Hardening Mikrotik

1. Introduction

I always wandered, since I joined a cult got mine, why almost no one can properly secure them. Looks like people just don't bother to do that, and leave it as it is barely configured, and only whine when get hacked. But, holy shit, even through Quick Set you get a proper secure firewall, yet there are thousands of routers sticking out with a naked ass acessible WebFig (I bet alongside with it Winbox comes as well, didn't check).

In this article I'll show you how to harden your router's security. There's nothing difficult and could be find just by learning available features. Considering the firewall, I will just copy-paste a default set of rules, yeah, that feels no good, but what can I do if many haven't done even that.

If you are setting up a router for the first time I strongly recommend you use a default configuration as a base. First you need to reset a configuration to clear a router. For that in Winbox go to System->Reset Configuration and check an option No Default Configuration. In teminal > system/reset-configuration no-defaults=yes. And then using Quick Set configure basic access to the Internet and a LAN. We need No Default Configuration because these defaults doesn't include a firewall (if I recall correctly, I did that in 2019 for the last time).

2. Ways to harden your router

Vital thing to do is to keep a firmware up to date. That's another major reason why routers becomes a part of a botnet — vulnerabilities.

To do it in Winbox go to System->Packages and click a Check For Updates button. Or using teminal: > system/package/update/check-for-updates. After a reboot you need to upgrade a RouterBOARD firmware. In Winbox go to System->RouterBOARD and click Upgrade button. After that reboot a router again, go for it in System->Reboot. In a CLI > system/routerboard/upgrade, and then > system/reboot.

First thing is setting a password for your admin account. Many other articles recommend to rename it, but I never do that, because there's no access from outside anyway. Also we restrict from what addresses we can login.

Second, restrict access to router's configuration by IP, and disable not used services.

And here comes a firewall.

And before we start I want to give you a vital tip that will save your time, and, maybe, money — use Safe Mode! To toggle it in Winbox click button Safe Mode that you can find at the top left corner. In teminal press Ctrl-X. And when you're done, don't forget to disable this mode to save all applied changes or they will revert. Winbox will warn you about activated Safe Mode, but teminal not. :)

3. Password protection, SSH and address-based access restriction

3.1. Password

To change a password in Winbox go to System->Users, double-click on your admin account and in an edit dialogue click Password... button. In teminal type in > user/set admin password=new_password.

3.2. SSH

Alas, built-in SSH doesn't support modern ciphers and we cannot use keybased authentification. Hope it will change in the future. But now we have only passwords.

To configure SSH go to IP->SSH. We need there options Always Allow Password Login and Strong Crypto to be enabled. You may change Host Key Size to something more secure and click Regenerate Host Key button. Using teminal type in > ip/ssh/set always-allow-password-login=yes strong-crypto=yes. In a terminal works autocompletion, just tap Tab key twice. To regenerate a key type in > ip/ssh/regenerate-host-key and confirm.

3.3. Allowed Address list

Every user can be restricted by what addresses he allowed to login from. You may have already noticed a field Allowed Address when was setting a password. So, again, in Winbox go to System->Users, double-click your user and you will see a field Allowed Address, there could be multiple entries that can be added/removed using arrow buttons at the end of fields. You can type in individual IP-addresses and whole subnets in CIDR (e.g. 192.168.88.0/24) notation.

In teminal type in > user/set admin address= and type all addresses separated by a comma, e.g. address=192.168.88.3,192.168.89.0/24.

4. Configuring service list

There are a bunch of different ways to configure your router: Winbox, SSH, Telnet, WebFig and API. And you can access its filesystem with FTP or SFTP.

Good thing to do first will be disabling all not needed services. Go to IP->Services in Winbox and then using a button with a red cross disable them, or a blue check mark to enable it. Or in an edit dialogue click Disable button. In teminal type in > ip/service/set service disabled=yes.

As for me, I leave only SSH and Winbox services.

Okay, now let's restrict access to our services by IP. It is the same as for a user, just a field called Available From. In teminal: > ip/service/set service address=192.168.88.2,192.168.89.0/24.

5. Basic firewall

As I previously stated, default firewall we get using Quick Set is pretty much sufficient.

Go to IP->Firewall in Winbox or > ip/firewall/filter in teminal. For IPv6 sections called IPv6 for Winbox, and ipv6 for teminal.

In terminal you can switch to a needed section instead of typing it every time. To add a rule there is a command called add, and remove to remove a rule by its number. To see all rules and theirs numbers type print command.

Next I will give you set of rules for input and forward chains for IPv4 and IPv6. Those are very basic rules that allows already established connections in, allows ping our router from the Internet, and drops any other traffic that comes from anywhere else but not our LAN. Allows new connections from Internet only if there is a dstnat rule in a NAT table for that port.

5.1. Input chain

A basic input chain for IPv4:

1 chain=input action=accept connection-state=established,related,untracked
2 chain=input action=drop connection-state=invalid
3 chain=input action=accept protocol=icmp
4 chain=input action=drop in-interface-list=!LAN

Here the first rule let already allowed traffic to go in a router. The second one drops packets with invalid state. The third one allows pinging our router. And the fourth one drop all the packets that doesn't originate from interfaces listed in a LAN list.

And for IPv6:

1 chain=input action=accept connection-state=established,related,untracked
2 chain=input action=drop connection-state=invalid
3 chain=input action=accept protocol=icmpv6
;;; defconf: accept UDP traceroute
4 chain=input action=accept protocol=udp port=33434-33534
;;; defconf: accept DHCPv6-Client prefix delegation.
5 chain=input action=accept protocol=udp src-address=fe80::/10 dst-port=546
6 chain=input action=drop in-interface-list=!LAN

As you can see pretty much the same as for IPv4 except for rules 4 and 5 that are described by their's comments above them.

5.2. Forward chain

Here comes a basic forward chain for IPv4:

1 chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related,untracked
2 chain=forward action=accept connection-state=established,related,untracked
3 chain=forward action=drop connection-state=invalid
4 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

First rule makes use of fasttrack mechanism that sends traffic via short path past the CPU, so called hardware offload to a switch chip. While it drastically reduce load on a CPU, we lose ability to work with traffic allowed by this rule, like mark packets, and other things in a mangle section. But, since I don't do anything special with traffic I offload everything. If you need to do something then you can fasttrack only some traffic like the one going in and out the Internet.

In the last rule we deny establishing connections from outside if there is no destination NAT rule specified.

So, here is a forward chain for IPv6:

1 chain=forward action=accept connection-state=established,related,untracked
2 chain=forward action=drop connection-state=invalid
3 chain=forward action=drop src-address-list=bad_ipv6
4 chain=forward action=drop dst-address-list=bad_ipv6
5 chain=forward action=accept protocol=icmpv6
;;; defconf: rfc4890 drop hop-limit=1
6 chain=forward action=drop protocol=icmpv6 hop-limit=equal:1
7 chain=forward action=drop in-interface-list=!LAN

As for rules 3 and 4 bad_ipv6 address list contains all reserved and special ranges that I won't provide here, these rules are here just to show off. And as you can see there is no fasttrack-connection rule since it is not implemented yet for IPv6.

If you don't use NATv6 then all you need to allow connections to your machine from outside is to create a corresponding rule: chain=forward action=accept dst-address= dst-port= connection-state=new. Don't think that in-interface-list=WAN is necessary here, we allow establishing a connection, so if we access that service from inside then just immediately leave a chain with accept action. And if you do use of NATv6 then use a last rule from IPv4 firewall instead.