MikroTik RouterOS Firewall Filters and Network Address Translation (NAT)

Document revision 14-Jul-2002
This document applies to the MikroTik RouterOS V2.5

Overview

The firewall supports filtering and security functions that are used to manage data flows to the router, through the router, and from the router. Along with the Network Address Translation they serve as security tools for preventing unauthorized access to networks.

Contents of the Manual

The following topics are covered in this manual:

What's New in V2.5.3?
What's New in V2.5?
Installation
Packet Flow through the Router
IP Firewall Configuration
Troubleshooting
Additional Resources
Firewall Applications

What's New in V2.5.3?

IP Firewall mangle rules are marking packets and/or changing the MSS if the 'flow' or 'tcp-mss' arguments are specified. The 'action' argument can heve following values:
- 'action=accept' - packet is mangled and no more mangle rules are processed after packet matches this rule;
- 'action=passthrough' - packet is mangled and the remaining mangle rules are processed.

What's New in V2.5?

The MikroTik RouterOS V2.5 has a different firewall feature compared to the previous versions. Stateful firewall feature is implemented by means of connection tracking. V2.5 has ability to maintain state information about a connection in memory tables, such as source and destination ip address and port number pairs (known as socket pairs), protocol types, connection state and timeouts. Firewalls that do this are known as stateful. Stateful firewalling is inherently more secure than its "stateless" counterpart, i.e., simple packet filtering as in V2.4.

When migrating from V2.4 to V2.5, please note that:

The filtering rules of the INPUT and OUTPUT chains do not work for packets passing through the router. You may need to move the rules used in V2.4 to the FORWARD chain, which processes these packets in V2.5.
The MASQUERADING is no longer done by the rules of the FORWARD chain, as it was in V2.4. Use the argument value 'action=masquerade' of the SRC-NAT.
The NAT feature is configured now separately in SRC-NAT or DST-NAT depending on the requirement to change the source or the destination address:port respectively. No longer are two rules needed to configure access, for example, from the external network to a webserver in a local network. Just add one destination NAT rule to the '/ip firewall dst-nat'. No need to exclude the private address:port form masquerading either. Read the relevant section below.
Same as in V2.4, the firewall rules are grouped together in CHAINS. Each chain can be considered as a set of rules. There are three default chains (input, forward, and output), which cannot be deleted. More chains can be added for grouping together filtering rules.
Additionally to the previous versions, the firewall rules can specify the connection state and source MAC address for the packets in V2.5.
A new feature of V2.5 is the ability to change packet properties in the flow, called MANGLE. Currently only two properties can be changed: packets can be marked, and the TCP Maximum Segment Size (MSS) value can be changed (only TCP SYN packages). After marking the packets, the firewall and queue rules can be applied to the marked packets, based on the value of the 'flow' argument.
The firewall rules have counters in V2.5, which serve as monitoring tool of the firewall and help to debug the firewall setup.
Connections through the router and their states can be monitored.

Firewall Installation

The firewall feature is included in the "system" software package. No additional software package installation is needed for this feature.

Packet Flow through the Router

The firewall rules are applied in the following order:

When a packet arrives at an interface, the NAT rules are applied first. The firewall rules of the input chain and routing are applied after the packet has passed the NAT rule set. This is important when setting up firewall rules, since the original packets might be already modified by the NAT.
If the packet should be forwarded through the router, the firewall rules of the forward chain are applied next.
When a packet leaves an interface, firewall rules of the output chain are applied first, then the NAT rules and queuing.

IP packet flow through the router is given in the following diagram:

IP Packet Flow

IP Firewall Configuration

The IP firewall management can be accessed under the /ip firewall menu. Firewall can be managed through the WinBox Console as well. Go to IP Firewall and select the desired chain. Press the 'List' button to access the rules of the selected chain.

