Mikrotik configuration example

[System Error Message]

I've managed to compile a list of basic firewall rules for home use. This implements an automatic blacklist feature. Feel free to ask for more firewall configs or suggest improvements. I've also tried to make the config lean for performance. order of rules are important for the same chain. I will add other configs on request. You can also use this example with other routers such as ubiquiti and iptables but it is not a copy and paste for them.

To use this you will first need to define a few things.
Address lists
-DNS (IP addresses you use for DNS and NTP such as 8.8.8.8)
-Networked (LAN IP addresses you whitelist such as 192.168.88.0/24)
-LAN interface (its just the name of the LAN interface in /interfaces)
-WAN interface (name of the WAN interface in /interfaces)
- assuming the router's IP is 192.168.88.1
For /filters,

chain=input action=drop connection-state=invalid
chain=output action=drop connection-state=invalid
chain=forward action=drop connection-state=invalid
;;; allow MACwinbox (you may want to add the in-interface)
chain=services action=accept protocol=udp dst-port=20561
;;; Allow DNS,NTP
chain=input action=accept protocol=udp src-address-list=DNS src-port=53,123
chain=output action=accept protocol=udp dst-address-list=DNS dst-port=53,123
chain=input action=accept protocol=tcp src-address-list=DNS src-port=53,123
chain=output action=accept protocol=tcp dst-address-list=DNS dst-port=53,123
;;; hold hackers
chain=input action=tarpit protocol=tcp src-address-list=invalid
chain=input action=drop src-address-list=invalid
chain=output action=drop src-address-list=invalid
chain=forward action=drop dst-address-list=invalid
chain=forward action=drop src-address-list=invalid
;;; Accept PPTP connections (change to the vpn port and protocol used)
chain=input action=accept protocol=tcp dst-port=1723
chain=output action=accept protocol=tcp src-port=1723
;;; Record attempted hackers
chain=input action=add-src-to-address-list src-address-list=!Networked address-list=invalid address-list-timeout=0s
;;; Accept LAN input
chain=input action=accept src-address-list=Networked
chain=output action=accept dst-address-list=Networked
XI ;;; Add output IP to whitelist for 3s
chain=forward action=add-dst-to-address-list address-list=proxy address-list-timeout=3s out-interface=WAN"
XI ;;; accept input from output whitelist
chain=forward action=accept src-address-list=proxy
XI ;;; drop everything else
chain=forward action=drop
XI ;;; drop unauthorised output
chain=output action=drop dst-address-list=!Networked
;;; drop everything else
chain=input action=tarpit protocol=tcp
;;; drop everything else
chain=input action=drop
chain=output action=drop

note: XI for disabled, these rules are for alternative use if you want even more security but can cause problems. New rules added, you may need to add exceptions for output for other services too or instead of using IP based filtering you can go with port based by using the interface instead. Some of these rules can be applied in mangle instead.

Mangle rules (used for filter)

;;; Packets from WAN
chain=forward action=add-src-to-address-list address-list=External address-list-timeout=1d in-interface=WAN"
;;; Packets from LAN
chain=forward action=add-src-to-address-list address-list=Internal address-list-timeout=1d in-interface=LAN"

if you want to use mangle for QoS, mark packets in mangle and you can use those marked packets in filters too. I cannot give QoS examples because of my network.

NAT (requires connection tracking)

;;; Perform NAT
chain=srcnat action=masquerade src-address-list=Networked dst-address-list=!Networked

note: You may need to add an out interface if needed.

Hijacking rules, for proxy and other services.

