A router without a proper firewall is like a house with no locks. MikroTik RouterOS includes a powerful firewall, but it won't protect you until you configure it. This guide covers the essential firewall rules every MikroTik router needs – whether you're a home user, small business, or ISP.
Understanding MikroTik Firewall Chains
RouterOS uses three main chains:
- Input – Traffic to the router itself (e.g., WinBox, SSH, pings).
- Forward – Traffic passing through the router (e.g., LAN to internet).
- Output – Traffic from the router (rarely changed).
Most of your protection happens in Input and Forward chains.
Prerequisites
- A MikroTik router with basic internet access configured.
- WinBox or SSH access.
- Warning: Applying firewall rules via CLI can lock you out if done incorrectly. Keep WinBox's MAC connection available as a backup (it bypasses IP firewall).
Step 1: The Default State – No Firewall (Dangerous)
By default, a new MikroTik router accepts everything. Anyone on the internet can try to log in, ping your router, or probe open ports. Run this to see your current filter rules:
/ip firewall filter print
If you see no rules or only a few, your router is exposed.
Step 2: Essential Input Chain Rules
These rules protect the router itself. Order matters – rules are processed top to bottom. Add them in this sequence.
2.1 Allow established and related traffic (must be first)
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Accept established/related"
This allows replies to connections you initiated (e.g., software updates, DNS queries).
2.2 Drop invalid packets
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid"
Invalid packets are often malicious or malformed.
2.3 Allow essential router services (customise to your needs)
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept comment="Allow WinBox"
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept comment="Allow SSH"
/ip firewall filter add chain=input protocol=icmp action=accept comment="Allow ping"
Adjust ports based on which services you use. If you don't use SSH, skip it. Never leave open ports you don't need.
2.4 (Optional) Allow specific IPs to manage the router
Instead of opening WinBox to the world, restrict it to your office IP or VPN:
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address=YOUR_STATIC_IP/32 action=accept comment="WinBox from office only"
Then remove the global WinBox rule above.
2.5 Block everything else (the "default drop" rule)
/ip firewall filter add chain=input action=drop comment="Drop all other input"
This rule must be last in the input chain. Anything not explicitly allowed gets dropped.
Step 3: Protecting Forwarded Traffic (Your LAN)
The forward chain controls traffic passing through the router (e.g., from LAN to internet, or from WAN to a server behind the router).
3.1 Accept established/related and drop invalid (same as input)
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Fwd accept established/related"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Fwd drop invalid"
3.2 Allow your LAN to reach the internet
/ip firewall filter add chain=forward src-address=192.168.88.0/24 action=accept comment="Allow LAN to internet"
Replace 192.168.88.0/24 with your actual LAN subnet.
3.3 (Optional) Block inter‑VLAN or guest network access
If you have a guest WiFi on 192.168.100.0/24 that should not access your main LAN:
/ip firewall filter add chain=forward src-address=192.168.100.0/24 dst-address=192.168.88.0/24 action=drop comment="Block guest to LAN"
3.4 Drop all other forward traffic
/ip firewall filter add chain=forward action=drop comment="Drop all other forward"
Step 4: Protect Against Common Attacks
Add these rules before the final drop rules.
4.1 Block port scanners (PSD – Port Scan Detection)
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=1h comment="Detect port scanners"
/ip firewall filter add chain=input src-address-list=port_scanners action=drop comment="Drop port scanners"
4.2 Block brute force attempts (too many connections per second)
/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-rate=1-50M action=add-src-to-address-list address-list=ssh_bruteforce address-list-timeout=1h comment="SSH brute force"
/ip firewall filter add chain=input src-address-list=ssh_bruteforce action=drop comment="Drop brute forcers"
Adjust the port (22 for SSH, 8291 for WinBox, 21 for FTP).
