[Mikrotik] Shamanism in RouterOS or how I did a normally closed Firewall in RAW

A logo from the Internet;
A logo from the Internet;

Where to start? .. RAW is inherently heavily curtailed in functionality, due to the fact that it goes to Conntrack and loses a lot of useful things, but this is not critical.

As mentioned above, Raw – processes packets before they get into Connection Tracking (hereinafter – Conntrack) and compared to Filter Rules, Raw processing or deletion is about the same as FastTrack, and this unloads the CPU ~ 6 times.

A small preface

I do not claim to be 100% accurate, for the simple reason that I am not a certified Mikrotik specialist. And I don’t have any certificates or diplomas. I am only a network installer, and I am writing here my experience with these devices.

For example, I took a fairly common model RB941-2ND with 100Mbps ports for clarity, RouterOS version – 6.47.9 | 32MB RAM and 650MHz CPU SMIPS.
(It may sound like a mockery, but I really did DDoS-ooze this configuration, and it quietly threshed all 100 Mbit loading only 25%, when, under the standard Filter rules, it went to 100% at 60 Mbit).

What is the problem with the Standard (QuickSet) Filter rules? And here’s what

With standard router parameters, we see that packets coming through the WAN interface go up to the Input chain. That is, the router processes them fully through Routing Decision, enters them into Conntrack with the appropriate data, and at the end this packet either meets its death in the face of the standard Drop rule, or will pass as a new connection with a local process if the router port is open. Or it will go to the Forward chain if port forwarding through network address translation is configured, but this is rather an exception.

Take a look at the RouterOS chain diagram:

It’s pretty simplistic, but … See? The packet goes up to the Input chain if it is useless. And it also goes through Conntrack, Mangle, NAT and Routing Decision and only then to Filter. This is a waste of the router’s CPU and RAM. Thus, with a fairly large amount of useless traffic, the CPU will go 100% or Conntrack will overflow with new connections sooner or later. This is because our subject’s hardware is poor.


Unload the router to work at least with the local network, if a large amount of empty traffic is spoiled from the external network. Close completely all RouterOS management ports for the WAN with one rule and try, if not completely prevent, then at least mitigate the Conntrack overflow.


The router is fully configured via QuickSet as a home hotspot, which may seem like a sacrilege to you (Forgive me it was too lazy to cut everything by hand)… FastTrack and other RouterOS management services are included. All these services are visible both on the local network and on the Internet via IP.
Usage scenario: Home / Office, with dynamic / static address; By and large, this does not play a role, you will need to slightly change the rules for each case, but they are united by one thing – open access from the outside. I will of course provide both in graphical and textual format for the terminal.

What is required?

We need Winbox or SSH terminal – whichever you prefer. Knowledge of how NAT works, direct hands and connection to RouterOS, it is very desirable from the local network, because to observe the truth “Remote Firewall configuration is to a long distance” neither I nor you want to, right?

How to implement and where to poke?

3 basic NAT rules for TCP, UDP and ICMP connections for the local network, so that the outgoing traffic of machines from the LAN changes its SRC ports to our range, which we will indicate. It is recommended to select the range and number of ports based on the number of clients, and how many connections are made at the peak time (optional, but desirable). You can take as an example ~ 2 thousand connections from one device, for example. Suppose there are about 4 devices in the network, a total of 8 thousand ports need to be reserved for our venture. It is also necessary to take into account that this range must be non-standard so that bots do not scan from outside, and NAT rules are not imposed on published ports of type 1-8000. It would be more correct to indicate, let’s say – 42000-50000.

Flaw such a method: If there are too many clients connected to the router, then in this case, it may not be possible to implement this system of rules. Or it will work out, but with jambs visible to users, such as “The site does not open.”

Dignity of this method:
> Flexibility, you can easily open any ports and install the server, but you will have to finish the RAW restriction so that there are no problems with Conntrack overflow in NAT during DDoS.
> Masking the Input chain. It will only be available on a certain range of ports. This means that if you hit DOS on the port on which NAT rules do not hang, the maximum unloading of the CPU in RAW when removing packets.

Of course, there are two versions from me. With a dynamic address, and with a static one.
First, let’s look at NAT rules for a dynamic address.