IP Firewall Common Arguments

The common arguments used in the firewall rules are:

action - Action to undertake if the packet matches the rule (see below). The choice of the available action is different for firewall filter, mangle and NAT rules.
mark-flow - (MANGLE only) Flow mark string.
dst-address - Destination IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
dst-netmask - Destination netmask in decimal form x.x.x.x
dst-port - Destination port number or range (0-65535). 0 means all ports 1-65535.
icmp-options - "any:any". ICMP options.
out-interface - interface the packet is leaving the router. If the default value 'all' is used, it may include the local loopback interface for packets with destination to the router.
limit-burst - allowed burst regarding the limit-count/limit-time
limit-count - how many times to use the rule during the 'limit-time' period
limit-time - time interval, used in limit-count
protocol - Protocol (all / egp / ggp / icmp / igmp / ip-encap / ip-sec / tcp / udp). 'all' cannot be used, if you want to specify ports.
src-address - Source IP address. Can be in the form address/mask:ports, where mask is number of bits in the subnet, and ports is one port, or range of ports, e.g., x.x.x.x/32:80-81
src-mac-address - host's MAC address the packet has been received from.
src-netmask - Source netmask in decimal form x.x.x.x
src-port - Source port number or range (0-65535). 0 means all ports 1-65535.
in-interface - interface the packet has entered the router through. If the default value 'all' is used, it may include the local loopback interface for packets originated from the router.
tcp-mss - (MANGLE only) The new TCP Maximum Segment Size (MSS) value, MTU minus 40, or 'dont-change'.
tcp-options - ( all / syn-only / non-syn-only ). 'non-syn-only' is for all other options than 'syn-only'.
connection-state - (any / established / invalid / new / related). The connection state.
flow - Flow mark to match. Only packets marked in the MANGLE would be matched.
jump-target - Name of the target chain, if the action=jump is used.
log - Log the action ( yes / no ).
bytes - (cannot be set) Number of bytes processed by this rule.
packets - (cannot be set) Number of packets processed by this rule.

To reset the byte and packet counters, use the command 'reset-counters'.

Please note, that 'src-nat' and 'dst-nat' rules are processing and counting only packets that are opening connections (for tcp only SYN, for icmp/udp only first packet). Thus, the counters rather show how many connections have been opened, than how many packets have been changed.

If the packet matches the criteria of the rule, then the performed ACTION can be:

accept - Accept the packet. No action, i.e., the packet is passed through without undertaking any action, except for mangle, and no more rules are processed in the relevant list/chain.
drop - Silently drop the packet (without sending the ICMP reject message)
jump - jump to the chain specified by the value of the 'jump-target' argument.
passthrough - ignore this rule, except for mangle, go on to the next one. Acts the same way as a disabled rule, except for ability to count and mangle pacets.
reject - Reject the packet and send an ICMP reject message
return - Return to the previous chain, from where the 'jump' took place.
passthrough - (MANGLE only) mark the packet for further processing against some rule, and go on processing the next rule.
masquerade - (SRC-NAT only) Use masquerading for the packet and substitute the source address:port of the packet with the ones of the router. In this case, the 'to-src-address' argument value is not taken into account and it does not need to be specified, since the router's local address is used.
redirect - (DST-NAT only) redirects to the local address:port of the router. In this case, the 'to-dst-address' argument value is not taken into account and it does not need to be specified, since the router's local address is used.
nat - (SRC-NAT and DST-NAT only) Perform Network Address Translation. For source NAT, the 'to-src-address' should be specified (not required with 'action=masquerade'). For destination NAT, the 'to-dst-address' should be specified (not required with 'action=redirect').

Logging the Firewall Actions

To enable logging of the firewall actions you should set the value of the rule argument 'log' to 'yes'. Also, the logging facility should be enabled for firewall logs:

[MikroTik] system logging facility> set Firewall-Log logging=local 
[MikroTik] system logging facility> print                                      
  # FACILITY            LOGGING PREFIX              REMOTE-ADDRESS  REMOTE-PORT
  0 Firewall-Log        local                                                  
  1 PPP-Account         none                                                   
  2 PPP-Info            none                                                   
  3 PPP-Error           none                                                   
  4 System-Info         local                                                  
  5 System-Error        local                                                  
  6 System-Warning      local                                                  
  7 Prism-Info          local                                                  
[MikroTik] system logging facility>

You can send UDP log messages to a remote syslog host by specifying the remote address and port (usually 514). Local logs can be viewed using the /log print command:

[MikroTik] > log print detail without-paging
...
 time=feb/24/2002 19:37:08 
    message=router->REJECT, in:ether1, out:(local), src-mac \
             00:30:85:95:67:2b, prot TCP (SYN), \
             213.67.20.9:4164->195.13.162.195:21, len 60 
                     
