How to Configure the Firewall on a MikroTik Router — A Complete Guide


Part 1: Understanding Basic Firewall Workflow in MikroTik

Accessing the Firewall

From the management interface (e.g., Winbox), navigate to IP → Firewall, which opens the Firewall settings window.

Image Placeholder 1: MikroTik Firewall main interface (IP → Firewall)

OSI Layer-Based Filtering

The MikroTik firewall can match traffic at several OSI layers, from Layer 2 (MAC-address matching) up to Layer 7 (content matching). Higher layers give more granular control; Layer 7 matchers inspect packet payload, which makes content-based rules possible.


Part 2: Working with Filter Rules

Creating and Ordering Rules

In the Filter Rules tab, click “+” to define a new rule. Rules are evaluated top to bottom and the first rule whose conditions match is applied, so order matters. Each rule follows If (conditions) → Then (action) logic. A sound ordering is:

  1. Specify precise “allow” rules first.

  2. Add any “deny” rules (e.g., drop specific traffic).

  3. Finish with general rules (e.g., allow all or deny all).

Rule Components

  • General, Advanced, Extra tabs define the conditions.

  • Action tab specifies what happens when conditions match (e.g., accept, drop).

Chains Explained

Rules belong to one of three built-in chains (custom chains can also be created and reached with the jump action):

  • Input: Matches traffic destined for the router itself.

  • Forward: Handles traffic passing through the router.

  • Output: Applies to traffic originating from the router.


Part 3: Practical Scenario — Blocking Ping (ICMP) to the Router

To prevent clients from pinging the router:

  • Chain: Input

  • Src.Address: 192.168.100.0/24 (your LAN network)

  • Protocol: ICMP

  • Action: drop

This rule drops any ICMP traffic from the specified LAN to the router.

Optionally, instead of dropping, you can set the action to reject and choose a reject-with message (e.g., "ICMP host unreachable") to inform the sender. Note that drop is silent, while reject sends a response and so confirms to the sender that a host is there.


Part 4: Conditional Rules Using Source IP Negation

To apply a rule to all clients except a specific IP:

  • Enter the IP in Src.Address.

  • Tick the small checkbox next to it—this applies a negation (!), so the rule matches any source address except that IP.

This allows targeted exclusions, such as permitting one trusted system while blocking others.
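The ICMP rule from Part 3 and the negation from Part 4, expressed as RouterOS terminal commands and ordered as Part 2 recommends. This is an added example, not from the original guide; it assumes the LAN is 192.168.100.0/24 (as in the guide) and uses a hypothetical trusted host 192.168.100.10 that should keep ping access.

```routeros
# Added example (not part of the original guide).
# Assumptions: LAN = 192.168.100.0/24 (from the guide); 192.168.100.10 is a
# hypothetical trusted admin host that may still ping the router.

# An address list lets the drop rule be scoped to the LAN while a second
# matcher (src-address=!x) carries the Part 4 negation.
/ip firewall address-list
add list=lan address=192.168.100.0/24 comment="LAN clients"

/ip firewall filter

# 1. Precise "allow" rules first: keep replies to the router's own
#    connections, and explicitly allow the trusted host to ping.
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input src-address=192.168.100.10 protocol=icmp action=accept comment="trusted host may ping router"

# 2. The deny rule from Part 3, with the Part 4 negation: drop ICMP from
#    every LAN source except the trusted host. Both matchers must hold
#    (AND), so WAN-side traffic is not affected by this rule.
add chain=input src-address-list=lan src-address=!192.168.100.10 protocol=icmp action=drop comment="drop ICMP from LAN to router"

# Alternative to the rule above: reject with an ICMP message instead of
# silently dropping. Added disabled so only one of the two is active.
add chain=input src-address-list=lan src-address=!192.168.100.10 protocol=icmp action=reject reject-with=icmp-host-unreachable disabled=yes comment="reject variant (disabled)"

# 3. General rule last: anything else reaching the router is dropped.
#    Make sure a management rule (e.g. Winbox/SSH from the LAN) sits
#    above this line before enabling it, or you lock yourself out.
add chain=input action=drop comment="drop everything else to router"

# Verify order and watch the packet/byte counters while testing from a client.
/ip firewall filter print stats
```

The counters on `print stats` should increase on the trusted-host accept rule when pinging from 192.168.100.10 and on the LAN drop rule when pinging from any other LAN host.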