4.3 Block ICMP (ping) floods
/ip firewall filter add chain=input protocol=icmp icmp-options=8:0 limit=5,5 action=accept comment="Limit ping"
/ip firewall filter add chain=input protocol=icmp action=drop comment="Drop excess ping"
Step 5: Enable FastTrack (For Better Performance)
FastTrack bypasses firewall processing for established connections, greatly increasing throughput. Add this before your forward drop rule.
/ip firewall filter add chain=forward connection-state=established,related action=fasttrack-connection comment="FastTrack established connections"
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Accept after FastTrack (fallback)"
Note: FastTrack bypasses simple queues, connection marks, and some logging. If you need per‑IP bandwidth limits or detailed accounting, do not use FastTrack – or use it only for non‑limited traffic.
Step 6: Verify Your Firewall Rules Order
View your rules with:
/ip firewall filter print
A correct order looks like this:
- Accept established/related (input)
- Drop invalid (input)
- Accept WinBox (input)
- Accept SSH (input)
- Accept ping (input)
- Drop port scanners (input)
- Drop brute force (input)
- Drop all other input
- FastTrack (forward – optional)
- Accept established/related (forward)
- Drop invalid (forward)
- Accept LAN to internet (forward)
- Drop other forward
Step 7: Testing Your Firewall
From an external machine (or via your phone's mobile data), try to:
- Ping your router's public IP – should be blocked (unless you allowed ICMP).
- Scan open ports using a tool like
nmap– only the ports you explicitly allowed (e.g., 8291, 22) should show as open. - Attempt a wrong login via WinBox or SSH multiple times – after a few tries, you should be temporarily blocked.
If you lock yourself out, use WinBox via MAC address (Neighbors tab) – it bypasses IP firewall rules entirely.
Step 8: Saving and Backing Up Your Rules
Once satisfied, export your firewall configuration:
/ip firewall export file=firewall-backup
Download the file via WinBox Files or FTP for safekeeping.
To make rules persistent after reboot, no extra step is needed – RouterOS saves changes immediately.
Common Mistakes to Avoid
- Putting the drop rule too early – This blocks everything, including your WinBox access. Always place the general drop rule last.
- Forgetting to allow established/related – Without this, your router can't reply to DNS queries or update packages.
- Allowing all ICMP – Ping is useful for diagnostics, but leaving unlimited ping can be abused. Use rate limiting.
- Not testing after each change – Add rules one by one and test before moving to the next.
- Disabling all services and forgetting to enable WinBox – You'll need a console cable or factory reset.
Sample Minimal Firewall Script (Copy‑Paste Ready)
Here is a complete, safe starter firewall for most home and small office setups. Adjust interface names and subnets as needed.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Accept established/related"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input protocol=tcp dst-port=8291 action=accept comment="WinBox"
add chain=input protocol=tcp dst-port=22 action=accept comment="SSH"
add chain=input protocol=icmp action=accept comment="Ping"
add chain=input action=drop comment="Drop all other input"
add chain=forward connection-state=established,related action=fasttrack-connection comment="FastTrack"
add chain=forward connection-state=established,related action=accept comment="Accept established/related"
add chain=forward connection-state=invalid action=drop comment="Drop invalid"
add chain=forward src-address=192.168.88.0/24 action=accept comment="Allow LAN to internet"
add chain=forward action=drop comment="Drop all other forward"
Monitoring Firewall Activity
See which rules are being hit:
/ip firewall filter print stats
To watch live connections:
/tool torch interface=ether1 port=22,8291
To view blocked attempts:
/ip firewall address-list print where list=port_scanners
Conclusion
A properly configured firewall is the foundation of network security. The rules in this guide will stop most automated attacks, port scanners, and brute force attempts while allowing your legitimate traffic to flow freely.
Remember: No firewall is "set and forget". Review your rules periodically, update RouterOS, and monitor logs for unusual activity. For advanced protection, consider adding Layer7 filtering, Bogon ASN blocking, or integrating with a threat intelligence feed.
Once you're comfortable with these basics, explore MikroTik's address lists, RAW table (for pre‑connection filtering), and Mangle for traffic marking.