(The format of the log is:
DATE TIME Chain -> ACTION, in:interface, out:interface, \
             src-mac ADDRESS, protocol (protocol option), \
             src-address:port->dst-address:port, packet_length )

Marking the Packets (Mangle) and Changing the MSS

Packets entering the router can be marked for further processing them against the rules of firewall chains, source or destination NAT rules, as well as for applying queuing to them. Use the /ip firewall mangle to manage the packet marking. Specify the value for the 'mark-flow' argument and use 'action=passthrough', for example:

[MikroTik] ip firewall mangle> add action=passthrough mark-flow=abc-all        
[MikroTik] ip firewall mangle> print                                           
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 protocol=all tcp-options=any 
      icmp-options=any:any flow="" src-mac-address=00:00:00:00:00:00 
      limit-count=0 limit-burst=0 limit-time=0s action=passthrough 
      mark-flow=abc-all tcp-mss=dont-change bytes=9091 packets=61 

[MikroTik] ip firewall mangle>

Note, that the packets originated from the router cannot be mangled!

To change the TCP Maximum Segment Size (MSS), set the 'tcp-mss' argument to a value which is your desired MTU value less 40, for example, if your connection MTU is 1500, you can set 'tcp-mss=1460' or lower. The MSS can be set only for TCP SYN packets.

For example, if you have encrypted PPPoE link with MTU=1492, set the mangle rule as follows:

[MikroTik] ip firewall mangle>
add protocol=tcp tcp-options=syn-only action=passthrough tcp-mss=1448 
[MikroTik] ip firewall mangle> print                                           
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 protocol=tcp tcp-options=syn-only 
      icmp-options=any:any flow="" src-mac-address=00:00:00:00:00:00 
      limit-count=0 limit-burst=0 limit-time=0s action=passthrough 
      mark-flow="" tcp-mss=1448 bytes=0 packets=0 

[MikroTik] ip firewall mangle>

Firewall Chains

The firewall filtering rules are grouped together in chains. It is very advantageous, if packets can be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. Let us assume that, for example, packets must be matched against the IP addresses and ports. Then matching against the IP addresses can be done in one chain without specifying the protocol ports. Matching against the protocol ports can be done in a separate chain without specifying the IP addresses.

The Input Chain is used to process packets entering the router through one of the interfaces with the destination of the router. Packets passing through the router are not processed against the rules of the input chain.

The Forward Chain is used to process packets passing through the router.

The Output Chain is used to process originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.

Note, that the packets passing through the router are not processed against the rules of neither the input, nor output chains!

When processing a chain, rules are taken from the chain in the order they are listed there from the top to the bottom. If it matches the criteria of the rule, then the specified action is performed on the packet, and no more rules are processed in that chain. If the packet has not matched any rule within the chain, then the default policy action of the chain is performed.

The list of currently defined chains can be viewed using the /ip firewall print command:

[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
[MikroTik] ip firewall>

These three chains cannot be deleted. The available policy actions are:

accept - Accept the packet
drop - Silently drop the packet (without sending the ICMP reject message)
none - N/A

You can change the chain policies by using the /ip firewall set command.

Note! Be careful about changing the default policy action to these chains! You may lose the connection to the router, if you change the policy to drop, and there are no rules in the chain, that allow connection to the router.

Usually packets should be matched against several criteria. More general filtering rules can be grouped together in a separate chain. To process the rules of additional chains, the 'jump' action should be used to this chain from another chain.

To add a new chain, use the /ip firewall add command:

[MikroTik] ip firewall> add name=router                                        
[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
  3 router                                                               none  
[MikroTik] ip firewall>

The policy of user added chains is 'none', and it cannot be changed. Chains cannot be removed, if they contain rules (are not empty).

Firewall Rules

Management of the firewall rules can be accessed by selecting the desired chain. If you use the WinBox console, select the desired chain and then press the 'List' button on the toolbar to open the window with the rules. In the terminal console, use the /ip firewall rule command with the argument value that specifies a chain, for example:

[MikroTik] ip firewall> rule input                                             
[MikroTik] ip firewall rule input>

To add a rule, use the add command, for example:

[MikroTik] ip firewall rule input> add dst-port=8080 protocol=tcp action=reject
[MikroTik] ip firewall rule input> print                                       
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:8080 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=reject log=no bytes=0 packets=0 

[MikroTik] ip firewall rule input>

Here, the available values for the argument 'action' are:
(accept / drop / jump / passthrough / reject / return)
See the argument description above.

