Centralized backup Mikrotik devices using a bash script

Hello everyone, in my first publication on Habre I want to share a ready.made solution for bacaps of Mikrotik devices.

Two types of configuration backups are provided for the microthic, it is binary backup and configuration exports. Binary backup has its advantages and disadvantages. The advantage is that after the restoration of the binary backup, you preserve the whole configuration (with users, passwords imported for users of SSH keyboard); The disadvantage is that such a backup cannot be restored for another type of device.

In general, it is a full.fledged backup, its restoration takes little time and restores the entire configuration. The export of the configuration as a backup method in turn partly smooths out these shortcomings, being a script for a microTist Rebild. The bottom line is that all the settings are displayed that can be exported. The advantage is that you can see and feel what is exported there, and the disadvantages can again be attributed to the fact that this also rests on the model. But a little less. Sometimes the case is in the number of integrates, sometimes something else. Also, not all settings can be exported to the text (users, files on the Physics, SSH-Sloking). In general, as I have taken out for myself, it is absolutely necessary to have both options for myself and preferably regularly and necessarily automatically. I took the idea from Vika Microtics: once and two.

I don’t like the proposed version of backups by mail or ftp that everything is either by mail or by ftp, everything is Plaintext. I also do not like the fact that you need to keep some kind of box or ftp and microics themselves will send. It is more convenient for me to do everything from the server of backups.

In fact, for a backup on SSh hands, just go to a microtics, perform a backup and pick it up. Accordingly, this can be automated.

As you already understood, all this was realized with the help of a regular bash script, then it is a little overgrown with garbage and works quietly. Therefore, I decided to describe it here to get some feedback from those who may be interested.

Executable script

The very first section contains Shebang, checking the configuration file, without indicating which, the script will not be completed. Next, there are default variables, quite laconic, some of which you can reduce in the configuration file of a particular device.

Настройка офисного Mikrotik для начинающих

Next is a line that makes the Source configuration file:

After that there is a section with some variables that are better to set after the configuration file and system utilities are imported, which I look for the reliability through Which:

After that there is a determination of the functions of the script, the description I will give below:

All functions are signed, but I’ll explain a little. FN_CHECK_LOG FN_CHECK_README functions check and create the initial filling of log files.TXT and Readme.TXT

fn_check_directory checks whether the directory has been created for the device that you describe in the directive st_hostname = “” in the config file

FN_Mikrotik_CleanUP performs the DNS cache and the history of teams in the console so as not to pull it into backup and for security purposes.

fn_mikrotik_fixtime an optional thing, which forcibly sets a NTP server for updating time. In this function, you can write anything if you want to constantly do it. You can also not use this function if there is no need.

fn_backup_binary and fn_backup_export make binary and export-backups, respectively. over, it is worth noting that instead of Plaintext, an encrypted export-file is created using Openssl. (Accordingly, you need to have OpenSSL in the system)

fn_backup_retention packs backups older than st_rtn days that you set in the config file if you do not use the standard (30 days). The function puts them in the Archive folder

FN_LOG at the very end of the script creates an entry in the log file.Txt about backup status

Firewall setting in Mikrotik

It became obvious to me that on Mikrotik I need to configure the Firewall to close from such compounds that lead to the brakes in the operation of the router. There is a lot of information on Fiewall in Mikrotik on the Internet, I will not describe this process in detail. You can read in detail about the configuration here or here. I’ll just give my set of rules for a regular home router. This is a minimum set of the rules of Faerwola, nothing superfluous and at the same time complete protection against unnecessary connections. Ether2 here. External Inte Weight, 192.168.one.0/24. My local network, 45000. Port torrent.

We allow the ADD Chain = Input Action = Accept Protocol = ICMP Add Chain = Forward Action = Accept Protocol = ICMP

Here is the screenshot of my rules Firewall. In principle, you can recreate all the rules on your Mikrotik:

NAT Settings in Mikrotik

It is worth it to complete the picture to add a couple more rules in the nat bookmark. The first directly hits the Internet from the locker, the second drops the port of 45000 from the external integration to the torrent rocking chair with address 192.168.one.fifty

Add Chain = Srcnat Action = Masquarade Out-Interface = Ether2 Add Chain = DSTNAT Action = DST-NAT To-DDDRESS = 192.168.one.50 to-ports = 45000 Protocol = TCP in-INTERFACE = Ether2 DST-PORT = 45000

That’s all. The Internet stopped lash. It is worth noting that I banned all incoming connections, except for torrent. That is, I can’t manage my Mikrotik remotely, all the connections are closed by Firewall. I just don’t need it. If you have such a need, do not forget to allow incoming connection to Firewall for Winbox.

