Updated: 2025 Nov 29

MikroTik RouterOS RB5009UG+S+IN Firewall Configuration

RouterOS 防火墙配置

配置前须知:

  1. 使用 Safe Mode 配置:终端中按 Ctrl+X 进入(WinBox 中点击 Safe Mode 按钮)。若导入后与路由器失联,Safe Mode 会在会话断开时自动回滚本次改动
  2. 配置前备份当前设置
  3. 根据你的实际网络环境修改内网段(默认 192.168.88.0/24):local_network 地址列表和 /ip service 的 address= 都要同步修改;有多个内网网段时逐一加入 local_network,否则 LAN 反欺骗规则会丢弃未列出的网段
  4. 根据需要调整接口名称(ether1, bridge 等)
# =====================================================
# MikroTik RB5009UG+S+IN 防火墙配置(2025 版)
# 适用于纯 NAT 路由场景 | 导入前请按实际环境逐条核对
# 注意:本文规则是追加式的,不会清除出厂默认防火墙;规则顺序决定效果
# =====================================================

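# ------------------ 1. Interface lists ------------------
# Every later rule keys off these two lists, never off a raw interface name,
# so adapting the config to another box means editing only the two members.
# NOTE: the RB5009 factory default configuration already creates lists named
# WAN and LAN. On a non-blank router the two "add name=" lines will most
# likely fail as duplicates -- skip them (or remove the factory defaults
# first) and keep only the member assignments.
/interface list
add name=WAN comment="WAN interfaces"
add name=LAN comment="LAN interfaces"

/interface list member
# Comments are kept on their own lines: RouterOS /import has historically
# rejected a trailing "#" comment on the same line as a command.
# Adjust to your actual LAN bridge.
add interface=bridge list=LAN
# Adjust to your actual WAN port.
add interface=ether1 list=WAN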

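# ------------------ 2. Address lists ------------------
# local_network  -> LAN anti-spoof (raw), "block direct access to LAN" (raw),
#                   and the FastTrack rule (filter). MUST match your real LAN
#                   subnet(s); add one entry per subnet if you have several,
#                   otherwise the LAN anti-spoof rule drops the missing ones.
/ip firewall address-list
add address=192.168.88.0/24 list=local_network

# bad_ipv4 -> dropped in raw regardless of direction (loopback, IETF/TEST-NETs,
# class E). These never legitimately appear on the wire.
add address=127.0.0.0/8      list=bad_ipv4
add address=192.0.0.0/24     list=bad_ipv4
add address=192.0.2.0/24     list=bad_ipv4
add address=198.51.100.0/24  list=bad_ipv4
add address=203.0.113.0/24   list=bad_ipv4
add address=240.0.0.0/4      list=bad_ipv4

# not_global_ipv4 -> dropped in raw ONLY as a source on WAN (anti-spoof).
# CAVEAT: if your WAN side sits behind an ISP modem (192.168.x / 10.x) or a
# CGNAT address (100.64.0.0/10), the upstream gateway's own packets -- its
# DHCP offers, ICMP errors -- carry such a source and will be dropped.
# Remove the matching prefix from this list before importing in that case.
add address=0.0.0.0/8        list=not_global_ipv4
add address=10.0.0.0/8       list=not_global_ipv4
add address=100.64.0.0/10    list=not_global_ipv4
add address=169.254.0.0/16   list=not_global_ipv4
add address=172.16.0.0/12    list=not_global_ipv4
add address=192.0.0.0/29     list=not_global_ipv4
add address=192.168.0.0/16   list=not_global_ipv4
add address=198.18.0.0/15    list=not_global_ipv4
add address=255.255.255.255/32 list=not_global_ipv4

# Multicast / limited broadcast are never valid as a source; 0.0.0.0/8 and
# multicast are never valid as a unicast destination (raw, any interface).
add address=224.0.0.0/4      list=bad_src_ipv4
add address=255.255.255.255/32 list=bad_src_ipv4
add address=0.0.0.0/8        list=bad_dst_ipv4
add address=224.0.0.0/4      list=bad_dst_ipv4

# no_forward_ipv4 -> link-local, unspecified, multicast and broadcast are
# never routed through the box (filter forward chain).
add address=0.0.0.0/8        list=no_forward_ipv4
add address=169.254.0.0/16   list=no_forward_ipv4
add address=224.0.0.0/4      list=no_forward_ipv4
add address=255.255.255.255/32 list=no_forward_ipv4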

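# ------------------ 3. RAW table (stateless first line of defence) ------------------
# Everything here runs in prerouting, BEFORE connection tracking, so it is
# cheap -- but also stateless: it sees forwarded LAN traffic as well as
# traffic to the router, and a "limit=" bucket is shared by ALL sources,
# it is not a per-source limit.
/ip firewall raw
# DHCP DISCOVER/REQUEST from an unconfigured LAN client (src 0.0.0.0) must be
# accepted before the LAN anti-spoof rule below, which would otherwise drop it.
add action=accept chain=prerouting comment="DHCP discover" \
    src-address=0.0.0.0 dst-address=255.255.255.255 protocol=udp src-port=68 dst-port=67 in-interface-list=LAN

add action=drop chain=prerouting src-address-list=bad_ipv4 comment="drop bogon src"
add action=drop chain=prerouting dst-address-list=bad_ipv4 comment="drop bogon dst"
add action=drop chain=prerouting src-address-list=bad_src_ipv4
add action=drop chain=prerouting dst-address-list=bad_dst_ipv4

# WAN anti-spoof. CAVEAT: behind an ISP modem or CGNAT the upstream gateway's
# own address is in not_global_ipv4 and its DHCP offers / ICMP are dropped
# here -- trim that prefix from the list in section 2 first.
add action=drop chain=prerouting src-address-list=not_global_ipv4 in-interface-list=WAN comment="drop private/spoof from WAN"
# Runs before dst-nat, so port forwards (dst = WAN address) are unaffected.
add action=drop chain=prerouting dst-address-list=local_network in-interface-list=WAN comment="block direct access to LAN"
# Any LAN source outside local_network is dropped: list every LAN subnet.
add action=drop chain=prerouting src-address-list=!local_network in-interface-list=LAN comment="anti-spoof from LAN"

add action=drop chain=prerouting protocol=udp port=0 comment="drop UDP port 0"

add action=jump jump-target=bad_tcp chain=prerouting protocol=tcp comment="TCP 异常标志检查"
add action=jump jump-target=icmp4   chain=prerouting protocol=icmp comment="ICMP 限速"

# raw has no default drop; these explicit accepts just end evaluation early
# for everything that survived the checks above.
add action=accept chain=prerouting in-interface-list=LAN
add action=accept chain=prerouting in-interface-list=WAN
add action=accept chain=prerouting src-address-type=local

# ------------------ bad_tcp: impossible flag combinations ------------------
# Packets that match none of these return to prerouting after the jump.
add action=drop chain=bad_tcp tcp-flags=!fin,!syn,!rst,!ack protocol=tcp comment="NULL scan"
add action=drop chain=bad_tcp tcp-flags=fin,syn protocol=tcp
add action=drop chain=bad_tcp tcp-flags=fin,rst protocol=tcp
add action=drop chain=bad_tcp tcp-flags=fin,!ack protocol=tcp
add action=drop chain=bad_tcp tcp-flags=fin,urg protocol=tcp
add action=drop chain=bad_tcp tcp-flags=syn,rst protocol=tcp
add action=drop chain=bad_tcp tcp-flags=rst,urg protocol=tcp
add action=drop chain=bad_tcp protocol=tcp port=0

# ------------------ icmp4: allow-list + rate limit ------------------
# The original used limit=1,5:packet. Because the bucket is global, that let
# ONE echo per second through for the whole network: a single LAN host
# running ping at its default 1/s starved every other host's diagnostics
# (and echo replies back to the LAN were throttled the same way). Relaxed
# to 5,10:packet, the rate MikroTik's published advanced-firewall example
# uses. Still global -- raise further if many hosts ping concurrently.
add action=accept chain=icmp4 protocol=icmp icmp-options=0:0   limit=5,10:packet comment="echo reply"
add action=accept chain=icmp4 protocol=icmp icmp-options=8:0   limit=5,10:packet comment="echo request"
# Unreachable (incl. 3:4 fragmentation-needed, required for PMTUD) and
# time-exceeded (traceroute) are accepted without a limit.
add action=accept chain=icmp4 protocol=icmp icmp-options=3:0-255 comment="destination unreachable"
add action=accept chain=icmp4 protocol=icmp icmp-options=11:0-255 comment="time exceeded"
add action=drop   chain=icmp4 protocol=icmp comment="drop other ICMP"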

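# ------------------ 4. Filter table ------------------
/ip firewall filter

# ---------- INPUT: traffic addressed to the router itself ----------
# The original opened INPUT with an "anti-scan" rule:
#   drop chain=input connection-state=new in-interface-list=WAN limit=30,5:packet
# RouterOS's limit matcher matches packets that are WITHIN the rate, so that
# rule dropped the first ~30 new WAN connections per second and let the
# excess through -- the opposite of its comment. It is removed: the
# catch-all at the end of INPUT already drops every packet that does not
# arrive on a LAN interface, which is the correct way to make WAN-side
# scans see nothing.

# Ban list first, so a listed source never reaches any accept rule.
# (The list entries expire after 30 days; "permanent" is a label only.)
add action=drop chain=input src-address-list=winbox-blacklist dst-port=8291 protocol=tcp \
    comment="Permanent WinBox ban"

# Three-stage WinBox brute-force detection, WAN sources only.
# add-src-to-address-list is a PASS-THROUGH action: the same packet keeps
# matching the rules after it. The stages are therefore ordered last stage
# first. The original listed them stage1 -> stage2 -> stage3 with no
# interface restriction, so a single new WinBox connection was added to
# stage1, immediately matched the stage2 rule, then the stage3 rule, and the
# source was banned on its very first connection -- including the LAN admin.
# The "limit=" matchers are dropped too: they made the rules fire only for
# packets within the limit, i.e. they whitelisted the flood, not the source.
# Because a dropped SYN is retransmitted and each retransmit is still
# connection-state=new, one WAN attempt normally reaches the ban within the
# 1-minute window; that is harmless here, since WinBox is never accepted
# from WAN and the ban only affects port 8291.
add action=add-src-to-address-list address-list=winbox-blacklist address-list-timeout=30d \
    chain=input dst-port=8291 protocol=tcp connection-state=new in-interface-list=WAN \
    src-address-list=winbox-stage2 comment="WinBox stage3 → 永久封禁"
add action=add-src-to-address-list address-list=winbox-stage2 address-list-timeout=10m \
    chain=input dst-port=8291 protocol=tcp connection-state=new in-interface-list=WAN \
    src-address-list=winbox-stage1 comment="WinBox stage2"
add action=add-src-to-address-list address-list=winbox-stage1 address-list-timeout=1m \
    chain=input dst-port=8291 protocol=tcp connection-state=new in-interface-list=WAN \
    comment="WinBox stage1"

# Core INPUT rules. ICMP is accepted from any interface (so the router answers
# WAN pings); the raw icmp4 chain has already filtered types and rate.
add action=accept chain=input protocol=icmp comment="accept ICMP (already rate-limited in raw)"
add action=accept chain=input connection-state=established,related,untracked

# Management services, LAN only.
# NOTE: the catch-all below drops only NON-LAN sources, so LAN hosts can in
# fact reach every router port (DHCP server, NTP, ...) whether or not it is
# listed here; these four rules document intent rather than enforce it. To
# enforce a LAN allow-list, add accepts for every LAN-facing service
# (e.g. udp 67 for DHCP, and tcp 53 as well if the router resolves DNS for
# the LAN -- truncated/large answers fall back to TCP) and finish INPUT with
# an unconditional "add action=drop chain=input".
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=8291 comment="WinBox"
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=22   comment="SSH (可选)"
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=80,443 comment="WebFig"
add action=accept chain=input in-interface-list=LAN protocol=udp dst-port=53   comment="DNS"

add action=drop chain=input in-interface-list=!LAN comment="drop all other to router"

# ---------- FORWARD: traffic routed through the router ----------
add action=drop chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop new from WAN not DSTNATed"

# FastTrack marks the whole connection, so replies from WAN are offloaded too.
add action=fasttrack-connection chain=forward connection-state=established,related \
    hw-offload=yes src-address-list=local_network out-interface-list=WAN comment="FastTrack"

add action=accept chain=forward connection-state=established,related,untracked
add action=drop   chain=forward connection-state=invalid
add action=drop   chain=forward src-address-list=no_forward_ipv4
add action=drop   chain=forward dst-address-list=no_forward_ipv4

# New connections must be accepted explicitly because of the final drop.
# The original had NO such accept: every LAN-originated connection (and every
# port forward) hit the final drop before it could ever become "established",
# leaving the LAN with no Internet access at all. Least-privilege accept:
# LAN -> WAN only; routed LAN -> LAN traffic (several LAN segments, or a
# bridge with use-ip-firewall=yes) needs its own accept rule here.
add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN \
    comment="allow new LAN -> WAN"
add action=accept chain=forward connection-state=new connection-nat-state=dstnat in-interface-list=WAN \
    comment="allow dst-nat (port forward) from WAN"

add action=drop   chain=forward comment="final drop all remaining forward"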

# ------------------ 5. NAT ------------------
# Source-NAT everything leaving through a WAN interface behind that
# interface's own address (masquerade tracks a dynamic WAN address).
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="masquerade"

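# ------------------ 6. Disable / confine management services ------------------
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Management listeners answer only to the LAN subnet. Keep these in sync
# with the local_network list in section 2 (second copy of the same value).
set winbox address=192.168.88.0/24
set ssh    address=192.168.88.0/24
set www    address=192.168.88.0/24
# www-ssl only serves once a certificate is assigned (certificate=...);
# until then WebFig logins go over plain-HTTP "www" in cleartext on the LAN.
# Install a certificate, then disable "www".
set www-ssl address=192.168.88.0/24 disabled=no

# Layer-2 management paths are NOT covered by the IP firewall above:
# MAC-Telnet / MAC-WinBox and neighbor discovery listen on every interface
# by default, including the WAN port. Confine them to LAN, as the factory
# default configuration does.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool bandwidth-server set enabled=no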

# =====================================================
# 导入完毕。请立即验证:内网能否正常上网、WinBox/SSH 能否从内网连接、
# 从 WAN 侧自测端口扫描应无任何响应;仍处于 Safe Mode 时发现问题可直接回滚。
# 这是一份合理的基线,不是"刀枪不入";后续仍需随固件更新与业务变化复核。
# =====================================================

使用方法

把上面全部内容保存为 ultimate-firewall.rsc,WinBox → Files → 拖进去,然后在终端执行 /import file-name=ultimate-firewall.rsc(.rsc 文件是导入脚本,不是 System → Scripts 里的脚本对象)。导入前先 /export 备份并进入 Safe Mode;导入是追加式的,重复导入会产生重复规则,且出厂默认配置通常已存在 WAN/LAN 接口列表和默认防火墙规则,需先清理或合并。

您现在拥有了一套可作为起点的 MikroTik 防火墙基线;请按实际环境核对地址列表与接口名,并定期随 RouterOS 更新复核规则。祝您网络安全稳定!
