MikroTik · 14 min read · April 24, 2026

MikroTik Firewall for ISPs: Production-Ready Rules & Configuration

A properly configured MikroTik firewall is the difference between a resilient ISP and one that goes down every time a script kiddie runs a port scan. This guide provides production-tested firewall rules covering input protection, forward chain filtering, NAT, and subscriber traffic management.

Firewall Rule Design Principles for ISPs

ISP firewalls are fundamentally different from enterprise firewalls. You are not protecting a single network: you are protecting the router itself and its management plane, and filtering traffic for thousands of subscribers. RouterOS gives you three chains: input (traffic TO the router), forward (traffic THROUGH the router) and output (traffic FROM the router). This guide configures input and forward; output is left at its default accept, which is normal for a router that originates only its own RADIUS, DNS and management traffic.

The golden rule for the input chain: default-drop, and explicitly permit only what you need. Every open port on the router is a potential attack vector. The forward chain works the other way round for an ISP: you cannot enumerate what subscribers are allowed to do, so it drops specific abuse and accepts the rest.

Connection Tracking Optimisation

Before adding filter rules, tune connection tracking. ISP routers hold millions of flows in the connection table, and with the default one-day timeout for established TCP sessions, idle entries accumulate until the table is full and new connections start being dropped.

routeros
# Optimise connection tracking for ISP workloads
/ip firewall connection tracking
set enabled=yes \
    tcp-established-timeout=3h \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-fin-wait-timeout=10s tcp-time-wait-timeout=10s \
    tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    udp-timeout=30s udp-stream-timeout=120s \
    generic-timeout=10m icmp-timeout=30s \
    max-entries=1048576

The default tcp-established-timeout is 1 day, far too long for ISP use; 3 hours keeps abandoned sessions from squatting in the table. Keep the SYN timeouts at their 5-second defaults rather than raising them: a half-open entry is exactly what a SYN flood creates, and lengthening its life multiplies the flood's effect on your table. Set max-entries based on your RAM (1M entries uses ~256MB RAM). The value is also the point at which the router silently refuses new connections, so watch total-entries against it rather than discovering the limit from subscriber complaints.
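The following is an added example, not part of the original post: a small RouterOS script that checks the table against the max-entries value set above and looks for a build-up of half-open TCP entries, which is the signature of a SYN flood filling the table. It assumes max-entries was set to a number (not "auto") and that you save it as a script named conntrack-watch.

```routeros
# Added example: conntrack utilisation and SYN-flood check (assumes max-entries is numeric)
:local max [/ip firewall connection tracking get max-entries]
:local total [/ip firewall connection tracking get total-entries]
# Entries in syn-received are half-open: the peer sent SYN, we answered, no ACK came back
:local halfopen [/ip firewall connection print count-only where tcp-state="syn-received"]

# Warn at 80% of the table (RouterOS scripting has integer arithmetic only)
:if ($total > ($max / 10 * 8)) do={
    :log warning ("conntrack: " . $total . "/" . $max . " entries in use (>80%)")
}

# More than 10% of the table half-open is not normal subscriber traffic
:if ($halfopen > ($max / 10)) do={
    :log warning ("conntrack: " . $halfopen . " half-open TCP entries, possible SYN flood")
}
```

Save the body under /system script as conntrack-watch and run it every minute with /system scheduler add name=conntrack-watch interval=1m on-event=conntrack-watch. The thresholds are starting points; on a router that routinely sits above 80% the right fix is more RAM or a larger max-entries, not a higher threshold.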

Input Chain: Protecting the Router

The input chain protects the router itself. This is your most critical chain, and also the one that locks you out if you get it wrong: put the address you are connecting from in the management list first, enable Safe Mode (Ctrl+X in the terminal) while you paste, and confirm you can still log in before leaving Safe Mode. The in-interface-list=LAN matches below assume that list contains every subscriber-facing interface, including the dynamic pppoe-in interfaces (set interface-list in the PPP profile). Two rules the chain does not need: one for PPPoE discovery, because PADI/PADO frames are not IP and never pass through /ip firewall; and one for RADIUS replies, which the established/related rule already covers (it is kept below because it is harmless and documents the dependency). What does need its own accept rule, if you use it, is RADIUS CoA/Disconnect: unsolicited UDP from the servers to the port configured under /radius incoming (3799 by default).

routeros
/ip firewall filter
# Accept established and related connections
add chain=input action=accept connection-state=established,related \
    comment="INPUT: Accept established/related"

# Drop invalid
add chain=input action=drop connection-state=invalid \
    comment="INPUT: Drop invalid"

# Accept ICMP with rate limit (20 packets/s, burst 5), drop the excess
add chain=input action=accept protocol=icmp limit=20,5:packet \
    comment="INPUT: Rate-limited ICMP"
add chain=input action=drop protocol=icmp \
    comment="INPUT: Drop excess ICMP"

# No rule for PPPoE discovery: PADI/PADO/PADR are EtherType 0x8863 frames, not IP,
# so /ip firewall never sees them and the PPPoE server works without an accept here.

# Management access from trusted IPs only
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address-list=management comment="INPUT: Winbox"
add chain=input action=accept protocol=tcp dst-port=22 \
    src-address-list=management comment="INPUT: SSH"
add chain=input action=accept protocol=tcp dst-port=8728,8729 \
    src-address-list=management comment="INPUT: API"

# RADIUS responses (already matched by established/related; kept for documentation)
add chain=input action=accept protocol=udp \
    src-address-list=radius-servers src-port=1812,1813 \
    comment="INPUT: RADIUS responses"

# Accept DNS from subscribers (if router is DNS server). The interface-list match is
# what keeps this from becoming an open resolver for the whole internet.
add chain=input action=accept protocol=udp dst-port=53 \
    in-interface-list=LAN comment="INPUT: DNS from LAN"
add chain=input action=accept protocol=tcp dst-port=53 \
    in-interface-list=LAN comment="INPUT: DNS TCP from LAN"

# Accept NTP from subscribers only. Replies to the router's own NTP client are covered
# by established/related; answering NTP from the WAN side makes the router a
# reflection/amplification source.
add chain=input action=accept protocol=udp dst-port=123 \
    in-interface-list=LAN comment="INPUT: NTP from LAN"

# Default drop
add chain=input action=drop comment="INPUT: Drop everything else"
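The input chain above references the WAN and LAN interface lists and the management address list without defining them, and it only controls what reaches the IP stack. The block below is an added example, not part of the original post, showing the supporting configuration a practitioner would deploy alongside it: the interface lists, the PPP profile setting that adds dynamic PPPoE interfaces to LAN, service binding, and the layer-2 management paths that bypass /ip firewall entirely. Interface names (ether1, vlan100) and the 10.10.0.0/24 management range are assumptions; substitute your own.

```routeros
# Added example: prerequisites for the input chain (interface names are assumed)
/interface list
add name=WAN comment="Upstream transit/peering"
add name=LAN comment="Subscriber-facing"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan100

# PPPoE sessions come up as dynamic pppoe-in interfaces. Adding them to LAN from the PPP
# profile makes every in-interface-list=LAN rule (DNS, NTP) apply to subscriber sessions.
/ppp profile set [find name=default] interface-list=LAN

# Services are the second line of defence: bind the ones you use to the management
# network and disable the rest, so a future filter mistake does not expose them.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set winbox address=10.10.0.0/24
set ssh address=10.10.0.0/24
set api address=10.10.0.0/24
set api-ssl address=10.10.0.0/24

# MAC-telnet, MAC-winbox, neighbour discovery and the bandwidth-test server operate at
# layer 2 or on all interfaces and are not filtered by the input chain. Switch them off
# on subscriber-facing interfaces (here: everywhere).
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no

# Verify: packet/byte counters tell you which rules are actually matching. A Winbox or
# SSH attempt from an address outside the management list should now time out.
/ip firewall filter print stats where chain=input
```

Run the verification from both sides: from a management address (must still connect) and from a subscriber or external address (must time out on 8291 and 22, and must get no answer to MAC-telnet).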

Forward Chain: Subscriber Traffic Filtering

The forward chain handles traffic passing through the router, which for an ISP means essentially all subscriber traffic. Unlike input, its default is accept: the chain drops specific abuse and lets everything else through. One trap in the addressing used on this page: the management VLAN (10.10.0.0/24) and the payment-page server (10.10.0.5) sit inside the subscriber range 10.10.0.0/16, so the subscriber-to-subscriber and management drops below would also drop the connections that the dst-nat rule redirects to the payment page (dst-nat rewrites the destination before the forward chain sees the packet). An explicit accept for the payment page is therefore placed ahead of the two drops. In production, put the management network in a prefix the subscriber rules never match.

routeros
/ip firewall filter
# Accept established and related
add chain=forward action=accept connection-state=established,related \
    comment="FORWARD: Accept established/related"

# Drop invalid
add chain=forward action=drop connection-state=invalid \
    comment="FORWARD: Drop invalid"

# Limit concurrent TCP connections per subscriber (anti-DDoS + botnet):
# connection-limit=300,32 counts connections per /32 source address
add chain=forward action=drop connection-limit=300,32 \
    src-address=10.10.0.0/16 protocol=tcp connection-state=new \
    comment="FORWARD: Limit TCP conn per subscriber"

# Suspended subscribers must still reach the payment page, which lives inside the
# subscriber range and the management VLAN; this has to precede the two drops below
add chain=forward action=accept src-address-list=suspended-subscribers \
    dst-address=10.10.0.5 protocol=tcp dst-port=80 \
    comment="FORWARD: Allow payment page"

# Block subscriber-to-subscriber traffic (prevent lateral attacks)
add chain=forward action=drop src-address=10.10.0.0/16 \
    dst-address=10.10.0.0/16 comment="FORWARD: Block subscriber-to-subscriber"

# Block subscribers from accessing management networks
add chain=forward action=drop dst-address-list=management-networks \
    src-address=10.10.0.0/16 comment="FORWARD: Block sub→management"

# Ingress anti-spoofing: RFC1918 sources never legitimately arrive from upstream
add chain=forward action=drop in-interface-list=WAN \
    src-address=10.0.0.0/8 comment="FORWARD: Anti-spoof RFC1918"
add chain=forward action=drop in-interface-list=WAN \
    src-address=172.16.0.0/12 comment="FORWARD: Anti-spoof RFC1918"
add chain=forward action=drop in-interface-list=WAN \
    src-address=192.168.0.0/16 comment="FORWARD: Anti-spoof RFC1918"

# Accept everything else through
add chain=forward action=accept comment="FORWARD: Accept all valid traffic"
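The forward chain above filters spoofed sources arriving from upstream but not spoofed sources leaving your own subscribers, which is the half that BCP38 actually asks of an ISP, and its connection limit drops silently, leaving you nothing to hand to the abuse desk. The block below is an added example, not part of the original post, that adds egress anti-spoofing, ingress protection for your own prefixes, a detect-then-block variant of the per-subscriber limit, and a per-subscriber cap on new UDP flows (the traffic that actually fills the connection table). It assumes the pool addresses 10.10.0.0/16 and 100.64.0.0/10 from this page, an assumed public prefix 203.0.113.0/24, and that the final rule of your forward chain carries the comment "FORWARD: Accept all valid traffic" so place-before can slot the new rules ahead of it.

```routeros
# Added example: BCP38 egress filtering and detect-then-block limits (pool values assumed)
/ip firewall address-list
add list=subscriber-pools address=10.10.0.0/16 comment="Private subscriber pool"
add list=subscriber-pools address=100.64.0.0/10 comment="CGNAT pool"
add list=own-public address=203.0.113.0/24 comment="Own public prefix (assumed)"

/ip firewall filter
# BCP38: a packet entering on a subscriber interface must carry one of your source
# addresses; anything else is a spoofing host or a misconfigured customer router
add chain=forward action=drop in-interface-list=LAN src-address-list=!subscriber-pools \
    comment="FORWARD: BCP38 egress anti-spoof" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]

# Ingress: your own pools and public prefix never legitimately arrive from upstream
add chain=forward action=drop in-interface-list=WAN src-address-list=subscriber-pools \
    comment="FORWARD: Anti-spoof own pools" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]
add chain=forward action=drop in-interface-list=WAN src-address-list=own-public \
    comment="FORWARD: Anti-spoof own public prefix" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]

# Detect-then-block: a subscriber exceeding 300 concurrent TCP connections is listed for
# 10 minutes and only its NEW connections are dropped. The list is your evidence:
#   /ip firewall address-list print where list=conn-abusers
add chain=forward action=add-src-to-address-list address-list=conn-abusers \
    address-list-timeout=10m src-address-list=subscriber-pools protocol=tcp \
    connection-state=new connection-limit=300,32 \
    comment="FORWARD: Flag TCP connection abusers" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]
add chain=forward action=drop src-address-list=conn-abusers connection-state=new \
    comment="FORWARD: Drop new connections from flagged subscribers" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]

# New UDP flows per subscriber: 200/s with a burst of 400, counted per source address;
# flows over the rate fall through to the drop. Only the first packet of a flow is
# "new", so established UDP traffic (video, games) is untouched.
add chain=forward action=accept protocol=udp src-address-list=subscriber-pools \
    connection-state=new dst-limit=200,400,src-address/1m \
    comment="FORWARD: Per-subscriber new UDP flow rate" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]
add chain=forward action=drop protocol=udp src-address-list=subscriber-pools \
    connection-state=new comment="FORWARD: Drop UDP flows over rate" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]
```

Check the order with /ip firewall filter print where chain=forward after pasting: every rule added here must sit after the established/related accept and before the final accept-all, which is what the place-before clauses arrange. The UDP figures are starting points; watch the drop counter for a day before tightening them.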

NAT Configuration for ISP

Configure source NAT for subscriber internet access and any destination NAT rules for port forwarding or redirection. Two details matter for an ISP: to-addresses takes an address or an address range, not a prefix, and a shared CGNAT pool is not deterministic, so without translation logs or fixed per-subscriber port blocks you cannot answer an abuse report that names a public address and port.

routeros
# Source NAT for subscriber internet access. On a router with a static public address,
# action=src-nat to-addresses=<your address> is preferable to masquerade: masquerade
# re-evaluates the outgoing interface address per connection and, when the WAN interface
# goes down and comes back, existing translations are purged, resetting every subscriber
# session at the worst possible moment.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN \
    src-address=10.10.0.0/16 comment="NAT: Subscriber internet"

# If using CGNAT with a public IP pool: the usable addresses of 203.0.113.0/28 as a range
add chain=srcnat action=src-nat to-addresses=203.0.113.1-203.0.113.14 \
    out-interface-list=WAN src-address=100.64.0.0/10 \
    comment="NAT: CGNAT pool"

# Redirect suspended subscribers to the payment page. Only plain HTTP can be redirected
# this way; an HTTPS connection rewritten to 10.10.0.5 fails the certificate check in the
# browser, so pair this with a forward rule that resets TCP/443 from the list instead of
# letting those connections hang until they time out.
add chain=dstnat action=dst-nat to-addresses=10.10.0.5 to-ports=80 \
    protocol=tcp dst-port=80 src-address-list=suspended-subscribers \
    comment="NAT: Redirect suspended to payment page"
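The following is an added example, not part of the original post, going one step beyond the shared pool above: deterministic CGNAT. Each subscriber address is bound to one public address and one fixed port block, so a report quoting "203.0.113.1 port 23456 at 14:02" maps to exactly one subscriber by arithmetic, with no per-flow logging. The values are assumptions: 62 subscribers in 100.64.0.0/26, one public address 203.0.113.1, 1000 ports each starting at port 2000. Run it as a script (or paste it into a terminal session) on a router that has the WAN interface list.

```routeros
# Added example: deterministic CGNAT, one fixed port block per subscriber (values assumed)
:local pubip "203.0.113.1"
:local blocksize 1000
:local firstport 2000

# Subscriber 100.64.0.N owns ports [firstport + (N-1)*blocksize, +blocksize-1].
# Reverse lookup for an abuse report: N = (port - firstport) / blocksize + 1.
:for n from=1 to=62 do={
    :local sub ("100.64.0." . $n)
    :local lo ($firstport + (($n - 1) * $blocksize))
    :local hi ($lo + $blocksize - 1)
    :local range ($lo . "-" . $hi)
    # to-ports needs a protocol, so one rule each for TCP and UDP
    :foreach proto in={"tcp";"udp"} do={
        /ip firewall nat add chain=srcnat action=src-nat src-address=$sub \
            protocol=$proto out-interface-list=WAN \
            to-addresses=$pubip to-ports=$range \
            comment=("CGNAT " . $sub . " " . $proto . " " . $range)
    }
}

# Protocols without ports (ICMP, GRE, ...) still need a translation; a plain src-nat to
# the same address after the per-subscriber rules covers them
/ip firewall nat add chain=srcnat action=src-nat src-address=100.64.0.0/26 \
    out-interface-list=WAN to-addresses=$pubip \
    comment="CGNAT 100.64.0.0/26 other protocols"
```

Because NAT rules are matched top-down, these rules must sit above any broader pool rule for 100.64.0.0/10, or the pool rule wins and the mapping is no longer deterministic. 1000 ports per subscriber is a conservative figure for residential use; the constraint is that the blocks fit below 65535, so the number of subscribers per public address and the block size trade off against each other.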

Address Lists for Dynamic Management

Use address lists to keep your firewall rules clean and dynamic: a rule refers to the list by name, and membership can change by hand, by script or over the API without touching the rule. Note that every address below falls inside the subscriber range 10.10.0.0/16 used by the forward rules. That works only because the subscriber-to-subscriber and management drops are in place, and it is why the payment page needs its own accept rule in the forward chain; a cleaner plan keeps the management VLAN in a prefix the subscriber rules never match.

routeros
# Management IPs (your NOC, office, ISPbills server)
/ip firewall address-list
add list=management address=10.10.0.5 comment="ISPbills server"
add list=management address=10.10.0.10 comment="NOC workstation"

# RADIUS servers
add list=radius-servers address=10.10.0.5 comment="Primary RADIUS"
add list=radius-servers address=10.10.0.6 comment="Backup RADIUS"

# Management networks (protect from subscriber access)
add list=management-networks address=10.10.0.0/24 comment="Management VLAN"
add list=management-networks address=10.20.0.0/24 comment="OLT management"

How ISPbills Integrates with MikroTik Firewalls

ISPbills works with your firewall rules to manage subscriber access:

  • Suspended subscriber list — when an invoice is overdue, ISPbills adds the subscriber to the "suspended-subscribers" address list via API
  • Payment redirect — combined with a dst-nat rule, suspended subscribers see a payment page instead of the internet
  • Auto-restoration — once payment is received, ISPbills removes the subscriber from the suspended list
  • Active subscriber list — ISPbills maintains an "active-subscribers" address list for policy-based routing and QoS
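The dst-nat redirect alone does not make suspension work: DNS has to keep resolving, HTTPS has to fail fast rather than hang, everything else from the subscriber has to be dropped, and the subscriber's already-open connections have to be flushed, because they keep matching the established/related accept at the top of the forward chain. The block below is an added example, not ISPbills' own code or part of the original post, showing those router-side pieces. It assumes the list name suspended-subscribers and the payment page at 10.10.0.5 from this page, that the forward chain already accepts traffic to the payment page ahead of its subscriber-to-subscriber drop, and that its last rule carries the comment "FORWARD: Accept all valid traffic". The address 10.10.5.7 is a constructed test value.

```routeros
# Added example: router-side handling for the suspended-subscribers list (test address is made up)
/ip firewall filter
# DNS must keep working, otherwise the browser never reaches the HTTP connection that the
# dst-nat rule redirects. Subscribers using the router itself as resolver are handled by
# the input chain; these rules cover external resolvers.
add chain=forward action=accept src-address-list=suspended-subscribers \
    protocol=udp dst-port=53 comment="SUSPEND: Allow DNS" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]
add chain=forward action=accept src-address-list=suspended-subscribers \
    protocol=tcp dst-port=53 comment="SUSPEND: Allow DNS TCP" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]

# HTTPS cannot be redirected to the payment page without certificate errors. A TCP reset
# makes the browser fail immediately instead of waiting for a timeout.
add chain=forward action=reject reject-with=tcp-reset \
    src-address-list=suspended-subscribers protocol=tcp dst-port=443 \
    comment="SUSPEND: Reset HTTPS" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]

# Everything else from a suspended subscriber is dropped. Port 80 never gets here: dst-nat
# already rewrote it to the payment page, which the forward chain accepts earlier.
add chain=forward action=drop src-address-list=suspended-subscribers \
    comment="SUSPEND: Drop remaining traffic" \
    place-before=[find comment="FORWARD: Accept all valid traffic"]

# Simulate a suspension by hand. The timeout makes the test entry clean itself up.
/ip firewall address-list add list=suspended-subscribers address=10.10.5.7 \
    timeout=1h comment="manual test entry"

# Flush the subscriber's existing flows so the drop takes effect now, not when they expire.
# Connection entries store addresses as "address:port", hence the trailing colon.
/ip firewall connection remove [find src-address~"^10.10.5.7:"]

# Verify: the entry is listed and no connections remain for that source
/ip firewall address-list print where list=suspended-subscribers
/ip firewall connection print where src-address~"^10.10.5.7:"
```

Whatever adds an address to the list, whether a billing system over the API or a script, should run the same connection flush for that address; otherwise a subscriber with a long-lived download or VPN session stays online until that session ends on its own.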

Ready to Automate Your ISP?

ISPbills handles billing, network provisioning, and customer management — free for up to 99 subscribers.


Tags

MikroTik, Firewall, Security, NAT, RouterOS, ISP Networking, Connection Tracking