And another important remark. I do not recommend configuring Fierwall in Mikrotik, and not only in the microtics remotely. I made a mistake during the configuration and turned off my access to the device. I had to reception and set up it again. Fortunately, this is not long, it did not take much time. But keep it in mind. It is better to make a backup before setting up if you suddenly have to reception 🙂

mikrotik, firewall, configuration, text, form

The article helped? Subscribe to Telegram Author Channel

I recommend useful materials on similar topics:

Through the console


When exporting, a file with the name you set in the command and expansion.RSC appears at the root of the Files section.

Export of a separate section (on the example of the IP Adress section):

Correction of problems when importing or export

He will show where the import of the file stops, you can use the same key to problems with export (the principle is the same, it will show the place at which the export stopped)


You may have a password, if you did not set the password, then it is a package and you just need to press the Enter key.

After the password request dialogue, there will be a dialogue about the reboot in which you need to enter Y, after which there will be a reboot and restoration of the configuration from the selected file.

Mikrotik settings transfer with an error

Very often, the procedure for copying the settings between the two routers Mikrotik downloads without success. An error is displayed or after rebooting the Mikrotik router simply does not work.

In order to find out what kind of error, only the method using the RSC file is suitable. At the moment where the error will occur will stop the execution of the sire.

Frequent errors when copying settings in Mikrotik

  • Different firmware;
  • Mikrotik-1 has a Wi-Fi module at 5GHz, and Mikrotik-2 is absent;
  • Mikrotik-1 has a SFP port, and Mikrotik-2 is absent;
  • A different number of ports.

There are questions or proposals for copying settings in Mikrotik? Actively offer your settings option! Leave a comment →

Комментарии и мнения владельцев on the article “Copy Mikrotik configuration to another router, transferring settings”

The task of the following plan was migration with RB750GR3 on RB3011uias-RM/RB401IGSRM 1. We make a full.fledged backup RB750GR3. 2. We flash RB3011uias-Rm through Netinstall to the latest version of the firmware (the same or more new than on the original device). Practice has shown, if you just upgrade to the desired version. the device does not start after such a backup. After the update through NetinStall, everything works perfectly (I can assume this is due to regional equipment requirements that are introduced into the firmware at the regional level, in this case RU). 3. Pour the backup itself. four. Rule the Inte Weist, Bridge Ports, Firewall, the address of the sheet (if the addresses are assigned to the ports, and not to the bridges), we check the routes just in case. In my case, there was no Ethernet1 port on RB3011UIAS-RM, instead of it sFP1, ​​respectively, according to the numbering, everything shifted to 1 port. 5. To resuscitate the display, it is enough to change the pin code. for each device it took about 20-25 minutes, such a feint turned on 15 devices.

Yes, of course, it was possible to confuse with the script, from there to bend the command of the preservation of the source poppies, to shift everything to 1 port for previously, but I am quite lazy if I do not see the profit in time in this, the configuration of each source device at that time was unique.

Good afternoon! You need to move the settings from Mikrotik RB2011uias-RM to Mikrotik RB4011igsrm. What method for copying settings is better to use? The Internet does not rise through Backup

There is a task to establish the same configuration on 8 routers Mikrotik Hap Mini RB931-2nd.The models are the same, but something begins to happen with the network when several such routers are included

There are 951ui-2nd, I want to change it to 2HND, and it is used in the same office as an access point. How then to throw the settings from 2nd, if poppies are also copied?

This problem is considered in the article. MA and IP addresses should be individual or not intersect within the framework of one network. This should be taken into account when transferring and changed on the final (where you copy) mikrotik.

