RouterOS: basic firewall policy and rules model


Cheddoleum

Member
Feb 19, 2014
Hi. I'm evaluating MikroTik RouterOS for use at the edge. As I build up the firewall, reading their documentation, recommendations and official MikroTik staff replies on their forums, I'm getting the distinct impression that their sole supported approach is "policy accept, rules reject (or drop)".

I'm a lot more comfortable with "policy drop, rules accept", both on principle and based on mostly iptables experience.

There's not much mention of RouterOS on this site. I wonder if anyone else has a take on this? It doesn't even seem to offer access to the policy, and the staff suggest instead that you just put a "drop" rule at the end of the relevant input and forward chains. Given how easy it is to mess things up that way when it comes to dynamic rule addition/insertion, I'm not very impressed with that approach. Any thoughts appreciated.
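As an added example, not from the original thread or from MikroTik's own documentation: a RouterOS filter configuration that gives the "policy drop, rules accept" behaviour the OP wants, using the trailing drop rule the staff recommend, plus the insertion idiom that keeps later rules above that drop so they are still evaluated. Interface roles (ether1 WAN, ether2 LAN, ether5 management), the management subnet and the management ports are assumptions.

```routeros
# Added example (not from the thread). RouterOS v6-style syntax.
# Assumed interfaces: ether1 = WAN, ether2 = LAN, ether5 = management only.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="management subnet (assumed)"

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related comment="return traffic"
add chain=input action=drop connection-state=invalid comment="drop invalid state"
add chain=input action=accept in-interface=ether5 src-address-list=mgmt protocol=tcp dst-port=22,8291 comment="SSH/WinBox only from mgmt interface"
add chain=input action=accept protocol=icmp comment="allow ping"
# trailing drop emulates a default-deny policy; keep this rule last and its comment unique
add chain=input action=drop comment="DEFAULT-DROP input (keep last)"

# forward chain: traffic routed through the router
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid state"
add chain=forward action=accept in-interface=ether2 out-interface=ether1 comment="LAN to WAN"
add chain=forward action=drop comment="DEFAULT-DROP forward (keep last)"

# A rule added later with a plain "add" lands AFTER the drop and is never hit.
# Insert it above the drop instead by locating the drop rule via its comment:
add chain=forward action=accept in-interface=ether1 out-interface=ether2 protocol=tcp dst-port=443 connection-state=new comment="example inbound service (assumed)" place-before=[find chain=forward comment="DEFAULT-DROP forward (keep last)"]

# Verify the ordering: the DEFAULT-DROP rule must print last in each chain.
print where chain=forward
print where chain=input
```

If the drop's comment is not unique, `find` returns several ids and the insertion is ambiguous, which is exactly the kind of mistake the OP is worried about; checking the `print` output after every change is the cheap safeguard.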

RTM

Well-Known Member
Jan 26, 2014
Given the significant number of vulnerabilities found in their software, I do not suggest using Mikrotik equipment as more than a layer 2 device (if you must, I suggest hardening the device and implementing controls around it to limit the attack surface).
This is just my own personal opinion/belief. I believe they make great equipment, but they may have added too many features to the OS for them to be able to support it.

Maybe RouterOS 7 (they have recently released a beta version), will change some of this, only time will tell I guess.

My suggestion would be to use something different for routing and firewalling, like a decent x86 based machine with pfSense.
 

ChuckMountain

Member
Nov 6, 2019
Have they got any outstanding vulnerabilities at the moment?

I was looking for a solution to get a decent firewall at a reasonable price point that doesn't sound like a jet engine and drink electricity like there is no tomorrow.

I was looking at pfSense, either a custom build or one of the premade boxes, but that was approaching the best part of $1,000 for one with a 10 gigabit port, which I wanted to hook up to my network backbone. My Internet connection is just over 1.1Gbps, and on a single port I can't get the throughput.

I then saw the Mikrotik RB4011, which has an SFP+ port and at a $199 price point seems to do the trick. However, the vulnerabilities concern me, and the amount of time. To work, though, I would have to put it behind the ISP router anyway, as it cannot be replaced :(
 

RTM

Well-Known Member
Jan 26, 2014
> Have they got any outstanding vulnerabilities at the moment?
>
> I was looking for a solution to get a decent firewall at a reasonable price point that doesn't sound like a jet engine and drink electricity like there is no tomorrow.
>
> I was looking at pfSense, either a custom build or one of the premade boxes, but that was approaching the best part of $1,000 for one with a 10 gigabit port, which I wanted to hook up to my network backbone. My Internet connection is just over 1.1Gbps, and on a single port I can't get the throughput.
>
> I then saw the Mikrotik RB4011, which has an SFP+ port and at a $199 price point seems to do the trick. However, the vulnerabilities concern me, and the amount of time. To work, though, I would have to put it behind the ISP router anyway, as it cannot be replaced :(

Outstanding vulnerabilities are typically not announced or made readily available in the public forum, so don't expect people to answer that part. :)

It is also difficult/impossible to tell if the issues are from bad software quality or because many people are actively looking for vulnerabilities.

For a quantification look at the statistics from cvedetails.com:
Mikrotik: 22 vulnerabilities
Ubiquiti: 1 vulnerability

Note: the above is not to say that Ubiquiti software is any better (I doubt that is the case); it is just to show some statistics on it. It is quite possible that there are significant issues with the dataset (1 vulnerability for Ubiquiti seems unlikely).

It certainly makes a lot of sense to consider Mikrotik hardware, especially given the price point and your requirements. So, as I wrote above, if you believe it is the right choice for you, harden the device and consider implementing controls around it (like a separate interface for management). I also forgot to mention earlier that keeping your device updated will obviously also help a lot there.

Maybe if you are lucky, some nice person will port OpenWRT to it, but don't bet on it :)
 

ChuckMountain

Member
Nov 6, 2019
> Outstanding vulnerabilities are typically not announced or made readily available in the public forum, so don't expect people to answer that part. :)

Sorry, I should have been clearer on that one. I meant published ones, like the CVE ones that have not been fixed :) Some took far too long to fix, which is definitely an issue.

> It is also difficult/impossible to tell if the issues are from bad software quality or because many people are actively looking for vulnerabilities.
>
> For a quantification look at the statistics from cvedetails.com:
> Mikrotik: 22 vulnerabilities
> Ubiquiti: 1 vulnerability
>
> Note: the above is not to say that Ubiquiti software is any better (I doubt that is the case); it is just to show some statistics on it. It is quite possible that there are significant issues with the dataset (1 vulnerability for Ubiquiti seems unlikely).
>
> It certainly makes a lot of sense to consider Mikrotik hardware, especially given the price point and your requirements. So, as I wrote above, if you believe it is the right choice for you, harden the device and consider implementing controls around it (like a separate interface for management). I also forgot to mention earlier that keeping your device updated will obviously also help a lot there.
>
> Maybe if you are lucky, some nice person will port OpenWRT to it, but don't bet on it :)

While it is bad that they have been found, it is also good that they are getting fixed. It's the significant time to fix in some cases that is putting me off at the moment, but the majority are denial of service from poor code/design.