Why This Setup Is Different
- Running a homelab with a public IP block alongside private addressing means part of your network is directly reachable from the internet. The threat model is no longer “my home router” — it is “a small exposed datacenter.”
- The goal is not paranoia but confidence: a layered setup where a single mistake or a single compromised host does not cascade into the whole network.
- Firewall design is the foundation and is covered separately in the Firewall Architecture article. This one assumes that base is in place and builds the rest of the hardening around it.
1. Management Plane: Lock Down How You Log In
- Move management services (SSH, the admin UI) off their default ports. This does not stop a targeted attacker, but it removes you from the constant noise of automated scans.
- Bind those services to specific source networks only — your trusted VLAN, the VPN, a rescue address — never to the public interface.
- SSH: keys only, password authentication disabled, strong crypto enabled. Limit concurrent sessions.
- Disable every management service you do not use: Telnet, FTP, the API, legacy web variants. Each disabled service is one less attack surface to reason about.
/ip service
set ssh address=10.10.10.0/24,10.10.70.0/24 port=1234 max-sessions=1
set winbox address=10.10.10.0/24,10.10.70.0/24 port=1235 max-sessions=1
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh set password-authentication=no strong-crypto=yes
2. Remote Access: VPN Over Port Forwarding
- Do not expose management interfaces to the internet, ever. Reach them through a VPN instead – WireGuard is fast, simple, and has a tiny attack surface.
- Give the VPN its own subnet and place it in your trusted interface list, so VPN clients get management access without any port being open to the world except the VPN listener itself.
- Use one allowed-address per peer (a /32) so each client maps to exactly one identity. Revoking access is then a single peer removal.
/interface wireguard add listen-port=22 name=vpn
/interface wireguard peers add interface=vpn allowed-address=10.10.70.2/32 comment=Laptop public-key="..."
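One way to check an exported RouterOS config against the management-plane and VPN rules in sections 1 and 2, written here as an added example rather than anything from the article: the export text, the interface and peer names, and the MANAGEMENT / MUST_DISABLE sets are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample (not from the article) of the relevant `/export` output, with deliberate slips.
SAMPLE_EXPORT = """\
/ip service
set ssh address=10.10.10.0/24,10.10.70.0/24 port=1234 max-sessions=1
set winbox port=1234 max-sessions=1
set telnet disabled=yes
set api-ssl disabled=no
/ip ssh
set password-authentication=no strong-crypto=yes
/interface wireguard peers
add interface=vpn allowed-address=10.10.70.2/32 comment=Laptop public-key="x"
add interface=vpn allowed-address=10.10.70.0/24 comment=Phone public-key="y"
"""

MANAGEMENT = {"ssh", "winbox"}                     # must be bound to trusted source networks
MUST_DISABLE = {"telnet", "ftp", "api", "api-ssl"}  # must be switched off

def parse_export(text):
    """Map each '/path' section to a list of {key: value} dicts, one per line."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = sections.setdefault(line.strip(), [])
        elif current is not None and line.strip():
            rest = line.strip().partition(" ")[2]  # drop the set/add verb
            fields = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', rest))
            if rest and "=" not in rest.split()[0]:  # 'set ssh ...' -> name=ssh
                fields["name"] = rest.split()[0]
            current.append(fields)
    return sections

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_export(text), []
    for svc in cfg.get("/ip service", []):
        name, off = svc.get("name"), svc.get("disabled") == "yes"
        if name in MUST_DISABLE and not off:
            findings.append(f"{name}: should be disabled")
        elif name in MANAGEMENT and not off and "address" not in svc:
            findings.append(f"{name}: not bound to trusted source networks")
    if not any(s.get("password-authentication") == "no" for s in cfg.get("/ip ssh", [])):
        findings.append("ssh: password authentication still enabled")
    for peer in cfg.get("/interface wireguard peers", []):  # one identity per /32
        net = ipaddress.ip_network(peer.get("allowed-address", "0.0.0.0/0"), strict=False)
        if net.num_addresses != 1:
            findings.append(f"peer {peer.get('comment', '?')}: allowed-address is not a /32")
    return findings
```

Run it against a real `/export` periodically and treat any non-empty result as drift from the baseline.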
3. Segment Public-Facing Services Into a DMZ
- Anything reachable from the internet — a web host behind Cloudflare, a game server — belongs in a dedicated DMZ VLAN, isolated from your trusted network.
- Put the DMZ in a WAN_ONLY interface list: it can reach the internet, but the firewall forbids it from initiating connections into the LAN. If the host is breached, the attacker is trapped in the segment.
- Route the DMZ out through your public IP and forward only the specific ports it needs. Nothing else from the public block should be reachable.
- This is the difference between “they got my web server” and “they got my whole house.”
4. Quarantine Untrusted Devices (IoT)
- Smart-home gear, cameras, and anything you cannot keep patched are the weakest links. Treat them as already compromised.
- Give them their own VLAN, also WAN_ONLY, with client isolation enabled so devices cannot even talk to each other. A hidden SSID and a client cap add minor friction for opportunistic attacks.
- If a device needs a local service (a DNS resolver, a controller), allow exactly that one flow and nothing more — do not open the whole VLAN to the LAN.
- Be deliberate about where shared services live. A resolver that sits in the IoT VLAN but also serves your trusted network means an IoT compromise can affect name resolution everywhere. Prefer hosting shared infrastructure in a more trusted segment.
5. Cloudflare: Protect the Origin
- If you serve a site through Cloudflare, ensure the origin can only be reached via Cloudflare — never directly by IP. One firewall rule that drops WAN traffic to 80/443 from any source not on Cloudflare’s published list enforces this.
- Keep that address list current automatically with a scheduled script rather than editing it by hand. This and the rule itself are detailed in the Firewall Architecture article.
- The payoff: scanners hitting your public IP directly get nothing, and the only path to your web host runs through Cloudflare’s WAF and DDoS protection.
6. Disable What You Don’t Use
- If you do not run IPv6, disable it and add an explicit drop for IPv6 from the WAN as defence in depth — an unconfigured protocol that quietly turns on is a blind spot.
- Turn off discovery and convenience features facing untrusted networks: neighbor discovery scoped to trusted interfaces only, MAC-server and bandwidth-server disabled, the WPS button disabled.
- Disable automatic media/SMB sharing if you are not deliberately serving files. An auto-share that activates on the next USB stick is an exposure you did not intend.
/ipv6 settings set disable-ipv6=yes forward=no
/ip neighbor discovery-settings set discover-interface-list=TRUSTED
/tool mac-server set allowed-interface-list=none
/tool mac-server ping set enabled=no
/tool bandwidth-server set enabled=no
/system routerboard wps-button set enabled=no
/disk settings set auto-media-sharing=no auto-smb-sharing=no
7. Visibility: You Cannot Secure What You Cannot See
- Ship logs off the router to a remote syslog target. If a device is compromised or reboots, local logs vanish exactly when you need them — remote logs survive.
- Export flow data (IPFIX/NetFlow) to a collector so you can see what is actually talking to what. Unexpected outbound traffic from the IoT or DMZ segment is an early warning sign.
- Log the final firewall drops, not every blocked packet — signal, not noise.
/system logging action set remote remote=10.10.10.2 src-address=10.10.10.1
/system logging add action=remote topics=info,critical,error,warning
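Added example (not from the article) of the kind of check worth running over the shipped logs: it parses constructed RouterOS-style firewall drop lines and reports sources in the assumed WAN_ONLY segments (interfaces iot and dmz) that tried to reach the assumed trusted subnet 10.10.10.0/24, grouped by the destination ports they probed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape RouterOS firewall logging produces
# (not captured from any real network). Only the final drop rules are logged, as the text advises.
SAMPLE_LOG = """\
Mar  3 09:14:02 rtr firewall,info drop-final forward: in:iot out:lan, src-mac aa:bb:cc:dd:ee:01, proto TCP (SYN), 10.10.40.23:51234->10.10.10.2:445, len 60
Mar  3 09:14:03 rtr firewall,info drop-final forward: in:iot out:lan, src-mac aa:bb:cc:dd:ee:01, proto TCP (SYN), 10.10.40.23:51235->10.10.10.2:22, len 60
Mar  3 09:14:03 rtr firewall,info drop-final forward: in:iot out:lan, src-mac aa:bb:cc:dd:ee:01, proto TCP (SYN), 10.10.40.23:51236->10.10.10.2:3389, len 60
Mar  3 09:14:09 rtr firewall,info drop-final forward: in:dmz out:lan, src-mac aa:bb:cc:dd:ee:02, proto UDP, 10.10.50.10:40000->10.10.10.2:53, len 72
Mar  3 09:15:00 rtr firewall,info drop-final input: in:ether1 out:(unknown 0), src-mac aa:bb:cc:dd:ee:03, proto TCP (SYN), 203.0.113.9:44444->198.51.100.1:22, len 60
"""

# Fields of a RouterOS firewall log entry: "<chain>: in:<if> out:<if>, ..., proto <P> ..., src:port->dst:port"
LINE_RE = re.compile(
    r"(?P<chain>\w+): in:(?P<src_if>\S+) out:(?P<dst_if>.+?), .*?proto (?P<proto>\w+)"
    r".*?(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

TRUSTED = ipaddress.ip_network("10.10.10.0/24")  # assumed trusted LAN (constructed)
UNTRUSTED_IFACES = {"iot", "dmz"}                # assumed WAN_ONLY segments (constructed)

def parse_drops(text):
    """Yield one dict of named fields per parseable firewall-drop line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def find_lateral_attempts(text, min_ports=1):
    """Return {(src_if, src_ip): sorted dst ports} for sources in an untrusted segment
    that tried to reach the trusted subnet on at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for d in parse_drops(text):
        if d["src_if"] in UNTRUSTED_IFACES and ipaddress.ip_address(d["dst"]) in TRUSTED:
            ports[(d["src_if"], d["src"])].add(int(d["dport"]))
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for (iface, src), dports in find_lateral_attempts(SAMPLE_LOG).items():
        print(f"{iface} host {src} tried trusted-subnet ports {dports}")
```

A single dropped flow (the dmz host asking the resolver for DNS) may just be a service you forgot to allow explicitly; the same source walking several ports is the early-warning sign the text describes.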
8. Recoverability: Plan for the Day You Lock Yourself Out
- Keep a rescue path: a dedicated physical port in the trusted list on a separate management subnet, reachable even if your VLANs or routing break.
- Schedule automatic configuration backups and keep a copy off the device. A backup that only lives on the router you just bricked is no backup.
- Always work behind Safe Mode when editing firewall or routing — covered in the Firewall Architecture article. It auto-reverts changes if your session drops.
/system scheduler add name=weekly-backup interval=1w on-event="/system backup save name=weekly" policy=read,write,sensitive start-time=07:00:00
9. Keep the System Honest
- Reboot and patch on a schedule. RouterOS gets security fixes; running months behind is its own risk.
- Keep accurate time via NTP with the correct timezone. Wrong clocks corrupt your logs’ timeline and break certificate validity — both matter precisely when you are investigating an incident.
- Review your config periodically and delete rules, leases, and forwards you no longer use. Dead config is where mistakes hide.
Summary: Layers, Not Walls
- Management locked to trusted sources on non-default ports, keys only.
- Remote access through VPN, never exposed admin ports.
- Public services in a WAN_ONLY DMZ; untrusted devices quarantined the same way.
- Origin protected behind Cloudflare; unused protocols and services disabled.
- Logs and flows shipped off-box; backups and a rescue path ready.
- Patched, time-synced, and periodically pruned.
- No single layer is perfect — the point is that compromising one does not hand over the rest.