Geekzone: technology news, blogs, forums


skewt

750 posts

Ultimate Geek


#214643 22-May-2017 16:01

Is the default config for a mikrotik now okay to use out of the box?

I recently updated mine to 6.39.1 and the only rule I had to block myself was block ICMP/Ping from WAN

GRC ShieldsUp is reporting 100% Passed

Connecting via BigPipe (IPoE)

Are there other rules and settings I should be using?

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1786129 22-May-2017 18:35

The default is fine. I use that along with allowing ICMP and have additional rules to detect and block ICMP flood and SYN flood.

chevrolux
4962 posts

Uber Geek
Inactive user


  #1786170 22-May-2017 19:55

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE, and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.


Aaroona
3196 posts

Uber Geek


  #1786799 23-May-2017 14:58

I know there are many different opinions - but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the downsides to blocking it is that Path MTU Discovery doesn't work.

DonGould
3892 posts

Uber Geek


  #1787068 23-May-2017 20:59

chevrolux:

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE, and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.

Can you post an export?




Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz


chevrolux
4962 posts

Uber Geek
Inactive user


  #1787127 23-May-2017 22:20

/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
established,related in-interface=pppoe-wan
add chain=input comment="Allow known hosts." in-interface=pppoe-wan \
src-address-list=safe-hosts
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=1w chain=input comment="Identify port scanners" \
in-interface=pppoe-wan protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn-flooders \
address-list-timeout=30m chain=input comment="SYN flood detector" \
connection-limit=30,32 in-interface=pppoe-wan protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop port scanners" in-interface=\
pppoe-wan src-address-list=port-scanners
add action=drop chain=input comment="Drop SYN flooders" in-interface=\
pppoe-wan src-address-list=syn-flooders
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
connection-state=established,related
add action=drop chain=forward comment="Forward. Drop Invalid" \
connection-state=invalid
add action=drop chain=forward comment="Drop all not dstnat'd" \
connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan

Edit: I use "pppoe-wan" for my WAN interface. So obviously substitute that for whatever your WAN interface is.
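An added check, not code from the thread or from MikroTik: it parses a RouterOS `/ip firewall filter` export in the format posted above and flags the two failure modes raised in this thread, rules still pointing at an interface that no longer exists after a PPPoE/IPoE change, and a WAN input chain that does not end in a catch-all drop (plus the forward-chain drop for un-forwarded new connections). The embedded export is constructed from the rules above and trimmed; the interface names passed to `audit` are assumptions.

```python
import re

# Constructed sample: the pppoe-wan export posted above, trimmed to the rules the audit inspects.
EXPORT = r"""/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
established,related in-interface=pppoe-wan
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
connection-state=established,related
add action=drop chain=forward comment="Drop all not dstnat'd" \
connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan
"""

# Keys that do not narrow what a rule matches; any other key is a matcher.
NON_MATCHERS = {"action", "chain", "comment", "in-interface"}

def parse_export(text):
    """Join RouterOS backslash line continuations, then turn each 'add ...' line into a dict."""
    rules = []
    for line in re.sub(r"\\\n", "", text).splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}  # RouterOS applies accept when no action is given
        for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:]):
            rule[key] = val.strip('"')
        rules.append(rule)
    return rules

def audit(rules, wan, interfaces):
    """Return findings (empty list = passed) for a router whose WAN interface is `wan`."""
    findings = []
    # 1. Rules left pointing at an interface that no longer exists (the PPPoE <-> IPoE switch).
    for r in rules:
        iface = r.get("in-interface")
        if iface and iface not in interfaces:
            findings.append(f"rule '{r.get('comment', '?')}' references missing interface {iface}")
    # 2. The input chain for the WAN must end in a drop with no other matchers (catch-all).
    wan_input = [r for r in rules if r["chain"] == "input" and r.get("in-interface") == wan]
    if not wan_input or wan_input[-1]["action"] != "drop" or set(wan_input[-1]) - NON_MATCHERS:
        findings.append(f"input chain has no final catch-all drop for {wan}")
    # 3. The forward chain must drop new WAN connections that were not dst-nat'd (port-forwarded).
    if not any(r["chain"] == "forward" and r["action"] == "drop" and r.get("in-interface") == wan
               and r.get("connection-state") == "new" and r.get("connection-nat-state") == "!dstnat"
               for r in rules):
        findings.append(f"forward chain does not drop un-forwarded new connections from {wan}")
    return findings
```

Running `audit(parse_export(EXPORT), "ether1", {"ether1"})` reproduces the scenario described earlier in the thread: the rules are orphaned on the old interface name, so the new WAN has no input drop at all.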


fe31nz
1229 posts

Uber Geek


  #1787131 23-May-2017 22:27

Aaroona:

I know there are many different opinions - but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the downsides to blocking it is that Path MTU Discovery doesn't work.

Path MTU discovery uses ICMP packets, but not ICMP Ping packets. If you block just the ICMP Ping packets, it is unaffected. If you block all ICMP packets, then Path MTU Discovery stops working and also several other subtle things, so it is not recommended to do that. Blocking ICMP Ping packets is entirely up to you - I cannot think of anything that is damaged by doing that. I prefer to leave pings enabled myself, as there are times when I need to ping my router from my phone to see if the data networking on the phone is working properly.

For IPv6, ICMPv6 is required for the protocol to work, and there is an RFC that tells you what ICMPv6 packets you should be allowing:

http://www.ietf.org/rfc/rfc4890.txt

Unfortunately, for IPv4 there is no such straightforward set of recommendations and requirements available.  I tend to have my routers allow rather than drop ICMP packets.  If I find a problem, I can then drop the problem packets if I need to, but I do not then wind up with strange problems caused by the lack of certain ICMP packets.


chevrolux
4962 posts

Uber Geek
Inactive user


  #1787173 23-May-2017 23:56

We leave ICMP open purely because we use it for basic diagnostics for connection uptime/stability.

By no means a perfect method but can be a damn handy quick way to check stuff.

skewt

750 posts

Ultimate Geek


  #1787294 24-May-2017 09:58

Thanks for all that,

Will have to add that filter to my setup

Changing my BigPipe to connect with IPoE instead of PPPoE has made the setup so much easier after resetting my config


MadEngineer
4274 posts

Uber Geek

Trusted

  #1787772 24-May-2017 20:25

If you're not port-forwarding or accepting services to your router from the world (e.g. VPN) there's no need for complicated port-scanner detections or address-list compilations (i.e. a poor-man's fail2ban), as everything will be blocked anyway under the default config. It's only useful maybe if you're curious or if there's a risk that someone may detect an active port forward and start abusing it. That has the presumption that they will port scan before trying said open ports in the first place.

Also, instead of blindly accepting ICMP, use the following:

/ip firewall filter
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"




You're not on Atlantis anymore, Duncan Idaho.
