Protecting your Mikrotik RB from the internet

Introduction

There are quite a few Mikrotik routers on the wug that have no firewall on the internet interface to protect the router itself from login attempts. This is a basic set of instructions to protect the router from the internet.
# Symptoms
If your router logs look like this, you need this:


# Assumptions

  • This assumes you have an internet interface called internet. Edit if yours is different, e.g. pppoe-out or whatever.
  • This assumes you do not wish to access the rb from the internet. These rules will block all access to the router from the internet.
  • This assumes you have NAT running from the internet interface to allow access from your PCs etc.
  • This assumes you have no existing firewall rules on the rb.

# Firewall rules to fix the above
The rules below drop any access on the input chain from the internet, but still allow connections initiated outbound from the router. This protects the router from any access from the internet.
The rules do the following to all connections on the input chain (i.e. traffic to the router itself) arriving on the internet interface, evaluated in order, first match wins:

  1. Drop invalid connections.
  2. Accept established connections (typically outbound connections established by the router or a client of the router).
  3. Accept connections related to the established ones in the point above.
  4. Drop any other connection.

To implement the rules below please do:

  1. Copy the rules below into a text editor.
  2. In your text editor replace in-interface=internet with your internet interface name, e.g. in-interface=mweb or whatever it's called.
  3. Open a terminal on your rb (via winbox or ssh or telnet).
  4. Copy the rules from your text editor.
  5. Right click on your terminal and select paste to paste them into your terminal.

```
/ip firewall filter
add action=drop chain=input comment="drop invalid connections from internet" connection-state=invalid in-interface=internet
add action=accept chain=input comment="accept established connections from internet" connection-state=established in-interface=internet
add action=accept chain=input comment="accept related connections from internet" connection-state=related in-interface=internet
add action=drop chain=input comment="drop all else from internet" in-interface=internet
```

(action=accept is the RouterOS default when no action is given; it is written out above so the intent of each rule is obvious when you read the list back.)

# Warning
Be careful when you implement the above. Do not apply these rules to the interface you are currently accessing the rb through, as you may lock yourself out of the rb.

Want access to the router from the internet

You may need to open specific ports (e.g. the ssh or web port) to allow access. Do so by adding an allow rule before the final drop rule above. For example:

```
/ip firewall filter
add action=accept chain=input comment="allow ssh from internet" dst-port=22 in-interface=internet protocol=tcp
```

New rules are appended to the end of the list, so after adding the above you must move the rule so that it sits just before the final "drop all else from internet" rule. If it stays below the drop rule, the drop rule matches first and the allow rule never has any effect.
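To make the ordering point concrete, here is an added example (not part of the original post) that parses the `add ...` lines in the format used above and evaluates a connection against them with the same first-match semantics as the RouterOS filter. The rule text and the sample connections are constructed for the example; it shows that the ssh allow rule does nothing while it sits after the final drop, and works once moved in front of it.

```python
import shlex

# Constructed sample: the four baseline rules, then the ssh allow rule
# appended at the end of the list, which is where `add` puts it by default.
RULES_APPENDED = """\
add action=drop chain=input comment="drop invalid" connection-state=invalid in-interface=internet
add chain=input comment="accept established" connection-state=established in-interface=internet
add chain=input comment="accept related" connection-state=related in-interface=internet
add action=drop chain=input comment="drop all else" in-interface=internet
add chain=input comment="allow ssh" dst-port=22 in-interface=internet protocol=tcp
"""

# Matchers this simplified evaluator understands; a rule that omits one
# does not restrict on it, exactly like the real filter.
MATCHERS = ("chain", "in-interface", "connection-state", "protocol", "dst-port")


def parse_rules(text):
    """Turn `add key=value ...` lines into dicts. Missing action means accept."""
    rules = []
    for line in text.splitlines():
        parts = shlex.split(line)  # shlex handles comment="with spaces"
        if not parts or parts[0] != "add":
            continue
        rule = dict(part.split("=", 1) for part in parts[1:])
        rule.setdefault("action", "accept")
        rules.append(rule)
    return rules


def place_before(rules, rule, target_comment):
    """Return a new list with `rule` inserted just before the rule carrying target_comment."""
    idx = next(i for i, r in enumerate(rules) if r.get("comment") == target_comment)
    return rules[:idx] + [rule] + rules[idx:]


def verdict(rules, conn):
    """First matching rule decides; return (action, comment) of that rule."""
    for rule in rules:
        if all(rule[m] == conn.get(m) for m in MATCHERS if m in rule):
            return rule["action"], rule.get("comment")
    return "accept", "chain default"


if __name__ == "__main__":
    rules = parse_rules(RULES_APPENDED)
    new_ssh = {"chain": "input", "in-interface": "internet", "connection-state": "new",
               "protocol": "tcp", "dst-port": "22"}
    print("ssh rule appended after drop:", verdict(rules, new_ssh))
    fixed = place_before(rules[:4], rules[4], "drop all else")
    print("ssh rule moved before drop:  ", verdict(fixed, new_ssh))
```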

Wiki

This post is a wiki to allow anyone to edit and improve.

12 Likes

If you happen to lock yourself out of your rb, you could ask someone to access your rb via the wug; this is if you're not in the mood to get on the roof and reset.

1 Like

Great post @spin. If I might add, I find a lot of rbs with no admin password!

1 Like