MikroTik Firewall Connection States

In this LAB, I will show you how you can secure your MikroTik router using the connections states. At this moment, I am on the LAB scenario where R1 is connected to the internet and sharing internet to my PC.

What are the connection states? There are 5 different connection states in the MikroTik firewall that you can use.

Those connection states are:

  • New
  • Established
  • Related
  • Invalid
  • Untracked

The most important ones are the first 4.

Let’s speak about each one of them:

[mepr-show rules=”319″ unauth=”message”]

  • New – The 1st packet observed by the Firewall will be New. The Firewall will check the packet and if allowed then the next packet going to the other direction of that stream will create an Established connection
  • Established – a stream of packets that successfully has passed both directions of the firewall. Established packets will not be evaluated by the firewall.
  • Related – they are not considered part of the connection itself but related to it.
  • Invalid – Packets arrived out-of-order to the router or with invalid sequence number. Advise to drop them always.
  • Untracked – A packet that was set to bypass connection tracking in the Firewall RAW table.

To make it clearer to you, let’s check this illustration:

Here you can see that the 1st packet seen by the firewall has a new state. Established comes always after new, and that’s when there was a reply to the host initiating the 1st connection.

In the 2nd line you see the black rectangle, that’s invalid connection coming out of order. This should always be dropped.

In the 3rd line you can see that on the 3rd packet, there is a related connection. Related is not part of the main stream, but it is related to it. Think like when you open Facebook website and then you see a YouTube video in Facebook. Then the YouTube connection is related to the connection that you have made to Facebook, but it is not part of it.

Now we know about the connection states, let’s apply this to a LAB.

I decided to protect the input chain on my router, that means all traffic coming to the router itself.

  • I will drop the invalid state
  • I will allow established, related and untracked
  • I will allow ICMP traffic so I can ping the router
  • I will allow Winbox and SSH to the router
  • Then I will disable everything else at the end

Let’s start doing that.

Drop the invalid state

Allow established, related and untracked

Allow ICMP traffic

Allow Winbox to the router

Allow SSH to the router

Disable everything else at the end

Now filter rules have been created. I can still get connected to Winbox and SSH to the router, and I can ping it.

Let’s ping to the router and check:

Ping is still working ????

What if I try to open the Webfig? Do you think it will work? Based on our configuration, only Winbox and SSH ports are open, so logically Webfig should not open. Let’s try:

Indeed, it is not open. That’s because it has checked the first 5 rules that we have created and they were not matched, then it went to the last rule which is to drop everything – that’s why Webfig did not work ????

I hope by now you have a better understand of how filter rules work on MikroTik Firewall.



Submit a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.

Please Login to Reply or add a comment!