NAT and firewall protection on Mikrotik?

How can a Mikrotik be protected against the following attack? https://habrahabr.ru/post/134638/

When a rule is added to the forward chain on the provider's port with Dst. Address 192.168.0.0/16, outbound NAT breaks.
July 2nd 19 at 13:19
2 answers
July 2nd 19 at 13:21
Solution
This is done not in NAT but in filter.
Best practice: you need to add an address list of bogon addresses, wiki.mikrotik.com/wiki/BOGON_Address_List
Then deny traffic from the provider interface where the src in the packet header matches the bogon networks, and it will be absolutely correct.
Packets whose headers specify a src-address from the bogon networks definitely should be banned. But the above article, as I understand it, describes an attack where packets arrive on the WAN interface with bogon addresses as the dst-address in the header and can be routed to the internal network, in accordance with the routing tables.
Do you need to add a rule that denies packets from the WAN interface whose header dst-address is a bogon, or is it impractical? - helga80 commented on July 2nd 19 at 13:24
I finally added rules for both cases. - colin.Jaskolski commented on July 2nd 19 at 13:27
Added rules for both cases, also duplicated them in the INPUT chain. All 4 rules are processed, the counters increase. - helga80 commented on July 2nd 19 at 13:30
July 2nd 19 at 13:23
/ip firewall filter
add chain=forward in-interface=WANinterface connection-nat-state=!dstnat action=drop

Substitute the correct interface name.
Right, I forgot about nat-state. Thank you! - helga80 commented on July 2nd 19 at 13:26
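
Why the dst-address rule from the question breaks outbound NAT while the connection-nat-state rule from the second answer does not, shown as an added Python model (not code from the thread or from MikroTik). The addresses, the port forward and the accept rule for established connections placed before the drop rule are assumptions made for the illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/16")  # internal range from the question
WAN_IP = "203.0.113.10"                       # constructed WAN address

# Constructed router state: one masqueraded outbound connection, one port forward.
SRCNAT_REPLIES = {("198.51.100.7", 40000): "192.168.1.50"}  # (remote ip, router port) -> LAN host
DSTNAT = {8080: "192.168.1.20"}                              # WAN port -> LAN server

def prerouting(pkt):
    """Connection tracking and NAT run before the forward chain, so filter
    rules see the translated dst-address, not the one that was on the wire."""
    pkt = dict(pkt, state="new", nat="none")
    if pkt["dst"] == WAN_IP:
        reply_to = SRCNAT_REPLIES.get((pkt["src"], pkt["dport"]))
        if reply_to:
            pkt.update(dst=reply_to, state="established", nat="srcnat")
        elif pkt["dport"] in DSTNAT:
            pkt.update(dst=DSTNAT[pkt["dport"]], nat="dstnat")
    return pkt

def dst_in_lan(p):      # in-interface=WAN dst-address=192.168.0.0/16
    return p["in"] == "WAN" and ipaddress.ip_address(p["dst"]) in LAN

def established(p):     # connection-state=established,related (assumed earlier rule)
    return p["state"] == "established"

def not_dstnat(p):      # in-interface=WAN connection-nat-state=!dstnat
    return p["in"] == "WAN" and p["nat"] != "dstnat"

NAIVE = [(dst_in_lan, "drop")]
STATEFUL = [(established, "accept"), (not_dstnat, "drop")]

def forward(pkt, chain):
    """First matching rule wins; unmatched packets are accepted."""
    seen = prerouting(pkt)
    return next((action for match, action in chain if match(seen)), "accept")

# Constructed packets arriving on the WAN interface.
REPLY = {"in": "WAN", "src": "198.51.100.7", "dst": WAN_IP, "dport": 40000}
DIRECT_TO_LAN = {"in": "WAN", "src": "198.51.100.99", "dst": "192.168.1.50", "dport": 445}
PORT_FWD = {"in": "WAN", "src": "198.51.100.99", "dst": WAN_IP, "dport": 8080}

if __name__ == "__main__":
    for name, pkt in [("reply", REPLY), ("direct", DIRECT_TO_LAN), ("port-forward", PORT_FWD)]:
        print(name, forward(pkt, NAIVE), forward(pkt, STATEFUL))
```

In this model the dst-address rule drops the reply to a masqueraded connection because its destination has already been translated back to the LAN host, while the nat-state rule drops only the packet that arrived addressed directly to the LAN.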
