
routeros-firewall

RouterOS firewall filter, NAT, mangle, and address-list configuration. Use when: writing firewall rules in RouterOS, configuring NAT, setting up address-lists or interface-lists, writing idempotent firewall scripts, configuring DNS redirect or port forwarding, or when the user mentions /ip/firewall, chain=forward, chain=input, connection-state, address-list, interface-list, or layer7-protocol on MikroTik.
tikoci/routeros-skills · ★ 18 · API & Backend · score 81
Install: claude install-skill tikoci/routeros-skills
# RouterOS Firewall

## Rule Ordering — Sequential, Not Priority-Based

Rules are evaluated **top-to-bottom** — the first matching terminal rule wins. This is the biggest source of confusion for users coming from iptables.

- `place-before=0` inserts at the top; the default `add` appends at the bottom
- An `action=accept` rule must appear BEFORE any `action=drop` for the same traffic
- **Non-terminal actions do NOT stop evaluation:** `action=add-src-to-address-list`, `action=add-dst-to-address-list`, `action=log`, and any rule with `passthrough=yes` continue to the next rule. A `drop` rule below an `add-src-to-address-list` will still fire.

```routeros
# WRONG — drop fires before accept can match
/ip/firewall/filter/add chain=input action=drop
/ip/firewall/filter/add chain=input src-address=10.0.0.1 action=accept

# CORRECT — accept first, drop catches the rest
/ip/firewall/filter/add chain=input src-address=10.0.0.1 action=accept place-before=0
/ip/firewall/filter/add chain=input action=drop
```

## Address-Lists as Dynamic Selectors

LLMs rarely suggest this pattern — they write one rule per IP address instead. Address-lists scale to hundreds of IPs with a single firewall rule.

```routeros
# Build the list (static or dynamic with auto-expiry)
/ip/firewall/address-list/add list=trusted-mgmt address=192.168.1.0/24
/ip/firewall/address-list/add list=trusted-mgmt address=10.0.0.5 timeout=1h

# One rule handles all list members
/ip/firewall/filter/add chain=input src-address-list=trusted-mgmt action=accept \
    comment="mya
```
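The two points above, sequential evaluation and address-lists as selectors, come together when a script has to be safe to re-run. The following is an added example and not code from the tikoci/routeros-skills skill: it builds an input-chain baseline where the terminal `drop` is created first and every `accept` is inserted with `place-before` pointing at it, so a re-run on a router that already has the drop never appends an accept below it. The list name `trusted-mgmt`, the member addresses, and the rule comments used as idempotency keys are assumptions.

```routeros
# Added example (not part of the original skill): idempotent input-chain baseline.
# List name, member addresses and rule comments are assumed values.
:local listName "trusted-mgmt"
:local members {"192.168.1.0/24"; "10.0.0.5"}

# 1. Populate the address-list, skipping entries that already exist
:foreach addr in=$members do={
    :if ([:len [/ip/firewall/address-list/find list=$listName address=$addr]] = 0) do={
        /ip/firewall/address-list/add list=$listName address=$addr comment="managed by script"
    }
}

# 2. The terminal drop is the anchor. Create it if missing, then look up its id so
#    every accept below can be placed above it regardless of what already exists.
:local dropComment "input: drop everything else"
:if ([:len [/ip/firewall/filter/find chain=input comment=$dropComment]] = 0) do={
    /ip/firewall/filter/add chain=input action=drop comment=$dropComment
}
:local dropRule [/ip/firewall/filter/find chain=input comment=$dropComment]

# 3. Accept/drop-invalid rules, each created only if its comment is not found and
#    always inserted directly above the terminal drop. Because each new rule lands
#    just above the drop, the blocks below end up in the order they are written:
#    established/related -> invalid -> trusted-mgmt -> drop.
:if ([:len [/ip/firewall/filter/find comment="input: accept established,related"]] = 0) do={
    /ip/firewall/filter/add chain=input connection-state=established,related action=accept \
        comment="input: accept established,related" place-before=$dropRule
}
:if ([:len [/ip/firewall/filter/find comment="input: drop invalid"]] = 0) do={
    /ip/firewall/filter/add chain=input connection-state=invalid action=drop \
        comment="input: drop invalid" place-before=$dropRule
}
:if ([:len [/ip/firewall/filter/find comment="input: accept trusted-mgmt"]] = 0) do={
    /ip/firewall/filter/add chain=input src-address-list=$listName action=accept \
        comment="input: accept trusted-mgmt" place-before=$dropRule
}
```

Run it once from `/system/script` and the chain reads established/related, invalid, trusted-mgmt, drop; run it again and nothing changes, because every `add` is guarded by a `find` on a unique comment. Before applying a baseline like this over a remote session, confirm that the management address you are connecting from is a member of the address-list; with the ordering above, a connection that is not already established and not from the list is dropped.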