The answer to your own question: after postponing settings, the Destination-microtics go to Interfaces and click on the Reset Mac button

mikrotik, firewall, configuration, text, form

Without understanding the architecture and principles of work, you can’t just work with microtics. I bought it for a replacement and now I have been changing for 2 weeks, you will not be able to copy the settings 1 to 1

Good afternoon! I decided to update the Mikrotik RB750 equipment on RB750GR3. Faced the problem of transferring settings from Mikrotik RB750 to RB750GR3. I used the Winbox utility to postpone settings. Made a copy on the equipment RB750. He transferred to the RB750GR3 using Winbox, the equipment was discouraged, went into settings on the new RB750GR3, it seems to have copied users and settings. But when I tried to connect via PPPOE to the PC router, but there is no Internet. Please tell me where to look for a problem.

Transferring the settings process is delicate and in practice at different stages part of the settings was not tolerated. You used Backup or RSC? If the latter, then the MAC factory is usually not prescribed in the unloaded configuration.

Using the possibilities of backup and restoration of Mikrotik devices.

The backup reconnaissance function (Backup) can be used to save Mikrotik Routeros settings in a binary file that can be saved on the router or unloaded from it through the FTP protocol for further use. Recovery from the configuration file can be used to return the configuration, which was at the time of the creation of a backup copy. In the recovery procedure, it is assumed that the configuration is restored on the same router where the backup file was originally created (or on another router of the same model and with the same version of Routeros), therefore, when equipment is changed to another, the configuration can be loaded in a partially damaged form.

The export of the configuration can be used to unload the full or partial configuration of the Mikrotik Routeros on the console screen or to the text file (script), which can be downloaded from the router through the FTP protocol. Dump configuration. This is a set of commands that add (without removing the existing configuration) selected to the current router configuration. The configuration imports performs a package of console commands from a script file.

The system reset command is used to remove the entire configuration on the router. Before this, it may be useful to make a backup copy of the router configuration.

Backup of the system

The reconnaissance function of the system allows you to easily save and upload the configuration of the device. You can learn more about the backup function in the corresponding section of the official leadership: https: // wiki.Mikrotik.COM/Wiki/Manual: System/Backup.

The Export team displays a script that can be used to restore configuration. The command can be called at any level of the menu, and it operates for this level of the menu and all the menu subsurbs. The output can be saved in a file available for download via ftp.

Description of the File = [Filename] command. saves the outport of the Export to File Example [admin@mikrotik] IP Address Print Flags: X. Disabled, I. Invalid, d. Dynamic # Address Network BroadFace 0 10.one.0.172/24 10.one.0.0 10.one.0.255 Bridge1 1 10.5.one.1/24 10.5.one.0 10.5.one.255 ether1 [admin@mikrotik] to make an export file: [admin@mikrotik] IP Address Export File = Address [Admin@mikrotik] IP Address to see the router: [Admin@Mikrotik] Creation-Time 0 Address.RSC Script 315 Dec/23/2003 13:21:48 [Admin@mikrotik] Compact export

Starting from the version of Routeros 5.12 EXPORT COMPACT was added. This allows you to export only that part of the configuration that is not the Routeros configuration by default. Note: starting with V6RC1 “Export Compact” is the default behavior. For export in the old style, use detailed export. For example, compact export OSPF: [Admin@SXT-SST]/Routing OSPF Export Compact # Jan/02/1970 20:16:32 By Routeros 5.12 # software # /routing ospf instance set [ find default=yes ] redistribute-connected=as-type-1 /routing ospf interface add disabled=yes interface=wlan1 network-type=point-to-point /routing ospf network add area = Backbone Network = Add Area = Backbone Disabled = Yes Network = Add Area = Backbone Network = 10.ten.ten.0/24 [admin@sxt-st] /routing ospf

Compact export is another function that indicates which part of the configuration is a default configuration in Routeros and cannot be removed. As in the example below, “” indicates that this part of OSPF is part of the default configuration.

[admin@sxt-st] /routing ospf Instance Print Flags: X. Disabled, Default 0 Name = “Default” Router.id = distribute-default=never redistribute-connected=as-type-1 redistribute-static=no redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no metric-default=1 metric-connected=20 metric-static = 20 Metric-Rip = 20 Metric-Bgp = Auto Metric-fast-Sospf = Auto in-Filter = OSPF-in OUT-FILTER = OSPF-OUT

The row.level team /Import [name_fila] performs a script saved in a file with the specified name. Performing this command will add a configuration from the specified file to the current configuration. This file can contain any console commands, including scripts. Can be used to restore the configuration or its parts after loss of configuration.

