How to block a MAC address on MikroTik. Disabling neighbor discovery…

Filtering MAC addresses on MikroTik

Since its appearance, the Internet has grown many times over. Network metrics such as the resources available, data-exchange rates and connection speeds have grown just as much. But along with the useful resources, the risks have grown too: theft of information, use of resources for purposes other than intended, and other threats. So every system administrator faces the task of protecting the resources they maintain.

This article describes the traffic-filtering functionality of the RouterOS operating system made by MikroTik.

How the firewall works

For a basic understanding of how the firewall works, you need to be familiar with the concepts of chain, connection state, conditions (matchers) and action.

Chains

When traffic is filtered, each packet, depending on where it is headed, enters one of the processing chains. The filter has three predefined chains:

  • input: traffic addressed to the router itself. For example, when you connect to the router with the Winbox application, that traffic goes into this chain.
  • output: traffic originated by the router itself. For example, if you run ping directly from the router, that traffic goes into this chain.
  • forward: traffic passing through the router. For example, if a computer on the local network opens a connection to an external site, that traffic goes into the forward chain.

So to protect the router itself you use the input chain, and to protect and filter traffic between networks you use the forward chain.


The administrator can also create custom processing chains and jump to them from the main chains. This possibility is covered later.

Connection state

MikroTik classifies every network connection into one of four states:

  • new: a new connection. A packet that opens a new connection and does not belong to any of the connections currently tracked by the router.
  • established: an existing connection. The packet belongs to an already established connection currently tracked by the router.
  • related: a related connection. A packet that is associated with an existing connection but is not part of it, for example a packet that opens the FTP data connection (it is associated with the FTP control connection), or an ICMP error packet sent in response to another connection.
  • invalid: the router cannot associate the packet with any of the states above.

From this, a good set of conditions for handling packets is:

  • 1. Inspect new connections (new) and decide whether to pass or block the traffic.
  • 2. Always pass connections in the established and related states, since the decision to pass this traffic was already made when the new connection was processed.
  • 3. Always block traffic whose connection state is invalid, because it belongs to none of the connections and is in effect parasitic.

Conditions

As a packet passes through the filter, the router checks it against the conditions in order, starting with the first rule and proceeding to rules two, three and so on, until one of two things happens:

1. The packet matches a condition. The rule containing that condition fires and processing of the packet ends.

2. The rules run out without the packet matching any of them. By default it is then passed on.

Point 2 implies that there are two strategies for building a packet filter:

1. Normally open firewall. This setup can be summarised as "everything not forbidden is allowed". Only certain kinds of traffic are prohibited; a packet that does not match them passes. This type of firewall is typical where user-security requirements are not high and the traffic is varied and cannot be strictly classified: communication operators (Internet providers), open access points, home routers.

2. Normally closed firewall. This setup can be summarised as "everything not allowed is forbidden". Only specific kinds of traffic are permitted, and the last rule in the firewall drops traffic of any kind. This configuration is typical for corporate use, where security requirements are strict.

I can't say that one strategy is right and the other wrong. Both have a right to exist, each under its own conditions.
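As an added example (not from the article), the two strategies written out for the forward chain as RouterOS commands, so the effect of first-match ordering and of the missing or present final drop rule is visible. The interface lists LAN and WAN are assumed to exist (recent RouterOS default configurations create them); the ports are illustrative. Use one of the two sets, not both.

```routeros
# --- Strategy 1: normally open (everything not forbidden is allowed) ---
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="fast path: decision already taken when the connection was new"
add chain=forward connection-state=invalid action=drop \
    comment="belongs to no tracked connection"
add chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN \
    protocol=tcp dst-port=25 action=drop comment="example ban: direct SMTP to the Internet"
# No final rule: a packet that matches nothing above is accepted by default.

# --- Strategy 2: normally closed (everything not allowed is forbidden) ---
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN \
    protocol=tcp dst-port=80,443 action=accept comment="web"
add chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN \
    protocol=udp dst-port=53 action=accept comment="DNS"
add chain=forward action=drop comment="last rule: everything else"

# Hit counters show which rule actually decided each packet
/ip firewall filter print stats
```

In both sets the established/related rule comes first on purpose: with first-match semantics the bulk of packets is then decided by a single rule, and only the first packet of each connection walks the rest of the chain.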

Now let's describe in more detail all the matchers on which an action decision can be based.

Security

The default configuration no longer allows connections to the router from the external network, but that protection rests on the packet filter alone. Don't forget to set a password on the admin user. So in addition to filtering and the password, I do the following:

Reachability on external interfaces

I disable the services that are not needed in a home network (and in many non-home ones), and restrict the remaining ones by specifying the addresses from which they may be reached.

The next step is to limit discovery of the router via neighbor discovery. For this you need an interface list on which the protocol is allowed to run; set it up:

Add to the discovery list the interfaces on which we want the Neighbor Discovery protocol to work.

Now configure the protocol, pointing it at the discovery list in its settings:

In a simple home configuration, the discovery list can also serve as the list of interfaces where MAC-address access (for situations where IP is unavailable) may work, so let's configure that function too:

Now the router becomes "invisible" on external interfaces, which hides information about it (not all of it, of course) from potential scanners and denies the bad guys an easy way to take control of the router.
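The screenshots for the steps above are missing from this copy, so here is an added example (my commands, not the author's) of the same configuration in the terminal. It assumes the LAN is a bridge interface named bridge and the management subnet is 192.168.88.0/24 (the RouterOS default); adjust both.

```routeros
# Interface list for neighbor discovery and MAC-level access (LAN only)
/interface list add name=discovery comment="where MNDP/CDP/LLDP and MAC access may run"
/interface list member add list=discovery interface=bridge

# Neighbor discovery announces and answers only on the listed interfaces
/ip neighbor discovery-settings set discover-interface-list=discovery

# MAC-telnet and MAC-Winbox (for when IP is not reachable) on the same list
/tool mac-server set allowed-interface-list=discovery
/tool mac-server mac-winbox set allowed-interface-list=discovery

# Services: off if unused, otherwise bound to the management subnet
/ip service set telnet,ftp,www,api,api-ssl disabled=yes
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# Verify: the WAN port must not be a member, and each enabled service must carry an address
/interface list member print where list=discovery
/ip service print
```

The check at the end matters because newly created interfaces (VPN tunnels in particular) are not in the list and therefore stay invisible, which is the desired direction of failure.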

DDoS protection

Now add a few simple rules to the packet filter:

And place them after the defconf rule for the ICMP protocol.

The result is a one-day ban for anyone trying to open more than 15 new connections per second. Whether that is many or few is debatable; pick the number yourself. I chose 50 for corporate use, and I get 1-2 such bans per day. The second group of rules is much stricter: it blocks attempts on the SSH (22) and Winbox (8291) ports at 3 attempts per minute, with a day's rest after that ;). If you need to expose a DNS server to the Internet, a similar rule can cut off DNS amplification attack attempts, but the solution is not perfect and produces many false positives.
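The rules themselves are not visible in this copy, so here is an added example (mine, not the author's) that produces the behaviour described: a one-day ban for sources exceeding a new-connection rate (50 per second, the author's corporate value), and a one-day ban after the fourth SSH/Winbox attempt within a minute. List names are mine; place the block after the defconf ICMP accept rule as the text says. The WAN interface list is assumed.

```routeros
/ip firewall filter
# Group 1: per-source rate of new connections. dst-limit matches packets while
# the source stays under 50 per second (burst 50, flow tracked per src-address,
# forgotten after 10s); anything beyond falls through to the ban rule.
add chain=input in-interface-list=WAN src-address-list=ddos-blacklist action=drop \
    comment="blacklisted for 1 day"
add chain=input in-interface-list=WAN connection-state=new action=jump jump-target=detect-ddos
add chain=detect-ddos dst-limit=50,50,src-address/10s action=return \
    comment="within limit: back to input"
add chain=detect-ddos action=add-src-to-address-list address-list=ddos-blacklist \
    address-list-timeout=1d comment="over limit: ban"

# Group 2: SSH (22) and Winbox (8291). Each new connection moves the source up one
# stage (1-minute lists); the 4th attempt within a minute lands in a 1-day blacklist.
# add-src-to-address-list does not stop processing, so the normal accept rule for
# these ports further down the chain still applies to well-behaved sources.
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt-blacklist action=drop
add chain=input protocol=tcp dst-port=22,8291 connection-state=new src-address-list=mgmt-stage3 \
    action=add-src-to-address-list address-list=mgmt-blacklist address-list-timeout=1d
add chain=input protocol=tcp dst-port=22,8291 connection-state=new src-address-list=mgmt-stage2 \
    action=add-src-to-address-list address-list=mgmt-stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22,8291 connection-state=new src-address-list=mgmt-stage1 \
    action=add-src-to-address-list address-list=mgmt-stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22,8291 connection-state=new \
    action=add-src-to-address-list address-list=mgmt-stage1 address-list-timeout=1m

# Who is banned right now, and when each entry expires
/ip firewall address-list print where list~"blacklist"
```

Test the second group from a trusted host before relying on it: four quick connection attempts should put that host into mgmt-blacklist, and the entry disappears on its own after a day (or after you delete it from the address list).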

RFC 1918

RFC 1918 describes the address spaces allocated to networks that are not globally routed. So it makes sense to block traffic from and to such networks on the interface facing the provider, except in situations where the provider gives you a "gray" (private) address.

Place these rules near the beginning, and don't forget to add the provider-facing interface to the WAN list.

This set of routes sends all traffic destined for RFC 1918 networks into a blackhole; if routes with a smaller metric exist, that traffic goes through those routes instead. It is useful as a guarantee that private traffic will not leak into the external network. Thanks to achekalin for the tip.
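The rules and routes referred to above are not reproduced in this copy; the following is an added example (mine, not the author's) of one way to write them. It assumes ether1 is the provider-facing port and uses RouterOS v6 route syntax (v7 expresses the same with blackhole=yes on the route).

```routeros
# WAN list with the provider-facing interface
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# RFC 1918 ranges as one address list, reused by every rule below
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16

# Drop private sources arriving from the provider, and private destinations
# trying to leave towards it. Move these near the top of the chain.
# If the provider hands you a "gray" address, remove its subnet from the list
# (or skip the input rule), otherwise you cut off your own uplink.
/ip firewall filter
add chain=input in-interface-list=WAN src-address-list=rfc1918 action=drop \
    comment="rfc1918 source on WAN"
add chain=forward in-interface-list=WAN src-address-list=rfc1918 action=drop \
    comment="rfc1918 source on WAN (transit)"
add chain=forward out-interface-list=WAN dst-address-list=rfc1918 action=drop \
    comment="rfc1918 destination towards WAN"

# Blackhole routes with a high distance: a real route to a private subnet
# (connected LAN, VPN) has a lower distance and still wins; anything else
# addressed to private space is discarded instead of leaving via the default route.
/ip route
add dst-address=10.0.0.0/8 type=blackhole distance=250 comment="rfc1918 sink"
add dst-address=172.16.0.0/12 type=blackhole distance=250 comment="rfc1918 sink"
add dst-address=192.168.0.0/16 type=blackhole distance=250 comment="rfc1918 sink"

# Verify: the sinks must show as inactive wherever a connected/VPN route exists
/ip route print where comment="rfc1918 sink"
```

The routes and the firewall rules protect against different mistakes: the rules catch packets that already have a WAN interface chosen, the blackhole routes catch packets for which no better route exists at all, before any interface is chosen.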

A rather controversial technology that lets applications ask the router to forward ports through NAT. The protocol works without any authorization or control (the standard simply has none), and it is often a point where security is weakened. Configure it at your discretion:

SIP conntrack

It is also worth disabling the SIP conntrack module (the SIP helper), which can make VoIP misbehave; most modern SIP clients and servers do fine without it, and SIP over TLS makes it completely useless.

IPv6 tunnels

If you don't use IPv6, or don't want Windows workstations bringing up IPv6 tunnels uninvited, block the following traffic:
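The three settings above, as an added example (mine, not the author's). Reading the description of unauthenticated port-forwarding requests as UPnP is my interpretation; the tunnel types and ports (IP protocol 41 for 6to4/6in4/ISATAP, UDP 3544 for Teredo) are my assumptions, since the article does not list them.

```routeros
# Port-forwarding requests from LAN applications: off unless actually needed
/ip upnp set enabled=no

# SIP connection-tracking helper off; clients and servers handle NAT traversal themselves
/ip firewall service-port set sip disabled=yes

# Automatic IPv6 tunnels that Windows hosts bring up on their own
/ip firewall filter
add chain=forward protocol=41 action=drop comment="6to4/6in4/ISATAP (IP protocol 41)"
add chain=forward protocol=udp dst-port=3544 action=drop comment="Teredo"

# Check that the helper is really off and that the rules see traffic
/ip firewall service-port print
/ip firewall filter print stats where comment~"Teredo|protocol 41"
```

If a tunnel is wanted later, re-enabling it is a matter of deleting the matching rule; the counters in the last command tell you whether anything on the LAN was actually trying.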

Dynamic and nested lists

This feature appeared recently (in version 6.41) and is very convenient. But there is a catch: nesting depth. You cannot nest a list into a list that is itself nested. If you do, nothing will warn you about the problem; the list simply will not work.
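An added example (mine, not the author's) of interface-list nesting with include, showing the one level that works and the second level the text warns about. Interface names are assumed.

```routeros
/interface list
add name=LAN
add name=WAN
add name=GUESTS
# One level of nesting: INTERNAL = LAN + GUESTS. Members of LAN and GUESTS
# match in-interface-list=INTERNAL as expected.
add name=INTERNAL include=LAN,GUESTS
# Second level: ALL includes INTERNAL, which is itself a nested list.
# This is the case the text warns about: accepted without error, but
# interfaces that are only members of LAN/GUESTS do not match ALL in practice.
add name=ALL include=INTERNAL,WAN
# Safe way to express the same intent: include the base lists directly.
add name=ALL-FLAT include=LAN,GUESTS,WAN

/interface list member
add list=LAN interface=bridge
add list=GUESTS interface=wlan-guest
add list=WAN interface=ether1

# Rule that works (one level) next to one that silently never matches bridge (two levels)
/ip firewall filter
add chain=input in-interface-list=INTERNAL protocol=tcp dst-port=8291 action=accept
add chain=input in-interface-list=ALL protocol=icmp action=accept comment="broken: two-level nesting"

# Dynamic members (flag D) appear here as interfaces come and go
/interface list member print
```

When a rule that references a list unexpectedly shows zero hits in /ip firewall filter print stats, the nesting depth of that list is the first thing to check.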

In an urban environment, where the air is extremely noisy, it makes sense to give up 40 MHz channels; this increases the signal power per channel, since a 40 MHz channel is essentially two 20 MHz channels.

MikroTik and blocking unwanted sites (on the example of YouTube and)

What prompted this article was my eldest child staying up late at night watching all sorts of videos on YouTube instead of going to bed, together with replacing the home TP-Link TL-WR1043ND router with a MikroTik RB951G-2HnD. Searching the Internet, I came across a 2017 presentation on the MikroTik YouTube channel. It described how not to do it and how to do it right. For many advanced MikroTik and RouterOS users this will be nothing new, but I hope novice users like me will not get lost in the thicket of options offered on the Internet.

Let's start with the option often proposed on the Internet (this is how NOT to do it):

This solution has the following drawbacks: high CPU load, increased latency, packet loss, and YouTube and are not blocked.

Why does this happen? Every connection is checked again and again: Layer7 is matched in the wrong place, which leads to inspection of all traffic.

The right way

We create a Layer7 rule with a regular expression:

I blocked only YouTube; if you need something else, create separate rules.

You can also create rules for other video-streaming services; here is one of the options:

Next, we create the rules for marking connections and packets:

In my home network I have static IP addresses via DHCP, so I applied the filter to the IP address of the child's smartphone; you can create an address group and apply it instead. Go to the IP > Firewall > Address List menu, click Add, enter the group name and don't forget to fill in the list of addresses to block.

Next, go to IP > Firewall > Mangle, select our mark-connection and mark-packet rules, and in the Src. Address field enter the blocked IP or group.

That's it: the device is left without YouTube. Harsh, but needed for educational purposes.

You can also apply these rules on a schedule.
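The screenshots of the Layer7, mangle and filter rules are missing from this copy, so here is an added example (mine, not the author's) of the "right way" described: Layer7 is consulted only once per connection in mangle, the connection mark is turned into a packet mark, and the filter drops by packet mark. The address, list and mark names are mine; the scheduler at the end enables the block only in the evening.

```routeros
# Who is affected: a single static DHCP lease, or add more entries to the same list
/ip firewall address-list add list=no-youtube address=192.168.88.50 comment="child's phone"

# Layer7 pattern (RouterOS wiki style; $ must be escaped inside quotes)
/ip firewall layer7-protocol add name=youtube regexp="^.+(youtube).*\$"

/ip firewall mangle
# Inspect with Layer7 only while the connection is still unmarked, i.e. its
# first packets. Once marked, later packets skip the expensive matcher.
add chain=prerouting src-address-list=no-youtube connection-mark=no-mark \
    layer7-protocol=youtube action=mark-connection new-connection-mark=youtube_conn \
    passthrough=yes comment="L7 once per connection"
# Cheap per-packet step: turn the connection mark into a packet mark
add chain=prerouting connection-mark=youtube_conn action=mark-packet \
    new-packet-mark=youtube_pkt passthrough=no

# The filter never runs Layer7 itself; it only looks at the mark
/ip firewall filter
add chain=forward packet-mark=youtube_pkt action=drop comment="youtube-block"

# Evening-only enforcement
/system scheduler
add name=youtube-block-on start-time=21:00:00 interval=1d \
    on-event="/ip firewall filter enable [find comment=youtube-block]"
add name=youtube-block-off start-time=07:00:00 interval=1d \
    on-event="/ip firewall filter disable [find comment=youtube-block]"
```

The wrong variant the presentation warns about is the same regexp placed directly in a forward filter rule: there every packet of every connection is matched against Layer7, which is exactly the CPU load and latency listed above.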

I'll be glad of comments and corrections if you notice any inaccuracies, since this is my first article on Habr. Based on material from the MikroTik channel on YouTube. Note: this article is not about restricting a child's Internet access; restricting YouTube is just an example. It is about one way to restrict access to undesirable resources.

RADIUS tab

MAC Authentication: authentication by MAC address. This setting applies to clients that are not in the Access List. The RADIUS server receives the client's MAC address as the user name.

MAC Accounting: enable MAC accounting.

EAP Accounting: enable EAP accounting.

Interim Update: the interval after which the access point re-sends accounting information to the RADIUS server.

MAC Format: the format in which the MAC address is written. Available formats:

  • XX:XX:XX:XX:XX:XX
  • XXXX:XXXX:XXXX
  • XXXXXX:XXXXXX
  • XX-XX-XX-XX-XX-XX
  • XXXXXX-XXXXXX
  • XXXXXXXXXXXX
  • XX XX XX XX XX XX

Indicates how the client's MAC address is encoded by the access point into the RADIUS User-Name attribute.

  • As Username: use only the name (the MAC address) when authenticating against the RADIUS server.
  • As Username and Password: use the MAC address as both the name and the password when authenticating against the RADIUS server (as the User-Name attribute).

MAC Caching Time: how long the access point caches authentication replies. The value Disabled turns the cache off; all requests go straight to the RADIUS server.

EAP tab

EAP Methods: the EAP authentication method. Values:

  • EAP-TLS: use the built-in EAP-TLS authentication. Client and server both use certificates.
  • EAP-TTLS-MSCHAPv2: EAP authentication by user name and password.
  • Passthrough: the access point relays the authentication process to the RADIUS server.

TLS Mode: TLS verification mode. Values:

  • Verify Certificate: verify the certificate.
  • Don't Verify Certificate: do not verify the client's certificate.
  • No Certificates: do not use a certificate; use the 2048-bit anonymous Diffie-Hellman key method.
  • Verify Certificate with CRL: verify the certificate against CRL lists (lists of revoked SSL certificates).

TLS Certificate: the TLS certificate itself is specified here.

MSCHAPv2 Username: user name for EAP-TTLS-MSCHAPv2 authentication.

MSCHAPv2 Password: password for EAP-TTLS-MSCHAPv2 authentication.
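The RADIUS and EAP tab options above correspond to parameters of a wireless security profile. As an added example (mine, not the author's), here are two profiles set from the terminal: one that hands EAP to a RADIUS server and also authenticates unlisted clients by MAC, and one that terminates EAP-TLS on the access point. The RADIUS address, shared secret and certificate name are placeholders.

```routeros
# RADIUS server the access point talks to (address and secret are placeholders)
/radius add service=wireless address=192.168.88.10 secret=CHANGE-ME timeout=1s \
    comment="corporate RADIUS"

/interface wireless security-profiles
# Profile 1: EAP passed through to RADIUS; clients not in the access list are
# also checked by MAC, sent as User-Name and password in XX:XX:XX:XX:XX:XX form.
# Replies are cached 5 minutes; accounting is on with interim updates every 5 minutes.
add name=corp-eap mode=dynamic-keys authentication-types=wpa2-eap \
    eap-methods=passthrough \
    radius-mac-authentication=yes radius-mac-format=XX:XX:XX:XX:XX:XX \
    radius-mac-mode=as-username-and-password radius-mac-caching=5m \
    radius-mac-accounting=yes radius-eap-accounting=yes interim-update=5m

# Profile 2: EAP-TLS terminated locally; the AP presents 'ap-cert' (assumed name
# in /certificate) and verifies the client certificate it receives.
add name=corp-eap-local mode=dynamic-keys authentication-types=wpa2-eap \
    eap-methods=eap-tls tls-mode=verify-certificate tls-certificate=ap-cert

# Apply one of them to the access point interface
/interface wireless set wlan1 security-profile=corp-eap

# Check what actually got associated and how each client was authenticated
/interface wireless registration-table print
```

Of the TLS modes, only verify-certificate and verify-certificate-with-crl actually authenticate the peer; dont-verify-certificate and no-certificates give an encrypted channel with no assurance of who is on the other end, which is why they belong in a lab, not in the corp-eap-local profile above.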

Protecting MikroTik: persecution mania

In addition to the main article on protecting the WAN interface of a MikroTik, I'd like to note several important points about the security of your router. The points described here are not critical for defending a MikroTik router, but taken together they help protect it even better. I will deliberately continue the numbering of the points described in the previous material. This article is a continuation of and addition to the first and should not be read separately.

Despite the blocking rule in item 13 ("add action=drop chain=input comment=drop_all_wan in-interface=ether1-velton") at the end of the first article, I recommend checking which services are active. If a service is not used, disable it to be safe.

Check the SNMP service. It is off by default. If we don't use it, the Enabled checkbox should not be set. If we do use it, take care of its protection.


The same goes for the RoMON service. No need to shine on the network more than necessary. It is also disabled by default.

If you use an NTP server, make sure port 123/UDP is closed from the outside. If you use the general blocking rule from item 13, no additional rule for this port is needed.

If you do not use the general blocking rule, then enabling Allow Remote Requests in the DNS settings makes your router answer DNS queries from all interfaces. That is why so many admins run into DNS floods on the external interface. Be sure to use a blocking rule to close this hole:

/ip firewall filter add chain=input action=drop protocol=udp in-interface=ether1 dst-port=53

If you use access to the web interface from outside, you must restrict it to subnets or disable the HTTP service as an insecure protocol. Use HTTPS with a self-signed SSL certificate and a non-standard port instead.

Remember: if you enable graphs and do not restrict who may view them by subnet, anyone will be able to see the traffic flows per interface.

In Tools > MAC Server, disable the MAC Ping Server. This stops the device answering MAC-ping.

A MAC address contains information about the device's manufacturer: the first six characters identify the vendor. Knowing the manufacturer, an attacker can choose an attack method. For example, 00:00:0c is Cisco Systems, Inc. So it is recommended to change the MAC address of our router on the external interface.

/interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XX

Remember that changing the MAC can cause a conflict, so be careful. I use MACs of devices that will appear on my network, for example 9C:93:4E (Xerox Corporation). Vendor information for physical addresses can be found here: http://www.coffer.com/mac_find/

Changing the MAC will confuse an attacker, which is a plus for security. There is material online where someone wrote a script that periodically changes the MAC on the WAN interface. This scheme works if your provider does not bind to the physical address.

To protect against "uplink substitution", that is, to protect your router from an attacker who inserts himself into the L2 network between you and the provider and wants to "hack" your device on the WAN port, set the interface's ARP option to "reply-only" and enter the MAC address of the provider's end device into the interface's ARP table. Then the attacker cannot simply come in by IP; he would also need to pick the right MAC to talk to your router. This is done with the command:

/interface ethernet set ether1 arp=reply-only

Bear in mind that with this scheme, if the provider changes equipment, you will have to enter the provider's new MAC into the ARP table of the WAN interface, otherwise there will be no connectivity.
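The points from SNMP down to ARP reply-only, collected as an added example (mine, not the author's). The gateway address and MAC are documentation-range placeholders, the certificate name and management subnet are assumptions, and the static ARP entry is deliberately added before switching to reply-only so the uplink never goes dark.

```routeros
# SNMP and RoMON: off unless in use
/snmp set enabled=no
/tool romon set enabled=no

# NTP and DNS: do not answer the outside world (WAN interface list assumed)
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=123 action=drop comment="no NTP from WAN"
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="no DNS from WAN (tcp)"

# Web UI: plain HTTP off; HTTPS on a non-standard port, LAN only.
# 'router-https' is an assumed certificate name from /certificate.
/ip service set www disabled=yes
/ip service set www-ssl disabled=no port=8443 certificate=router-https address=192.168.88.0/24

# Graphs visible only from the management subnet
/tool graphing interface add interface=all allow-address=192.168.88.0/24
/tool graphing resource add allow-address=192.168.88.0/24

# WAN ARP: pin the provider gateway first, then stop learning from ARP at all.
# 203.0.113.1 / 00:00:5E:00:53:01 are placeholders; copy the real pair from
# /ip arp print while the interface is still in normal ARP mode.
/ip arp add interface=ether1 address=203.0.113.1 mac-address=00:00:5E:00:53:01 \
    comment="provider gateway (static)"
/interface ethernet set ether1 arp=reply-only

# Confirm the uplink still works after the switch
/ping 203.0.113.1 count=3
```

With reply-only in place, a gateway hardware swap on the provider side shows up as a dead uplink; the fix is updating the single static entry, which is the maintenance cost the text points out.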

Periodically audit the Discovery interfaces (see item 3 of the first article). The point is that newly created interfaces (PPTP, L2TP and any others) automatically end up in Neighbor Discovery, and they stay active there until you disable them. And that means information for everyone on the interface about the device model, the OS version, MAC and IP addresses, uptime, the presence of IPv6 and so on.

As for Neighbor: if you turn Discovery off on an interface, you can no longer see information about other devices on that interface either. But I would really like to hide my own information and still have information about the neighbouring devices. For that it is not enough to add a rule blocking UDP port 5678 on the WAN interfaces

Arxont

Problem: access to Wi-Fi must be limited to certain computers only.

Solution: admit only devices with specific MAC addresses to the network.

In Winbox, select Wireless, then the Registration tab, find the computers you need to add, right-click and choose Copy to Access List.

The console equivalent is: /interface wireless access-list add interface=wlan1 mac-address=AA:BB:CC:DD:EE:FF

Go to the Access List tab to view or edit the created entry. First of all, I recommend adding a comment with a description. Here you can also specify the acceptable signal strength for connecting, so that only clients with a certain signal strength connect to the access point. That adds another level of security.

Next, go to the wlan interface settings and on the Wireless tab untick "Default Authenticate".

In the console, it is enough to add default-authentication=no when configuring the interface:

/interface wireless set 0 band=2ghz-b/g/n country=russia default-authentication=no disabled=no \
    frequency=2452 l2mtu=2290 mode=ap-bridge security-profile=arxont ssid=arxont wireless-protocol=802.11

That's it, MAC-based access is configured. Now only computers whose MAC addresses are listed in the Access List can use our Wi-Fi network.

Note: almost the same can be achieved by 1) setting reply-only ARP mode on the interface together with static ARP entries, which also binds IP to MAC; 2) firewall rules filtering by src-mac-address.

Introduction

In the comments to the article published earlier, one user asked: "Could you add a section on how to protect the MikroTik itself, so that it does not get taken over?" Another user wrote the following: "There are two universal principles for any network device: administration only from the internal interface (everything closed on the outside) and regular firmware updates" (author's spelling). We realised at once that a short answer won't do, and that the issue deserves a full separate treatment, taking into account the broad capabilities of the RouterOS operating system as well as the open-source solutions that comprehensively address the information-security problem. Besides securing access to the router itself, it must serve as a full-fledged barrier against multilevel attacks aimed at the protected network. There are many technologies for this, so we divide the capabilities by logical layer and present recommendations for administering networks built on MikroTik equipment.

To keep the article from being too long, we split it into four parts. In the first part we cover general recommendations for securing MikroTik equipment and L1 and L2 security. In the second part we continue with L2, namely the 802.1X protocol, and cover L3 security. In the third part we show centralised logging. In the fourth (final) part we cover setting up a full-fledged IDS, which together gives fairly broad coverage of methods for protecting MikroTik equipment. Let's start the technical part.

General recommendations

The first thing we always do with a new box is update the firmware:

It is always interesting to see what the vendor has fixed, and doubly so when it comes to CVEs. Of course, not every resolved issue has a public exploit; maybe some don't exist outside MikroTik at all. Besides, you can find announcements of long-awaited features such as UDP for OpenVPN, already present in version 7 (not yet stable) of the operating system.

Next, look at how many users exist and delete the extra ones. Set passwords in line with the company's information-security policy, if there is one; if not, just make them stronger:

If paranoia gets the upper hand, use SSH login without a password (and the admin user can be replaced by another). Generate an RSA key pair; we'll specify 4096 bits, which is not too much:

The output is the private key test_user:

Bind the public key to the RouterOS user:

Add a hardcore setting forbidding password login:

Note that if there is a user for whom no public key has been imported, then despite the setting above RouterOS still allows logging in as that user with a password. Accounts done; next, turn off the servers of the various management protocols, including the insecure ones, of course, if you don't need them:
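The account and SSH-key steps above, as an added example (mine, not the author's). The user name and passphrase are placeholders; the key file name test_user follows the text. Which exact "hardcore" setting the author used is not visible in this copy; always-allow-password-login=no is my choice and matches the caveat stated above.

```routeros
# On the administrator's workstation, not on the router:
#   ssh-keygen -t rsa -b 4096 -f test_user
# yields test_user (private key, stays on the workstation) and test_user.pub.
# Upload test_user.pub to the router (Winbox > Files, or scp) before continuing.

# 1) Fresh full-rights account, bound to the key, then retire the built-in admin
/user add name=netops group=full password="LONG-RANDOM-PASSPHRASE-GOES-HERE" comment="replaces admin"
/user ssh-keys import public-key-file=test_user.pub user=netops
/user disable admin

# 2) SSH hardening: strong ciphers only, no port forwarding, and no password
#    fallback for users that have a key. A user WITHOUT an imported key still
#    authenticates by password, so every remaining account either gets a key
#    or gets disabled.
/ip ssh set strong-crypto=yes forwarding-enabled=no always-allow-password-login=no

# 3) Review: which users exist, which of them carry keys
/user print
/user ssh-keys print
```

Keep the old admin session open until the new account has logged in over SSH with the key at least once; disabling the only working account from inside it is the classic way to lock yourself out.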

You can change the port the SSH server listens on, especially to a value not in nmap's default list, but we don't see this as protection so much as camouflage:

Let us explain. Nmap is, in our opinion, the most common network scanner. If someone scans your device, it is most likely with nmap. Nmap with default parameters does not scan all 65535 ports, so pointing the SSH server at a "rare" port removes a large number of "amateurs" from the picture. On top of that, you can add port knocking:

Scan the router and see that everything works correctly. The SSH server stays unavailable until a connection attempt on port 28, then within 30 seconds on port 29, then within 30 seconds on port 30. If the sequence is correct and the time limits are observed, the source IP address can open an SSH session within 30 seconds; otherwise, drop:

Note that if you specify the knocking ports in this order: 21, 80, 443, and move the SSH port to 8080 (all four are in nmap's default scan list), your secret port 8080 will be discovered on the very first scan. If you really want to use port knocking, choose the ports in decreasing order and with values that nmap does not scan in either top-100 or top-1000 mode. You can also limit the IP addresses from which the management protocols are reachable to a trusted range:

So although port 22 is ready to accept a TCP connection, connections from untrusted IP addresses are dropped by the SSH server itself:
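The knocking rules and the trusted-range restriction are not visible in this copy, so here is an added example (mine, not the author's). The knock ports are placeholders chosen per the advice above (descending, outside nmap's top-1000); the management subnets are assumed. Variant A and variant B are alternatives: the service-level address restriction in A would also reject knockers from outside those subnets.

```routeros
# Variant A: trusted ranges enforced by the SSH service itself. The TCP
# handshake still completes; the server then drops untrusted peers.
/ip service set ssh port=22 address=192.168.88.0/24,198.51.100.0/24

# Variant B: port knocking in front of SSH from anywhere (service address left open).
# A correct sequence 46221 -> 46220 -> 46219, each step within 30s of the previous,
# puts the source into ssh-open for 30s. add-src-to-address-list does not stop
# processing, so the knock packets themselves still fall through to the chain's
# final drop rule.
/ip firewall filter
add chain=input protocol=tcp dst-port=46221 action=add-src-to-address-list \
    address-list=knock1 address-list-timeout=30s comment="knock 1/3"
add chain=input protocol=tcp dst-port=46220 src-address-list=knock1 \
    action=add-src-to-address-list address-list=knock2 address-list-timeout=30s comment="knock 2/3"
add chain=input protocol=tcp dst-port=46219 src-address-list=knock2 \
    action=add-src-to-address-list address-list=ssh-open address-list-timeout=30s comment="knock 3/3"
add chain=input protocol=tcp dst-port=22 src-address-list=ssh-open action=accept \
    comment="SSH within 30s of a correct sequence"
add chain=input protocol=tcp dst-port=22 action=drop comment="SSH otherwise"

# The established/related accept rule elsewhere in the chain keeps the session
# alive after ssh-open expires. Watch the lists fill while testing:
/ip firewall address-list print where list~"knock|ssh-open"
```

Because knock1 has no src-address-list condition, any stray packet to 46221 creates an entry; that is harmless, since the next two steps must follow in order and in time, and the list entry expires by itself.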

As a general recommendation, do not use protocols without encryption to transmit protected information. If that is unavoidable, try to run the traffic through encrypted VPN tunnels. But even inside such connections it is better to use secure protocols, because the VPN network may extend far beyond the perimeter you control. Where possible, do not use PAP, HTTP (including the API), FTP, SMTP, etc. Always use their secure counterparts: CHAP, MS-CHAPv2, HTTPS, SMTPS.

Make regular backups of your device configurations. RouterOS has two types of backup: binary backup

The first is recommended only for fully identical devices and cannot be edited (when restored, an exact image of the operating system is reinstated). The second, on the contrary, can be edited by hand (before the result is applied), but it may contain sensitive information (unless you use /export hide-sensitive), so we recommend securing the storage of such backup files. Whether to put regular backups into the task scheduler is up to each admin. The main thing is not to get lost among all the backups, and not to transfer them to a remote server over the open Internet via FTP.
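Both backup types, as an added example (mine, not the author's). File names, the passphrase and the schedule are placeholders; the password parameter of /system backup save requires a RouterOS version that supports encrypted backups.

```routeros
# Binary backup: full image, encrypted with a passphrase; only for an identical unit
/system backup save name=rb-full password="BACKUP-PASSPHRASE"

# Text export: human-readable and editable, with passwords and keys redacted
/export hide-sensitive file=rb-config

# Weekly export from the scheduler (the text leaves this to your judgement)
/system scheduler add name=weekly-export interval=7d start-time=03:00:00 \
    on-event="/export hide-sensitive file=rb-config-weekly"

# Fetch the files from the workstation over an encrypted channel, e.g.
#   scp admin@<router>:rb-config.rsc .
# and never push them across the Internet over FTP.
/file print where name~"^rb-"
```

The export is the one you diff after every change; the binary backup is the one you restore onto a replacement unit of the same model when the original dies.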

Configuring traffic filtering between the ports of a MikroTik bridge, with examples

Almost always, when MikroTik traffic filtering comes up, we mean /ip firewall. That is fine when we filter LAN-to-WAN, protect the MikroTik perimeter, configure NAT and so on. But what if you need to restrict traffic inside the local network, so that a computer connected to a particular port (ether5, for example) cannot reach a specific network resource, or simply so that nobody connected to port ether5 can get online through the company gateway? Here /ip firewall will not help, because the local-network ports are combined into one bridge (effectively a managed switch) and the firewall cannot filter by LAN port (you will get an error). There is another tool: /interface bridge filter. It is similar to /ip firewall filter but applies specifically to the bridge.

For example: a MikroTik whose LAN ports (ether2-ether5) are combined into a bridge, with a host with MAC 00:11:22:33:44:55 connected to ether5 (its IP address does not matter; if it does matter, add it to taste, but do not overcomplicate).

Let's configure filtering in the bridge (/interface bridge filter; in Winbox: Bridge > Filters):

1) Block traffic from the host with MAC address 00:11:22:33:44:55 via port ether5 to host 192.168.2.251:

add action=drop chain=forward dst-address=192.168.2.251/32 in-interface=ether5 mac-protocol=ip src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF

2) Allow the host's other outgoing traffic:

add action=accept chain=forward in-interface=ether5 src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF

3) Allow traffic to our host from the network:

add action=accept chain=forward dst-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF out-interface=ether5

4) Allow broadcasts to the host from the network:

add action=accept chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF out-interface=ether5

If this is not allowed, the host will not be able to interact with the network at all. There will be no reply even to pings.

5) Forbid any other devices from reaching the network through port ether5:

add action=drop chain=forward out-interface=ether5
add action=drop chain=forward in-interface=ether5

Here you also need to be very careful not to kill the service traffic the host may need (DHCP requests, for example, or something else).

MAC and IP can be spoofed, but changing the port is already harder:

6) Forbid traffic through port ether5 to the server, without binding to a MAC:

add action=drop chain=forward dst-address=192.168.2.251/32 in-interface=ether5

But then we also prevent other devices connected to ether5 from interacting with the server.

There is no established or related here; stateful operation, as in an ordinary firewall, does not work. So traffic must be allowed explicitly in both directions.

From the MikroTik manual: You can put packet marks in bridge firewall (filter and NAT), which are the same as the packet marks in IP firewall put by "/ip firewall mangle". In this way, packet marks put by bridge firewall can be used in "IP firewall", and vice versa. In other words, packet marking in the bridge is essentially the same as in the IP firewall: you can mark packets in the bridge filter and use those marks in the "ordinary" IP firewall, and vice versa, marks created in the IP firewall can be used in the bridge firewall.

You can mark packets, filter by source and destination port, and much more. You can tune a MikroTik endlessly!
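The manual's point about shared packet marks, as an added example (mine, not the author's): the bridge filter tags frames from the ether5 host at L2, and the IP firewall, which has connection-state and the other L3 matchers the bridge filter lacks, makes the decision. Interface, MAC and server address follow the scenario above; the mark name is mine. Bridged LAN-to-LAN traffic only reaches /ip firewall when use-ip-firewall is switched on, so that is the first line.

```routeros
# Let bridged (LAN-to-LAN) traffic also traverse /ip firewall
/interface bridge settings set use-ip-firewall=yes

# L2: tag frames from the host on ether5 by MAC; passthrough keeps the frame moving
/interface bridge filter
add chain=forward in-interface=ether5 src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=mark-packet new-packet-mark=host-ether5 passthrough=yes comment="tag at L2"

# L3: decide on tagged packets with the full IP matcher set
/ip firewall filter
add chain=forward packet-mark=host-ether5 connection-state=established,related action=accept
add chain=forward packet-mark=host-ether5 dst-address=192.168.2.251 action=drop \
    comment="tagged host may not reach the server"
add chain=forward packet-mark=host-ether5 action=accept comment="tagged host: everything else"

# The reverse direction works the same way: a mark set in /ip firewall mangle
# can be matched in /interface bridge filter with packet-mark=...
/interface bridge filter print stats
/ip firewall filter print stats where packet-mark=host-ether5
```

Compared with rule 1) above, this variant gets stateful handling for free: the reply packets from the server never carry the mark and are judged by the rest of the forward chain, while the host's own new connections towards the server are dropped by the second IP rule.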

User and password

Now replace the default user and set a password for it.

Create a new user with administrator rights.

Then close Winbox, start it again and log in as the new user, open the System > Users menu and disable the admin account.

That completes the preparatory steps. Let's move on to configuring the firewall.

Configuring the firewall

Based on connection states and chains, the general rules for protecting the router can be formulated as:

  • We work only in the input chain;
  • We pass connections in the established and related states, as already admitted;
  • We pass the ICMP protocol;
  • We treat both WAN and DMZ as untrusted networks;
  • We allow some traffic to the router and block the rest.

Now let's define the traffic allowed from untrusted interfaces. We allow:

  • TCP port 8291: Winbox, remote management from outside;
  • 65522: SSH on a changed port;
  • Assume we will later set up a VPN server using the PPTP protocol, so we allow TCP port 1723.

From this point on we also work with the router's command line. All commands are entered into the router terminal. If necessary, you can check in the graphical interface exactly what was done. Very soon you will learn to read the commands and map them to the graphical interface.

We define the so-called bogon networks (private or unallocated IP address ranges).

And we forbid connections from these subnets to the router's WAN port:

We allow all already established connections (connection-state=established):

We allow all related connections:

We allow new connections to ports 65522 and 8291 from any interface:

We allow new connections to port 1723 (PPTP) from any interface:

And we block all new connections from all interfaces except LAN:
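The commands for the steps above are not visible in this copy. As an added example (mine, not the author's), here is the complete input-chain set in the order the steps describe, which also puts the chain and connection-state rules from the first article into practice. Interface lists and members are assumed (ether1 as WAN, bridge as LAN); the bogon ranges are the usual unroutable and reserved blocks, so remove any that your provider actually uses (100.64.0.0/10 if you get a carrier-grade NAT address, 10/8 or 192.168/16 if you get a "gray" one).

```routeros
# Interface lists used by the rules
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge

# Bogon networks: private, reserved and otherwise unroutable source ranges
/ip firewall address-list
add list=bogons address=0.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=100.64.0.0/10
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=192.0.2.0/24
add list=bogons address=192.168.0.0/16
add list=bogons address=198.18.0.0/15
add list=bogons address=198.51.100.0/24
add list=bogons address=203.0.113.0/24
add list=bogons address=224.0.0.0/3

# SSH moves to its new port before the filter references it
/ip service set ssh port=65522

/ip firewall filter
add chain=input in-interface-list=WAN src-address-list=bogons action=drop comment="bogons on WAN"
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input connection-state=new protocol=tcp dst-port=65522,8291 action=accept \
    comment="SSH (moved) and Winbox from anywhere"
add chain=input connection-state=new protocol=tcp dst-port=1723 action=accept comment="PPTP (planned)"
add chain=input connection-state=new in-interface-list=!LAN action=drop \
    comment="everything else from WAN and DMZ"

# Review order and hit counts; the last rule should be the only drop that sees LAN-free traffic
/ip firewall filter print stats
```

Apply this over a LAN connection, not over the WAN: the final rule takes effect immediately, and any management session coming in from a non-LAN interface on a port not listed above is cut off at that moment.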

This completes the basic security configuration of the router. In the next part we will cover protection of the local network and the demilitarized zone, and creating our own traffic-filtering chains.