Yeah, you would not believe the number of intrusions I saw when I temporarily turned on logging for blocking incoming connections from WAN, it’s crazy.
I got one of these from @smnrock, and replaced my hap ac2 and a small 5 port POE switch with the RB5009 UPR. Working great so far.
I did consider one but the Hex is more than enough for the features I need and the bandwidth I have. Really top-of-the-line hardware, the RB5009UPR.
Try crowdsec and fail2ban.
I’ve heard of those and I still need to look into them, but I think it’s way better with Mikrotik.
Basically, a simple firewall filter that blocks any new incoming connections to the router itself that didn’t physically originate from the LAN interfaces
Sheer elegance:
/ip firewall filter add action=drop chain=input in-interface-list=!LAN
And then Wireguard or Tailscale for services that you do need to expose to the internet.
Wireguard (if using mikrotik bounce servers) or tailscale are not internet/dmz.
So you don’t need anything special unless you are opening a port. Make sure IPv6 is disabled on LAN if your ISP supports it, or add a rule for that as well.
Fail2ban can give an extra layer of protection if a LAN device somehow gets compromised and uses a brute force attack on the SSH port of your servers. So it can ban local as well as WireGuard IPs.
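The single drop rule above, plus the IPv6 rule and the WireGuard exception mentioned in the replies, written out as a full RouterOS filter set. This is an added example, not config from anyone in the thread; it assumes the default config's LAN and WAN interface lists already exist, a VLAN interface named vlan10 on the bridge, and a WireGuard interface wg0 listening on UDP/13231 (all assumed names).

```routeros
# Added example (not from the thread). Assumed: interface lists LAN/WAN exist
# from the default config, LAN = bridge + vlan10, WireGuard on wg0 port 13231.

# VLAN interfaces must be added to the LAN list explicitly, otherwise
# traffic arriving on vlan10 matches "!LAN" and is dropped by the input rule.
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge
add list=LAN interface=vlan10
add list=LAN interface=wg0

# IPv4 input chain (traffic to the router itself).
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="keep existing flows"
add chain=input action=drop connection-state=invalid comment="drop broken state"
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard listener"
add chain=input action=drop in-interface-list=!LAN comment="block WAN-originated input"

# IPv6 equivalent; the IPv4 rule alone leaves the router reachable over v6
# when the ISP delegates a prefix. ICMPv6 is needed for ND/RA to keep working.
/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="keep existing flows"
add chain=input action=drop connection-state=invalid comment="drop broken state"
add chain=input action=accept protocol=icmpv6 comment="ND/RA need ICMPv6"
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard listener"
add chain=input action=drop in-interface-list=!LAN comment="block WAN-originated input"

# Temporary visibility into what the drop rule catches (the logging the first
# post mentions); ships disabled, enable briefly, review /log, disable again.
/ip firewall filter
add chain=input action=log log-prefix="wan-input-drop" in-interface-list=!LAN \
    disabled=yes place-before=[find comment="block WAN-originated input"]
```

Forwarded traffic (dst-nat port openings) goes through the forward chain, not input, so these rules do not affect it.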
That’s the beauty of RouterOS/MikroTik: even decade-old devices can continue to work with the latest releases without breaking a sweat.
Except for the container feature (restricted to arm64), all other features should work perfectly fine on older devices.
One issue I faced is that Interface Lists do not support VLAN interfaces. The default rules use Interface Lists everywhere and I had to write custom rules.
Input blocking excludes dstnat, so opening a port should not need any new rules, right?
It is supported. What exactly is the issue?
I couldn’t find the VLAN interfaces in the selection. I will check it again once I reach home.
Yeah, I haven’t publicly exposed ports/services since the ICQ days.
Theoretically, VLAN isolation should help with compromised LAN devices, but I guess once something is already in your LAN, or a LAN device is compromised, then you have bigger issues to deal with.
I do need to figure out better network security some day.
I can see it now in the list. I was on an older release before doing netinstall. Did this feature come in a recent release?
Not sure about RouterOS 6.x, but it was there from 7.x!
I was on 7.x, which one I am not sure. Thanks for clarifying.
Yet to put the Hex back online. Went back to OpenWrt on the ERLite-3 for now till I fix this.
Replaced the power adapter so it’s not the cause.
Happy to ship
What I meant is that a full firmware refresh using netinstall will fix most issues. My case was triggered by the faulty power supply, but it still needed a netinstall.