;;; hijack NTP
chain=dstnat action=redirect to-ports=123 protocol=udp dst-port=123 dst-address=!Networked
;;; hijack dns
chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 dst-address=!Networked
;;; hijack dns
chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 dst-address=!Networked
;;;transparent proxy, assuming port 8080
chain=dstnat action=redirect to-ports=8080 protocol=tcp src-address=Networked dst-address=!Networked
chain=dstnat action=redirect to-ports=8080 protocol=udp src-address=Networked dst-address=!Networked

If your proxy/dns/NTP server isnt the router itself you can use dst-nat action for the hijacking to set the server but you will than need to add an exception for it before the hijacking rules.

chain=dstnat src-address=server dst-address=!Networked action=accept

For multicore systems under system---resources---irq you can assign some functionality to a specific core. First core is 0. Some settings can be changed under IP---settings which is where it shows some settings for TCP and other things and shows whether acceleration is enabled.

If you need to access some of your internal services outside, do it through VPN using the router as a VPN server (hence the accept PPTP but disable the rule if you arent using vpn or change it to the port you use) so it requires config and authentication, something some services that have it arent secured such as the nissan car vulnerability or being able to bypass CCTV server authentications. If you do want to host a server (such as a public Web or game server) than there are clear enough port forwarding rules on mikrotik wiki.

Edit: updated rules

 

[System Error Message]

Continued
Mikrotik hardware acceleration guide
Mikrotik routerOS has 3 types of hardware acceleration. Fastpath, Fasttrack and encryption. Both Fastpath and Fasttrack acceleration if enabled will be shown in /IP settings.

Fastpath:
Fastpath is hardware acceleration for bridging and routing. It cannot be used for NAT so if you are using your routerboard for only routing and bridging with no need for QoS or filters or rules (say for example you are making a point to point wifi bridge) than you can definitely use this for that situation allowing you to use a low cost routerboard for it. Fastpath is enabled under bridge settings and cannot use the IP firewall. It is very much like using acceleration on a consumer router, tick to enable but with no other features used. Every routerboard should support this.

Fasttrack:
Fasttrack is hardware acceleration for NAT and with connection tracking enabled (the wiki says it is fastpath with connection tracking). There are 2 ways you can use it either by the filter rule in firewall filters or in mangle. In routerOS the acceleration is unique in that you can select which connections (as long as it is TCP or UDP). If a packet is used to uniquely selected for acceleration than the connection will be accelerated. Only connections that have been established can be accelerated so the best way to perform selective acceleration is by filtering new connections. What isnt mentioned in the mikrotik wiki is that fasttrack can be applied in mangle to give even more performance and even more selective choices. It also seems that mangle is used during acceleration whereas filters and QoS are simply ignored. You could also use fasttrack to lower CPU load for the input and output chain for various other services on the routerboard such as for DNS and NTP services (also not mentioned in the wiki). Supported routerboards are http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack . Fasttrack is applied on the connection and not on packets. Mikrotik says the plan to extend Fasttrack to support non TCP/UDP packets so your firewall rules can be generic but you will still need rules after fasttrack to catch the non-accelerated connections.

The basic rule for fasttrack shown in the wiki is

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related

Under mangle you can actually apply the rules there instead. The rules for fasttrack should be applied below after all your filtering but before you drop everything else in the chain you are accelerating.
Using fasttrack for prerouting in mangle if it works may yield better results if you dont have any restrictions to apply on it. It may be possible to apply QoS on it by limiting the data rate (not packet rate) of the connection in the firewall rule under mangle and it may be possible to apply priority style QoS by using the mangle firewall for performing selective fasttrack and using the rule order. None of this is verified yet but upon trying different combinations of rules on my CCR it says enabled but i havent yet seen any packets accelerated in statistics (though this could be a bug or i simply am not in the setup where acceleration can be applied).

If any of you has any routerboards please test this and let me know by PM if the stuff not on the wiki works. If it does work you should see a lower CPU usage or better throughput than without.

Encryption:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
According to the wiki only AES hardware acceleration is supported in routerOS so it wont matter if the hardware supports other types of acceleration, only AES will be accelerated. Some optimisations can be done to improve performance from the wiki but nowhere does it mention where to enable/disable it.

PM me for any mistakes, corrections or requests regarding mikrotik routerOS configuration.