
Essential MikroTik Firewall Rules with Best Practices

Internet-facing MikroTik routers are constantly exposed to port scans, brute-force attempts, and misconfiguration risks, so building a secure firewall is essential before you put a device into production. In this guide, you will learn how to apply MikroTik firewall best practices.

By following this guide on PerLod Hosting, you can build a secure and minimal rule set that protects the router itself and controls transit traffic without breaking normal connectivity.

Prerequisites for Applying MikroTik Firewall Best Practices

Before you start the MikroTik firewall best practices, you must ensure that you have the following things in place:

  • MikroTik RouterOS 6.36 or later.
  • Console or Winbox access to the router.
  • WAN interface configured and connected to the internet.
  • LAN interface configured with the local network.

Understanding MikroTik Firewall Architecture

MikroTik processes every packet through several firewall stages, and understanding this architecture helps you place rules in the right spot for maximum efficiency.

  • Raw (Prerouting): First stage before connection tracking, used for early packet dropping to reduce CPU load.
  • Filter (Input): Controls traffic destined to the router itself.
  • Filter (Forward): Controls traffic passing through the router.
  • NAT: Handles source and destination address translation.

Now that you have understood the MikroTik firewall architecture, you can proceed to the following steps to apply MikroTik firewall best practices and configuration.

Configure MikroTik Interface Lists

Interface lists simplify MikroTik firewall rule management by grouping interfaces by function. To configure the interface lists, you can use:

/interface list
add name=WAN
add name=LAN

/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

Remember to replace ether1 and bridge with your actual WAN and LAN interface names.

MikroTik RAW Firewall Rules

Raw rules process packets before connection tracking, which reduces CPU load during attacks. These rules block broken packets and stop common attacks.

Drop Invalid TCP Flags

These rules block TCP packets with invalid flag combinations used in stealth scans and attacks.

/ip firewall raw
add chain=prerouting action=drop protocol=tcp tcp-flags=!fin,!syn,!rst,!ack comment="Drop invalid TCP flags"
add chain=prerouting action=drop protocol=tcp tcp-flags=fin,syn
add chain=prerouting action=drop protocol=tcp tcp-flags=fin,rst
add chain=prerouting action=drop protocol=tcp tcp-flags=fin,!ack
add chain=prerouting action=drop protocol=tcp tcp-flags=syn,rst
add chain=prerouting action=drop protocol=tcp tcp-flags=rst,urg

Drop Port 0 Attacks

Port 0 is reserved and should never appear in normal traffic.

add chain=prerouting action=drop protocol=tcp src-port=0 comment="Drop TCP port 0"
add chain=prerouting action=drop protocol=tcp dst-port=0
add chain=prerouting action=drop protocol=udp src-port=0 comment="Drop UDP port 0"
add chain=prerouting action=drop protocol=udp dst-port=0

Mitigate ICMP Attacks

These rules help mitigate ICMP-based attacks such as oversized ping floods and fragmented ICMP packets.

add chain=prerouting action=drop protocol=icmp packet-size=1025-65535 comment="Drop large ICMP packets"
add chain=prerouting action=drop protocol=icmp fragment=yes comment="Drop fragmented ICMP"

Block Malicious IP Options

IP options are rarely needed in normal traffic, so seeing them often means someone is probing or trying an attack.

add chain=prerouting action=drop ipv4-options=loose-source-routing comment="Drop IP options attacks"
add chain=prerouting action=drop ipv4-options=strict-source-routing
add chain=prerouting action=drop ipv4-options=record-route
add chain=prerouting action=drop ipv4-options=router-alert
add chain=prerouting action=drop ipv4-options=timestamp
add chain=prerouting action=drop protocol=!igmp ipv4-options=any

Accept Standard Protocols

These rules allow standard protocols to pass through to the filter stage.

add chain=prerouting action=accept protocol=icmp comment="Accept ICMP"
add chain=prerouting action=accept protocol=tcp
add chain=prerouting action=accept protocol=udp

Input Filter Rules for MikroTik

The input chain protects the router itself from unauthorized access. These rules implement a default-deny policy for MikroTik firewall best practices.

Accept Established Connections

This rule allows return traffic for connections initiated by the router.

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="Accept established/related"

Drop Invalid Connections

Invalid connections usually mean the packet is broken or doesn’t match any known session.

add chain=input action=drop connection-state=invalid comment="Drop invalid connections"

Rate-Limit ICMP

add chain=input action=accept protocol=icmp limit=5,10:packet comment="Accept ICMP with rate limit"
add chain=input action=drop protocol=icmp comment="Drop excess ICMP"

The first rule lets through a small amount of ICMP (5 per second, up to 10 at once), so normal ping and monitoring works but ping floods get limited.

Brute Force Protection for SSH

These rules detect repeated new SSH connections from the same source within 1 minute and drop further attempts. The stage-2 rule must be listed before the stage-1 rule: otherwise a single attempt would be added to stage 1 and immediately promoted to stage 2 by the next rule.

add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m comment="SSH brute force stage 2"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 connection-state=new address-list=ssh_stage1 address-list-timeout=1m
add chain=input action=drop protocol=tcp dst-port=22 src-address-list=ssh_stage2 comment="Drop SSH brute force"

Allow LAN Access

This rule permits all traffic from trusted LAN interfaces to access router services.

add chain=input action=accept in-interface-list=LAN comment="Accept from LAN"

Drop Everything Else

This is a default-deny policy; if traffic isn’t explicitly allowed above, it gets blocked.

add chain=input action=drop comment="Drop all other input"

Forward Filter Rules for MikroTik

The forward chain controls traffic passing through the router between networks. Here are the forward chain MikroTik firewall best practices:

FastTrack Established Connections

FastTrack lets packets of established connections skip most of the remaining firewall processing, which improves throughput.

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="FastTrack established"
add chain=forward action=accept connection-state=established,related,untracked comment="Accept established/related"

Drop Invalid Connections

This stops broken or invalid packets from passing through the router.

add chain=forward action=drop connection-state=invalid comment="Drop invalid forward"

Allow LAN to Internet

This rule permits outbound internet access from the local network.

add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="Allow LAN to internet"

Drop Port Scanners

The Port Scan Detector (PSD) flags a source whose connection attempts to different ports reach a weight of 21 within 3 seconds (in the rule below, ports under 1024 count 3 and higher ports count 1), and the second rule blocks it for 1 day.

add chain=forward action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port_scanners address-list-timeout=1d comment="Detect port scanners"
add chain=forward action=drop src-address-list=port_scanners comment="Drop port scanners"

Drop Everything Else

This blocks incoming connections from the internet that you didn’t request or allow.

add chain=forward action=drop comment="Drop all other forward"

MikroTik NAT Configuration

To let your LAN devices access the internet, you need to configure source NAT so outbound traffic uses the router’s public IP address.

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="Masquerade LAN to internet"

Masquerading automatically uses the WAN interface IP address for outbound connections.

Disable Unnecessary Services for MikroTik Firewall

You can reduce the attack surface by disabling unused services. To do this, you can use:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

Keep only SSH and Winbox enabled, and restrict them to LAN access only:

set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

Replace 192.168.88.0/24 with your actual LAN subnet.

Verify MikroTik Firewall Rules

After applying the configuration, you can verify the firewall rules with:

/ip firewall filter print
/ip firewall raw print
/ip firewall nat print

Test internet access from a LAN device to make sure it works. Then try accessing the router from outside (WAN) to confirm it’s blocked.

Monitoring and Maintaining the MikroTik Firewall

Monitor firewall activity and blocked connections, and review the blocked IPs periodically to identify attack patterns. Entries in the address lists expire automatically according to their configured timeouts.

/ip firewall filter print stats
/ip firewall address-list print
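Two gaps a practitioner will notice in the input rules and the monitoring section above: the SSH brute-force staging also applies to admins (two SSH connections within a minute from the LAN trigger the drop), and the default-deny rules drop silently, so there is nothing to review. The following is an added example, not part of the original guide, that exempts an admin address list from the staging and logs what the default-deny rules drop; the address 192.168.88.10 and the list name admin_allow are assumed values, and the place-before lookups rely on the rule comments used in this guide.

```routeros
# Added example (not from the original guide). Assumes the rules above were
# created with their comments intact; 192.168.88.10 is a placeholder admin host.
/ip firewall address-list
add list=admin_allow address=192.168.88.10 comment="Admin workstation (example address)"

/ip firewall filter
# Accept SSH from the admin list before the brute-force staging rules,
# so a mistyped password from a trusted host does not lock the admin out.
add chain=input action=accept protocol=tcp dst-port=22 src-address-list=admin_allow \
    comment="Accept SSH from admin list" \
    place-before=[find chain=input comment="SSH brute force stage 2"]

# Log (rate-limited, so a flood cannot fill the log) what the input
# default deny is about to drop. Placed directly before that drop rule.
add chain=input action=log limit=10,20:packet log-prefix="INPUT-DROP" \
    comment="Log input default-deny drops" \
    place-before=[find chain=input comment="Drop all other input"]

# Same for the forward chain default deny.
add chain=forward action=log limit=10,20:packet log-prefix="FWD-DROP" \
    comment="Log forward default-deny drops" \
    place-before=[find chain=forward comment="Drop all other forward"]

# Review: logged drops, sources currently blocked, and per-rule hit counters.
/log print where message~"INPUT-DROP"
/log print where message~"FWD-DROP"
/ip firewall address-list print where list=ssh_stage2
/ip firewall address-list print where list=port_scanners
/ip firewall filter print stats where chain=input
```

Confirm with /ip firewall filter print that the new accept rule sits after the established/related rule and before the SSH staging rules, and that both log rules sit immediately above their drop rules.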

For production MikroTik deployments that require high availability and performance, you can consider using dedicated MikroTik VPS hosting infrastructure.

MikroTik Firewall Rules Ordering

Firewall rules are processed sequentially from top to bottom. It is recommended to follow these ordering principles:

  • Place the accept rules for established or related connections first for performance.
  • Drop invalid connections early.
  • Place rate-limiting rules before accept rules.
  • Group related rules with comments.
  • Place default-deny rules last.

Rules can be reordered with the move command, using the rule numbers shown by print:

/ip firewall filter move [rule-number] destination=[destination-number]

Conclusion

Securing your internet router doesn’t have to be complicated. By following these MikroTik firewall best practices, using RAW rules to drop junk traffic early, and locking down the Input and Forward chains, you can stop most scanners and attacks automatically.