Description of the team File = [Filename]. Loads an exported configuration from a file to a router automatic import

In Routeros, you can automatically perform scenaries. The script file should be called ANY.Auto.RSC. As soon as this file is uploaded by FTP to the router, it will be automatically executed, like the ‘/Import’ command. This method only works with ftp.

As soon as the file is uploaded, it is automatically executed. Information about the execution of commands is recorded in ANY.Auto.log

Example to download the saved export file, use the following command: [admin@mikrotik] import address.RSC Opening Script File Address.RSC Script File Loaded and Executed Successfully [admin@mikrotik]

Team name: / System Reset-Configuration

This command cleans the entire user configuration on the router and sets the configuration by defending, including the user name and password (“Admin” and without password), IP addresses and other settings are erased, and the integrates are disconnected. After the reset command, the router will reboot. Default. This is either a factory configuration by default, which can be seen in the article “The default configuration” (https: // wiki.Mikrotik.COM/Wiki/Manual: Default_Configurations, or it can be a user configuration by default, which can be installed by integration of the RSC file using NetinStall.

Command Description: Keep-Users: Keeps the router users, passwords and keys of the SSH host (starting with V6.45.1) No-defaults: It does not download any default settings, it simply cleanses everything SKIP-Backup: Automatic backing is not created before reset if the YES Run-After-RESET is indicated: Indicate the export file name for launch after reset after resetting

Note: If the Run-After-RESET parameter is set, the No-defaults parameter will be ignored and only the specified script will be uploaded! Warning: If the device has a folder with the name “Flash”, then the Confscript file.RSC must be stored in this folder so that the Run-After-RESET team worked. Everything that is outside this folder is stored on the RAM disk, the contents of which are removed when the power is reloaded or off. Warning: If Routeros was installed using NetinStall and the script was indicated as the initial configuration, then the reset command will perform this scenario after cleaning the configuration. In order to stop this process, you will have to reinstall Routeros. Example: [admin@mikrotik] System Reset-Configuration Dangerous! Reset Anyway? [Y/N]: N Action cancelled [admin@mikrotik]

How to restore the configuration of a microtic via Winbox.

To restore the configuration of a microtics from a backup, you must also go to the Files menu. In the “File List” window, select a backup copy that you want to use to restore and press the “Restore” button. Restoration translation is recommended to reset all the current settings through the System. Reset Configuration menu.

To save a backup through a team integer, you must enter the command:

where File_Backup is the name of the configuration file.

If you entered everything correctly, then you will receive a message in response:

In order to restore a backup microtics from the terminal, you need to enter the command

where File_Backup is the name of the configuration file.

How to save Mirkotik config in text format. Previous options are not convenient when you need to see the configuration file in the text editor and see the setting. In order to read the confusion file, you must enter the following command in CLI or Terminal:

Where is File_Backup.RSC. configuration file name. Next, you can unload the file-configuration through Winbox-File, as described at the beginning of the article. To restore the configuration file in the terminal, enter the command:

How to make a backup copy of a particular section of a microatist.

To create a backup copy of only a certain section, we go to the section itself via Terminal and add Export File = Name_File:

Only a specific section can be restored by a command:

Add a comment to cancel the answer

This site uses Akismet to combat spam. Find out how your Комментарии и мнения владельцев are processed.

Key combinations and functional keys

Moving the cursor

In the Mikrotik Routeros console, you can move the cursor in the following ways within the line:

  • Control- \-breaking the line into two separate lines at the location of the cursor with the subsequent display of the second of two lines.
  • Controlb or ←. moving the cursor to one sign back.
  • Controlf or →. moving the cursor one sign forward.
  • Controla or Home key. moving the cursor at the beginning of the line.
  • CONTROLE or END key. moving the cursor to the end of the line.

Manipulations with text

In the command line of Mikrotik Routeros, manipulations with the text can be performed in the following ways:

  • Ctrlc. copy the selected text.
  • Ctrlv. insert the selected text.
  • Ctrlk. delete all signs, starting from the sign on which the cursor is located, and to the end of the line.
  • Ctrlu. remove all signs from the beginning of the line to the sign on which the cursor is located, not counting this sign itself.
  • Delete. delete the sign on which the cursor is located.
  • Ctrlh or Backspace key. delete a sign in front of the cursor and move the cursor to one sign.

