MikroTik and PCI Compliance

I met with an operator today who is the primary technician for a hospitality operator. His background is primarily in Microsoft support, so advanced routers like those made by MikroTik with complex firewalling functionality are still new to him. He explained that his PCI compliance required scanning each of his nine sites for open ports using a PCI compliance service's software. All nine locations had failed due to open ports, and upon inspection there were firewall rules in place. I showed him my web site http://MikroTikConfig.com and how easy it is to create a basic firewall. Here is the firewall script we created:

# Generated by ISP Supplies | LearnMikroTik.com's Firewall tool
# Available at http://mikrotikconfig.com
#
# Assumes the LAN side of the router is the interface named bridge1; adjust in-interface to match.
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new \
   in-interface=bridge1
add action=drop chain=forward comment="Drop all other connections through the router"
add chain=input comment="Allow everything from the LAN interface to the router" in-interface=bridge1
add chain=input comment=\
   "Allow established connections to the router, these are OK because we aren't allowing new connections" \
   connection-state=established
add chain=input comment=\
   "Allow related connections to the router, these are OK because we aren't allowing new connections" \
   connection-state=related
add chain=input comment=\
   "Allow from our VPN subnet" src-address-list=VPNAddresses
# NOTE: this final drop is disabled=yes as written. Until it is enabled (disabled=no) the input chain
# ends in RouterOS's implicit accept and the router's own services stay reachable from the WAN.
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall address-list
add address=10.10.10.0/24 comment="VPN Subnet" list=VPNAddresses

This firewall allows connections initiated from the LAN (bridge1) to pass through the router together with their return traffic, drops everything else in the forward chain, and permits access to the router itself only from the LAN interface and from the VPN subnet in the VPNAddresses address-list, once the final input drop rule is enabled. Two details are easy to miss when reviewing a script like this: the address-list name on the rule must match the name in /ip firewall address-list exactly (a misspelled list matches nothing), and a drop rule that is disabled does not protect anything. We then ran the PCI test tool and all nine sites passed.
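The two mistakes called out above are easy to check for mechanically before running the PCI scanner. The script below is an added example for this post, not MikroTikConfig.com's tool or anything from RouterOS: it parses a RouterOS firewall export (honouring the trailing-backslash line continuation and "quoted" values the export format uses), then flags any rule that references an address-list that was never defined and any input or forward chain whose last enabled rule is not a drop or reject. The embedded sample export is constructed from the firewall above with its two defects deliberately left in (a list-name typo and a disabled final drop) so the checks have something to find.

```python
"""Lint a RouterOS firewall export for two mistakes that quietly leave a
router open: a chain whose last enabled rule is not a drop (unmatched
traffic then falls through to RouterOS's implicit accept), and a rule that
references an address-list that was never defined (it then matches nothing).
Added example for this post; it is not MikroTikConfig.com's tool."""
import shlex
from typing import Dict, List

Rule = Dict[str, str]

# Constructed sample: the post's firewall with its two defects kept on
# purpose (list-name typo on the VPN input rule, final input drop disabled).
SAMPLE_EXPORT = r'''
# Generated by ISP Supplies | LearnMikroTik.com's Firewall tool
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new \
   in-interface=bridge1
add action=drop chain=forward comment="Drop all other connections through the router"
add chain=input comment="Allow everything from the LAN interface to the router" in-interface=bridge1
add chain=input comment=\
   "Allow established connections to the router" connection-state=established
add chain=input comment="Allow related connections to the router" connection-state=related
add chain=input comment="Allow from our VPN subnet" src-address-list=VPNAddreses
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall address-list
add address=10.10.10.0/24 comment="VPN Subnet" list=VPNAddresses
'''


def parse_export(text: str) -> Dict[str, List[Rule]]:
    """Return {section path: [rule, ...]} for every 'add' line.

    Handles the two RouterOS export conventions that trip up naive parsing:
    a trailing backslash continues the command on the next line (the leading
    whitespace of that line is dropped), and values may be "double quoted".
    """
    sections: Dict[str, List[Rule]] = {}
    current = ""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]          # continued on the next line
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            current = line                # e.g. /ip firewall filter
            sections.setdefault(current, [])
        elif line.startswith("add "):
            rule: Rule = {}
            for tok in shlex.split(line[4:]):   # respects "quoted values"
                key, _, val = tok.partition("=")
                rule[key] = val
            sections.setdefault(current, []).append(rule)
    return sections


def lint(sections: Dict[str, List[Rule]]) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings: List[str] = []
    filters = sections.get("/ip firewall filter", [])
    defined = {r.get("list") for r in sections.get("/ip firewall address-list", [])}

    # 1. Every address-list a rule refers to must actually exist.
    for i, r in enumerate(filters, 1):
        for key in ("src-address-list", "dst-address-list"):
            name = r.get(key)
            if name and name not in defined:
                findings.append(
                    f"filter rule {i} (chain={r.get('chain')}): {key}={name} "
                    f"is not a defined address-list, so the rule matches nothing")

    # 2. The last *enabled* rule of input and forward must be a drop/reject;
    #    RouterOS accepts whatever reaches the end of a chain otherwise.
    for chain in ("input", "forward"):
        enabled = [r for r in filters
                   if r.get("chain") == chain and r.get("disabled") != "yes"]
        last_action = enabled[-1].get("action", "accept") if enabled else "accept"
        if last_action not in ("drop", "reject"):
            findings.append(
                f"chain {chain}: last enabled rule is '{last_action}', unmatched "
                f"traffic falls through to the implicit accept")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)) or ["no findings"]:
        print(finding)
```

Run it against the output of `/export` (or just the `/ip firewall` part of it) saved to a file; fixing the list name and removing `disabled=yes` from the final input drop makes both findings disappear. The check is deliberately narrow: it does not reason about rule order beyond the final rule, so an accept-all placed earlier in a chain is still something to review by eye.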

MikroTik RouterOS is a great tool for establishing a firewall that will pass an external PCI port scan, and it does so in a cost-efficient manner.