We need a proper firewall configuration on the router to avoid various attacks and unwanted connections.
To do that, you can apply the configuration shown in the example below (which of course can be adjusted to the needs of each network).
In the example, WAN is the gateway interface to the internet, LAN is the local interface, and 192.168.88.0/24 is the subnet used on the LAN.
Create an address list covering the different subnets (essentially all subnets that should not appear on the public network).
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic

Firewall filter to protect the router itself from outside connections (input chain):

/ip firewall filter
add chain=input comment="Accept established and related packets" connection-state=established,related
add chain=input comment="Accept all connections from local network" in-interface=LAN
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to the router's IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which do not have a unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic

Firewall filter to protect the local network from outside connections (forward chain):

/ip firewall filter
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN
add action=drop chain=forward comment="Drop all packets in local network which do not have a local network address" in-interface=LAN src-address=!192.168.88.0/24

Hope this is useful.
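To see how the rule order above plays out, here is a small added Python model of the two chains; it is not RouterOS code and not part of the original post. It re-implements only the matchers the rules use (connection-state, in-interface, address lists, dst-address-type=local, src-address-type=unicast, connection-nat-state) plus the implicit accept RouterOS applies when no rule in a chain matches. The router addresses 192.168.88.1 (LAN) and 1.2.3.4 (WAN) and the remote sources 5.6.7.8 and 10.1.2.3 are constructed placeholders, and address-type is approximated: router addresses count as "local", multicast and the LAN broadcast count as non-unicast.

```python
"""Toy first-match evaluator for the RouterOS input/forward rules shown above.
Added illustration only: it models the matchers those rules use and the
implicit accept at the end of a chain, nothing else of RouterOS."""
import ipaddress

# The NotPublic address list exactly as defined on the page.
NOT_PUBLIC = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]
ADDRESS_LISTS = {"NotPublic": NOT_PUBLIC}
LAN_SUBNET = ipaddress.ip_network("192.168.88.0/24")
# Constructed assumption: the router's own addresses on the LAN and WAN side.
ROUTER_LOCAL = {ipaddress.ip_address("192.168.88.1"), ipaddress.ip_address("1.2.3.4")}

def in_list(addr, networks):
    return any(addr in net for net in networks)

def address_type(addr):
    """Approximation of RouterOS address-type: local, multicast, broadcast or unicast."""
    if addr in ROUTER_LOCAL:
        return "local"
    if addr.is_multicast:
        return "multicast"
    if addr in (ipaddress.ip_address("255.255.255.255"), LAN_SUBNET.broadcast_address):
        return "broadcast"
    return "unicast"

def rule(action, comment, **match):
    return {"action": action, "comment": comment, "match": match}

def packet(in_interface, src, dst, connection_state="new", nat_state=None):
    """A packet as the filter sees it; nat_state is 'dstnat' when a dst-nat rule hit."""
    return {"in_interface": in_interface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "connection_state": connection_state,
            "nat_state": nat_state}

def rule_matches(r, pkt):
    """Every matcher present on the rule must hold; '_not' keys model the '!' negation."""
    m = r["match"]
    checks = (
        ("connection_state", lambda v: pkt["connection_state"] in v),
        ("in_interface", lambda v: pkt["in_interface"] == v),
        ("src_address_list", lambda v: in_list(pkt["src"], ADDRESS_LISTS[v])),
        ("dst_address_list", lambda v: in_list(pkt["dst"], ADDRESS_LISTS[v])),
        ("dst_address_type_not", lambda v: address_type(pkt["dst"]) != v),
        ("src_address_type_not", lambda v: address_type(pkt["src"]) != v),
        ("src_address_not", lambda v: pkt["src"] not in v),
        ("nat_state_not", lambda v: pkt["nat_state"] != v),
    )
    return all(test(m[key]) for key, test in checks if key in m)

# The two chains from the page, in the same order.
INPUT_CHAIN = [
    rule("accept", "Accept established and related packets",
         connection_state={"established", "related"}),
    rule("accept", "Accept all connections from local network", in_interface="LAN"),
    rule("drop", "Drop invalid packets", connection_state={"invalid"}),
    rule("drop", "Drop packets not destined to the router's own address",
         dst_address_type_not="local"),
    rule("drop", "Drop packets without a unicast source address",
         src_address_type_not="unicast"),
    rule("drop", "Drop NotPublic sources arriving on WAN",
         in_interface="WAN", src_address_list="NotPublic"),
]
FORWARD_CHAIN = [
    rule("accept", "Accept established and related packets",
         connection_state={"established", "related"}),
    rule("drop", "Drop invalid packets", connection_state={"invalid"}),
    rule("drop", "Drop new connections from internet which are not dst-natted",
         in_interface="WAN", connection_state={"new"}, nat_state_not="dstnat"),
    rule("drop", "Drop NotPublic sources arriving on WAN",
         in_interface="WAN", src_address_list="NotPublic"),
    rule("drop", "Drop LAN traffic towards NotPublic destinations",
         in_interface="LAN", dst_address_list="NotPublic"),
    rule("drop", "Drop LAN packets not sourced from the LAN subnet",
         in_interface="LAN", src_address_not=LAN_SUBNET),
]

def evaluate(chain, pkt):
    """Return (action, comment) of the first matching rule, else the implicit accept."""
    for r in chain:
        if rule_matches(r, pkt):
            return r["action"], r["comment"]
    return "accept", "implicit accept: no rule matched"

if __name__ == "__main__":
    for name, chain, pkt in (
        ("input", INPUT_CHAIN, packet("WAN", "10.1.2.3", "1.2.3.4")),
        ("input", INPUT_CHAIN, packet("WAN", "10.1.2.3", "1.2.3.4", "established")),
        ("input", INPUT_CHAIN, packet("WAN", "5.6.7.8", "1.2.3.4")),
        ("forward", FORWARD_CHAIN, packet("WAN", "5.6.7.8", "192.168.88.10")),
        ("forward", FORWARD_CHAIN, packet("LAN", "172.16.0.9", "5.6.7.8")),
    ):
        print(name, pkt["in_interface"], pkt["src"], "->", pkt["dst"],
              pkt["connection_state"], evaluate(chain, pkt))
```

Two results are worth noticing. A packet from a NotPublic source that the connection tracker already knows as established is accepted by the first rule before the bogon rule is ever reached, which is how a stateful firewall is meant to work but shows that the tracker's view, not the address alone, decides. And a new connection from a public address to the router's own address matches none of the input rules and falls through to the implicit accept, so any management service listening on the router (SSH, Winbox, the web interface) stays reachable from WAN with this ruleset unless it is restricted separately, for example by limiting the service to the LAN or adding an explicit drop at the end of the input chain.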