Other key combinations

The following are the other capabilities of the Mikrotik console, which were not listed earlier:

  • Ctrlc. interrupt the command.
  • Ctrld. complete the session and leave the console (the input field should be empty).
  • Ctrll or F5. Clean the screen.
  • Ctrlr or F3. Search on the history of entered commands.
  • CTRLX or F4. activation/deactivation of a safe mode.
  • Ctrlp or. moving back on the history of teams.
  • Ctrln or. moving forward on the history of the teams.

Functional keys

  • F1. contextually oriented assistance.
  • F2. not used.
  • F3. Search for the history of entered commands.
  • F4. activation/deactivation of a safe mode.
  • F5. Clean the screen.
  • F6. switching between windows in Winbox.
  • F7. activation/deactivation of the Hot Lock mode.
  • F8. F12. are not used.

Acceleration of commands input

In the Routeros console, you can accelerate the introduction of commands after a unique combination of symbols is introduced, which will uniquely identify the command in the current section. To accelerate the input of commands, you can use:

Below we will analyze these methods in more detail.

Key [Tab]

This option has already versed in this article earlier, but in a slightly different context.

In fact, the following sequence of the IP/F [Tab] F [Tab] commands was introduced. T.e. In total, seven keystrokes were made. The rest was automatically substituted.

Reducing the name of the path

  • We are in the root of the console, entered S and pressed the Enter key.
  • The system gave an error, t.to. From the letter S, more than one name or command (SNMP, Special-Login, System) begins.
  • We entered SN and pressed the Enter key.
  • We find ourselves in the /SNMP section because the combination of symbols “SN” is unique and only the name of the System section begins with it.
  • We are in the root of the console, entered the IP/Fi/FI and pressed the Enter key.
  • We find ourselves in the/IP/Firewall/Filter section because “IP” is the full name of the invested section that is available from the root; The first “FI” is a unique part, which is only in the name “Firewall”, which is available in section /IP. And the second “FI” is a unique part, which is only in the “Filter” section, which is available in the /IP /Firewall section.

The above example is similar to the previous one, but the difference is that instead of IP/Fi/FI, we indicated an even shorter option IP/F/F and the system successfully accepted it. The logic of acceptance is the same as in the previous version.

Reducing teams

Using the unique part of the team can be used not only to reduce the name of the path, but also to reduce commands. Instead of [admin@mikrotik] ping Count 3 Size 100 can be specified [admin@mikrotik] Pi 10.1 C 3 Si 100.

mikrotik, firewall, configuration, text, form

Hot Lock mode

Using the F7 key in the Mikrotik Routeros console, the Hot Lock mode is activated in which the commands are automatically supplemented to complete spelling as soon as a unique set of characters is introduced, which will uniquely identify this command.

  • We pressed the F7 key and then the Enter key.
  • The console went into the Hot Lock mode. This is evidenced by the change in if you focus on the visual issue, it may seem that IP/Firewall/Filter has been introduced. In fact, only the following IP/FF characters were introduced. And everything else was automatically substituted.

In the above example, we indicated IP/fi. And in the end, an undesirable result was obtained. FI characters are unique for the Firewall path in section /IP. But the shortest unique part is the very first symbol f. Therefore, as soon as this symbol was introduced by the issuance of the console was automatically supplemented to IP/ Firewall/ and after that symbol I was added. And in the section /IP /Firewall there is nothing that would begin on the symbol I. That is why in practice the Hot Lock mode is rarely used due to the fact that for its use you need to confidently know the unique parts of all teams.


I characterize this category of pseudo.line buildings: “This article on the Internet looks smart. I also want to introduce this to myself “. Administrators take some settings and absolutely not understanding what it is, why is it and what it is eaten by copying settings to themselves. The following miracle settings are most often found.


This setting is in the top in popularity among all kinds of pseudoscience of the firewall. It looks as follows: first, a list of addresses with the name “Bogon” is made and after that in Fayervol this very “Bogon” is prohibited for an incoming integration.

