3.4 KiB
RouterOS Firewall Optimization
When the user asks you to audit a MikroTik firewall for duplicate or redundant rules, follow this process.
Initial scan
Fetch the full rule list:
/ip firewall filter print detail
/ip firewall nat print detail
/ip firewall mangle print detail
Use print detail (not print stats) — it shows the actual rule text, not counters.
What to look for
1. Rules covered by broader rules above them
If rule 8 accepts ALL traffic from subnet X to WAN interface, any later rule like "allow UDP 5060 from subnet X to WAN" is fully redundant — the broader rule already passes it.
This is the most common redundancy in MikroTik firewalls. Signal: protocol=tcp/udp + specific port + same src-address + same out-interface as an earlier accept-all rule.
2. Disabled rules with stale references
Rules with disabled=yes and comments referencing interfaces, IPs, or services that don't exist (e.g., "RemoteWinboxVPN5 not ready"). These are dead weight.
3. Rules serving the same purpose
Two separate rules for "Allow VPN to LAN" and "Allow VPN to WAN" are not redundant if they cover different destination networks. But check if the src-address-list is consistently populated across both — if one uses VPN_CLIENTS and the other also does, they serve different purposes and are fine.
4. Subnet overlap
If rule 15 allows SSH+Winbox from 10.1.0.0/24 and rule 16 allows Winbox from 10.1.1.0/24, check whether 10.1.1.0/24 is a subset of 10.1.0.0/24. If so, rule 16 is redundant. If they're separate subnets, fine.
Sensitivity analysis
Not all technically-redundant rules are safe to remove. Flag these cases:
-
"Allow established/related" with
untracked— Addinguntrackedto the established/related rule is intentional. Traffic that bypasses connection tracking (via raw rules) still needs to pass through the firewall. Removing thisuntrackedflag could break that traffic. -
Rules with counters — A rule that's "covered" by a broader rule but has a non-zero packet counter is still doing something — it's matching and counting traffic that the broader rule hasn't reached yet (due to earlier specific matches). Don't remove it just because it looks redundant on paper.
-
Dynamic rules — Rules with
dynamic=yes(usually at index 0) are system-generated and should not be removed.
Removal process
- Present your findings clearly: what's redundant, what's worth noting, why
- Wait for user confirmation before any changes
- Remove with
/ip firewall filter remove [find comment="..." or for specific rule numbers]
For rule-number-based removal:
/ip firewall filter remove numbers=10,11,12
For comment-based removal (safer — works across RouterOS versions):
/ip firewall filter remove [find comment="Allow VOICE VLAN to WAN SIP UDP 5060"]
Pitfalls
- Index shift after removal — Removing rules 10-12 shifts remaining rules down. If you reference rule numbers in your report vs what the user expects, clarify that indexes are just insertion order, not intrinsic IDs.
/exportshows the full rule set — if the user shares an export instead of live access, work from that. The rules are in the/ip firewall filtersection.- Some rules look redundant but serve as traffic shapers — A rule accepting all VOICE→WAN doesn't make a later port-specific rule wrong if the port rule also has a
connection-markorpacket-markfor QoS. Check for marks.