The range 12000-18000 is listed as an example of your own configuration;

Masquerade NAT Rule
Masquerade NAT Rule

Rules in text mode for the terminal:

/ip firewall nat
add action=masquerade chain=srcnat comment="SRC RAW NAT TCP" out-interface-list=WAN protocol=tcp to-ports=42000-50000

add action = masquerade chain = srcnat comment = “SRC RAW NAT UDP”
out-interface-list = WAN protocol = udp to-ports = 42000-50000

add action = masquerade chain = srcnat comment = “SRC RAW NAT ICMP”
out-interface-list = WAN protocol = icmp

As you can see, it is used Masquerade… This is for compatibility with dynamic provisioning of addresses from the provider (DHCP) and as a more compatible / universal option. However, it is also less secure, since your local IP addresses can merge into the provider’s network in case of a sudden break.

If you have a static IP address, there is another option. It is slightly safer and more reliable, since in case of a sudden break, local addresses will not fly off into the public network;

Rules in text mode for the terminal:

/ip firewall nat add action=src-nat chain=srcnat comment="SRC NAT TCP RAW"
out-interface-list=WAN protocol=tcp to-addresses=INSERTYOURIP to-ports=

add action = src-nat chain = srcnat comment = “SRC NAT UDP RAW”
out-interface-list = WAN protocol = udp to-addresses = INSERTYOURIP to-ports =

add action = src-nat chain = srcnat comment = “SRC NAT ICMP RAW”
out-interface-list = WAN protocol = icmp to-addresses = INSERTYOURIP

Do not forget to edit “INSERTYOURIP”, enter your static address there so that the rule will start working 🙂

Firewall RAW, great and terrible

Here we need scratch a turnip, do 5 basic RAW rules. We always operate with the Prerouting chain, and never with Output. This is done so that DNS requests from the router to the provider’s DNS server go correctly and the regular packet update works if the administrator wants it.

The first fundamental rule is to block fragmented packets from all Ethernet interfaces. We call him anyway. I foolishly named it Security Rule.
Example of a rule in the terminal:

/ip firewall raw add action=drop chain=prerouting comment= "Security Rule: Block IP Fragment" fragment=yes

IP Fragment Delete Rule
IP Fragment Delete Rule

Rules 2 to 4 – Accept packets on the ports specified in NAT, but depending on the network speed, specify a limit on the number of packets per second. (Each 1 Mbps = 2 packets). In all the rules below, we indicate the WAN interface.

Rule text format:

/ip firewall raw
add action=accept chain=prerouting comment="Src NAT TCP" dst-port=12000-18000 in-interface-list=WAN limit=200,200:packet protocol=tcp

add action = accept chain = prerouting comment = “Src NAT UDP” dst-port = 12000-18000 in-interface-list = WAN limit = 200,200: packet protocol = udp

add action = accept chain = prerouting comment = “Src NAT: RAW ICMP” limit =
10,10: packet protocol = icmp

Empirically, it was found that the limitation of 200 incoming packets per second for TCP / UDP protocols over a 100 Mbit line is sufficient with FastTrack enabled, since using this technology, a smooth passage of the connection is organized. Each packet with an established connection is processed by the FastTrack zero rule, and once for each connection can go into RAW. If this happens – Routing Decision and Conntrack decides for itself where to place this packet, in Forward (These are Related and Established connections) or in Input (Deleting or managing RouterOS) of the chain. Let me remind you that the ports in the screenshot 12000-18000 are from an example of your own configuration.

We accept ICMP as it is, we set the limit at 10 packets per second according to the standard.

Accept connections in our NAT ports
Accept connections in our NAT ports

The fifth rule is block everything that is not explicitly allowed from the WAN interface.

Block all rule
Block all rule

The advantages of this system of rules:

  1. High performance Drop-and empty traffic. (Yes, it can save you from DDoS with IP Spoofing if the services of your LAN machines are NAT-shielded and RAW restricted, since connection timers for external services are taken into account to protect Conntrack).

  2. Flexibility, you can easily publish your services.

  3. You can do something like Conntrack via Address List and Mangle if you need stable operation / monitoring of IP of connected clients to your services.

  4. It does not affect LAN connections, since all the rules are worked out only for the WAN.

  5. Completely closes all ports of the router from the outside, with the correct selection of the local port translation range. This happens because packets do not reach the Input chain without an appropriate allowing rule, and even if they do, they are caught by the standard Drop all from WAN rule.

  6. It is possible to attach a system that detects IP scanners, hackers and drop them not in the Input chain, but in Prerounting.


  1. Limiting the number of user ports.

  2. Partly not VPN compatible.

  3. There may be problems with torrents, but I did not notice anything on my configuration, except that there is no feedback from the computer.

Similar Posts

Leave a Reply