Mastering the MikroTik Firewall: NAT, Port Forwarding, and Basic Security

  • Mikrotik, Network Security

Hey there!
I’m Emmanuel Corels, your friendly admin from Emmanuel Corels Creatives, and welcome to our second article in the MikroTik series. Last time, we covered the basics of MikroTik and WinBox, from setting an IP address to updating RouterOS. Now, we’re diving deeper into one of the most powerful (and sometimes intimidating) features of MikroTik: the firewall.

Why the Firewall Matters

The firewall is your main line of defense and a critical piece of network management. With RouterOS, you can configure everything from basic protection rules to advanced port forwarding and NAT (Network Address Translation). So let’s get started, step by step, and make sure you have a solid foundation in firewall basics.


1. MikroTik Firewall Overview

MikroTik’s firewall is found under IP -> Firewall in WinBox. You’ll see several tabs:

  • Filter Rules: For allowing or blocking traffic.
  • NAT: For Network Address Translation (e.g., masquerade, port forwarding).
  • Mangle: For marking or modifying packets (advanced feature).
  • Service Ports: For managing built-in services.
  • Address Lists: For grouping IP addresses or networks.

We’ll focus primarily on Filter Rules and NAT this time.


2. Basic Firewall Concepts

2.1 Chains

In MikroTik, filter rules are organized into chains:

  1. Input: Traffic to the router itself (e.g., WinBox access, ping to the router).
  2. Output: Traffic from the router.
  3. Forward: Traffic going through the router (LAN to WAN or WAN to LAN).

2.2 Default Action

Each rule has an action: accept, drop, or reject. Drop discards the packet silently, while reject discards it and sends an error back to the sender. Understanding when to allow or block traffic is crucial for security.


3. NAT Basics: Masquerade

A common scenario is when you have a LAN behind your MikroTik and you want to allow users to access the internet. For that, you typically use source NAT (srcnat) with an action of masquerade.

3.1 The Masquerade Rule

  1. In WinBox, go to IP -> Firewall -> NAT.
  2. Click the “+” to add a new NAT rule.
  3. In the General tab:
    • Chain: srcnat
    • Out. Interface: Select the interface that connects to the internet (e.g., ether1-WAN).
  4. In the Action tab:
    • Action: masquerade
  5. Click OK.

Now, any traffic leaving your router through the WAN interface is “masqueraded,” meaning the router rewrites the source address to its own public IP. This allows devices on the LAN (with private IPs) to connect to the internet.

Command Line Equivalent:

/ip firewall nat add chain=srcnat out-interface=ether1-WAN action=masquerade

4. Basic Filter Rules

4.1 Default Firewall Rules

If you’re using a newer MikroTik with default configuration, you might already have a set of basic firewall rules. These typically:

  • Allow established/related connections.
  • Drop invalid connections.
  • Provide basic protection for WinBox access.

However, let’s create our own simple set of rules from scratch, so you understand the logic.


Rule 1: Allow Established and Related Traffic

  1. Go to IP -> Firewall -> Filter Rules.
  2. Click “+” to add a new rule.
  3. Chain: forward (we’re focusing on traffic passing through the router).
  4. Connection State: established,related.
  5. Action: accept.
  6. Comment: “Allow established/related traffic.”
  7. Click OK.

This rule ensures that once a connection is established, return traffic is automatically allowed.


Rule 2: Drop Invalid Connections

  1. Again, click “+”.
  2. Chain: forward.
  3. Connection State: invalid.
  4. Action: drop.
  5. Comment: “Drop invalid connections.”
  6. Click OK.

This rule discards traffic that doesn’t match any known, valid connection state.


Rule 3: Allow New LAN Traffic to the Internet

  1. Click “+”.
  2. Chain: forward.
  3. In. Interface: Select your LAN interface (for example, bridge or ether2-LAN).
  4. Connection State: new.
  5. Action: accept.
  6. Comment: “Allow LAN to internet.”
  7. Click OK.

This allows new connections from your LAN heading out to the internet. The first two rules will handle the return traffic (established/related).


Rule 4: Drop Everything Else

  1. Click “+”.
  2. Chain: forward.
  3. Under the Advanced or General tab, Connection State can be left blank.
  4. Action: drop.
  5. Comment: “Drop everything else.”
  6. Click OK.

This final rule ensures that any traffic not explicitly allowed is dropped. This is a good default security stance (aka a “deny all” rule).


4.2 Order of Rules

Filter rules run from top to bottom, so place your rules in a logical order:

  1. Allow established/related.
  2. Drop invalid.
  3. Allow new LAN to internet.
  4. Drop everything else.

If you need to reorder rules, you can drag them up or down in WinBox.
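The four rules from section 4, entered from the terminal in the order section 4.2 describes. This is an added example, not commands from the original article; it assumes the LAN interface is named ether2-LAN (as in Rule 3) and that the forward chain is otherwise empty.

```routeros
# Added example: the four forward-chain rules from section 4, entered in order.
# Assumes the LAN interface is named ether2-LAN; adjust to your bridge or port.
/ip firewall filter
# Rule 1: return traffic for connections already tracked is accepted first,
# so it never reaches the drop rules below.
add chain=forward connection-state=established,related action=accept \
    comment="Allow established/related traffic"
# Rule 2: packets that connection tracking cannot match to any flow.
add chain=forward connection-state=invalid action=drop \
    comment="Drop invalid connections"
# Rule 3: only connections that start from the LAN side may open.
add chain=forward in-interface=ether2-LAN connection-state=new action=accept \
    comment="Allow LAN to internet"
# Rule 4: default deny. Anything not accepted above is dropped.
add chain=forward action=drop comment="Drop everything else"

# Verify the order: rules are numbered from 0, top to bottom, and are
# evaluated in that sequence until one matches with a terminating action.
print
```

If a rule ends up in the wrong place, `/ip firewall filter move 3 2` moves the rule at position 3 above the rule currently at position 2, the same thing dragging does in WinBox. Re-run `print` afterwards, because the numbers shift.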


5. Port Forwarding

Let’s say you have a server on the LAN running a web service (port 80), and you want users on the internet to access it. That’s called destination NAT or port forwarding.

5.1 Destination NAT Rule

  1. Go to IP -> Firewall -> NAT.
  2. Click “+”.
  3. Chain: dstnat.
  4. Dst. Address: Your public IP address (or you can leave it blank if your MikroTik’s WAN interface has the only valid public IP).
  5. Protocol: tcp.
  6. Dst. Port: 80.
  7. Move to the Action tab:
    • Action: dst-nat.
    • To Addresses: The LAN IP of the server (e.g., 192.168.88.100).
    • To Ports: 80.
  8. Comment: “Port forward HTTP to LAN server.”
  9. Click OK.

Now, when someone on the internet goes to your public IP on port 80, the MikroTik will forward that traffic to 192.168.88.100.

Command Line Equivalent:

/ip firewall nat add chain=dstnat dst-address=<YOUR_PUBLIC_IP> protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.88.100 to-ports=80

Security Note: Be sure to have a corresponding filter rule in the forward chain that allows the forwarded traffic; otherwise your “drop everything else” rule will discard it after the NAT rewrite. One approach is to create a rule:

  • Chain: forward
  • Dst. Address: 192.168.88.100 (the server’s LAN IP)
  • Protocol: tcp, Dst. Port: 80
  • Action: accept
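The port forward together with the forward-chain rule that lets it through, as an added example (not commands from the original article). It assumes the WAN interface is named ether1-WAN, the server is 192.168.88.100 as in section 5.1, and the ruleset from section 4 is already in place with its “Drop everything else” comment. It matches on the incoming interface instead of a fixed public IP, which is an assumption about your setup.

```routeros
# Added example: HTTP port forward plus the forward-chain rule that lets it through.
# Assumes WAN interface ether1-WAN, server 192.168.88.100 and the section 4 ruleset.
/ip firewall nat
# Match only traffic arriving on the WAN interface. Without in-interface or
# dst-address, the rule would also catch LAN clients' own outbound port-80
# connections and redirect them to the server.
add chain=dstnat in-interface=ether1-WAN protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=80 \
    comment="Port forward HTTP to LAN server"

/ip firewall filter
# dst-nat runs before filtering, so the forward chain already sees
# dst-address 192.168.88.100. connection-nat-state=dstnat limits the accept
# to connections that were actually translated by a dstnat rule, so the rule
# does not also open port 80 for traffic that reaches the server another way.
# place-before keeps it above the default-deny rule.
add chain=forward connection-state=new connection-nat-state=dstnat \
    dst-address=192.168.88.100 protocol=tcp dst-port=80 action=accept \
    comment="Allow forwarded HTTP to LAN server" \
    place-before=[find comment="Drop everything else"]
```

After testing from outside the LAN, `/ip firewall nat print stats` and `/ip firewall filter print stats` show per-rule packet and byte counters; a forward that “doesn’t work” with a rising NAT counter and a zero filter counter points at rule order.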

6. Testing Your Rules

  • Check Logs: Go to System -> Logging and set up firewall logging if you want to see what’s being dropped or accepted.
  • Use External Devices: If possible, test your port forwarding from a computer outside your LAN (like a mobile phone on cellular).
  • Ping and Traceroute: Use Tools -> Ping or Traceroute in WinBox to diagnose connectivity.
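One way to see what the default-deny rule is discarding, as an added example (not part of the original article). It assumes the section 4 ruleset exists with the comment “Drop everything else”; the log prefix is a constructed name.

```routeros
# Added example: log what the default-deny rule is about to drop, then read the log.
# Assumes the section 4 ruleset with the comment "Drop everything else".
/ip firewall filter
# action=log is not terminating: the packet is logged and then continues to
# the next rule, here the drop. Keep it directly above the drop rule.
add chain=forward action=log log-prefix="FWD-DROP" \
    comment="Log traffic about to be dropped" \
    place-before=[find comment="Drop everything else"]

# Firewall log entries go to the in-memory log by default; the prefix makes
# them easy to pick out.
/log print where message~"FWD-DROP"

# Per-rule packet and byte counters show whether a rule is being hit at all.
/ip firewall filter print stats

# Disable the log rule again once you are done looking.
disable [find comment="Log traffic about to be dropped"]
```

The memory log holds a limited number of lines and every dropped packet on a busy WAN becomes an entry, so treat the log rule as a diagnostic to switch on briefly, not as a permanent rule. If you want to keep entries, point the firewall topic at a remote syslog server under System -> Logging.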

7. Common Pitfalls

  1. Wrong Interface: Make sure you choose the correct WAN or LAN interface.
  2. Order of Rules: Remember, rules are processed in sequence. If you place a “drop all” rule above your “allow new from LAN” rule, you’ll block LAN traffic accidentally.
  3. Forgetting to Allow Forwarded Traffic: Port forwarding requires a destination NAT rule and a corresponding firewall filter rule (unless your default policy allows it).

8. Practical Security Tips

  • Disable Unused Services: Go to IP -> Services and disable Telnet, FTP, or other services you don’t need.
  • Use WinBox and SSH over Safe Networks: If you need remote access, consider using a VPN.
  • Keep RouterOS Updated: Security patches come out frequently, so stay on top of those updates.
  • Limit Access: In IP -> Firewall -> Filter Rules, you can restrict WinBox or SSH access to specific IP ranges if you want to tighten security.
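The last two tips as terminal commands, as an added example (not commands from the original article). It assumes the hosts allowed to manage the router are in 192.168.88.0/24 (an assumption; use your own management network) and that the router is managed over WinBox (port 8291) and SSH (port 22). The ICMP rule and the service list go slightly beyond the article’s list and are choices of this example.

```routeros
# Added example: restrict router management to a named address list and disable
# unused services. Assumes management hosts live in 192.168.88.0/24.
/ip firewall address-list
add list=mgmt-allowed address=192.168.88.0/24 \
    comment="Hosts allowed to manage the router"

/ip firewall filter
# The input chain protects the router itself. Same structure as the forward
# chain: allow tracked traffic, drop invalid, allow what is needed, drop the rest.
add chain=input connection-state=established,related action=accept \
    comment="Input: allow established/related"
add chain=input connection-state=invalid action=drop \
    comment="Input: drop invalid"
add chain=input protocol=icmp action=accept comment="Input: allow ping"
add chain=input protocol=tcp dst-port=8291,22 src-address-list=mgmt-allowed \
    action=accept comment="Input: WinBox/SSH from management list only"
add chain=input action=drop comment="Input: drop everything else"

# Each enabled service is a separate listener on the router; turn off the
# ones you do not use.
/ip service
disable telnet,ftp,www,api
# Bind the services you keep to the management network as a second check,
# independent of the firewall rules above.
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
```

Apply these from a host that is in the address list, and use WinBox’s Safe Mode while doing it: if the session drops after a change (a sign you locked yourself out), the changes made in Safe Mode are rolled back. If your router still carries the default configuration, check `/ip firewall filter print` first so the new input rules do not end up below an existing drop rule.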

9. Summary and What’s Next

You now have a solid understanding of how to create basic filter rules for security, set up NAT masquerade for internet access, and configure port forwarding for services inside your network. These are the cornerstones of any MikroTik setup.

Up Next: In the next article, we’ll explore VPN setups (like L2TP/IPsec, OpenVPN, or PPTP), and talk about using CHR (Cloud Hosted Router) in a virtual environment. We’ll break down the steps, from spinning up a virtual instance to configuring secure VPN tunnels.

Thanks for joining me on this journey—if you have any questions or want me to dive deeper into specific topics, just let me know. I’m always happy to help you get the most out of your MikroTik gear!


Written by:
Emmanuel Corels, Admin
Emmanuel Corels Creatives

