Dmitry Porotnikov / Harden a Fresh MikroTik Router

Created Mon, 13 Jul 2026 00:00:00 +0000 Modified Mon, 13 Jul 2026 00:00:00 +0000
766 Words

Harden a Fresh MikroTik Router

Before starting, make sure Quick Set has already configured the WAN, LAN bridge, DHCP, and NAT. This guide assumes:

  • ether1 is the WAN interface
  • bridge1 is the trusted LAN bridge
  • The router may be exposed through an upstream router’s DMZ or have a direct public IP
  • (optional, in my setup) OSPF is used to reach additional trusted networks

1. Verify interface roles

/interface list print
/interface list member print
/interface bridge port print

You want to see:

WAN -> ether1
LAN -> bridge1

ether1 must not be a member of bridge1. If it is, fix that first:

/interface list
add name=WAN
add name=LAN

/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge1

2. Define trusted networks

Add whatever networks you need to trust:

/ip firewall address-list
add list=TRUSTED-LANS address=192.168.1.0/24 comment="Main LAN"
add list=TRUSTED-LANS address=192.168.2.0/24 comment="OSPF LAN 2"
add list=TRUSTED-LANS address=192.168.3.0/24 comment="OSPF LAN 3"

3. Install the IPv4 firewall

Apply rules in Safe Mode where possible.

/ip firewall filter

add chain=input action=accept \
    connection-state=established,related,untracked \
    comment="INPUT 01 - established related"

add chain=input action=drop \
    connection-state=invalid \
    comment="INPUT 02 - drop invalid"

add chain=input action=accept \
    protocol=icmp \
    comment="INPUT 03 - allow ICMP"

add chain=input action=accept \
    protocol=ospf \
    src-address=192.168.1.252 \
    in-interface=bridge1 \
    comment="INPUT 04 - OSPF peer 192.168.1.252"

add chain=input action=accept \
    protocol=ospf \
    src-address=192.168.1.253 \
    in-interface=bridge1 \
    comment="INPUT 05 - OSPF peer 192.168.1.253"

add chain=input action=accept \
    src-address-list=TRUSTED-LANS \
    in-interface-list=LAN \
    comment="INPUT 06 - trusted networks to router"

add chain=input action=drop \
    in-interface-list=WAN \
    comment="INPUT 07 - drop WAN to router"

add chain=input action=drop \
    comment="INPUT 99 - drop everything else"

add chain=forward action=accept \
    connection-state=established,related,untracked \
    comment="FORWARD 01 - established related"

add chain=forward action=drop \
    connection-state=invalid \
    comment="FORWARD 02 - drop invalid"

add chain=forward action=accept \
    src-address-list=TRUSTED-LANS \
    dst-address-list=TRUSTED-LANS \
    comment="FORWARD 03 - routing between trusted LANs"

add chain=forward action=accept \
    src-address-list=TRUSTED-LANS \
    out-interface-list=WAN \
    comment="FORWARD 04 - trusted LANs to Internet"

add chain=forward action=accept \
    in-interface-list=WAN \
    connection-nat-state=dstnat \
    comment="FORWARD 05 - allow explicit port forwards"

add chain=forward action=drop \
    in-interface-list=WAN \
    comment="FORWARD 06 - drop unsolicited WAN"

add chain=forward action=drop \
    comment="FORWARD 99 - drop everything else"

4. OSPF notes

If your OSPF peers live on bridge1, allow protocol 89 only from the known peer addresses, as shown in the firewall rules above.

Check neighbor status:

/routing ospf neighbor print
/ip route print where ospf

You should see learned routes like:

192.168.2.0/24 via 192.168.1.253
192.168.3.0/24 via 192.168.1.252

The trusted-network forward rule is what lets traffic flow between your main LAN and those OSPF-learned networks.

5. Verify NAT

Quick Set normally creates the right masquerade rule, but verify it:

/ip firewall nat print

You want to see:

chain=srcnat action=masquerade out-interface-list=WAN

If it’s missing, add it:

/ip firewall nat
add chain=srcnat action=masquerade \
    out-interface-list=WAN \
    comment="Masquerade internal networks"

Don’t add destination-NAT rules here unless you are intentionally exposing a service.

6. Restrict management services

Turn off everything you do not need:

/ip service
disable ftp
disable telnet
disable www-ssl
disable reverse-proxy
disable api
disable api-ssl

Now lock down the services you’re keeping. Restrict SSH, www, and WinBox to your trusted networks:

/ip service
set ssh address=192.168.1.0/24,192.168.2.0/24,192.168.3.0/24
set www address=192.168.1.0/24,192.168.2.0/24,192.168.3.0/24
set winbox address=192.168.1.0/24,192.168.2.0/24,192.168.3.0/24

If you do not need WebFig HTTP, disable it:

/ip service disable www

7. Restrict Layer 2 management

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/tool mac-server ping
set enabled=no

/ip neighbor discovery-settings
set discover-interface-list=LAN

/tool bandwidth-server
set enabled=no

8. DNS

If your LAN devices point to the MikroTik for DNS:

/ip dns
set servers=1.1.1.1,1.0.0.1 allow-remote-requests=yes

The firewall rules already block WAN access to the router, so the DNS resolver stays internal.

9. Remove temporary debug logging (my unique quirk, you may not have those)

Check what logging rules exist:

/system logging print detail

Remove any temporary PPP/PPPoE debug rules if you see them:

/system logging remove [find where topics="pppoe,debug"]
/system logging remove [find where topics="ppp,debug"]

Keep the defaults: info, error, warning, and critical.

10. Verify before enabling upstream DMZ

Run these before you expose the router:

/ip firewall filter print detail without-paging
/ip firewall filter print stats
/ip firewall nat print
/ip service print
/interface list member print
/routing ospf neighbor print
/ip route print where ospf

After enabling the upstream DMZ, watch the WAN drop counter:

/ip firewall filter print stats \
    where comment="INPUT 07 - drop WAN to router"

That counter should climb. Good — the MikroTik is dropping unsolicited traffic from the WAN.

11. Save the secured configuration

/export hide-sensitive file=router-secured
/system backup save name=router-secured

For remote administration, use a VPN (WireGuard works well) instead of exposing WinBox, SSH, or WebFig directly.