# =====================================================
# MikroTik RB5009 - 安全加固防火墙完整配置 (2025版)
# =====================================================
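# ------------------ 0. Interface lists ------------------
# Each list / member is created only if it does not already exist, so the file
# can be re-imported: a plain "add" of an existing list fails and a failing line
# aborts the rest of the /import.
# NOTE: the member lines assume the interfaces "bridge", "ether1" and "zerotier1"
# already exist (ZeroTier is configured elsewhere); an unknown interface name
# makes that line fail.
:if ([:len [/interface list find name=WAN]] = 0) do={ /interface list add name=WAN }
:if ([:len [/interface list find name=LAN]] = 0) do={ /interface list add name=LAN }
:if ([:len [/interface list find name=VPN]] = 0) do={ /interface list add name=VPN }
# TRUSTED = LAN + VPN; the input chain uses it for management access (WinBox/SSH/DNS).
:if ([:len [/interface list find name=TRUSTED]] = 0) do={ /interface list add name=TRUSTED }
# Interface list members
:if ([:len [/interface list member find interface=bridge list=LAN]] = 0) do={ /interface list member add interface=bridge list=LAN }
:if ([:len [/interface list member find interface=bridge list=TRUSTED]] = 0) do={ /interface list member add interface=bridge list=TRUSTED }
:if ([:len [/interface list member find interface=ether1 list=WAN]] = 0) do={ /interface list member add interface=ether1 list=WAN }
:if ([:len [/interface list member find interface=zerotier1 list=VPN]] = 0) do={ /interface list member add interface=zerotier1 list=VPN }
:if ([:len [/interface list member find interface=zerotier1 list=TRUSTED]] = 0) do={ /interface list member add interface=zerotier1 list=TRUSTED }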
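# ------------------ 1. Address lists ------------------
/ip firewall address-list
# Local subnets - MUST be adjusted to your deployment. Used by the raw chain
# ("Drop WAN to local_network") and by the hairpin NAT rule, so a wrong entry
# here silently changes what is protected / masqueraded.
add address=10.10.10.0/24 list=local_network comment="LAN Subnet"
add address=10.24.152.0/24 list=local_network comment="ZeroTier Subnet"
# bad_ipv4: ranges that must never appear as a source on the WAN side
# (RFC 6890 special-purpose registry plus the usual bogon set). Private/CGNAT
# space is deliberately kept in a separate list because it may legitimately
# appear on the WAN side behind an ISP modem.
add address=0.0.0.0/8 list=bad_ipv4 comment="This Network"
add address=127.0.0.0/8 list=bad_ipv4 comment="Loopback"
add address=169.254.0.0/16 list=bad_ipv4 comment="Link-local (APIPA)"
add address=192.0.0.0/24 list=bad_ipv4 comment="IETF Protocol Assignments (RFC 6890)"
add address=192.0.2.0/24 list=bad_ipv4 comment="TEST-NET-1"
add address=198.51.100.0/24 list=bad_ipv4 comment="TEST-NET-2"
add address=203.0.113.0/24 list=bad_ipv4 comment="TEST-NET-3"
# Benchmarking range (RFC 2544 / RFC 6890). Listed in every public bogon list;
# a few ISP/CGNAT deployments use it internally - remove this entry if
# RAW-BOGON log lines show 198.18-19.x.x sources from your upstream.
add address=198.18.0.0/15 list=bad_ipv4 comment="Benchmarking (RFC 2544)"
add address=224.0.0.0/4 list=bad_ipv4 comment="Multicast"
add address=240.0.0.0/4 list=bad_ipv4 comment="Reserved for Future Use"
add address=255.255.255.255/32 list=bad_ipv4 comment="Limited Broadcast"
# private_ipv4: RFC1918 + CGNAT. Only referenced by the optional WAN
# anti-spoofing rule in the raw chain.
add address=10.0.0.0/8 list=private_ipv4 comment="RFC1918 Private"
add address=172.16.0.0/12 list=private_ipv4 comment="RFC1918 Private"
add address=192.168.0.0/16 list=private_ipv4 comment="RFC1918 Private"
add address=100.64.0.0/10 list=private_ipv4 comment="CGNAT-anti-spoofing"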
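# ------------------ 2. RAW table (first line of defence, evaluated before conntrack) ------------------
# Rule order is significant: "accept" in raw only ends raw processing, the
# packet still goes through the filter table.
/ip firewall raw
# LAN-side DHCP discover. Kept first, as in the RouterOS default configuration,
# so no later raw rule can interfere with LAN DHCP.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN \
protocol=udp src-address=0.0.0.0 src-port=68
# Drop bogon sources arriving on WAN. log=yes can be noisy on a busy uplink;
# switch to log=no if the RAW-BOGON prefix floods /log.
add action=drop chain=prerouting comment="Drop Bogon from WAN" in-interface-list=WAN src-address-list=bad_ipv4 log=yes log-prefix="RAW-BOGON"
# WAN anti-spoofing: RFC1918/CGNAT sources must not arrive from the Internet.
# If your WAN is an ISP modem that hands the router a private address, set
# disabled=yes on this rule - it would otherwise drop the modem's own traffic
# (e.g. DHCP renewals) and break the uplink.
# Do NOT "comment out" a rule by prefixing it with ";": in RouterOS scripting
# ";" is a command separator, not a comment marker, so the line still executes.
add action=drop chain=prerouting comment="Drop Private SRC from WAN (Anti-Spoof)" in-interface-list=WAN src-address-list=private_ipv4
# Local subnets are never a valid destination straight from WAN. Evaluated
# before dst-nat, so port-forwards (which still carry the WAN address here)
# are unaffected.
add action=drop chain=prerouting comment="Drop WAN to local_network" dst-address-list=local_network in-interface-list=WAN
# TCP flag sanity (all interfaces)
add action=jump chain=prerouting comment="Check Bad TCP flags" jump-target=bad_tcp protocol=tcp
# ICMP policy (all interfaces)
add action=jump chain=prerouting comment="Check ICMP" jump-target=icmp4 protocol=icmp
# Port 0 is never valid for TCP/UDP; "port=" matches source or destination.
add action=drop chain=prerouting comment="Drop UDP port 0" port=0 protocol=udp
add action=drop chain=prerouting comment="Drop TCP port 0" port=0 protocol=tcp
# --- chain bad_tcp: drop impossible flag combinations used by scanners ---
add action=drop chain=bad_tcp comment="NULL flags" tcp-flags=!fin,!syn,!rst,!ack,!psh,!urg,!ece,!cwr protocol=tcp
add action=drop chain=bad_tcp comment="XMAS" tcp-flags=fin,psh,urg protocol=tcp
add action=drop chain=bad_tcp comment="FIN+SYN" tcp-flags=fin,syn protocol=tcp
add action=drop chain=bad_tcp comment="SYN+RST" tcp-flags=syn,rst protocol=tcp
add action=drop chain=bad_tcp comment="FIN+RST" tcp-flags=fin,rst protocol=tcp
add action=drop chain=bad_tcp comment="FIN without ACK" tcp-flags=fin,!ack protocol=tcp
add action=return chain=bad_tcp comment="Accept valid TCP flags"
# --- chain icmp4: allow-list of ICMP types, everything else dropped ---
# The rate limits are global: LAN and WAN echo traffic share one 10 pkt/s,
# burst 10 budget, so heavy pinging from one side starves the other. Type 3
# (including code 4 "fragmentation needed", needed for PMTUD) and type 11
# (traceroute) are not rate limited.
add action=accept chain=icmp4 comment="Echo Reply (rate limit)" icmp-options=0:0 limit=10,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Request (rate limit)" icmp-options=8:0 limit=10,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Dest Unreachable" icmp-options=3:0-255 protocol=icmp
add action=accept chain=icmp4 comment="Time Exceeded" icmp-options=11:0-255 protocol=icmp
add action=accept chain=icmp4 comment="Parameter Problem" icmp-options=12:0 protocol=icmp
# Final drop for the chain. Every packet is accepted or dropped by now, so no
# trailing "return" rule is needed (it would never be reached).
add action=drop chain=icmp4 comment="Drop other ICMP" protocol=icmp log=yes log-prefix="RAW-ICMP-DROP"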
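# ------------------ 3. Filter table ------------------
/ip firewall filter
# FastTrack (performance-critical on the RB5009). Fasttracked packets bypass the
# remaining filter rules, which is why only established/related connections
# qualify. hw-offload=yes is a RouterOS 7 parameter; if your version rejects
# it, remove the parameter - the rule then works in software.
add action=fasttrack-connection chain=forward comment="FastTrack" connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Accept Est/Rel/Untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept Est/Rel/Untracked" connection-state=established,related,untracked
# Drop invalid
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
# Input chain - protects the router itself. Everything from here on is NEW
# traffic only.
# Rate-limited ICMP from any interface (WAN included).
add action=accept chain=input comment="ICMP (limited)" protocol=icmp limit=10,10:packet
# Management only from TRUSTED (= LAN + VPN). Ports must stay in sync with
# /ip service (SSH is on 2200 there as well).
add action=accept chain=input comment="WinBox from TRUSTED" dst-port=8291 in-interface-list=TRUSTED protocol=tcp
add action=accept chain=input comment="SSH from TRUSTED (port 2200)" dst-port=2200 in-interface-list=TRUSTED protocol=tcp
add action=accept chain=input comment="DNS UDP from TRUSTED" dst-port=53 in-interface-list=TRUSTED protocol=udp
add action=accept chain=input comment="DNS TCP from TRUSTED" dst-port=53 in-interface-list=TRUSTED protocol=tcp
# NOTE(review): this rule grants ZeroTier peers access to EVERY router service,
# which makes the TRUSTED rules above redundant for the VPN and widens the
# attack surface if a ZeroTier member is compromised. Consider removing it
# (TRUSTED already allows WinBox/SSH/DNS) or restricting it to named ports.
add action=accept chain=input comment="Allow all from VPN interface (ZeroTier)" in-interface-list=VPN
# NOTE(review): nothing here accepts DHCP (udp/67) or NTP from LAN. If the
# router is the LAN DHCP/NTP server, verify both still work after import
# (whether RouterOS's DHCP server is subject to filter rules depends on the
# version - confirm on yours before relying on it).
add action=drop chain=input comment="Drop all other input" log=yes log-prefix="INPUT-DROP"
# Forward chain - protects the LAN.
# The bogon drops are placed before the LAN -> WAN accept so that a LAN host
# sending to a bogon destination is rejected instead of being accepted by the
# LAN -> WAN rule first.
add action=drop chain=forward comment="Drop Bogon src in forward" src-address-list=bad_ipv4
add action=drop chain=forward comment="Drop Bogon dst in forward" dst-address-list=bad_ipv4
add action=accept chain=forward comment="LAN → WAN new connections" connection-state=new in-interface-list=LAN out-interface-list=WAN
# VPN -> LAN is allowed on all ports. LAN -> VPN new connections are NOT allowed
# by any rule and end in the final drop; add an explicit rule if LAN hosts must
# initiate connections to ZeroTier peers.
add action=accept chain=forward comment="VPN → LAN" in-interface-list=VPN out-interface-list=LAN
# Only dst-natted (port-forwarded) connections may enter from WAN; this config
# defines no dstnat rules, so today nothing new from WAN is forwarded.
add action=drop chain=forward comment="Drop new from WAN if not DSTNAT" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="WAN-NEW-DROP"
add action=drop chain=forward comment="Final drop forward" log=yes log-prefix="FWD-DROP"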
# ------------------ 4. NAT ------------------
/ip firewall nat
# Rule order matters: the hairpin rule must be evaluated before the generic
# WAN masquerade, and the WAN masquerade must stay the last srcnat rule.
# Hairpin NAT: local -> local traffic that leaves through the bridge gets the
# router's address as source, so the LAN server replies via the router instead
# of directly to the client (required for LAN clients that use a port-forwarded
# public address).
# NOTE(review): this config defines no dstnat rules, so in practice the rule
# mainly rewrites ZeroTier -> LAN traffic (10.24.152.x -> 10.10.10.x leaving via
# the bridge): LAN hosts then see the router's bridge address, not the real VPN
# client, which hides the VPN source from host logs and host firewalls. If that
# is not intended, restrict the rule to traffic entering from LAN
# (in-interface-list=LAN).
add chain=srcnat action=masquerade comment="Universal Hairpin NAT" out-interface-list=LAN src-address-list=local_network dst-address-list=local_network
# Default Internet masquerade for everything leaving via WAN - keep LAST.
add chain=srcnat action=masquerade comment="Internet Masquerade (default)" out-interface-list=WAN
# ------------------ 5. Service hardening ------------------
/ip service
# Clear-text and unused management services are switched off entirely.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# WinBox and SSH are bound to the LAN and ZeroTier subnets. This is a second,
# independent layer on top of the input-chain rules; both layers must agree on
# subnets and ports (SSH is moved to 2200 here and matched on 2200 in the filter).
set winbox address=10.10.10.0/24,10.24.152.0/24
set ssh address=10.10.10.0/24,10.24.152.0/24 port=2200
# SSH daemon: strong ciphers/MACs only and no TCP forwarding through the router.
/ip ssh
set strong-crypto=yes forwarding-enabled=no
# Not covered by this file: /tool mac-server, /tool mac-server mac-winbox
# (MAC-layer management access; check their allowed-interface-list) and
# /tool bandwidth-server - review those as well.
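# ------------------ 6. IPv6 ------------------
# IPv6 is disabled because this file contains no /ipv6 firewall at all.
# If you need IPv6, remove the "set" line below AND add an /ipv6 firewall
# filter first - with IPv6 on and no filter, LAN hosts with global addresses
# could be reachable from the Internet.
# The explanation is kept on its own line on purpose: do not append "# ..."
# after a command, RouterOS may treat the text as part of the command.
/ipv6 settings
set disable-ipv6=yes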
# ------------------ 7. Other recommended settings ------------------
# Neighbor discovery (MNDP/CDP/LLDP) announcements only on the LAN, never on WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# SIP conntrack helper off (smaller attack surface; VoIP behind NAT may need it).
/ip firewall service-port
set sip disabled=yes
# DNS: the router resolves for its clients (allow-remote-requests=yes). It is
# not an open resolver only because the input chain accepts port 53 from
# TRUSTED alone - keep those filter rules if you change the firewall.
# DoH with certificate verification: the CA that issued the cloudflare-dns.com
# certificate must be imported into /certificate, otherwise lookups fail. The
# plain servers are still needed to resolve the DoH host name; whether they are
# also used as fallback depends on the RouterOS version - check the docs for yours.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes \
cache-size=4096KiB
# ==================== 配置结束 ====================
# After import: a reboot is not required, firewall rules take effect immediately.
# When importing over a remote session, enter safe mode (Ctrl-X in the console)
# or keep a second console open so a mistake cannot lock you out.
# Then verify: /ip firewall filter print stats   and   /log print where topics~"firewall"