Internet Not Working After Adding Firewall Rules (MikroTik)

Dec 23, 2025 11 mins read

🔴 Problem Description

One of the most common issues on MikroTik routers is losing internet access immediately after adding or modifying firewall rules. The router itself may still have internet access, but client devices behind it cannot browse, ping, or resolve DNS.

This problem usually appears after:

  • Adding new firewall filter rules

  • Copying rules from another router

  • Applying a “secure firewall” template without adjustments


🔍 Common Symptoms

  • Clients have IP addresses but no internet

  • Ping works to gateway but not to public IPs

  • DNS requests fail

  • Internet works temporarily, then stops


🔍 Possible Causes

1️⃣ Firewall Rule Order (Top to Bottom)

MikroTik processes firewall rules from top to bottom.
If a drop rule appears before an accept rule, traffic will be blocked.

Common mistake:
A general drop all rule placed too early.


2️⃣ Missing Allow Rules for Established & Related Connections

If these rules are missing, return traffic is blocked.

Required rule:

 
chain=forward connection-state=established,related action=accept

Without it, internet will not work reliably.


3️⃣ LAN to WAN Traffic Blocked

Firewall rules may allow traffic to the router but block traffic passing through it.

Check:

  • chain=forward

  • Source = LAN

  • Destination = WAN


4️⃣ Incorrect Interface List Usage

If firewall rules depend on interface lists (LAN / WAN), wrong assignments will break connectivity.

Verify:

  • WAN interface is correctly added to WAN list

  • LAN interfaces are added to LAN list


5️⃣ NAT Is Working but Firewall Blocks Traffic

NAT alone does not guarantee internet access.
Firewall filter rules can still block forwarded traffic.

When troubleshooting, check the firewall filter rules before the NAT rules.


✅ Step-by-Step Solution

✅ Step 1: Check Firewall Rule Order

Move essential allow rules to the top:

 
  1. accept established,related
  2. accept LAN → WAN
  3. drop invalid
  4. drop everything else

✅ Step 2: Verify Interface Lists

Go to:

 
Interfaces → Interface List

Confirm:

  • WAN = correct internet interface

  • LAN = bridge or internal interfaces


✅ Step 3: Confirm Forward Chain Rules

You should explicitly allow LAN to WAN traffic:

 
chain=forward in-interface-list=LAN out-interface-list=WAN action=accept

✅ Step 4: Check for Overly Broad Drop Rules

Look for rules like:

 
chain=forward action=drop

If found:

  • Narrow it down

  • Move it to the bottom


✅ Step 5: Test Connectivity

After changes:

  • Ping 8.8.8.8 from client

  • Test DNS resolution

  • Check firewall counters (hit counts)

Firewall counters often reveal the blocking rule.
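
The rule-order logic behind Steps 1 to 5 can be checked offline with a small first-match simulator. This is an added example, not code from the original article or from MikroTik: it reads rules in the same key=value form used above and reports the first rule a packet matches, which is the rule whose counter would increase. The rule sets, packet dictionaries and function names are constructed for illustration.

```python
# Added example: first-match evaluation of rules in the article's key=value form.
# Simplified model: only chain, connection-state and the two interface-list
# matchers are understood, and each packet carries one list name per direction.

def parse_rule(line):
    """'chain=forward action=drop' -> {'chain': 'forward', 'action': 'drop'}"""
    return dict(part.split("=", 1) for part in line.split())

def matches(rule, packet):
    """A rule matches only if every matcher it sets agrees with the packet."""
    for key, value in rule.items():
        if key == "action":
            continue
        if key == "connection-state":
            if packet.get(key) not in value.split(","):  # any listed state
                return False
        elif packet.get(key) != value:
            return False
    return True

def first_match(rules, packet):
    """Return (1-based position, action) of the first rule that matches.
    A packet that reaches the end of the chain unmatched is accepted."""
    for pos, line in enumerate(rules, start=1):
        rule = parse_rule(line)
        if matches(rule, packet):
            return pos, rule["action"]
    return None, "accept"

# Constructed rule sets (not taken from a real router).
BROKEN = [  # general drop placed above the accept rules
    "chain=forward action=drop",
    "chain=forward connection-state=established,related action=accept",
    "chain=forward in-interface-list=LAN out-interface-list=WAN action=accept",
]
FIXED = [  # order from Step 1
    "chain=forward connection-state=established,related action=accept",
    "chain=forward in-interface-list=LAN out-interface-list=WAN action=accept",
    "chain=forward connection-state=invalid action=drop",
    "chain=forward action=drop",
]
# Constructed packets: a client's new outbound connection and the reply to it.
OUTBOUND = {"chain": "forward", "connection-state": "new",
            "in-interface-list": "LAN", "out-interface-list": "WAN"}
REPLY = {"chain": "forward", "connection-state": "established",
         "in-interface-list": "WAN", "out-interface-list": "LAN"}

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, first_match(rules, OUTBOUND), first_match(rules, REPLY))
```

Evaluating REPLY against FIXED with its first rule removed sends the reply to the final drop, which is the missing established/related case from cause 2.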


🧠 Best Practices (From Real Experience)

  • Never paste firewall rules blindly

  • Always add logging temporarily when troubleshooting

  • Comment every firewall rule

  • Test after every change

Small changes can break everything.


⚠️ Common Mistakes

  • Forgetting established/related rule

  • Blocking forward chain instead of input

  • Mixing LAN and WAN interfaces

  • Assuming NAT fixes firewall issues


🔚 Final Thoughts

When internet stops working after adding firewall rules on MikroTik, the problem is almost always related to rule order, missing allow rules, or incorrect interface lists. Understanding how MikroTik processes firewall rules makes troubleshooting faster and more effective.

Fix the logic—not just the rule.