Masquerading and Source NAT

Masquerading is a firewall function that can be used to 'hide' private networks behind one external IP address of the router. For example, masquerading is useful, if you want to access the ISP's network and the Internet appearing as all requests coming from one single IP address given to you by the ISP. The masquerading will change the source IP address and port of the packets originated from the private network to the external address of the router, when the packet is routed through it.

Masquerading helps to ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.

To use masquerading, a source NAT rule with action 'masquerade' should be added to the src-nat rule set:

[MikroTik] ip firewall src-nat>
add src-address=10.5.91.0/24:0-65535 out-interface=ether1 action=masquerade
[MikroTik] ip firewall src-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=10.5.91.0/24:0-65535 dst-address=0.0.0.0/0:0-65535 
      out-interface=ether1 protocol=all icmp-options=any:any flow="" 
      limit-count=0 limit-burst=0 limit-time=0s action=masquerade 
      to-src-address=0.0.0.0 to-src-port=0-65535 bytes=0 packets=0 

[MikroTik] ip firewall src-nat>

If the packet matches the 'masquerading' rule, then the router opens a connection to the destination, and sends out a modified packet with its own address and a port allocated for this connection. The router keeps track about masqueraded connections and performs the 'demasquerading' of packets, which arrive for the opened connections. For filtering purposes, you may want to specify 'the to-src-ports' argument value, say, to 60000-65535, as it was in V2.4 by default.

If you want to change the source address:port to specific adress:port, use the 'action=nat' instead of 'action=masquerade':

[MikroTik] ip firewall src-nat> add src-address=192.168.0.1/32 \
out-interface=ether1 action=nat to-src-address=10.0.0.217
[MikroTik] ip firewall src-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=192.168.0.1/32:0-65535 dst-address=0.0.0.0/0:0-65535 
      out-interface=ether1 protocol=all icmp-options=any:any flow="" 
      limit-count=0 limit-burst=0 limit-time=0s action=nat 
      to-src-address=10.0.0.217 to-src-port=0-65535 bytes=120 packets=2 

[MikroTik] ip firewall src-nat>

Here, the

src-address - can be IP host's address, for example, 192.168.0.1/32, or network address 192.168.0.0/24
to-src-address - can be one address, or a range, say 10.0.0.217-10.0.0.219. The addresses should be added to the router's interface, or should be routed to it from the gateway router.

The source nat can masquerade several private networks, and use individual to-src-address for each of them.

Redirection and Destination NAT

Redirection and destination NAT should be used when you need to give access to services located on a private network from the outside world. To add a destination NAT rule that gives access to the http server 192.168.0.4 on the local network via external address 10.0.0.217, use the following command:

[MikroTik] ip firewall dst-nat> 
add action=nat protocol=tcp \
dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[MikroTik] ip firewall dst-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=nat to-dst-address=192.168.0.4 to-dst-port=0-65535 
      bytes=0 packets=0 

[MikroTik] ip firewall dst-nat>

Here, if you want to redirect to the router's local address, use 'action=redirect' and do not specify the 'to-dst-address'.

Note on 'redirect' and 'masquerade'

REDIRECT is similar to regular destination NAT in the same way as MASQUERADING is similar to source NAT - masquerading is source NAT, except you do not have to specify to-src-address - outgoing interface address is used automatically. The same with REDIRECT - it is destination NAT where to-dst-address is not used - incoming interface address is used instead. So there is no use of specifying to-src-address for src-nat rules with action=masquerade, and no use of specifying to-dst-address for dst-nat rules with action=redirect. Note that to-dst-port is meaningful for REDIRECT rules - this is port on which service _on router_ that will handle these requests is sitting (e.g. web proxy).

When packet is dst-natted (no matter - action=nat or action=redirect), dst address is changed. Information about translation of addresses (including original dst address) is kept in router's internal tables. Transparent web proxy working _on router_ (when web requests get redirected to proxy port on router) can access this information from internal tables and get address of web server from them. If you are dst-natting to some different proxy server, it has no way to find web server's address from IP header (because dst address of IP packet that previously was address of web server has changed to address of proxy server). Starting from HTTP/1.1 there is special header in HTTP request which tells web server address, so proxy server can use it, instead of dst address of IP packet. If there is no such header (older HTTP version on client), proxy server can not determine web server address and therefore can not work.

