The documentation and tutorials for Mikrotik put all of the other manufacturers to shame. Looking at you Ubiquiti!
The "let's say I trust my colleagues, even though I don't" part really made my day
I was about to comment the same, then I read yours! :) - seems it's not just about the network security anymore... hahaha.
Great content Normis & MikroTik :)! Please keep these awesome MikroTips coming, I know many people enjoy watching them!
Don’t listen to Berg. He’s started doing Fortigate stuff. Absolutely terrible person. 😂
I can not agree more, great content and please continue in the same way supporting customers. My journey with Mikrotik has been a pure pleasure so far.
Shouldn't the 6th rule with IP 150.140.130.13 be moved up? When the firewall sees a rule for .13 it will accept it because it belongs to the 150.140.130.0/24 network. Then the router will stop looking for a filter for this IP, because it has already been accepted. So in my opinion the trick is to move this rule up (to position 5 or smaller) to block the .13 address, and then the firewall will stop looking for filtering, because it has already been blocked.
Agreed. From the docs: If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted.
There is a mistake @15min, the drop rule will not work since the connection will be accepted by the rule preceding the drop.
good catch, had to move it one position more!
Hmmm 🤔
Thanks for the video and to ruf3st for pointing out the adjustment. I've been working to understand the firewall and NAT for a while before implementing a MikroTik router to replace an old dd-wrt unit. It's a big step for someone new to this because it seems a mistake could compromise network security and you may not know until too late. I have found information and guides on-line that don't work and seem wrong, but as a newbie it's difficult to decide; maybe it's just not the best way to achieve something. For something this important and with a router as versatile as the MikroTik there is a huge learning curve. It's a big responsibility advising or teaching how to secure a network.
@mikrotik add a note on the video :)
@donatasdicmanas5009 Pretty sure that TH-cam removed the ability to add annotations a while ago.
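An added example, written by the editor and not taken from the video or from any commenter, of the input-chain order this thread settles on, as RouterOS CLI commands. The addresses are the ones quoted in the comments; the "WAN" interface list is assumed to exist (the default home configuration creates it), and the rule comments are made up here so that `find` can locate the rules.

```routeros
# Added example; the WAN interface list and the rule comments are assumptions.
/ip firewall filter

# Rule 5 from the video: accept management traffic from the office subnet.
add chain=input action=accept in-interface-list=WAN \
    src-address=150.140.130.0/24 comment="allow office subnet"

# Adding the drop for the colleague AFTER that rule does nothing: a packet
# from .13 already matched the /24 accept, and processing of the chain stops
# at the first match. So insert it in front of the accept instead.
add chain=input action=drop in-interface-list=WAN \
    src-address=150.140.130.13 comment="block one colleague" \
    place-before=[find chain=input comment="allow office subnet"]

# A single remote address is a /32; the mask may also be omitted entirely.
add chain=input action=accept in-interface-list=WAN \
    src-address=159.148.172.204/32 comment="allow a single remote IP"

# "Deny everything else from the internet side": no src-address at all is
# the same as 0.0.0.0/0. This must be the LAST input rule that WAN traffic
# can reach, so every accept above it has to come first.
add chain=input action=drop in-interface-list=WAN comment="drop rest from WAN"

# The drop only affects new connections. If the colleague already has a
# session tracked as established, the earlier established/related accept
# keeps it alive; clear the tracked entries so the new rule applies now.
/ip firewall connection remove [find src-address~"^150.140.130.13:"]

# Verify order and hit counters (do this while in Safe Mode, as in the video).
/ip firewall filter print stats
```

On a device that still carries the default configuration, the default "drop all not coming from LAN" input rule is already last, so rules appended with a plain `add` land behind it and never see traffic; either insert them with `place-before` as well, or leave out the final drop in the example above because the default rule already does that job.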
As many have said, those are really useful videos, so please, keep them coming. I've worked as a MT admin 13 years ago and I forgot a lot of this stuff since then, so this makes the onboarding again really simple. Thank you very much.
This is a great starter/intro video to the FW and I sincerely hope there are more for the future - perhaps topics like point to point VPN, home AP, throttling Kids devices etc...
It was a good start for the MikroTik firewall, thanks for this approach to the community!
Great job!
I love mikrotik routers and support material has improved a lot too now. Great job
As someone about to pick up my first mikrotik device this was a great beginner how to vid for the much feared firewall config, thanks!
Great to hear! Be sure to watch our other videos too, we have more beginner tips
@mikrotik Do you guys have a support department of some kind where you can book a network engineer to help you make your best dream network?
As a Home user who prefers privacy and safety I would pay for a ready made secure plug and play file that I can just sync to the device and set a password, or finish up with some small modifications.
Thank you! Can't wait for the next video. Buying a MikroTik router for home was a great choice. Forced me into an extremely interesting study process
I am waiting for an NGFW from MikroTik and I am still looking for how to configure a MikroTik router like an NGFW (IPS, IDS)
Hmmm just to clarify
On 15:27, will rule #6 for blocking X.X.X.13 actually work?
Preceding rule #5 is accepting whole subnet traffic...
Ah, ruf3st already pointed out the same nuance before me :)
Thanks, excellent video for first steps in firewall. Watching 20 minutes of long video was not boring. Thank you Normis!
It takes a lot of courage to make good videos, but you are doing great! Keep up ;)
These videos are great. Keep it up.
We will!
I hope to see it in Russian soon
Well done! Keep it up.
Is this the new Mikrotik Logo?
I wish people in the industry were as sincere as you were, from the beginning (Windows 95 beginning), by saying: "No network is completely secure...". What you said kind of defies the reason why to choose MikroTik instead of any other, but anyway, also a great reason for a "heck, why not!" right?
Please discuss advanced firewalling some other day. We are waiting. Thanks
How to block the raw IP as well as the domain? Someone might just punch in the raw IP of the webpage
Just add one more rule and block the IP also. How to block an IP is also in this video
@mikrotik what part of the video is the raw IP covered in?
Amazing video and very informative, Mikrotik hardware and software are fantastic
What would I do when I want to block a bulk of domains? It is hard to enter every website.
Really good to see tutorials like this, keep going, make more. You have a great product range with great features, however features bring complexity. I feel the biggest hurdle for your home users to be able to use your gear will be the lack of knowledge. Tutorials will be a huge help for people to learn and buy more of you great gear.
Hahaha, how, bro?
This - 100%. Even the Prosumer market needs guidance, especially because we tend to sell and move on if it doesn't work out.
Please help, some websites can't be accessed using the set firewall.
Shouldn't the new input drop rule for .13 be above accept rule to work?
Yes, small mistake in moving the rule. Other commenters also said the same
@mikrotik ah, sorry, missed them. Need to keep those colleagues you can't trust at bay, you know ;) you have a great product, keep it up!
Good day. May I ask if you can demo how to maximize the use of Mikrotik if I wanted to use firewall for deception? Thanks!
can you please use a magnifying glass? Even in 1080p I cannot see.
Can you provide the default firewall rules for rb5009ug+?
My router is configured with DHCP from the ISP. I use an RB1100. In order to block certain pages, on a new rule, forward chain, in. interface list, I could not find any interfaces. What can I do?
More, MikroTik. More 😊
Thanks for the way of explaining
First video of yours I watched, and I liked the information and your way of explaining. Thank you
Really good to see tutorials like this, keep going, and make more
It would be very useful to have a video about setting up a hotspot with vouchers.
I don't understand the remote IP. I get /24 at the end specifies all devices from that IP. But how does substituting that for .13 identify not only the public IP but then the specific internal IP behind that router?
How do I specify all internet traffic for a deny all rule? I know where to put it, I just don't know how to express it.
OK got it thanks to Mr Google. 0.0.0.0/0. Easy. But this might have been a helpful little bit of info to have included when talking about denying access to the router from the internet side.
I appreciate such videos, but I miss IPv6 Firewall Rules. Many people use IPv6 in their home routers because of missing IPv4 addresses (e.g. DS-Lite). Could you do an advanced video about firewalling with IPv6?
MikroTik devices also have a default IPv6 firewall; you can learn from the default rules. To load them, enable the IPv6 package and reset the RouterOS config to defaults; it will load the rules
Very nice. I would love more firewall tutorials. 👍
Hello, how do you manage to use Winbox on your Apple laptop?
We have a video about it: th-cam.com/video/TCPhYh9Wajw/w-d-xo.html
Winbox dark mode....please
Great video, but it seems to work for some sites and doesn't work on some other sites. Any reason or solution for this?
Like in the video, check the webpage certificate details and see, maybe it is issued to other domains, that you can also try to block.
also follow this nice video on more details about how to find the correct tls-host value: th-cam.com/video/cFtZNbY-2Qo/w-d-xo.html
....let's say i trust my colleagues. even though I don't.... nice touch :-D
nice and useful video... I expect advanced firewalling also.... thank you...
Will the whole Mikrotik brand change its identity to like this logo and colour anytime soon? It looks great!
My LHG5 is connected to a WiFi router port and I am unable to log in using the MAC address. What to do?
I have a local Microsoft DNS server. Could you tell me how to prevent LAN users from changing their client device to an external one like 8.8.8.8 rather than my local DNS 10.1.1.234? Thanks in advance.
Make a dst-nat rule that captures DNS requests and use action "redirect" to capture them.
See our video about dst-nat rules th-cam.com/video/a_8AV6vIDYQ/w-d-xo.html
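An added example from the editor, not from the video or the reply above, of the redirect approach the reply describes, as RouterOS commands. It assumes the default "LAN" interface list exists, that 10.1.1.234 is the local DNS server named in the question, and that the router may act as a DNS forwarder for the LAN; the rule comments are made up here.

```routeros
# Added example; the LAN interface list and the rule comments are assumptions.

# The router answers the redirected queries itself, so it must resolve via
# the local server and must accept queries from the LAN.
/ip dns
set servers=10.1.1.234 allow-remote-requests=yes

/ip firewall nat
# The local DNS server forwards to upstream resolvers itself; if its own
# queries were redirected back to the router they would loop. Accept them
# first (accept in the dstnat chain = stop processing, no NAT applied).
add chain=dstnat action=accept src-address=10.1.1.234 \
    protocol=udp dst-port=53 comment="dns server may query upstream"
add chain=dstnat action=accept src-address=10.1.1.234 \
    protocol=tcp dst-port=53 comment="dns server may query upstream"

# Every other LAN client that sends plain DNS anywhere except the local
# server (e.g. to 8.8.8.8) is redirected to the router's own resolver.
add chain=dstnat action=redirect to-ports=53 in-interface-list=LAN \
    dst-address=!10.1.1.234 protocol=udp dst-port=53 \
    comment="force LAN DNS through the router"
add chain=dstnat action=redirect to-ports=53 in-interface-list=LAN \
    dst-address=!10.1.1.234 protocol=tcp dst-port=53 \
    comment="force LAN DNS through the router"

# Watch the counters: a client pointed at 8.8.8.8 should increment the
# redirect rules, a client pointed at 10.1.1.234 should not.
print stats
```

Because allow-remote-requests=yes turns the router into a resolver, check that the input chain does not accept UDP or TCP port 53 from the WAN side (the default configuration's final input drop covers that; the drop-everything-from-WAN rule discussed elsewhere in these comments does the same). This only catches plain DNS on port 53; a client using DoH or DoT, which a later comment raises, is not affected by it.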
Domain blocking doesn't work for me. My Filter Rules are empty and this drop is alone in list.
Chain: forward
Protocol: tcp
In. Interface List: LAN
TLS Host: *mikrotik*
Action: drop
What more do I need in the firewall for this blocking?
Make sure your device is working as a router, not a switch or bridge.
@mikrotik It's working now, but why doesn't it work on YouTube or Google?
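An added example from the editor, not from the video or this thread, of the same rule together with the two things the replies on this page keep pointing at: rule order relative to the FastTrack rule, and covering the raw IP as well. It assumes the default configuration's "LAN" interface list and its single fasttrack-connection rule in the forward chain; the address-list name "blocked-sites" is made up here, and mikrotik.com stands in for whatever site is being blocked.

```routeros
# Added example; the LAN interface list, the default fasttrack rule and the
# address-list name "blocked-sites" are assumptions.
/ip firewall filter

# tls-host inspects the Server Name Indication in the TLS ClientHello. That
# packet arrives after the TCP handshake, i.e. in a connection that is
# already "established". The default forward chain handles established,
# related traffic with action=fasttrack-connection before anything else,
# and fasttracked packets skip the rest of the chain, so a drop placed
# after it never sees the ClientHello. Insert the rule in front of it.
add chain=forward action=drop protocol=tcp in-interface-list=LAN \
    tls-host=*mikrotik* comment="block by SNI" \
    place-before=[find chain=forward action=fasttrack-connection]

# Name matching does nothing for a client that types the IP address, and
# nothing where the SNI is absent or encrypted. Block the addresses too:
# a DNS name in an address list is resolved by the router and re-resolved
# when its TTL expires, so there is no list of raw IPs to maintain by hand.
/ip firewall address-list
add list=blocked-sites address=mikrotik.com comment="resolved by the router"
add list=blocked-sites address=www.mikrotik.com comment="resolved by the router"

/ip firewall filter
add chain=forward action=drop in-interface-list=LAN \
    dst-address-list=blocked-sites comment="block by address" \
    place-before=[find chain=forward action=fasttrack-connection]

# Sites that still load usually do so from other names (check the
# certificate, as the replies say); add those as extra tls-host rules or
# address-list entries, and confirm with the counters here.
print stats
```

The resolved addresses are the ones the router sees, which for a large site behind a CDN may differ from what a client resolves, so the SNI rule and the address rule complement each other rather than replace each other.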
Why is the drop rule second, when you allow everyone to access the port in the first one?
Great video thank you ! This MicroTips series is perfect !
I'm curious about the new MikroTik icon in the macOS dock, new software soon ? 🤔
Hello, how can I do this: I have a MikroTik 4011 router, I have a network segment 192.168.1.1/24 and I need to reach the network 10.10.1.1/24 and I can't. Can you help me please?
Great video, but the P2P selection box is gone from the mangle rule General tab. How is this option chosen now? (It would assist me greatly.)
It was removed, because none of those p2p protocols exist anymore
Do you use the M1 MacBook? How did you manage to install Winbox? BR. Nice video, thank you!
Follow my other video about it th-cam.com/video/FXhT2QGxgp0/w-d-xo.html
It works on M1 devices if you use Wine 6.21 or newer
@mikrotik I did not find Wine 6.21, only 5.7 like your video suggested.
Will MikroTik integrate more specific firewall functions such as HTTPS proxy, HTTPS inspection (TLS 1.3), IPS and IDS functions, SMTP proxy and UTM functions in the future?
Thanks in advance for the answer
This is a router, not an ids
@mikrotik I know, I am aware of it. It was a question to ask if in the future you will also integrate third-party services for the aforementioned functions.
Thanks.
Thanks for review and I can't wait to see russian version of this video
Right click and select "inline comments" definitely more readable.
Nice, great to know about the Safe Mode feature.. to me it means not resetting my router and getting kicked out of it whenever I'm experimenting with the IP address things XD
thank you sir
Hi, I'm using firmware version 7.1 and when I try your teaching, in the interface list I don't see the LAN option, and it required me to select a protocol. Is this normal? So I just used "in. interface list - all" and then I put protocol 6 (tcp) and it works.
In that case, use a specific interface (probably bridge). The interface lists are part of default configuration of our home devices, not all have it
Don’t bother watching this from a phone!
The content of this video was fantastic and extremely useful for a beginner like me - although the presentation of it could have been a lot better. As it is, this video is nearly useless for viewing on a mobile phone (even a 13 Pro Max) because the focused content is not zoomed to make it readable. I had to AirPlay to my 70" screen in order to be able to make out what was on the screen. It would have also been fine on a tablet or PC.
I definitely recommend watching the video - but just bookmark it for now (if you’re on a phone) and watch it later from a larger screen device.
I hope future videos will keep this in mind since it’s not often convenient for me to watch from a larger screen device.
Yes, since there is a screen recording of a computer screen, you need to view this video in 4K when watching on a phone screen, then it looks very clear even on the smaller iPhone 13 pro (non max). For lower bandwidth connections, you would need a bigger screen, as details will be lost in 1080p or less.
Sir, for game apps like Mobile Legends, what is the TLS host?
And does this config work in mangle rules? I'd like to limit the bandwidth of Mobile Legends
You can block the Mobile Legends game in your network by blocking ports 3000-30999
Winbox via homebrew?
No, just install Wine and run the exe
Requesting a video on OSPF filters and route-based VPN with Juniper SRX..
I own an RB1100 router and there are problems with weak transmission; I think it is from the firewall. I want you to help me set up a firewall. Can you help me?
bro where chalk up u been, it is so cool
thanks, it actually let me through so i could download it.
how did you connect from Mac?
Winbox on MacOS M1 in two steps
th-cam.com/video/TCPhYh9Wajw/w-d-xo.html
Great ;
Normis , the basic building block of Mikrotik. :)
The website rule does not work for me
How use winbox on macos?
th-cam.com/video/FXhT2QGxgp0/w-d-xo.html
At 12:10 this doesn't seem right. If it's public address, adding whole subnet will allow not only Your office, but also other public addresses, that are sharing the mask. Am I correct? Or I missed something? :)
I mean, this is an example, but should be more precisely explained if my thinking is correct :)
Other than that, great video!
It's correct, but usually the company has a whole subnet of IP addresses. At least in this example. If you only have one IP, use it like this 159.148.172.204/32
Thanks for making this video, top quality 😀 Will show this to firewall n00bs to make them pro.
Hello, it's very good to have videos from the brand. I want to tell you that the webpage blocking rule does not work with YouTube, even when putting it at the beginning of the rules. Please be more specific with your rules and not so general. Thank you
It works fine for us; make sure you disable FastTrack and use the correct chain
Thanks for the video, it is very helpful for me. Keep making them
Was that Winbox for OS X or Safari for Windows?
Winbox runs perfectly fine in Wine 6 for macOS, even on M1 architecture. Follow our other video for more: th-cam.com/video/FXhT2QGxgp0/w-d-xo.html
Please make a video and show how to limit the internet only for WhatsApp and full internet access from the userman to other users.
Please fix Wave2 WiFi and CAPsMAN (!) for 128 MB routers (!!!)
Capsman works fine
Greetings from Austria ;-)
At first: Great video! When will it be possible to get some new devices? The stock situation is .... best wishes for 2023 !!!
New devices are going out every now and then. Make sure you put your reservation in, don’t just wait
thank you for this Normis
Seems you can't block YouTube using the TLS host; anyone had any luck blocking YouTube?
It works fine; make sure you follow the video exactly, including disabling FastTrack and the rule order
Thanks for Safe mode feature))
Hi, don't worry, I wanted to know how to monitor which sites the user has visited in Mikrotik
Great video , keep going !!!!
nice video and very good content
great content!
Great tutorial!
Great video! Maybe in the future something about CAPsMAN and WiFi with VLANs? :)
We already have such a video, see the slightly older ones 😊
Thank you !!
New logo?
very cool ! I like that
It's just loading and not responding
Thanks a lot. If it's possible, please make the same for Russian-speaking users. Thanks 😊
The webpage blocking rule would be totally useless if your browser is using DoH, I guess. Thanks
This is what encryption is for, yes. It would be great if everyone would be using encryption everywhere.
@@mikrotik Yes, but just don't tell it to (big companies') network admins :-)
Superb video. Thanks.
Indeed
❤❤
Hey friend
I noticed that you are using winbox and a macbook.
Why does MikroTik not have Winbox for Mac?
This would be important, as we have to use emulated solutions.
And in view of an official channel.
Here's the tip.
Because - as you see it works 😂
If it's not clear we can't follow along.
Is it just me or anyone else always select "show inline comments"? The way WinBox shows comments (in separate line) doesn't make any sense to me.
Anyway, good vid!
Normis, well done! Many thanks!
You're guaranteed to bang views here, lads
Others are like, Yeah, so just make a crazy lody and drum and setup.
nice
Please make a Russian version or Russian subtitles.
good :)