After successfully configuring your ROS, there are some firewall rules to configure to secure your router.
Change the admin account name.
Change the default admin login port.
RouterOS MAC-access
RouterOS has built-in options for easy management access to network devices. These services should be shut down on production networks.
MAC-Telnet
Disable the MAC-Telnet service:
/tool mac-server set allowed-interface-list=none
/tool mac-server print
MAC-Winbox
Disable the MAC-Winbox service:
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server mac-winbox print
MAC-Ping
Disable the MAC-Ping service:
/tool mac-server ping set enabled=no
/tool mac-server ping print
Neighbor Discovery
The MikroTik Neighbor Discovery protocol is used to show and recognize other MikroTik routers in the network. Disable neighbor discovery on all interfaces:
/ip neighbor discovery-settings set discover-interface-list=none
Or disable MAC Discovery for all interfaces by using the following firewall rules:
/ip firewall filter
add action=drop chain=input comment="Block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
Create firewall filter rules to protect the router from incoming (input) connections:
/ip firewall filter
add chain=input comment="Accept established and related packets" connection-state=established,related
add chain=input comment="Accept all connections from local network" in-interface=LAN
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
Create firewall filter rules to protect your local network from connections passing through the router (forward):
/ip firewall filter
add chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
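To check that a router actually ended up in the state described above, the following added example (not part of the original article, and not a MikroTik tool) audits the text of a saved configuration for the four management-service settings and for the shape of the input chain. The function names parse and audit are hypothetical, a setting that does not appear in the text is reported as "not set", and the final-drop check goes one step beyond the rules listed on this page.

```python
import re
import shlex

# (menu path, key, value the page sets) for each management service.
EXPECTED = [
    ("/tool mac-server", "allowed-interface-list", "none"),
    ("/tool mac-server mac-winbox", "allowed-interface-list", "none"),
    ("/tool mac-server ping", "enabled", "no"),
    ("/ip neighbor discovery-settings", "discover-interface-list", "none"),
]
# Rule properties that do not narrow what a filter rule matches.
NON_MATCHERS = {"chain", "action", "comment", "disabled", "log", "log-prefix"}

def parse(config):
    """Yield (menu path, verb, params) for every set/add command."""
    path = ""
    for line in re.sub(r"\\\n\s*", "", config).splitlines():  # join continuations
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0].startswith("/"):
            cut = next((i for i, t in enumerate(tokens) if t in ("set", "add")), len(tokens))
            path, tokens = " ".join(tokens[:cut]), tokens[cut:]
        if tokens and tokens[0] in ("set", "add"):
            yield path, tokens[0], dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def audit(config):
    """Return findings; an empty list means every check passed."""
    settings, rules = {}, []
    for path, verb, params in parse(config):
        if verb == "set":
            settings.update({(path, k): v for k, v in params.items()})
        elif path == "/ip firewall filter" and params.get("chain") == "input":
            rules.append(params)  # input rules, in evaluation order
    findings = [f"{p}: {k} is {settings.get((p, k), 'not set')}, expected {w}"
                for p, k, w in EXPECTED if settings.get((p, k)) != w]
    # RouterOS accepts a packet that no rule in the chain matched, so the
    # last enabled input rule should drop everything that is left.
    last = ([r for r in rules if r.get("disabled") != "yes"] or [{}])[-1]
    if last.get("action") != "drop" or set(last) - NON_MATCHERS:
        findings.append("/ip firewall filter: input chain has no final unconditional drop")
    return findings

# Constructed sample: the page's commands, with MAC-Ping never disabled.
SAMPLE = """/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
/ip firewall filter
add chain=input connection-state=established,related
add chain=input in-interface=LAN
add action=drop chain=input connection-state=invalid
"""
print("\n".join(audit(SAMPLE)) or "all checks passed")
```

On the constructed sample it reports the missing MAC-Ping setting and the open-ended input chain; before adding a catch-all drop to a live router, confirm that your management access is matched by an earlier accept rule.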