It means, that it is impossible to correctly transparently redirect HTTP traffic from router to some other transparent-proxy box. Only correct way is to add transparent proxy on the router itself, and configure it so that your "real" proxy is parent-proxy. In this situation your "real" proxy does not have to be transparent any more, as proxy on router will be transparent and will forward proxy-style requests (according to standard; these requests include all necessary information about web server) to "real" proxy.

Connection Tracking

Connections through the router and their states can be monitored at 'ip firewall connection', for example:

[MikroTik] ip firewall connection> print                                       
Flags: U - unreplied, A - assured 
  #    SRC-ADDRESS           DST-ADDRESS           PR.. TCP-STATE   TIMEOUT    
  0  A 10.5.91.205:1361      10.5.0.23:22          tcp  established 4d23h59m55s
  1  A 10.5.91.205:1389      10.5.5.2:22           tcp  established 4d23h59m21s
  2  A 10.5.91.205:1373      10.5.91.254:3986      tcp  established 4d23h59m56s
  3  A 10.5.91.205:1377      159.148.172.3:23      tcp  established 4d23h35m14s
  4  A 80.232.241.3:1514     159.148.172.204:1723  tcp  established 4d23h59m53s
  5    159.148.172.204       80.232.241.3          47               9m21s      
[MikroTik] ip firewall connection>

Connection timeouts are as follows:

TCP SYN sent (First stage in establishing a connection) = 2min.
TCP SYN recvd (Second stage in establishing a connection) = 60sec.
Established TCP connections (Third stage) = 5 days.

TCP FIN wait (connection termination) = 2min.
TCP TIME wait (connection termination) = 2min.
TCP CLOSE (remote party sends RTS) = 10sec.
TCP CLOSE wait (sent RTS) = 60sec.
TCP LAST ACK (received ACK) = 30sec.
TCP Listen (ftp server waiting for client
    to establish data connection) = 2min.

UDP timeout = 30sec.
UDP with reply timeout (remote party has responded) = 180sec.
ICMP timeout = 30sec.
All other =  10min.

Troubleshooting

I set the policy for the input chain to 'drop', and I lost connection to the router
You should add rules to the chain allowing required communications, and only then change the default policy of the chain!
I put up filtering rules, but they seem not to work
Use the Firewall logging to see, whether you are matching the packets with your rules or not! The most common mistake is wrong address/netmask, e.g., 10.0.0.217/24 (wrong), 10.0.0.217/32 (right), or 10.0.0.0/24 (right).
I am trying to use policy routing based on source addresses and masquerading, but it does not work.
Masqueraded packets have source address 0.0.0.0 at the moment when they are processed according to the routing table. Therefore it is not possible to have masquerading with different source address. See the Routes Manual for more information.

Additional Resources

Read about connection tracking at
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html

IP Firewall Applications

Further on, the following examples of using firewall rules are given:

Basic Firewall Building Principles

Example of Firewall Filters

Example of Source NAT (Masquerading)

Example of Destination NAT

Basic Firewall Building Principles

Assume we have router that connects a customer's network to the Internet. The basic firewall building principles can be grouped as follows:

Protection of the Router from Unauthorized Access
Connections to the addresses assigned to the router itself should be monitored. Only access from certain hosts to certain TCP ports of the router should be allowed.
This can be done by putting rules in the input chain to match packets with the destination address of the router entering the router through all interfaces.
Protection of the Customer's hosts
Connections to the addresses assigned to the customer's network should be monitored. Only access to certain hosts and services should be allowed.
This can be done by putting rules in the forward chain to match packets passing through the router with the destination addresses of customer's network.
Using source NAT (masquerading) to 'Hide' the Private Network behind one External Address
All connections form the private addresses are masqueraded, and appear as coming from one external address - that of the router.
This can be done by enabling the masquerading action for source NAT rules.
Enforcing the Internet Usage Policy from the Customer's Network
Connections from the customer's network should be monitored.
This can be done by putting rules in the forward chain, or/and by masquerading (source NAT) only those connections, that are allowed.

Filtering has some impact on the router's performance. To minimize it, the filtering rules that match packets for established connections should be placed on top of the chain. These are TCP packets with options 'non-syn-only'.

Examples of setting up firewalls are discussed below.

