FIREWALL / QUICKSTART
Harden a fresh MikroTik, one paste at a time.
Four numbered steps. Each gives you a snippet you can read, paste, and verify before moving on. Reads in about 10 minutes; the full script at the bottom is copy-and-go when you've already understood the parts.
⚠ Before you paste
If your management session is over WAN, the rules below can lock you out. Have console access ready (serial cable on a CCR / hAP, or Winbox on the LAN side of a separate device).
01 · Clean slate
Remove any previous mikrotikfilters rules so re-runs are idempotent. We
namespace everything we add with a mtkf: comment prefix and a
mtkf- address-list prefix so this regex match is precise — we
never touch rules you wrote.
# 1. clean slate — remove any previous mikrotikfilters rules
/ip firewall filter
remove [find comment~"^mtkf:"]
/ip firewall address-list
remove [find list~"^mtkf-"] # 1. clean slate — remove any previous mikrotikfilters rules
/ip/firewall/filter
remove [find comment~"^mtkf:"]
/ip/firewall/address-list
remove [find list~"^mtkf-"] 02 · Fetch the scanners list
Pull the curated scanners list as an .rsc over HTTPS and import
it. The same add list=mtkf-scanners … syntax works on v6 and v7,
so this step is shared.
# 2. fetch the scanners list and import it as an address-list
/tool fetch mode=https \
url="https://mikrotikfilters.com/api/lists/scanners.rsc" \
dst-path=mtkf-scanners.rsc
/import file-name=mtkf-scanners.rsc Verify the import worked:
/ip firewall address-list print count-only where list=mtkf-scanners 03 · Drop scanner traffic
One rule on the input chain (drops scans hitting the router itself) and one on the forward chain (drops scans aimed at NATted hosts behind the router). Both rules sit at the top of their chains; everything else falls through to your existing rules.
# 3. drop scanner traffic on the input chain
/ip firewall filter
add chain=input action=drop \
src-address-list=mtkf-scanners \
comment="mtkf: drop scanners (input)"
add chain=forward action=drop \
dst-address-list=mtkf-scanners \
comment="mtkf: drop scanners (forward)" # 3. drop scanner traffic on the input chain
/ip/firewall/filter
add chain=input action=drop \
src-address-list=mtkf-scanners \
comment="mtkf: drop scanners (input)"
add chain=forward action=drop \
dst-address-list=mtkf-scanners \
comment="mtkf: drop scanners (forward)" Why the syntax differs
v6 uses space-separated paths (/ip firewall filter).
v7 prefers slash-separated paths (/ip/firewall/filter) but accepts the v6 form for compatibility. We use the v7-native form on v7 because it's clearer in editors.
04 · Schedule a daily refresh
The list updates as new scanner ranges are reported. A daily fetch is enough for the volume — the worst case is a one-day delay on new entries. The schedule command itself is the same on v6 and v7.
# 4. schedule a daily refresh — set-and-forget
/system scheduler add name=mtkf-refresh interval=1d \
on-event="/tool fetch mode=https url=\"https://mikrotikfilters.com/api/lists/scanners.rsc\" dst-path=mtkf-scanners.rsc; /import mtkf-scanners.rsc" A note on the daily pull cap
Anonymous fetches are capped at 10 pulls per day per IP across all our lists combined (PLAN.md §3.4). If you schedule 15 lists, the last 5 return 429 and your scheduler logs an error. The fix is either (a) cull the list to 10, or (b) become a supporter — supporters get a higher cap and the bundle builder which combines many lists into a single fetch.