CHAPTER 6: FIREWALL
MTCNA TRAINING PROGRAM

Agenda
- Firewall Filter
- Bridge Firewall
- NAT (Network Address Translation)
- Hotspot
- Proxy

Firewall Filter

Firewall
- Protects your router and clients from unauthorized access
- This is done by creating rules in the Firewall Filter and NAT facilities

Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Firewall Filter
- Consists of user-defined rules that work on the IF-THEN principle
- These rules are ordered in chains
- There are predefined chains and user-created chains

Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Filter Chains
- Rules can be placed in three default chains:
  - input (to the router)
  - output (from the router)
  - forward (through the router)

Filter Chains
- Filter chain menu [screenshot]

Filter Chains Flow [figure]

Filter Input Example
- The input chain contains the filter rules that protect the router itself
- Scenario: block your laptop from reaching the router on its Layer 3 (IP) address, while it can still connect to the Internet

Filter Input Example
[screenshot]

Filter Input Example
- You can still connect by MAC address, because Firewall Filter only applies to IP
- Try to ping the gateway: the firewall is working

Filter Input MAC Server
- You can disable MAC access in the MAC Server menu [screenshot]

Filter Address-List
- An address list lets you filter a group of addresses with one rule
- Addresses can be added to a list automatically and then blocked
- Different lists can be created
- Subnets, separate ranges and single host addresses are supported
[screenshot]

Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list

Filter Address-List Example
- Change your existing rule to use an address list containing one host
[screenshot]

Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list

Dynamic Address List Example
- Scenario:
  - Automatically add everyone who pings the router to an address list for 15 seconds
  - Block the addresses on that list
[screenshot]

Dynamic Address List Example
- Try to ping the router at IP 172.16.X.1
- At the same time, view the address list table

Dynamic Address List Example
- Change the existing rule that blocks your IP so that it uses the dynamic address list
- Try to ping the router at IP 172.16.X.1
[screenshot]

Filter Forward
- The forward chain contains rules that control packets going through the router
- It controls traffic to and from the clients

Filter Forward Example
- Create a rule that blocks TCP port 80 (web browsing) towards the Internet
- A protocol must be selected before a port can be matched
[screenshot]

Filter Forward Example Test
- Try to open www.mikrotik.com
- Try to ping www.mikrotik.com
- Why can we still ping www.mikrotik.com when we cannot open the page in a browser?

Well-Known Ports [table]

Firewall Log
- Let's log the rules of your existing input chain
- The log rule must be placed before the rule with the other action (a dropped packet never reaches a later rule)
[screenshot]

Firewall Log Test and View [screenshot]

Connection State [figure]

Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Connection State
- Advice: drop invalid connections
- The firewall should process only new packets; it is recommended to exclude the other connection states with their own rules
- Filter rules have the "connection-state" matcher for this purpose

Connection State = invalid packets -> Drop
Connection State = established packets -> Accept
Connection State = related packets -> Accept
Connection State = new packets -> Check by firewall filter

Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Connection State in Firewall Rules [screenshot]

Connection State Suggestion
- Router Protection

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid Connections"
add chain=input connection-state=established action=accept comment="Allow Established Connections"
add chain=input connection-state=related action=accept comment="Allow Related Connections"
add chain=input src-address=172.16.1.1/24 in-interface=ether5 action=accept comment="Allow Laptop IP"
add chain=input action=drop comment="Drop Everything Else"

Source: https://wiki.mikrotik.com/wiki/Firewall

Connection State Suggestion
- Customer Protection (block "bogon" IP addresses)
- Note that 172.0.0.0/8 is not a bogon range (it contains public addresses; only 172.16.0.0/12 is private), so the loopback range 127.0.0.0/8 is what belongs in this list

/ip firewall filter
add chain=forward src-address=0.0.0.0/8 action=drop comment="bogon: this network"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="bogon: this network"
add chain=forward src-address=127.0.0.0/8 action=drop comment="bogon: loopback"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="bogon: loopback"
add chain=forward src-address=224.0.0.0/3 action=drop comment="bogon: multicast and reserved"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="bogon: multicast and reserved"

Source: https://wiki.mikrotik.com/wiki/Firewall

Firewall Chains
- Apart from the built-in chains (input, forward, output), custom chains can be created
- They make the firewall structure simpler
- They decrease the load on the router

Firewall Chains Sequence
- Sequence of the firewall custom chains [figure]
- Custom chains can be created for viruses, TCP, UDP protocols, etc.

Firewall Chains Example

/ip firewall filter
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Firewall Chains Example

/ip firewall filter
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

Firewall Tips [screenshots]

Firewall Tips
- Add comments to your rules
- Use connection tracking or Torch
- Connection tracking manages information about all active connections
- It should be enabled for filter and NAT

Connection Tracking [screenshot]

Torch
- Realtime Traffic Monitor, also called Torch, is used for monitoring the traffic that goes through an interface
- You can monitor traffic classified by:
  - protocol name
  - source address
  - destination address
  - port
- Torch shows the protocols you have chosen and the mean transmitted and received data rate for each of them
- Menu: Tools > Torch

Torch [screenshot]

Firewall Action
- accept - accept the packet. The packet is not passed to the next firewall rule.
- add-dst-to-address-list - add the destination address to the address list specified by the address-list parameter
- add-src-to-address-list - add the source address to the address list specified by the address-list parameter
- drop - silently drop the packet
- jump - jump to the user-defined chain specified by the value of the jump-target parameter
- log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
- passthrough - ignore this rule and go to the next one (useful for statistics)
- reject - drop the packet and send an ICMP reject message
- return - passes control back to the chain from where the jump took place
- tarpit - captures and holds TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)

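The Python model below is an added example, not RouterOS code and not taken from the MikroTik wiki. It encodes the evaluation rules the slides describe: rules are consulted in order within a chain, accept and drop end evaluation, log and add-src-to-address-list behave like passthrough, jump enters a custom chain and comes back to the next rule of the caller when that chain gives no verdict, and a built-in chain accepts when nothing matched. The three scenario functions replay earlier slides: the Firewall Chains Example together with the Filter Forward Example Test (an ICMP packet never matches a protocol=tcp rule, which is why ping still works), the Dynamic Address List Example with its 15-second timeout, and the Firewall Log and Connection State Suggestion slides with the log rule placed before the final drop. The Packet and Rule fields are a small subset of RouterOS's matchers, the clock is simulated with a `now` attribute instead of real timers, and the addresses 172.16.1.10 and 203.0.113.5 are constructed.

```python
"""Model of RouterOS firewall filter evaluation (added example, not RouterOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    protocol: str                   # "tcp", "udp" or "icmp"
    dst_port: int = 0
    connection_state: str = "new"   # new, established, related or invalid

@dataclass
class Rule:
    chain: str
    action: str                     # accept, drop, jump, passthrough, log, add-src-to-address-list
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None       # CIDR prefix
    src_address_list: Optional[str] = None
    connection_state: Optional[str] = None
    jump_target: Optional[str] = None
    address_list: Optional[str] = None
    timeout: float = 0.0            # seconds a dynamic list entry lives; 0 = permanent
    comment: str = ""

class Firewall:
    def __init__(self):
        self.rules, self.log, self.now, self.address_lists = [], [], 0.0, {}  # lists: name -> {ip: expiry}

    def add(self, **kw):
        self.rules.append(Rule(**kw))

    def in_list(self, name, ip):
        expiry = self.address_lists.get(name, {}).get(ip, -1.0)   # -1.0: not listed at all
        return expiry is None or expiry > self.now                # None = permanent; timed-out entries do not match

    def matches(self, r, p):
        return ((r.protocol is None or r.protocol == p.protocol)
                and (r.dst_port is None or r.dst_port == p.dst_port)
                and (r.connection_state is None or r.connection_state == p.connection_state)
                and (r.src_address is None or ipaddress.ip_address(p.src)
                     in ipaddress.ip_network(r.src_address, strict=False))
                and (r.src_address_list is None or self.in_list(r.src_address_list, p.src)))

    def evaluate(self, chain, p):
        # generator: each rule is matched only after the previous rule's action ran (sequential, like RouterOS)
        for r in (r for r in self.rules if r.chain == chain and self.matches(r, p)):
            if r.action in ("accept", "drop"):
                return r.action      # terminating action: later rules are not consulted
            if r.action == "jump":
                verdict = self.evaluate(r.jump_target, p)
                if verdict is not None:
                    return verdict
            elif r.action == "log":
                self.log.append(f"{r.comment} {p.protocol} {p.src} dst-port={p.dst_port}")
            elif r.action == "add-src-to-address-list":
                expiry = self.now + r.timeout if r.timeout else None
                self.address_lists.setdefault(r.address_list, {})[p.src] = expiry
            # jump without verdict, log, passthrough and add-* continue with the next rule
        return "accept" if chain in ("input", "output", "forward") else None  # custom chain: no verdict

def custom_chain_jump():
    """Firewall Chains Example / Filter Forward Example Test: TCP is handed to a 'tcp' chain and
    comes back when unmatched; ICMP never enters it, so ping works while a TCP port is dropped."""
    fw = Firewall()
    fw.add(chain="forward", protocol="tcp", action="jump", jump_target="tcp")
    fw.add(chain="forward", action="log", comment="back-in-forward")
    fw.add(chain="tcp", protocol="tcp", dst_port=139, action="drop", comment="deny NBT")
    nbt = fw.evaluate("forward", Packet("172.16.1.10", "tcp", 139))
    ssh = fw.evaluate("forward", Packet("172.16.1.10", "tcp", 22))
    ping = fw.evaluate("forward", Packet("172.16.1.10", "icmp"))
    return nbt, ssh, ping, len(fw.log)

def dynamic_address_list():
    """Dynamic Address List Example: whoever pings the router is listed for 15 s and dropped meanwhile."""
    fw = Firewall()
    fw.add(chain="input", protocol="icmp", action="add-src-to-address-list",
           address_list="pinged", timeout=15)
    fw.add(chain="input", src_address_list="pinged", action="drop")
    ping = fw.evaluate("input", Packet("172.16.1.10", "icmp"))       # listed, then dropped by rule 2
    fw.now = 12
    soon = fw.evaluate("input", Packet("172.16.1.10", "tcp", 8291))  # still listed: dropped too
    fw.now = 40
    later = fw.evaluate("input", Packet("172.16.1.10", "tcp", 8291)) # entry timed out: accepted
    return ping, soon, later

def router_protection():
    """Firewall Log / Connection State Suggestion: state rules, the LAN allow, a log rule, then drop."""
    fw = Firewall()
    fw.add(chain="input", connection_state="invalid", action="drop")
    fw.add(chain="input", connection_state="established", action="accept")
    fw.add(chain="input", connection_state="related", action="accept")
    fw.add(chain="input", src_address="172.16.1.0/24", action="accept", comment="Allow Laptop IP")
    fw.add(chain="input", action="log", comment="input-drop")   # must sit before the drop
    fw.add(chain="input", action="drop", comment="Drop Everything Else")
    reply = fw.evaluate("input", Packet("203.0.113.5", "tcp", 8291, "established"))
    lan = fw.evaluate("input", Packet("172.16.1.10", "tcp", 8291))
    outside = fw.evaluate("input", Packet("203.0.113.5", "tcp", 8291))  # 203.0.113.5: constructed
    return reply, lan, outside, len(fw.log)
```

Rule order is the whole point: swap the log and drop rules in router_protection() and the log stays empty, because drop is terminating; move the drop rule above the add-src-to-address-list rule in dynamic_address_list() and nothing is ever listed.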
MikroTik Fast Path
- Fast Path allows packets to be forwarded without additional processing in the Linux kernel
- It improves forwarding speeds significantly
- For Fast Path to work, interface support and specific configuration conditions are required

Source: https://wiki.mikrotik.com/wiki/Manual:Fast_Path#IPv4_FastTrack_handler

List of Devices with FastPath Support
- Ethernet ports with FastPath support, by device:
  - RB6xx series: ether1, ether2
  - RB7xx series: all ports
  - RB800: ether1, ether2
  - RB9xx series: all ports
  - RB1000: all ports
  - RB1100 series: ether1-11
  - RB2011 series: all ports
  - CRS series routers: all ports
  - CCR series routers: all ports
- All devices:
  - wireless interfaces, if the wireless-fp or wireless-cm2 package is used
  - bridge interfaces (since 6.29)
  - vlan, vrrp interfaces (since 6.30)
  - bonding interfaces, rx only (since 6.30)

Source: https://wiki.mikrotik.com/wiki/Manual:Fast_Path#IPv4_FastTrack_handler

FastPath Handlers
- IPv4
- IPv4 FastTrack (http://wiki.mikrotik.com/index.php?title=Manual:IP/Fasttrack)
- Traffic Generator
- MPLS
- Bridge

Source: https://wiki.mikrotik.com/wiki/Manual:Fast_Path#IPv4_FastTrack_handler

FastTrack Initial Configuration

/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related

Bridge Firewall

Bridge Firewall Overview
- The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge
- It is possible to force bridge traffic to go through the /ip firewall filter rules
- You can put packet marks in the bridge firewall (filter and NAT), which are the same as the packet marks put in the IP firewall by '/ip firewall mangle'. In this way, packet marks put by the bridge firewall can be used in the IP firewall, and vice versa.

Source: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

Bridge Firewall Filter
- filter - bridge firewall with three predefined chains:
  - input - filters packets whose destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)
  - output - filters packets which come from the bridge (including those packets that have been routed normally)
  - forward - filters packets which are to be bridged (note: this chain is not applied to packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)

Source: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

Bridge Firewall NAT
- nat - bridge network address translation provides ways of changing the source/destination MAC addresses of packets traversing a bridge. It has two built-in chains:
  - srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to packets leaving the router through a bridged interface
  - dstnat - used for redirecting some packets to other destinations

Source: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

Packet Flow Diagram RouterOS v6 [figure]

Source: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Bridge Firewall Example
- Create a bridge named bridge1 and add interface ether1 to the bridge
- Block your PC's MAC address from accessing the Internet

[admin@ST-1] > interface bridge add name=bridge1
[admin@ST-1] > interface bridge port add interface=ether1 bridge=bridge1

NAT (Network Address Translation)

NAT Introduction
- Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications
- There are two types of NAT:
  - source NAT or srcnat. This type of NAT is performed on packets that originate from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. The reverse operation is applied to the reply packets travelling in the other direction.
  - destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.

Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

NAT Chains
- To achieve these scenarios you have to place your NAT rules in the appropriate chain: dstnat or srcnat
- NAT rules work on the IF-THEN principle

SRC-NAT
- SRC-NAT changes the packet's source address
- You can use it to connect a private network to the Internet through a public IP address
- Masquerade is one type of SRC-NAT

Verify NAT Masquerade
- Verify NAT Masquerade: IP > Firewall > NAT [screenshot]

[admin@ST-1] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade log=no log-p
[admin@ST-1] >

SRC-NAT Limitations
- Connecting to internal servers from outside is not possible (DST-NAT needed)
- Some protocols require NAT helpers to work correctly

DST-NAT
- DST-NAT changes the packet's destination address and port
- It can be used to direct Internet users to a server in your private network

DST-NAT Example
- If someone accesses your wlan1 interface, they will be redirected to your PC

DST-NAT Example
- Verify your wlan1 IP address [screenshot]

DST-NAT Example
- DST-NAT configuration [screenshot]

Redirect
- A special type of DST-NAT
- This action redirects packets to the router itself
- It can be used for proxying services (DNS, HTTP)

Redirect Example
- Let's make local users use the router's DNS cache
- Make one rule for TCP and one for UDP, port 53
[screenshot]

NAT Action
- accept - accept the packet. The packet is not passed to the next NAT rule.
- add-dst-to-address-list - add the destination address to the address list specified by the address-list parameter
- add-src-to-address-list - add the source address to the address list specified by the address-list parameter
- dst-nat - replaces the destination address and/or port of an IP packet with the values specified by the to-addresses and to-ports parameters
- jump - jump to the user-defined chain specified by the value of the jump-target parameter
- log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough

NAT Action
- masquerade - replace the source address of an IP packet with an IP determined by the routing facility
- netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
- passthrough - ignore this rule and go to the next one (useful for statistics)
- redirect - replaces the destination port of an IP packet with the one specified by the to-ports parameter and the destination address with one of the router's local addresses
- return - passes control back to the chain from where the jump took place
- same - gives a particular client the same source/destination IP address from the supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
- src-nat - replaces the source address of an IP packet with the values specified by the to-addresses and to-ports parameters

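The Python model below is an added example, not RouterOS code, covering the three NAT actions this section uses: masquerade (SRC-NAT and Verify NAT Masquerade), dst-nat (DST-NAT Example) and redirect (Redirect Example; the same action with to-ports set is what the Transparent Proxy slides rely on later). It follows the packet-flow order the slides give, dstnat before routing and srcnat after it, decides the translation on a connection's first packet, and keeps that decision in a connection table so that the reply is rewritten back, which is the role connection tracking plays in RouterOS. The interface addresses in ROUTER_ADDRESSES, the hosts 10.5.50.77 and 203.0.113.x, and the choice of the in-interface address as the "local address" a redirect lands on are constructed assumptions; the model does not change source ports the way a real masquerade may.

```python
"""Model of masquerade, dst-nat and redirect with a connection table (added example, not RouterOS code)."""
from dataclasses import dataclass
from typing import Optional

ROUTER_ADDRESSES = {"ether1": "203.0.113.2",     # WAN side (constructed)
                    "wlan1": "10.5.50.1",        # constructed
                    "ether5": "172.16.1.1"}      # LAN side, as on the slides

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class NatRule:
    chain: str                          # "dstnat" (before routing) or "srcnat" (after routing)
    action: str                         # masquerade, dst-nat or redirect
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    to_addresses: Optional[str] = None
    to_ports: Optional[int] = None

class NatRouter:
    def __init__(self, addresses):
        self.addresses = addresses      # interface -> the router's own IP on it
        self.rules = []
        self.conntrack = {}             # original flow -> translated flow

    def add(self, **kw):
        self.rules.append(NatRule(**kw))

    def _first_match(self, chain, f, in_if, out_if):
        for r in self.rules:
            if (r.chain == chain and r.in_interface in (None, in_if)
                    and r.out_interface in (None, out_if)
                    and r.protocol in (None, f.proto) and r.dst_port in (None, f.dport)):
                return r
        return None

    def translate(self, f, in_if, out_if):
        """First packet of a connection: dstnat chain, then srcnat unless the packet is now for the router."""
        if f in self.conntrack:
            return self.conntrack[f]     # later packets of the connection reuse the stored decision
        t = f
        r = self._first_match("dstnat", t, in_if, out_if)
        if r and r.action == "dst-nat":
            t = Flow(t.proto, t.src, t.sport, r.to_addresses, r.to_ports or t.dport)
        elif r and r.action == "redirect":   # "a local address": modelled as the in-interface address
            t = Flow(t.proto, t.src, t.sport, self.addresses[in_if], r.to_ports or t.dport)
        if t.dst not in self.addresses.values():      # locally delivered packets never reach srcnat
            r = self._first_match("srcnat", t, in_if, out_if)
            if r and r.action == "masquerade":        # source becomes the out-interface address
                t = Flow(t.proto, self.addresses[out_if], t.sport, t.dst, t.dport)
        self.conntrack[f] = t
        return t

    def reply(self, f):
        """A reply to a translated flow is rewritten back to the original endpoints."""
        for orig, trans in self.conntrack.items():
            if f == trans.reverse():
                return orig.reverse()
        return f                         # untracked connection: left untouched

def masquerade_example():
    """SRC-NAT: a LAN host leaves ether1 with the router's address; the reply still reaches it."""
    r = NatRouter(ROUTER_ADDRESSES)
    r.add(chain="srcnat", out_interface="ether1", action="masquerade")
    out = r.translate(Flow("tcp", "172.16.1.10", 40000, "203.0.113.5", 443), "ether5", "ether1")
    back = r.reply(Flow("tcp", "203.0.113.5", 443, "203.0.113.2", 40000))
    return out.src, back.dst

def dstnat_example():
    """DST-NAT Example: whoever connects to the wlan1 address is sent to the PC behind the router."""
    r = NatRouter(ROUTER_ADDRESSES)
    r.add(chain="dstnat", in_interface="wlan1", action="dst-nat", to_addresses="172.16.1.10")
    t = r.translate(Flow("tcp", "10.5.50.77", 51000, "10.5.50.1", 80), "wlan1", "ether5")
    return t.dst, t.dport

def redirect_example():
    """Redirect Example: LAN DNS (tcp/udp 53) goes to the router itself; other traffic is masqueraded."""
    r = NatRouter(ROUTER_ADDRESSES)
    for proto in ("tcp", "udp"):
        r.add(chain="dstnat", in_interface="ether5", protocol=proto, dst_port=53, action="redirect")
    r.add(chain="srcnat", out_interface="ether1", action="masquerade")
    dns = r.translate(Flow("udp", "172.16.1.10", 5353, "203.0.113.53", 53), "ether5", "ether1")
    web = r.translate(Flow("tcp", "172.16.1.10", 5354, "203.0.113.53", 443), "ether5", "ether1")
    return dns.dst, dns.src, web.src
```

The connection table is what makes masquerade work without a rule per host, and it is also why the SRC-NAT Limitations slide says outside hosts cannot reach internal servers: a packet that is not a reply to a tracked connection has no entry to be translated by, so only an explicit dst-nat rule can deliver it inside.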
Saving Configuration
- Save the NAT configuration on every router [screenshot]

Hotspot

Hotspot Introduction
- HotSpot is a way to authorize users to access some network resources, but it does not provide traffic encryption
- To log in, users may use almost any web browser (either HTTP or HTTPS protocol), so they are not required to install additional software
- The gateway accounts the uptime and the amount of traffic each client has used, and can also send this information to a RADIUS server
- The HotSpot system may limit each particular user's bitrate, total amount of traffic, uptime and some other parameters

Source: https://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction

HotSpot Requirements
- Valid IP addresses on the Internet and local interfaces
- DNS server addresses added to IP > DNS
- At least one HotSpot user

Restore Previous Configuration [screenshot]

Hotspot Setup [screenshots]

Important Notes
- Users connected to the HotSpot interface will be disconnected from the Internet
- Clients will have to authorize in HotSpot to get access to the Internet
- The HotSpot default setup creates additional configuration:
  - DHCP server on the HotSpot interface
  - Pool for HotSpot clients
  - Dynamic firewall rules (Filter and NAT)

HotSpot Help
- The HotSpot login page is provided when a user tries to access any web page
- To log out from HotSpot you need to go to http://router_IP or http://HotSpot_DNS

HotSpot Network Hosts
- Information about clients connected to the HotSpot router

HotSpot Active Table
- Information about authorized HotSpot clients

User Management
- Add/Edit/Remove HotSpot users

HotSpot Walled-Garden
- Tool to give access to specific resources without HotSpot authorization
- Walled-Garden for HTTP and HTTPS
- Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)
- Example: allow access to mikrotik.com

HotSpot IP Binding
- Bypass specific clients over HotSpot
- VoIP phones, printers, superusers
- IP binding is used for that

HotSpot Bandwidth Limits
- It is possible to give every HotSpot user an automatic bandwidth limit
- A dynamic queue is created for every client from the profile

HotSpot User Profile
- User Profile: a set of options used for a specific group of HotSpot clients

Saving Configuration
- Save the Hotspot configuration on every router [screenshot]

Proxy

What is Proxy
- It can speed up web browsing by caching data, and act as an HTTP firewall
- MikroTik RouterOS performs proxying of HTTP and HTTP-proxy (for FTP, HTTP and HTTPS protocols) requests
- MikroTik RouterOS implements the following proxy server features:
  - Regular HTTP proxy: the customer (itself) specifies which proxy server to use
  - Transparent proxy: the customer does not know about the proxy being enabled and no additional configuration is needed in the client's web browser
  - Access list by source, destination, URL and requested method (HTTP firewall)
  - Cache access list to specify which objects to cache, and which not
  - Direct Access List: to specify which resources should be accessed directly, and which through another proxy server
  - Logging facility: allows information about proxy operation to be gathered and stored
  - Parent proxy support: allows another proxy server to be specified

What is Proxy
- A web proxy (cache) watches requests coming from clients, saving copies of the responses for itself. Then, if there is another request for the same URL, it can use the response that it has, instead of asking the origin server for it again. If the proxy has not requested the file before, it downloads it from the origin server.

Enable Proxy
- The main option is Enable; the other settings are optional

Transparent Proxy
- Users do not need to set additional configuration in the browser to use the proxy
- A transparent proxy allows all users to be directed to the proxy automatically
- DST-NAT rules are required for a transparent proxy
- HTTP traffic should be redirected to the router

Restore Previous Configuration [screenshot]

Transparent Proxy Example [screenshot]

HTTP Firewall
- The proxy access list provides an option to filter DNS names
- You can redirect to specific pages
[screenshot]

Web-page Logging
- Menu: IP > Web Proxy
- The proxy can log the web pages visited by users
- Make sure you have enough resources for logs (it is better to send them to a remote server)
- Menu: System > Logging
- Menu: Log
[screenshots]

Disk
- Manage all external disks
- A newly connected disk should be formatted
[screenshot]

Add Disk
- Add a disk to store the proxy cache on an external disk
- Disks support proxy, user-manager and dude
[screenshot]

Cache on Disk
- The cache can be stored on external drives
- Store manages all the external drives
- The cache can be stored on IDE, SATA, USB, CF and MicroSD drives

Saving Configuration
- Save the proxy configuration on every router [screenshot]

THANK YOU