Example of Firewall Filters

Assume we want to create a firewall, that

protects the MikroTik router from unauthorized access from anywhere. Only access from the 'trusted' network 10.5.8.0/24 is allowed.
protects the customer's hosts within the network 192.168.0.0/24 from unauthorized access from anywhere.
gives access from the Internet to the http and smtp services on 192.168.0.17
Allows only ICMP ping from all customer's hosts and forces use of the proxy server on 192.168.0.17

The basic network setup is in the following diagram:

Firewall

The IP addresses and routes of the MikroTik router are as follows:

[MikroTik] > ip address print                                                  
Flags: X - disabled, I - invalid, D - dynamic 
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
  0   10.0.0.217/24      10.0.0.217      10.0.0.255      Public                
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local                 
[MikroTik] > ip route print                                                    
Flags: X - disabled, I - invalid, D - dynamic, J - rejected, 
C - connect, S - static, R - rip, O - ospf, B - bgp 
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE               
    0  S 0.0.0.0/0          r 10.0.0.1        1        Public                  
    1 DC 192.168.0.0/24     r 0.0.0.0         0        Local                   
    2 DC 10.0.0.0/24        r 0.0.0.0         0        Public                  
[MikroTik] >

Protecting the Router

To protect the router from unauthorized access, we should filter out all packets with the destination addresses of the router, and accept only what is allowed. Since all packets with destination to the router's address are processed against the input chain, we can add the following rules to it:

[MikroTik] > ip firewall rule input
[MikroTik] ip firewall rule input> 
add protocol tcp tcp-option non-syn-only connection-state=established \
    comment="Allow established TCP connections"
add protocol udp \
    comment="Allow UDP connections"
add protocol icmp \
    comment="Allow ICMP messages"
add src-addr 10.5.8.0/24 \
    comment="Allow access from 'trusted' network 10.5.8.0/24 of ours"
add action reject log yes \
    comment="Reject and log everything else"
[MikroTik] ip firewall rule input> print                                       
Flags: X - disabled, I - invalid 
  0   ;;; Allow established TCP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=non-syn-only 
      connection-state=established flow="" src-mac-address=00:00:00:00:00:00 
      limit-count=0 limit-burst=0 limit-time=0s action=accept log=no bytes=964 
      packets=17 

  1   ;;; Allow UDP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=udp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=46 packets=1 

  2   ;;; Allow ICMP messages
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  3   ;;; Allow access from 'trusted' network 10.5.8.0/24 of ours
      src-address=10.5.8.0/24:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  4   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=reject log=yes bytes=0 packets=0 

[MikroTik] ip firewall rule input>

Thus, the input chain will accept the allowed connections and reject and log everything else.

Protecting the Customer's Network

To protect the customer's network, we should match all packets with destination address 192.168.0.0/24 that are passing through the router. This can be done in the forward chain. We can match the packets against the IP addresses in the forward chain, and then jump to another chain, say, 'customer'. We create the new chain and add rules to it:

[MikroTik] ip firewall> add name=customer                                      
[MikroTik] ip firewall> print                                                  
  # NAME                                                                 POLICY
  0 input                                                                accept
  1 forward                                                              accept
  2 output                                                               accept
  3 router                                                               none  
  4 customer                                                             none  
[MikroTik] ip firewall> rule customer
[MikroTik] ip firewall rule customer> 
add protocol tcp tcp-option non-syn-only connection-state=established \
    comment="Allow established TCP connections"
add protocol udp \
    comment="Allow UDP connections"
add protocol icmp \
    comment="Allow ICMP messages"
add protocol tcp tcp-option syn-only dst-address 192.168.0.17/32:80 \
    comment="Allow http connections to the server at 192.168.0.17"
add protocol tcp tcp-option syn dst-address 192.168.0.17/32:25 \
    comment="Allow smtp connections to the server at 192.168.0.17"
add protocol tcp tcp-option syn src-port 20 dst-port 1024-65535 \
    comment="Allow ftp data connections from servers on the Internet"
add action reject log yes \
    comment="Reject and log everything else"
[MikroTik] ip firewall rule customer> print                                    
Flags: X - disabled, I - invalid 
  0   ;;; Allow established TCP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=non-syn-only 
      connection-state=established flow="" src-mac-address=00:00:00:00:00:00 
      limit-count=0 limit-burst=0 limit-time=0s action=accept log=no bytes=0 
      packets=0 

