From Zero Security to Enterprise-Grade Protection: My First MikroTik Firewall Setup


Module 4 of my MikroTik Zero to Hero Challenge
After three modules of getting basic connectivity working, I had a sobering realisation: my router was completely naked on the internet. No firewall rules, and management interfaces reachable from anywhere. Time for a serious security wake-up call.
The Scary Reality Check
Picture this: Your router is humming along nicely, DHCP is working, the internet is flowing smoothly, and then you realise anyone on the internet can try to access your router's management interface.
That's exactly where I was after Module 3. My network worked great, but it was about as secure as leaving your front door wide open with a "Welcome Hackers" sign.
Understanding How Traffic Flows
Before jumping into firewall rules, I had to understand where traffic goes in my network. This was the key to everything.
The Three Traffic Paths
1. INPUT Chain - "Who can talk TO the router?"
When I use Winbox to manage the router
When someone tries to access the router from the internet (bad!)
When the router receives replies from internet services
2. FORWARD Chain - "Who can pass THROUGH the router?"
When my laptop browses the internet
When someone from the internet tries to reach my laptop (also bad!)
Most of your normal internet traffic
3. OUTPUT Chain - "What can the router send OUT?"
When the router updates its time via NTP
When the router checks for software updates
Usually not configured in basic setups
Here's how it looks:
Laptop → Internet: Goes through FORWARD chain
Managing router: Goes through INPUT chain
Router getting updates: Goes through OUTPUT chain
The Magic of Connection States
This blew my mind. Instead of looking at every packet individually, MikroTik's firewall remembers connection states:
NEW: Someone is trying to start a new connection
ESTABLISHED: Packets from connections we already started
RELATED: Traffic related to connections we have (like FTP data)
INVALID: Weird, suspicious, or broken packets
The security superpower: Allow replies to connections we started, but block strangers trying to start new connections to us.
Building My First Real Security
Securing the Router Itself (INPUT Chain)
I started with the most critical part - protecting the router from internet attacks:
# Rule 1: Allow replies to connections the router started
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow replies to my connections"
# Rule 2: Drop suspicious/broken traffic
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid packets"
# Rule 3: Allow ping from my local network only
/ip firewall filter add chain=input protocol=icmp src-address=192.168.88.0/24 action=accept comment="Allow ping from LAN"
# Rule 4: Allow management from my local network only
/ip firewall filter add chain=input src-address=192.168.88.0/24 dst-port=8291 protocol=tcp action=accept comment="Winbox from LAN"
# Rule 5: Block everything else
/ip firewall filter add chain=input action=drop comment="Drop all other input"
Controlling Internet Access (FORWARD Chain)
Next, I controlled what could pass through the router:
# Rule 1: Allow replies to connections my devices started
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Allow reply traffic"
# Rule 2: Allow my local network to access the internet
/ip firewall filter add chain=forward src-address=192.168.88.0/24 action=accept comment="Allow LAN to internet"
# Rule 3: Drop suspicious forwarded traffic
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid forward"
# Rule 4: Block everything else from getting to my network
/ip firewall filter add chain=forward action=drop comment="Drop all other forward"
The Moment I Locked Myself Out
Here's where things got interesting. I was connected to my router through my home WiFi (not the lab network) when I enabled the firewall.
Suddenly, no more access!
The firewall was working perfectly - it was blocking my WiFi connection because it wasn't from the trusted LAN network (192.168.88.0/24).
Creative Problem Solving
I had to add a special rule to allow my wireless connection:
/ip firewall filter add chain=input src-address=MY-WIRELESS-IP dst-port=8291 protocol=tcp action=accept comment="Winbox from wireless" place-before=4
The place-before=4 was crucial: RouterOS numbers rules from 0, so 4 was the fifth input rule, the "drop everything else" rule, and the new allow had to sit above it to ever be reached.
Testing My Security
I did proper security testing:
✅ Positive Test: My laptop from the LAN could still manage the router
✅ Negative Test: A different device couldn't access management
✅ Functionality Test: Internet access still worked perfectly
All tests passed! The firewall was doing exactly what it should.
Understanding Rule Order (Super Important!)
MikroTik processes firewall rules from top to bottom and stops at the first match. This means order matters a lot.
I made the mistake of adding duplicate rules by running the same commands multiple times, so I had to clean up:
/ip firewall filter remove 0,1,2,3,4
Lesson learned: Always check existing rules before adding new ones.
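As an added example that is not part of the original post: a small Python model of the five INPUT rules above with RouterOS first-match semantics, showing why the WiFi session fell through to the final drop rule, why place-before=4 fixes it, and why simply appending the same rule would never be reached. The address 10.0.0.25 is a constructed stand-in for MY-WIRELESS-IP.

```python
# Added example, not from the original post: a first-match simulator for the Module 4
# INPUT chain, showing why the WiFi session was dropped and what place-before=4 changes.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass
class Rule:
    action: str                      # accept or drop
    comment: str
    state: Optional[set] = None      # connection-state values; None matches any
    src: Optional[str] = None        # src-address in CIDR; None matches any
    proto: Optional[str] = None      # protocol; None matches any
    dport: Optional[int] = None      # dst-port; None matches any

    def matches(self, pkt: dict) -> bool:
        return ((self.state is None or pkt["state"] in self.state)
                and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))

# The five INPUT rules from the post, in the order they were added (indices 0..4).
INPUT_CHAIN = [
    Rule("accept", "Allow replies to my connections", state={"established", "related"}),
    Rule("drop", "Drop invalid packets", state={"invalid"}),
    Rule("accept", "Allow ping from LAN", src="192.168.88.0/24", proto="icmp"),
    Rule("accept", "Winbox from LAN", src="192.168.88.0/24", proto="tcp", dport=8291),
    Rule("drop", "Drop all other input"),
]

def evaluate(chain, pkt):
    """RouterOS semantics: walk top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "no rule matched"  # RouterOS default when nothing matches

def place_before(chain, index, rule):
    """Model of 'add ... place-before=<index>': the new rule takes that index."""
    return chain[:index] + [rule] + chain[index:]

# Constructed Winbox (TCP/8291) connection attempt from a hypothetical WiFi address.
WINBOX_FROM_WIFI = {"state": "new", "src": "10.0.0.25", "proto": "tcp", "dport": 8291}
WIFI_RULE = Rule("accept", "Winbox from wireless", src="10.0.0.25/32", proto="tcp", dport=8291)

def lockout_demo():
    locked_out = evaluate(INPUT_CHAIN, WINBOX_FROM_WIFI)                 # hits the final drop
    fixed = evaluate(place_before(INPUT_CHAIN, 4, WIFI_RULE), WINBOX_FROM_WIFI)
    appended = evaluate(INPUT_CHAIN + [WIFI_RULE], WINBOX_FROM_WIFI)     # never reached
    return locked_out, fixed, appended
```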
What My Security Policy Does
For Management Access:
✅ Allow from my local network (192.168.88.0/24)
✅ Allow from my specific wireless IP
❌ Block everyone else on the internet
For Internet Access:
✅ My devices can browse the internet freely
✅ Replies to my requests come back fine
❌ Random internet users can't reach my devices
For Network Diagnostics:
✅ I can ping the router from my network
❌ Internet users can't ping my router
The Commands That Matter
# View all firewall rules
/ip firewall filter print
# Add a rule at a specific position
/ip firewall filter add chain=input src-address=192.168.88.0/24 dst-port=8291 protocol=tcp action=accept place-before=5
# Remove rules (be careful!)
/ip firewall filter remove 0,1,2
# Test connectivity
/ping 8.8.8.8
/ip firewall connection print
What I Achieved
By the end of Module 4:
✅ Router is secure - Management only from trusted networks
✅ Internet access maintained - Users can browse normally
✅ Attack resistance - Invalid and suspicious traffic blocked
✅ Diagnostic capability - Network troubleshooting still works
✅ Professional security model - Default deny with explicit allows
The Big Learning
Module 4 taught me that good security is about controlling traffic flows, not just blocking bad stuff.
The connection state tracking was the real game-changer. Instead of trying to guess what's good or bad, I let the firewall remember what connections my network started, and only allow replies to those.
This is how enterprise networks work - not by trying to identify every possible threat, but by having a clear policy about what's allowed and blocking everything else.
From Open Door to Fort Knox
My network went from being completely open to having enterprise-grade security. But this was just the foundation. I still had no NAT rules for internet access, no VLANs for network segmentation, and no Quality of Service controls.
The journey was getting more complex, but also more powerful. I was starting to understand why network professionals choose MikroTik - it gives you complete control to build exactly what you need.
This is part of my MikroTik Zero to Hero challenge. Security first, everything else follows.
Next up: Module 5 - NAT & Port Forwarding (Making internal services accessible while staying secure)
Written by Alex Nyambura
