RouterOS: basic firewall policy and rules model

Discussion in 'Networking' started by Cheddoleum, Nov 18, 2019.

  1. Cheddoleum

    Cheddoleum Member

    Joined:
    Feb 19, 2014
    Messages:
    87
    Likes Received:
    16
    Hi. I'm evaluating MikroTik RouterOS for use at the edge. And as I build up the firewall, reading their documentation, recommendations and official MikroTik staff replies on their forums, I'm getting the distinct impression that their sole supported approach is "policy accept, rules reject (or drop)".

    I'm a lot more comfortable with "policy drop, rules accept", both on principle and based on mostly iptables experience.

    There's not much mention of RouterOS on this site. I wonder if anyone else has a take on this? It doesn't even seem to offer access to the policy, and the staff suggest instead you just put a "drop" rule at the end of the relevant input and forward chains. Given how easy it is to mess things up that way when it comes to dynamic rules addition/insertion, I'm not very impressed with that approach. Any thoughts appreciated.
     
    #1
    Last edited: Nov 18, 2019
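As an added example (my own, not from the original post and not MikroTik's published configuration), here is what the "policy drop, rules accept" intent from #1 looks like when written as RouterOS filter rules: since the built-in chains have no settable policy, a final unconditional drop rule in both input and forward plays the role of the policy, and everything above it is an explicit accept. The second part deals with the ordering concern about later rule insertion: a plain `add` appends after that drop rule, so the new rule never matches unless it is placed before the drop or kept in a jump chain. Assumptions: ether1 is the WAN port, a bridge named `bridge` carries the LAN, the interface-list names and rule comments are mine, and 192.0.2.10 is a constructed monitoring-host address.

```routeros
# Added example; assumes ether1 = WAN and bridge "bridge" = LAN (adjust to your device).
/interface list
add name=WAN comment="upstream"
add name=LAN comment="trusted"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="input: established/related"
add chain=input action=drop connection-state=invalid comment="input: invalid"
add chain=input action=accept protocol=icmp comment="input: icmp"
# management (WinBox/SSH/API) is reachable only from the LAN side
add chain=input action=accept in-interface-list=LAN comment="input: allow from LAN"
# stands in for the missing chain policy: anything not accepted above is dropped
add chain=input action=drop comment="input: default drop"

# --- forward chain: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related \
    comment="forward: established/related"
add chain=forward action=drop connection-state=invalid comment="forward: invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="forward: LAN to Internet"
add chain=forward action=drop comment="forward: default drop"

# --- adding rules later without breaking the default drop ---
# A plain "add" appends AFTER the drop rule and would never match.
# Option A: place the new rule before the uniquely commented drop rule
# (the comment must be unique, otherwise find returns several ids).
add chain=input action=accept src-address=192.0.2.10 protocol=udp dst-port=161 \
    comment="input: snmp from monitoring (placed)" \
    place-before=[find chain=input comment="input: default drop"]

# Option B (alternative to A, both shown for comparison): keep allow rules in a
# chain of their own that the parent jumps into before its drop. Rules appended
# to "input-allow" always run before the default drop, whatever order they are
# added in, and the chain returns to input when nothing matches.
add chain=input action=jump jump-target=input-allow comment="input: jump to allow list" \
    place-before=[find chain=input comment="input: default drop"]
add chain=input-allow action=accept src-address=192.0.2.10 protocol=udp dst-port=161 \
    comment="input-allow: snmp from monitoring"

# --- checks ---
# the default drop must be the last entry of each chain; anything listed after it is dead
/ip firewall filter print where chain=input
/ip firewall filter print where chain=forward
# counters on the drop rules show what the "policy" is actually catching
/ip firewall filter print stats where action=drop
```

Interface lists need RouterOS 6.36 or later; older builds take `in-interface=` with a single interface instead. Apply this from the LAN side, or with the console's Safe Mode active, since a mistake in the "allow from LAN" rule combined with the input drop locks you out of management.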
  2. RTM

    RTM Active Member

    Joined:
    Jan 26, 2014
    Messages:
    445
    Likes Received:
    144
    Given the significant amount of vulnerabilities found in their software, I do not suggest using Mikrotik equipment as more than a layer 2 device (if you must I suggest hardening the device and implementing controls around them to limit attack surface).
    This is just my own personal opinion/belief. I believe they make great equipment, but they may have added too many features to the OS for them to be able to support it.

    Maybe RouterOS 7 (they have recently released a beta version), will change some of this, only time will tell I guess.

    My suggestion would be to use something different for routing and firewalling, like a decent x86 based machine with pfSense.
     
    #2
  3. ChuckMountain

    ChuckMountain New Member

    Joined:
    Nov 6, 2019
    Messages:
    16
    Likes Received:
    0
    Have they got any outstanding vulnerabilities at the moment?

    I was looking for a solution to get a decent firewall at a reasonable price point that doesn't sound like a jet engine and drink electricity like there is no tomorrow.

    I was looking at pfSense, either a custom build or one of the premade boxes, but that was approaching the best part of $1,000 for one with a 10 gigabit port, which I wanted to hook up to my network backbone. My Internet connection is just over 1.1Gbps and on a single port I can't get the throughput.

    I then saw the Mikrotik RB4011, which has an SFP+ port and at a $199 price point seems to do the trick. However, the vulnerabilities concern me, and the amount of time. To work, though, I would have to put it behind the ISP router anyway as it cannot be replaced :(
     
    #3
  4. RTM

    RTM Active Member

    Joined:
    Jan 26, 2014
    Messages:
    445
    Likes Received:
    144
    Outstanding vulnerabilities are typically not announced or made readily available in the public forum, so don't expect people to answer that part. :)

    It is also difficult/impossible to tell if the issues are from bad software quality or because many people are actively looking for vulnerabilities.

    For a quantification look at the statistics from cvedetails.com:
    Mikrotik: 22 vulnerabilities
    Ubiquiti: 1 vulnerability

    Note: the above is not to say that Ubiquiti software is any better (I doubt that is the case); it is just to show some statistics on it. It is quite possible that there are significant issues with the dataset (1 vulnerability for Ubiquiti seems unlikely).

    It certainly makes a lot of sense to consider Mikrotik hardware, especially given the price point and your requirements. So as I wrote above, if you believe it is the right choice for you, harden the device and consider implementing controls around it (like a separate interface for management). I also forgot to mention earlier that keeping your device updated will obviously also help a lot there.

    Maybe if you are lucky, some nice person will port OpenWRT to it, but don't bet on it :)
     
    #4
  5. ChuckMountain

    ChuckMountain New Member

    Joined:
    Nov 6, 2019
    Messages:
    16
    Likes Received:
    0
    Sorry, I should have been clearer on that one. I meant published ones like the CVE ones that have not been fixed :) Some took far too long to fix, which is definitely an issue.

    While it is bad they have been found, it is also good they are getting fixed. It's the significant time to fix in some cases that is putting me off at the moment, but the majority are denial of service from poor code/design.
     
    #5
  6. ehorn

    ehorn Active Member

    Joined:
    Jun 21, 2012
    Messages:
    342
    Likes Received:
    52