  1   ;;; Allow UDP connections
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=udp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  2   ;;; Allow ICMP messages
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  3   ;;; Allow http connections to the server at 192.168.0.17
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=192.168.0.17/32:80 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=syn-only connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  4   ;;; Allow smtp connections to the server at 192.168.0.17
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=192.168.0.17/32:25 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=syn-only connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  5   ;;; Allow ftp data connections from servers on the Internet
      src-address=0.0.0.0/0:20 in-interface=all 
      dst-address=0.0.0.0/0:1024-65535 out-interface=all protocol=tcp 
      icmp-options=any:any tcp-options=syn-only connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  6   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=reject log=yes bytes=0 packets=0 

[MikroTik] ip firewall rule customer>

Note about the rule #5: active ftp data connections are made from the server's port 20 to the client's tcp port above 1024.

All we have to do now is to put rules in the forward chain, that match the IP addresses of the customer's hosts on the Local interface and jump to the customer chain:

[MikroTik] ip firewall rule forward>
add out-interface=Local action=jump jump-target=customer
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Local protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=jump jump-target=customer log=no bytes=0 packets=0 

[MikroTik] ip firewall rule forward>

Thus, everything that passes the router and leaves the Local interface (destination of the customer's network) will be processed against the firewall rules of the customer chain.

Enforcing the 'Internet Policy'

To force the customer's hosts to access the Internet only through the proxy server at 192.168.0.17, we should put following rules in the forward chain:

[MikroTik] ip firewall rule forward>                                           
add protocol icmp out-interface Public \
    comment="Allow ICMP ping packets"
add src-address 192.168.0.17/32 out-interface Public \
    comment="Allow outgoing connections form the server at 192.168.0.17"
add action reject out-interface Public log yes \
    comment="Reject and log everything else"
[MikroTik] ip firewall rule forward> print                                     
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Local protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=jump jump-target=customer log=no bytes=0 packets=0 

  1   ;;; Allow ICMP ping packets
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=icmp 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  2   ;;; Allow outgoing connections form the server at 192.168.0.17
      src-address=192.168.0.17/32:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=accept log=no bytes=0 packets=0 

  3   ;;; Reject and log everything else
      src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=0.0.0.0/0:0-65535 out-interface=Public protocol=all 
      icmp-options=any:any tcp-options=any connection-state=any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=reject log=yes bytes=0 packets=0 

[MikroTik] ip firewall rule forward>

Example of Source NAT (Masquerading)

If you want to 'hide' the private LAN 192.168.0.0/24 'behind' one address 10.0.0.217 given to you by the ISP (see the network diagram in the Application Example above), you should use the source network address translation (masquerading) feature of the MikroTik router. The masquerading will change the source IP address and port of the packets originated from the network 192.168.0.0/24 to the address 10.0.0.217 of the router when the packet is routed through it.

To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

[MikroTik] ip firewall src-nat> add action=masquerade out-interface=Public
[MikroTik] ip firewall src-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 
      out-interface=Public protocol=all icmp-options=any:any flow="" 
      limit-count=0 limit-burst=0 limit-time=0s action=masquerade 
      to-src-address=0.0.0.0 to-src-port=0-65535 bytes=0 packets=0 

[MikroTik] ip firewall src-nat>

All outgoing connections from the network 192.168.0.0/24 will have source address 10.0.0.217 of the router and source port above 1024. No access from the Internet will be possible to the Local addresses. If you want to allow connections to the server on the local network, you should use Static Network Address Translation (NAT).

Example of Destination NAT

Assume you need to configure the MikroTik router for the following network setup, where the server is located in the private network area:

The server's address is 192.168.0.4, and we are running web server on it that listens to the TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of Static Network Address translation (NAT) at the MikroTik Router. The Public address:port 10.0.0.217:80 will be translated to the Local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:

[MikroTik] ip firewall dst-nat> 
add action=nat protocol=tcp \
dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[MikroTik] ip firewall dst-nat> print                                          
Flags: X - disabled, I - invalid 
  0   src-address=0.0.0.0/0:0-65535 in-interface=all 
      dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow="" 
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 
      limit-time=0s action=nat to-dst-address=192.168.0.4 to-dst-port=0-65535 
      bytes=0 packets=0 

[MikroTik] ip firewall dst-nat>