbox services, for more security you can change default Winbox and SSH ports:
It is all you need to secure your home or office router and network.
Don’t forget to update your Mikrotik firmware to 6.41.1 or higher! Current stable and secure firmware is 6.48.6. For more stability use firmware from “long term” channel.