MikroTik Firewall Configuration Guide — Filter, NAT & Mangle

Published by HI-GAIN Engineering Team on April 10, 2026

Understanding the MikroTik Firewall

The MikroTik RouterOS firewall is one of the most powerful features distinguishing MikroTik from consumer routers and even some enterprise equipment. Every MikroTik router — from the entry-level hEX to the enterprise CCR2216 — runs the same firewall engine. For Lebanese network administrators managing ISPs, office networks, and home setups, understanding the firewall is essential for security, traffic control, and compliance.

Firewall Tables and Chains

RouterOS organizes firewall rules into three main tables, each serving a different purpose:

Filter Table — Allow and Block Traffic

The filter table decides whether to accept or drop packets. It contains three default chains:

  • Input: Packets destined for the router itself — management access (Winbox, SSH, WebFig), DNS queries to the router, VPN connections, SNMP, and BGP/OSPF routing protocols.
  • Forward: Packets passing through the router from one interface to another — subscriber internet traffic, inter-VLAN traffic, and all transit traffic.
  • Output: Packets originating from the router itself — ping, DNS lookups initiated by the router, NTP requests, and routing protocol announcements.

NAT Table — Address Translation

NAT (Network Address Translation) modifies source or destination addresses. Two chains:

  • srcnat (Source NAT / Masquerade): Rewrites the source IP of outgoing packets to the router's public IP. Essential for sharing a single public IP among multiple LAN devices. Every Lebanese network with a single ISP connection uses masquerade or src-nat.
  • dstnat (Destination NAT / Port Forwarding): Redirects incoming traffic on specific ports to internal servers. Used for hosting web servers, game servers, CCTV remote access, and VPN endpoints behind NAT.

Mangle Table — Packet Marking and Modification

Mangle marks packets for later use by queue trees, routing policies, and other firewall rules. It does not drop or reject packets. Chains include prerouting, input, forward, output, and postrouting. Common uses:

  • Mark connections and packets for bandwidth management (queue trees)
  • Mark traffic for policy routing (send certain traffic through a specific WAN connection)
  • Set DSCP/TOS values for QoS prioritization
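The three uses above as RouterOS commands. This is an added example, not configuration from the original guide or from HI-GAIN; it uses RouterOS 7 syntax and constructed values: a subscriber subnet 192.168.10.0/24, a second WAN gateway 198.51.100.1, an interface list named LAN, and mark names chosen for readability.

```routeros
# Added example, not from the original guide. Constructed values: subscriber
# subnet 192.168.10.0/24, second WAN gateway 198.51.100.1, RouterOS 7 syntax.
/ip firewall mangle
# (a) Bandwidth management: mark the connection once, then mark every packet
# of that connection; the queue tree below matches on the packet mark.
add chain=prerouting action=mark-connection new-connection-mark=sub_a_conn \
    src-address=192.168.10.0/24 connection-mark=no-mark passthrough=yes \
    comment="subscriber A: mark connections that are not yet marked"
add chain=prerouting action=mark-packet new-packet-mark=sub_a_pkt \
    connection-mark=sub_a_conn passthrough=no \
    comment="subscriber A: mark every packet of a marked connection"

# (b) Policy routing: SIP signalling from the LAN leaves via WAN2 instead of
# the default route. The mark only has effect once a routing table uses it.
add chain=prerouting action=mark-routing new-routing-mark=via_wan2 \
    in-interface-list=LAN protocol=udp dst-port=5060 passthrough=no \
    comment="SIP via WAN2"

# (c) QoS: set DSCP EF (46) on VoIP so upstream equipment can prioritise it
add chain=prerouting action=change-dscp new-dscp=46 passthrough=yes \
    protocol=udp dst-port=5060,10000-20000 comment="VoIP -> DSCP EF"

# Consumers of the marks: mangle alone changes nothing about forwarding
/queue tree
add name=sub_a parent=global packet-mark=sub_a_pkt max-limit=10M
/routing table
add name=via_wan2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=via_wan2
```

The connection-mark=no-mark matcher on the first rule keeps the router from re-evaluating every packet of an already-marked connection, which is the usual way to keep mangle cheap on a busy ISP router. Because a connection mark applies to both directions, the queue caps the subscriber's upload and download together; split the packet-mark rule by in-interface-list if you need separate limits.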

Essential Firewall Rules for Any MikroTik Router

Every MikroTik router in Lebanon should have these baseline firewall rules. They protect the router from internet-based attacks while allowing legitimate traffic:

Input Chain Protection

The input chain protects the router itself. Order matters — rules are processed from top to bottom, and the first matching rule wins:

  1. Accept established and related connections: Allow return traffic for connections the router initiated or previously approved. This single rule handles most legitimate traffic efficiently.
  2. Drop invalid connections: Drop malformed packets and packets that connection tracking cannot associate with any known connection.
  3. Accept ICMP (optional): Allow ping for troubleshooting. Optionally rate-limit to prevent ping floods.
  4. Accept from LAN: Allow all traffic from your trusted local network interfaces.
  5. Accept specific services: Allow Winbox (port 8291), SSH (port 22), and VPN ports from specific source addresses or address lists only.
  6. Drop everything else: The final input rule drops all traffic not explicitly permitted. This is the most important rule — without it, every service on the router is exposed to the internet.

Forward Chain Protection

The forward chain controls traffic passing through the router between networks:

  1. Accept established and related: Same principle as input chain.
  2. Drop invalid: Reject broken connections.
  3. Accept from LAN to WAN: Allow internal devices to access the internet.
  4. Drop from WAN to LAN: Block unsolicited inbound connections. Only traffic matching an existing connection or a dstnat rule reaches internal devices.
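Both chains above as one RouterOS configuration, in the order the numbered steps give. This is an added example, not configuration from the original guide or from HI-GAIN. It assumes ether1 is the WAN port and the LAN sits on a bridge named bridge, uses 203.0.113.10 as a constructed management address, and stands in WireGuard's default UDP port 13231 for "VPN ports" (an assumption; match whatever VPN you actually run).

```routeros
# Added example, not from the original guide. Assumptions: ether1 = WAN,
# bridge = LAN, 203.0.113.10 = constructed admin IP, WireGuard on UDP/13231.

# Interface lists let rules say "any WAN" or "any LAN" instead of naming ports
/interface list
add name=WAN comment="untrusted, internet-facing"
add name=LAN comment="trusted local networks"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

# Management sources: when your IP changes, edit this list, not the rules
/ip firewall address-list
add list=admins address=203.0.113.10 comment="office public IP (constructed)"

/ip firewall filter
# ---- input chain: protects the router itself; first match wins ----
add chain=input action=accept connection-state=established,related \
    comment="1. accept established/related"
add chain=input action=drop connection-state=invalid \
    comment="2. drop invalid"
add chain=input action=accept protocol=icmp limit=10,5:packet \
    comment="3. ICMP, rate-limited to 10 pps (burst 5); excess falls to rule 6"
add chain=input action=accept in-interface-list=LAN \
    comment="4. accept everything from LAN"
add chain=input action=accept protocol=tcp dst-port=8291,22 \
    src-address-list=admins \
    comment="5a. Winbox and SSH only from the admins address list"
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="5b. VPN port (WireGuard default; assumption)"
add chain=input action=drop \
    comment="6. drop everything else - keep this rule LAST"

# ---- forward chain: traffic passing between networks ----
add chain=forward action=accept connection-state=established,related \
    comment="1. accept established/related"
add chain=forward action=drop connection-state=invalid \
    comment="2. drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="3. LAN to internet"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN \
    comment="4. drop new inbound from WAN unless a dstnat rule redirected it"
```

The forward drop uses connection-nat-state=!dstnat so that port-forwarded services keep working without a separate accept rule per forward. Before adding rule 6 over a remote connection, confirm with /ip firewall filter print that rules 4 and 5a are in place above it, since a mistake there locks you out of the router.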

NAT Configuration

Masquerade for Internet Access

The most basic NAT rule every Lebanese network needs: masquerade all outgoing traffic on the WAN interface. This translates private IP addresses (192.168.x.x, 10.x.x.x) to the router's public IP address. Configure a single srcnat masquerade rule matching the WAN interface in the out-interface parameter.

Port Forwarding (dstnat)

To make internal services accessible from the internet, create dstnat rules. Each rule specifies the incoming port, protocol, and the internal server's IP and port. Common examples in Lebanese networks:

  • Forward port 80/443 to a local web server
  • Forward port 554 (RTSP) to an NVR for remote CCTV viewing
  • Forward port 8291 (Winbox) from a specific source IP for remote management
  • Forward custom ports for game servers or VoIP systems

Hairpin NAT

A common issue: LAN devices cannot reach the local server using its public IP or domain name. The dstnat rule rewrites the destination to the internal server, but the source stays the LAN client's private address, so the server replies directly to the client across the LAN. The client then sees a reply from the server's private IP instead of the public IP it contacted and discards it. Hairpin NAT (also called NAT loopback) adds a srcnat masquerade rule for LAN traffic destined for port-forwarded services, so the reply returns through the router and is translated back correctly.
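Masquerade, port forwarding and hairpin NAT together as RouterOS commands. This is an added example, not configuration from the original guide or from HI-GAIN. It assumes an interface list named WAN already exists and uses constructed addresses: LAN 192.168.88.0/24, a web server at 192.168.88.10 and an NVR at 192.168.88.20.

```routeros
# Added example, not from the original guide. Assumptions: interface list WAN
# exists; LAN 192.168.88.0/24, web server 192.168.88.10, NVR 192.168.88.20
# are constructed values.
/ip firewall nat
# Masquerade: match the WAN interface ONLY through out-interface-list. A rule
# without this matcher would also rewrite LAN-to-LAN traffic and break it.
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="share the public IP with all LAN devices"

# Port forwarding. dst-address-type=local matches any IP owned by the router,
# so the rule survives a dynamic public IP and also catches LAN clients that
# use the public IP (required for the hairpin below). With a static public
# IP, dst-address=<your public IP> is the tighter match.
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 dst-address-type=local \
    to-addresses=192.168.88.10 to-ports=443 comment="HTTPS -> web server"
add chain=dstnat action=dst-nat protocol=tcp dst-port=554 in-interface-list=WAN \
    to-addresses=192.168.88.20 to-ports=554 comment="RTSP -> NVR, from WAN only"

# Hairpin NAT: a LAN client reaching the forwarded HTTPS service via the
# public IP also gets its source rewritten to the router's LAN address, so the
# server replies through the router and the client sees the address it used.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.10 protocol=tcp dst-port=443 \
    comment="hairpin NAT for the HTTPS forward"
```

Note the side effect of dst-address-type=local: a LAN client connecting to the router's own LAN address on port 443 is redirected to the web server too, so move the router's WebFig HTTPS service to another port or use the static-IP variant if that matters. The hairpin masquerade costs the web server the client's real source address in its logs for hairpinned connections only; WAN clients are unaffected.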

Address Lists for Efficient Rule Management

Instead of creating separate firewall rules for each IP address, use address lists to group IPs and reference them in a single rule. Practical applications:

  • Admin access list: Add your management IP addresses to an address list. Reference it in input chain rules allowing Winbox and SSH access. When your IP changes, update the list — not every rule.
  • Blocked IPs: Create a dynamic address list that automatically adds IPs engaging in brute-force attacks (port scanning, failed login attempts). Use the "add src to address list" action in firewall rules to populate this list automatically.
  • Country blocking: Import IP ranges for specific countries to block or allow traffic from particular geographic regions.
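All three list uses above in RouterOS commands, with the dynamic brute-force list built the way MikroTik's own documentation describes (staged lists with add-src-to-address-list). This is an added example, not configuration from the original guide or from HI-GAIN; the address 203.0.113.10, the range 198.51.100.0/24 and the list names are constructed, and it assumes an interface list named WAN exists.

```routeros
# Added example, not from the original guide. Constructed values throughout;
# assumes interface list WAN exists.
/ip firewall address-list
add list=admins address=203.0.113.10 comment="constructed: office public IP"
# A country list is normally filled by importing a downloaded .rsc file of
# ranges; one constructed entry here so the rule below has something to match.
add list=blocked_countries address=198.51.100.0/24 comment="constructed range"

/ip firewall filter
# Place all of these ABOVE the final input drop rule.
add chain=input action=accept protocol=tcp dst-port=22 src-address-list=admins \
    comment="SSH from admins; accepted first, so admins never enter the stages"
add chain=input action=drop src-address-list=ssh_blacklist \
    comment="drop everything from blacklisted sources"
add chain=input action=drop src-address-list=blocked_countries \
    comment="geo-block: one rule covers the whole imported list"

# Staging. add-src-to-address-list is a passthrough action, so the packet
# keeps falling through: 1st new SSH connection -> stage1, 2nd -> stage2,
# 3rd -> stage3, 4th within a minute -> blacklist for 10 days.
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new src-address-list=ssh_stage3 \
    address-list=ssh_blacklist address-list-timeout=10d \
    comment="4th attempt -> blacklist"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new src-address-list=ssh_stage2 \
    address-list=ssh_stage3 address-list-timeout=1m comment="3rd attempt"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new src-address-list=ssh_stage1 \
    address-list=ssh_stage2 address-list-timeout=1m comment="2nd attempt"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=22 \
    connection-state=new address-list=ssh_stage1 address-list-timeout=1m \
    comment="1st attempt"

# The same dynamic list can protect hosts behind the router as well
add chain=forward action=drop src-address-list=ssh_blacklist \
    in-interface-list=WAN comment="blacklisted sources get no transit either"
```

The staging rules never accept anything; non-admin SSH still ends at the final input drop. What the stages add is a record (/ip firewall address-list print where list=ssh_blacklist) of sources hammering the port, and a list other rules can reuse. Swap dst-port=22 for 8291 to apply the same pattern to Winbox.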

Connection Tracking

The firewall relies on connection tracking to classify packets as new, established, related, or invalid. Connection tracking consumes RAM — each tracked connection uses approximately 350 bytes. On a busy ISP router handling 100,000 concurrent connections, that is 35 MB of RAM dedicated to connection tracking.

On routers like the hAP AX3 (1 GB RAM) or RB5009 (1 GB RAM), default connection tracking settings are sufficient for home and small office use. ISP routers like the CCR2116 (16 GB RAM) handle hundreds of thousands of connections without issues.

Firewall Logging and Monitoring

Enable logging selectively — logging every packet floods the log and consumes CPU. Best practices:

  • Log dropped packets in the input chain with a prefix like "input-drop" for security monitoring
  • Log new connections to specific services (SSH, Winbox) for audit trails
  • Send logs to a remote syslog server for long-term storage and analysis
  • Use RouterOS system logging with action types: disk, memory, remote, or email
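The logging practices above as RouterOS commands: selective log rules in the filter table, the built-in firewall topic sent to a remote syslog server, and a memory buffer for quick inspection. This is an added example, not configuration from the original guide or from HI-GAIN; 192.0.2.50 is a constructed syslog server address and the prefixes and action name are chosen here.

```routeros
# Added example, not from the original guide. 192.0.2.50 is a constructed
# syslog collector address.
/system logging action
# "remote" is a built-in action; point it at the syslog collector
set remote remote=192.0.2.50 remote-port=514 bsd-syslog=yes
# a larger in-RAM buffer for quick inspection with /log print
add name=ram-audit target=memory memory-lines=2000
/system logging
# everything the firewall logs goes off-box for long-term storage, and
# also into the larger RAM buffer
add topics=firewall action=remote
add topics=firewall action=ram-audit

/ip firewall filter
# Audit trail: log only NEW connections to management ports. action=log is
# passthrough, so the packet continues to the accept/drop rules that follow.
add chain=input action=log log-prefix="mgmt-new:" protocol=tcp \
    dst-port=22,8291 connection-state=new \
    comment="audit: new SSH/Winbox attempts"
# Final drop with logging. Never set log=yes on the established/related
# accept rule: that logs every packet of every connection and burns CPU.
add chain=input action=drop log=yes log-prefix="input-drop:" \
    comment="drop everything else, logged for security monitoring"
```

Filter on the prefix at the collector (for example, alert when input-drop: entries from one source exceed a threshold). If the final drop rule itself generates too much volume on a busy WAN, keep log=yes only on a narrower rule placed just above it, such as new connections to dst-port=22,8291, rather than disabling drop logging altogether.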

Common Firewall Mistakes

  • No drop rule at the end of input chain: Without it, all services on the router are exposed to the internet. This is the most common and most dangerous misconfiguration.
  • Blocking established/related traffic: Placing deny rules before the accept established/related rule breaks return traffic for legitimate connections.
  • Forgetting to allow VPN traffic: After setting up a VPN server, add input chain rules allowing the VPN port before the final drop rule.
  • Masquerade on wrong interface: The masquerade rule must match the WAN interface only, not all interfaces. Masquerading on LAN interfaces breaks local traffic.

Where to Get MikroTik Firewall Support in Lebanon

HI-GAIN provides technical support for MikroTik firewall configuration as part of our customer service. We can pre-configure routers with secure firewall rules before delivery. Browse MikroTik routers or call +961 3 337 666. Visit our MikroTik routers page for the full lineup.

Frequently Asked Questions

What is the most important MikroTik firewall rule?
The drop-all rule at the end of the input chain. Without it, every service running on the router (Winbox, SSH, DNS, API, web interface) is exposed to the internet. Always add a final rule in the input chain that drops all traffic not explicitly permitted by earlier rules.
Why is my MikroTik router getting hacked?
The most common cause is missing firewall rules on the input chain. By default, MikroTik routers allow management access from all interfaces including the WAN port. Add input chain rules to restrict Winbox, SSH, and WebFig access to your LAN only, and add a drop-all rule at the end.
How do I set up port forwarding on MikroTik?
Create a dstnat rule in Firewall > NAT specifying the protocol, destination port, and the internal server's IP and port. Ensure the forward chain allows the forwarded traffic. For local access via public IP, add a hairpin NAT masquerade rule.
What is mangle used for in MikroTik?
Mangle marks packets and connections for use by other RouterOS features. The most common use is marking traffic for queue trees (bandwidth management) and policy routing (routing certain traffic through specific WAN connections). Mangle does not block or allow traffic — it only marks it.
Can HI-GAIN help configure my MikroTik firewall?
Yes. HI-GAIN provides technical support for MikroTik configuration including firewall setup. We can pre-configure routers with secure firewall rules, NAT, and VPN settings before delivery. Contact us at +961 3 337 666 or visit our Dora, Beirut warehouse.