Through the console it looks something like this:

Delassment of the myth

First of all, we will decide what “Bogon” is. Bogon is an IP address that should not be found in Internet routing tables. This term describes private and reserved addresses of addresses. The list of these networks is described in RFC 1918, RFC 5735 and RFC 6598. Please note that we are talking about tables of routing devices for Internet providers, and not about all the routing tables in a row. Such addresses can often be used for DDOS attacks as an IP address of the source. In addition to just Bogon, there is also Fullbogon about which for some reason they forget.

Such networks have one very important nuance that I have never met yet to take into account: neither Bogon nor Fullbogon lists are static. The ranges of IP addresses can both be added and remove from these lists. Therefore, BOGON-list-relevant Bogon registrations today may turn out to be irrelevant tomorrow and the firewall will begin to block legitimate traffic.

Here I like to ask a question. Why did you decide to block the network, but at the same time did not block 192.0. 3.0/24 or 192.0. four.0/24 or 192.0. 5.0/24? This question usually cannot answer. knowledgeable refer to RFC1166 which states that the network is is reserved for “Test-Net-1”, which can be used in the documentation or in examples. To the oncoming question: “What does not suit a normally closed firewall?”As a rule, they can no longer answer, t. to. A normal closed firewall is most likely already used and with this question comes the understanding that such a rule is “oil oil”.

Move on. Suppose we somehow received the dynamic Bogon and FullBogon lists that will always be in the current state. Maybe then the blocking of these very gods will make sense? Perhaps then it will have, but it is much easier to configure the firewall correctly so that it is not required to create additional rules. To do this, it is enough for us to configure the firewall in normal closed mode and block the Invalid traffic.

The rule that blocks invalid traffic must be the second immediately behind the rule that Established and Related traffic permissions. If you do, for example, like this:

then we risk obtaining vulnerability in the form of an opportunity to send an illegitimate ICMP traffic to us. And this will happen as follows:

  • The first malicious package in which the address will be indicated as source from any network in T. h. and from Bogon, will be processed on the second rule that ICMP traffic allows. In simple language: someone will send supposedly the answer to Ping questions that were not actually sent.
  • All further packages will be processed by the very first rule that ESTABLISHED RELATED traffic permits.
  • The rule that blocks invalid traffic will not reach. Namely, it would have to stop the attack regardless of where the attack from the Bogon network or from some other.


In order not to get problems with Bogon networks, just configure the firewall in normal closed mode. At the same time, in setting up a Bogon network, they may not directly participate in any way.

Blocking TCP connections via flags

This pseudo.building has many different variations. In general terms, she looks like an attempt to block something on the basis of the TCP connection flag using the TCP-Flag option. This pseudo.building Firewall on Mikrotik has many different variations. Usually they are united by the fact that there are several rules in which something in a likeness will certainly meet:

Dummies’ rules

For the most part, these rules are reduced to one thing: resolving what is not prohibited.

This category of pseudo.line.ups does nothing but meaningless consumption of router resources. It all looks something like this:

Delassment of the myth

With a package that enters the firewall with such a set of rules, one of two:

  • The package falls under one of the rules and is permitted.
  • The package does not fall under the action of any of the rules and since there is no prohibiting rule, the package is permitted.

T. e. In any case, the package is permitted.

mikrotik, firewall, configuration, text, form


I recommend making a firewall normally closed. T. e. Depending on the specific configuration at the end, there should be a rule prohibiting everything that is not separately allowed. You can’t use a normally open firewall, t. to. In this case, the device is vulnerable.

Examples of devices protection

Example #1. A classic example of home router protection. The router will be allowed all traffic for the router and devices in the local network of the Internet that are going through this router, except for incoming traffic, not related to Established and Related. This means that if a router or device on a local network has installed a connection with a resource on the Internet, for example, go to the search engine site, then the retaliatory traffic from the server will be allowed, and the rest of the traffic will be blocked from the Internet.

It is necessary to create two rules, the first for the input chain. Second for Forward chain. t.to. The first chain means traffic that does not meditate on this device, the second chain means traffic passing through the router. On the General tab in the Chain Field (chain), indicate Input (incoming traffic), in the in.Interface field we select the integration of the provider’s wire, in the Connection State section, select Established. Related and in the square at the beginning of the field we put an exclamation mark by pressing it, this means logical, the record will be read like packages not established and not retaled. In other words, everything except the chosen.

On the Action tab in the Action field, select Drop.

