Protection of NAT and the firewall on Mikrotik?

How to prevent the following attack on Mikrotik?

When you add a rule to the forward chain on the service provider's port with Dst. Address, it breaks outbound NAT.
July 2nd 19 at 13:19
2 answers
July 2nd 19 at 13:21
It is not in NAT and filter.
Best practice: you need to add an address list of bogon addresses,
then deny traffic from the provider interface where the packet header src equals the bogon networks, and it will be absolutely correct.
Packets whose headers specify a src-address from the bogon networks should definitely be banned. But the above article, as I understand it, describes an attack where packets arrive on the WAN interface with bogon addresses as dst-address in the header and can be routed to the internal network in accordance with the routing tables.
Do I need to add a rule that denies packets from the WAN interface whose headers have a bogon dst-address, or is it impractical? - helga80 commented on July 2nd 19 at 13:24
I finally added rules for both cases. - colin.Jaskolski commented on July 2nd 19 at 13:27
Added rules for both cases, also duplicated them in the INPUT chain. All 4 rules are processed, the counters increase. - helga80 commented on July 2nd 19 at 13:30
July 2nd 19 at 13:23
/ip firewall filter
add chain=forward in-interface=WANinterface connection-nat-state=!dstnat action=drop

Substitute the correct interface name.
Right, I forgot about nat-state. Thank you! - helga80 commented on July 2nd 19 at 13:26
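
Added example, not taken from either answer: the bogon address list from the first answer with src and dst drop rules placed in the raw prerouting chain, followed by the second answer's rule with connection-state=new added. The interface name ether1-WAN, the list name bogons, and a static public WAN address are assumptions.

```routeros
# Assumptions: WAN interface is ether1-WAN with a static public address.
# If the provider assigns an address from one of these ranges (private or
# 100.64.0.0/10), remove that range first; remove 224.0.0.0/4 if multicast
# (e.g. IPTV) is expected on the WAN side.
/ip firewall address-list
add list=bogons address=0.0.0.0/8 comment="this network"
add list=bogons address=10.0.0.0/8 comment="RFC 1918"
add list=bogons address=100.64.0.0/10 comment="RFC 6598 shared address space"
add list=bogons address=127.0.0.0/8 comment="loopback"
add list=bogons address=169.254.0.0/16 comment="link-local"
add list=bogons address=172.16.0.0/12 comment="RFC 1918"
add list=bogons address=192.0.2.0/24 comment="TEST-NET-1"
add list=bogons address=192.168.0.0/16 comment="RFC 1918"
add list=bogons address=198.18.0.0/15 comment="benchmarking"
add list=bogons address=198.51.100.0/24 comment="TEST-NET-2"
add list=bogons address=203.0.113.0/24 comment="TEST-NET-3"
add list=bogons address=224.0.0.0/4 comment="multicast"
add list=bogons address=240.0.0.0/4 comment="reserved"

# Raw prerouting runs before connection tracking and before the routing
# decision, so dst-address is still the one seen on the wire and the two
# rules cover both the forward and the input path. In the filter forward
# chain, a reply to a masqueraded connection already has the LAN host's
# private address as dst, so a dst bogon rule there drops return traffic.
/ip firewall raw
add chain=prerouting in-interface=ether1-WAN src-address-list=bogons action=drop comment="WAN: bogon source"
add chain=prerouting in-interface=ether1-WAN dst-address-list=bogons action=drop comment="WAN: bogon destination"

# Rule from the second answer. connection-state=new is an addition here:
# replies to src-NATed connections have nat-state srcnat, which also matches
# !dstnat, so without it the rule must sit below an accept rule for
# established,related traffic.
/ip firewall filter
add chain=forward in-interface=ether1-WAN connection-state=new connection-nat-state=!dstnat action=drop comment="WAN: new and not dst-NATed"
```

After applying, check the counters with `/ip firewall raw print stats` and confirm that outbound connections from the LAN still work.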