We create the same rule for the Forward chain. In order not to fill all the fields again, we press twice on the created rule, in the window opened, click the Copy button. In the new window opened in the Chain field, we change Input to Forward. Press the OK buttons in both windows. Two prohibitory rules will appear in the Filter Rules list.

On the command line the rules will look like this:

06 Mikrotik Firewall full Course | Security of input,output,forward rules Setup With MikroTik

Example #2. We have Firewall as in example #1, but we need the device to be available on the ICMP protocol (we can check the availability of the device using the Ping command) from the Ping).

Our Firewall works according to the scheme, everything is allowed except what is prohibited, then from the local network access to the device is not limited, and from the external network, access limits the rules from example #1. In order to realize access to the device from the Internet, all the rules related to this should be located above the prohibitory in the list of rules.

We create a new rule for the Input chain. t.to. In this case, access is allowed to this device (router), in the Protocol field we exhibit ICMP. In the field in. Interface selects an integration to which the provider’s wire is connected.

Adding the rule from the command line will look like this:

After pressing the OK button, the rule will be added to the very bottom of the table, drag it above the prohibiting rules by capturing the mouse.

Example #3. Firewall is configured as in the examples #1 and #2. It is necessary to resolve the access of RDP (port 3389) to one of the computers in the local network from a certain (trusted) IP address, NAT setting up, we consider only filtering.

As in the previous example, the resolving rule should be located above the prohibiting due to the fact that prohibiting rules block access from the external network.

We create a new rule for the Forward chain. t.to. The device is located behind the router, in the SRC field. Address make an IP address from which access is allowed, in the Protocol field we set 6 (TCP). In the DST field. Port We write 3389 (RDP port by default) in the field in the field. Interface selects an integration to which the provider’s wire is connected.

On the Action tab, select Accept. click OK and move the rule above prohibiting.

I remind you that here we are considering only the filtering of traffic, NAT settings are lowered.

In the command line, the addition of the rule will look as follows:

Example #4. It is necessary to configure Firewall according to the #2 scheme (everything that is not allowed is prohibited), while it is necessary that the traffic of the local network from the router and vice versa would go, access to the router from outside of certain IPs and the Internet was access only from certain IP addresses of the local network.

In order to prohibit all the traffic in Firewall to the end of the list of rules, you need to add three prohibiting rules for three standard chains: Input. Output and Forward. But! Before adding them, you need to take care of the permissive rules in order not to at least lose access to the device.

  • We allow access to the router for the local network and back. Let our local network have addressing Local networks are combined into Bridge.local-Net Bridge. IP addresser address We create two resolving rules for incoming and outgoing traffic. and
  • We allow access to the router from the external network for several IP. We have several IP addresses, which we trust completely (work, cottage, weifika from your beloved girl) and from these IP addresses we want to have access to our device. We create a list with such IP addresses in IP. Firewall. Address Lists calling him Whitelist. Create two resolving rules for Input and output chains. Accordingly, indicating for each chain as an incoming and outgoing integration one to which the provider’s wire is connected. On the General tab, we only set the type of chain and incoming/outgoing intenses. On the Advanced tab in the SRC field. Address List select the previously created list of IP addresses Whitelist. The reverse rule is created similarly. Commands to add rules from the terminal:


If problems arise, any of the rules can be sent to LOG, for this, the rules on the Action tab include logging and in the Log Prefix field we add an explanation to simplify the search in logs.

In the LOG section, when working out the rules, there will be approximately the following records:

After debugging, do not forget to disconnect the logistics in the rules.

If you look at the passage scheme of the package, then we see that the incoming package first of all gets into the RAW PREROUTIG block. And at the exit to Raw Output. This is the first wall of Firewall, the first thing the package is checked here, then goes to further processing and gets to the Filter section. It turns out that by processing the package in the RAW table we will spend less than the computing power of the device, this may have a significant advantage if, for example, it is necessary to close from DDOS attacks, the packages will be eliminated at the entrance itself.

Setting up the rules in the RAW table is similar to setting in the Filter section, the only differences are that the package has not yet passed the processing in the Connection Tracking, so the capabilities for filtering are less. In the Chain section there are only two types of chains of Prerouting and Output. The first is the package that has come to the Inte Weeis, the second package sent from the Inte Wee, type (Connection stat) and marking of the package at this stage are not available.