FIREWALL
MTCNA TRAINING PROGRAM
Agenda
Firewall Filter
Bridge Firewall
NAT (Network Address Translation)
Hotspot
Proxy
Firewall Filter
Firewall
Protects your router and its clients from unauthorized access
This is done by creating rules in the Firewall Filter and NAT facilities
Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
Firewall Filter
Consists of user-defined rules that work on the IF-THEN principle: if a packet matches the rule's conditions, then the rule's action is applied
Rules are ordered in chains and evaluated top to bottom; the first terminating match (accept, drop, etc.) decides
There are predefined chains and user-created chains
Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
Filter Chains
Rules can be placed in three default chains
input (traffic addressed to the router itself)
output (traffic originated by the router)
forward (traffic passing through the router)
Filter Chains
Filter chain menu (screenshot)
Filter Chains Flow
Filter Input Example
The input chain contains filter rules that protect the router itself
Scenario: block your laptop from reaching the router's layer 3 (IP) address, while it can still connect to the Internet through the router
Filter Input Example (screenshot: adding the drop rule in IP > Firewall > Filter Rules)
Filter Input Example
You can still connect by MAC address: Firewall Filter applies only to IP traffic
Try to ping the gateway. The ping fails, so the firewall is working
Filter Input MAC Server
You can disable MAC access in the MAC Server menu (screenshot)
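The same lab scenario as a RouterOS console configuration. This is an added example, not part of the original deck: the router address 172.16.X.1 follows the deck's lab convention, and the laptop address 172.16.X.254 is a placeholder.

```routeros
# Added example for the "Filter Input Example" and "MAC Server" slides (not from the
# original deck). 172.16.X.254 is a placeholder for the laptop's address.
/ip firewall filter
# input = traffic addressed to the router itself. Dropping the laptop here leaves the
# forward chain (traffic passing through the router) untouched, so Internet still works.
add chain=input src-address=172.16.X.254 action=drop \
    comment="laptop may not reach the router's own IP address"

# The rule above only sees IP packets. MAC-Telnet and MAC-WinBox travel directly in
# Ethernet frames and never pass /ip firewall, so the laptop can still log in by MAC.
# Close that path as well (syntax for RouterOS 6.41 and later):
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
# If MAC access is wanted for recovery, point allowed-interface-list at a trusted
# interface list (e.g. one containing only the management port) instead of "none".
```

Verify with the rule counters (/ip firewall filter print stats): the drop rule's packet count rises while the laptop pings 172.16.X.1, and a MAC-Telnet attempt from the laptop now fails too.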
Filter Address-List
An address list lets you filter a whole group of addresses with one rule
Addresses can also be added to a list automatically by a firewall rule and then blocked by another rule
You can create different lists for different purposes
Subnets, separate ranges and single host addresses are supported
Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list
Filter Address-List Example
Change your existing rule to match an address list that contains one host, instead of the host address itself (screenshot)
Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list
Dynamic Address List Example
Scenario:
Automatically add everyone who pings the router to an address list for 15 seconds
Block the addresses in that list (screenshot)
Dynamic Address List Example
Try to ping the router at IP 172.16.X.1
At the same time, view the address list table: your address appears with a dynamic (D) flag and a timeout
Dynamic Address List Example
Change the existing rule that blocks your IP so that it matches the dynamic address list instead
Try to ping the router at IP 172.16.X.1 (screenshot)
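Both address-list exercises (the static one-host list and the dynamic "pingers" list) as console commands. This is an added example, not the deck's own configuration; the list names, the 10.0.0.0/8 and 192.168.1.x entries and the laptop address 172.16.X.254 are made up for illustration.

```routeros
# Added example for the "Filter Address-List" slides (not from the original deck).
# Static list: several kinds of entries, all blocked by a single filter rule.
/ip firewall address-list
add list=blocked address=172.16.X.254 comment="one host (placeholder for the laptop)"
add list=blocked address=10.0.0.0/8 comment="a subnet"
add list=blocked address=192.168.1.10-192.168.1.20 comment="a separate range"

/ip firewall filter
add chain=input src-address-list=blocked action=drop \
    comment="replaces the single-host rule: one rule, many addresses"

# Dynamic list: whoever pings the router is recorded for 15 seconds and then blocked.
# add-src-to-address-list does NOT stop rule processing, so the very same ICMP packet
# continues to the drop rule below; the entry expires by itself when the timeout passes.
add chain=input protocol=icmp action=add-src-to-address-list \
    address-list=pingers address-list-timeout=15s comment="record anyone who pings"
add chain=input src-address-list=pingers action=drop comment="drop recorded pingers"
```

While pinging 172.16.X.1, run /ip firewall address-list print: the entry carries the D (dynamic) flag and a countdown. Order matters in two ways: the recording rule must sit above the drop rule, and because every new ping re-adds the address, a host that keeps pinging stays blocked for 15 seconds after its last attempt.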
Filter Forward
The forward chain contains rules that control packets going through the router
Use it to control traffic to and from the clients
Filter Forward Example
Create a rule that blocks TCP port 80 (web browsing) to the Internet
You must select the protocol before you can match a port: dst-port is only valid together with protocol=tcp or protocol=udp (screenshot)
Filter Forward Example Test
Try to open www.mikrotik.com
Try to ping www.mikrotik.com
Why can we still ping www.mikrotik.com while we cannot open the page in a browser?
Well-Known Ports (table)
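The forward exercise in console form, with the answer to the test question worked in. This is an added example, not from the original deck; it assumes ether1 is the Internet-facing interface, which the slides do not state.

```routeros
# Added example for the "Filter Forward Example" slides (not from the original deck).
# Assumption: ether1 faces the Internet.
/ip firewall filter
# dst-port is only accepted together with protocol=tcp or protocol=udp, which is why
# the protocol has to be selected first in the rule.
add chain=forward out-interface=ether1 protocol=tcp dst-port=80 action=drop \
    comment="block plain HTTP (web browsing) to the Internet"

# Ping still works because ICMP is a different protocol and has no ports at all: the
# rule above can never match it. A filter only blocks what it is told to match.
# Each of these needs its own rule:
add chain=forward out-interface=ether1 protocol=tcp dst-port=443 action=drop \
    comment="block HTTPS too; most sites redirect port 80 to 443 today"
add chain=forward out-interface=ether1 protocol=icmp action=drop \
    comment="block ping to the Internet"
# Check which rule a packet hit with the packet/byte counters:
# /ip firewall filter print stats
```

The point of the exercise: the well-known port table tells you which protocol and port a service uses, and a forward rule blocks exactly that tuple and nothing else. Blocking TCP/80 alone leaves HTTPS, DNS and ICMP untouched.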
Firewall Log
Let's log the traffic that matches your existing input chain rules
The log rule must be placed before the rule that takes the final action (for example drop); a terminating action ends rule processing, so a log rule placed after it never sees the packet (screenshot)
Firewall Log Test and View (screenshot: Log menu)
Connection State (diagram)
Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
Connection State
Advice: drop invalid connections
The specific firewall rules should process only new packets; it is recommended to handle the other connection states (established, related, invalid) with a few generic rules at the top of the chain, so that the rules below them only see the first packet of each connection
Filter rules have the "connection-state" matcher for this purpose
Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
Connection State in Firewall Rules (screenshot)
Connection State Suggestion
Router Protection
# drop packets that do not belong to any known connection (out-of-state, malformed)
/ip firewall filter add chain=input connection-state=invalid action=drop \
comment="Drop Invalid Connections"
Source: https://wiki.mikrotik.com/wiki/Firewall
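The "Firewall Log" and "Connection State" advice combined into one complete input chain, in the order the slides recommend. This is an added example and not the deck's or the MikroTik wiki's own rule set; ether1 as WAN and ether2 as LAN are assumptions.

```routeros
# Added example (not from the original deck): a complete router-protection input chain.
# Assumptions: ether1 = WAN, ether2 = LAN.
/ip firewall filter
# 1. Generic state rules first. After these, only connection-state=new packets remain,
#    so every rule below is evaluated once per connection rather than once per packet.
add chain=input connection-state=established,related action=accept \
    comment="accept replies to connections the router opened"
add chain=input connection-state=invalid action=drop comment="Drop Invalid Connections"
# 2. What the router is allowed to answer.
add chain=input protocol=icmp action=accept comment="allow ping"
add chain=input in-interface=ether2 action=accept comment="management from the LAN only"
# 3. Log, then drop. The log rule must come BEFORE the drop: drop is terminating, so a
#    log rule placed after it would never match anything.
add chain=input action=log log-prefix="input-drop " \
    comment="log what is about to be dropped"
add chain=input action=drop comment="drop everything else, including all WAN access"
# View the result: /log print where message~"input-drop"
```

Apply this in Safe Mode (Ctrl-X in the console, or the Safe Mode button in WinBox): the final drop cuts off any management session that does not arrive via ether2, and Safe Mode rolls the change back if the session is lost. Each logged line carries the in-interface, protocol, src-ip:port->dst-ip:port and length described in the "Firewall Action" slide.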
Connection State Suggestion
Customer Protection (Block "bogon" IP addresses)
/ip firewall filter
# addresses that must never appear as source or destination of traffic passing through the router
add chain=forward src-address=0.0.0.0/8 action=drop comment="bogon: this network"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="bogon: this network"
add chain=forward src-address=127.0.0.0/8 action=drop comment="bogon: loopback"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="bogon: loopback"
add chain=forward src-address=224.0.0.0/3 action=drop comment="bogon: multicast and reserved"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="bogon: multicast and reserved"
# private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are deliberately not listed here:
# they are bogons only on the WAN side, and customers use them on their LANs
Source: https://wiki.mikrotik.com/wiki/Firewall
Firewall chains
Besides the built-in chains (input, forward, output), custom chains can be created
They make the firewall structure simpler to read
They decrease the load on the router: a packet only traverses the rules of the chains it is jumped into
Firewall chains Sequence (diagram)
Firewall chains Example
/ip firewall filter
# sort forward traffic by protocol into custom chains; each chain then only holds the rules for that protocol
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
Firewall chains Example
# rules of the custom "udp" chain; a packet that matches none of them returns to the forward chain and continues after the jump rule
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny MS RPC endpoint mapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=31337 action=drop comment="deny Back Orifice"
Firewall Tips
Add comments to your rules
Use connection tracking or Torch to see what traffic is actually present before writing rules
Connection tracking manages information about all active connections
It must be enabled for stateful filter matchers (connection-state) and for NAT to work
Connection Tracking (screenshot)
Torch
The Realtime Traffic Monitor, also called Torch, is used for monitoring traffic that is going through an interface
You can monitor traffic classified by:
protocol name
source address
destination address
port
Torch shows the protocols you have chosen and the mean transmitted and received data rate for each of them
Menu Tools > Torch
Torch (screenshot)
Firewall Action
accept - accept the packet. The packet is not passed to the next firewall rule.
drop - silently discard the packet. The packet is not passed to the next firewall rule.
jump - jump to the user-defined chain specified by the value of the jump-target parameter
log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
passthrough - ignore this rule and go to the next one (useful for statistics).
return - passes control back to the chain from where the jump took place
tarpit - captures and holds TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)
MikroTik Fast path
Fast path allows the router to forward packets without additional processing in the Linux kernel
This improves forwarding speed significantly
For fast path to work, interface support and specific configuration conditions are required (for example, no firewall or mangle rules that must see the traffic)
Source: https://wiki.mikrotik.com/wiki/Manual:Fast_Path#IPv4_FastTrack_handler
List of Devices with FastPath Support
RB6xx series: ether1, ether2
RB7xx series: all ports
RB800: ether1, ether2
RB9xx series: all ports
RB1000: all ports
RB1100 series: ether1-11
RB2011 series: all ports
CRS series routers: all ports
CCR series routers: all ports
All devices:
wireless interfaces, if the wireless-fp or wireless-cm2 package is used
bridge interfaces (since 6.29)
vlan, vrrp interfaces (since 6.30)
bonding interfaces, rx only (since 6.30)
Source: https://wiki.mikrotik.com/wiki/Manual:Fast_Path#IPv4_FastTrack_handler
FastPath Handlers
IPv4
IPv4 Fasttrack (http://wiki.mikrotik.com/index.php?title=Manual:IP/Fasttrack)
Traffic Generator
MPLS
Bridge
Source: https://wiki.mikrotik.com/wiki/Manual:Fast_Path#IPv4_FastTrack_handler
FastTrack Initial configuration
/ip firewall filter
# place these as the first two forward rules; once a connection is fasttracked, its further packets skip the rest of the firewall filter, mangle and simple queues
add chain=forward action=fasttrack-connection connection-state=established,related
# the accept rule is still needed: not every packet of a fasttracked connection takes the fast path
add chain=forward action=accept connection-state=established,related
Bridge Firewall
Bridge Firewall Overview
The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge
It is possible to force bridge traffic to also go through the /ip firewall filter rules (the use-ip-firewall setting in the bridge settings)
You can put packet marks in the bridge firewall (filter and NAT); they are the same packet marks that the IP firewall sets with '/ip firewall mangle'. In this way, packet marks put by the bridge firewall can be used in the IP firewall, and vice versa.
Source: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Bridge Firewall Filter
filter - bridge firewall with three predefined chains:
input - filters packets whose destination is the bridge (including those packets that will be routed, as they are destined to the bridge MAC address anyway)
output - filters packets that come from the bridge (including those packets that have been routed normally)
forward - filters packets that are to be bridged (note: this chain is not applied to packets that are routed through the router, only to those traversing between the ports of the same bridge)
Source: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Bridge Firewall NAT
nat - bridge network address translation provides ways of changing the source/destination MAC addresses of packets traversing a bridge. It has two built-in chains:
srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to packets leaving the router through a bridged interface
dstnat - used for redirecting some packets to other destinations
Source: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Packet Flow Diagram RouterOS v6 (diagram)
Source: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Bridge Firewall Example
Create a bridge named bridge1, add interface ether1 to the bridge, and drop frames from your PC's MAC address so that it cannot access the Internet
[admin@ST-1] > interface bridge add name=bridge1
[admin@ST-1] > interface bridge port add interface=ether1 bridge=bridge1
[admin@ST-1] > interface bridge filter add chain=input src-mac-address=XX:XX:XX:XX:XX:XX action=drop comment="drop frames from my PC (replace with the PC's MAC)"
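The overview slide's point that bridged traffic can be pushed through the IP firewall, shown as a worked configuration. This is an added example, not from the original deck; the port names ether1/ether2 and the SMB (TCP/445) scenario are assumptions.

```routeros
# Added example for the "Bridge Firewall Overview" slide (not from the original deck).
# Assumptions: ether1 and ether2 are two client ports on the same bridge.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2

# Layer 2 view: a frame bridged from ether1 to ether2 only traverses the bridge filter
# forward chain. Log the IP frames to see that they never touch /ip firewall.
/interface bridge filter add chain=forward in-interface=ether1 out-interface=ether2 \
    mac-protocol=ip action=log log-prefix="bridged-ip "

# Force bridged traffic through the IP firewall as well. Caveat: this disables
# fastpath/fasttrack for the bridge and every bridged packet now costs CPU.
/interface bridge settings set use-ip-firewall=yes

# Now an /ip firewall rule can act on station-to-station traffic; for bridged packets
# both in-interface and out-interface are the bridge itself.
/ip firewall filter add chain=forward in-interface=bridge1 out-interface=bridge1 \
    protocol=tcp dst-port=445 action=drop comment="no SMB between clients on bridge1"
```

Without use-ip-firewall=yes the last rule never matches, because bridged frames are switched between ports before the IP firewall is consulted; the "Packet Flow Diagram" slide shows where that decision is made.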
NAT (Network Address Translation)
NAT Introduction
Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications
There are two types of NAT:
source NAT or srcnat. This type of NAT is performed on packets that originate from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. The reverse operation is applied to the reply packets travelling in the other direction.
destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.
Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
NAT Chains
To achieve these scenarios you have to place your NAT rules in the appropriate chain: dstnat or srcnat
NAT rules work on the IF-THEN principle, like filter rules
SRC-NAT
SRC-NAT changes the packet's source address
You can use it to connect a private network to the Internet through a public IP address
Masquerade is one type of SRC-NAT
Verify NAT Masquerade
IP > Firewall > NAT (screenshot)
SRC-NAT Limitations
Connecting to internal servers from outside is not possible (DST-NAT is needed)
Some protocols require NAT helpers to work correctly
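The two SRC-NAT variants side by side, plus where the NAT helpers live. This is an added example, not the deck's configuration; ether1 as WAN, the 192.168.88.0/24 LAN and the public address 203.0.113.10 (from the documentation range) are assumptions.

```routeros
# Added example for the SRC-NAT slides (not from the original deck).
# Assumptions: ether1 = WAN, LAN = 192.168.88.0/24, static public IP = 203.0.113.10.
/ip firewall nat
# masquerade: the source address becomes whatever address ether1 currently has, so it
# suits a dynamic (DHCP/PPPoE) WAN address. Drawback: when the WAN link flaps, RouterOS
# purges the connection-tracking entries that belong to it.
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=masquerade \
    comment="LAN -> Internet (dynamic WAN address)"
# src-nat: the same effect with an explicit static address; use this when the WAN
# address never changes. Keep only one of the two rules active.
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=src-nat \
    to-addresses=203.0.113.10 disabled=yes comment="LAN -> Internet (static WAN address)"

# Limitation 2 on the slide: protocols that carry IP addresses inside their payload
# (FTP, SIP, PPTP, ...) need a NAT helper. They live in /ip firewall service-port and
# can be switched off when a helper causes more harm than good:
# /ip firewall service-port print
# /ip firewall service-port set sip disabled=yes
```

Matching on src-address as well as out-interface keeps the rule from translating traffic you did not expect (for example a guest VLAN that should be dropped, not NATed). Verify with /ip firewall connection print, where each translated connection shows both the original and the reply address pair.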
DST-NAT
DST-NAT changes the packet's destination address and port
It can be used to direct Internet users to a server in your private network
DST-NAT Example
If someone connects to the IP address of your wlan1 interface, the connection is redirected to your PC
DST-NAT Example
Verify your wlan1 IP address (screenshot)
DST-NAT Example
DST-NAT configuration (screenshot)
Redirect
A special type of DST-NAT
This action redirects packets to the router itself
It can be used for proxying services (DNS, HTTP)
Redirect Example
Let's make local users use the router's DNS cache
Make a rule for both TCP and UDP, port 53 (screenshot)
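The DST-NAT and Redirect exercises as console commands, together with the two checks a practitioner wants around them. This is an added example, not the deck's configuration; the PC address 192.168.88.10, ether1 as WAN and ether2 as LAN are assumptions, wlan1 is taken from the slides.

```routeros
# Added example for the DST-NAT and Redirect slides (not from the original deck).
# Assumptions: ether1 = WAN, ether2 = LAN, the PC is 192.168.88.10.
/ip firewall nat
# dst-nat: a connection to wlan1's address on TCP/80 is rewritten to the PC.
add chain=dstnat in-interface=wlan1 protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.88.10 to-ports=80 comment="wlan1:80 -> PC"

# redirect: a dst-nat whose target is the router itself. Here every DNS query from the
# LAN lands in the router's resolver/cache, whatever server the client has configured.
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=redirect to-ports=53 \
    comment="force LAN DNS through the router cache"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=redirect to-ports=53

# The router must answer DNS on its own addresses for the redirect to work ...
/ip dns set allow-remote-requests=yes
# ... and that setting also answers the whole Internet (open resolver, amplification
# abuse) unless the input chain closes the WAN side:
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"
# NAT only rewrites addresses. A restrictive forward chain still has to accept the
# translated connection, otherwise the port forward silently fails:
add chain=forward connection-nat-state=dstnat connection-state=new action=accept \
    comment="allow port-forwarded connections"
```

Test the redirect with a client whose DNS server is set to some external address: /ip dns cache print fills up on the router anyway, because the query never left it. Test the wlan1 port forward from a host on the wlan1 side; /ip firewall connection print shows the connection with its dst-nat translation.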
NAT Action
accept - accept the packet. The packet is not passed to the next NAT rule.
add-dst-to-address-list - add the destination address to the address list specified by the address-list parameter
add-src-to-address-list - add the source address to the address list specified by the address-list parameter
dst-nat - replaces the destination address and/or port of an IP packet with the values specified by the to-addresses and to-ports parameters
jump - jump to the user-defined chain specified by the value of the jump-target parameter
log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
NAT Action
masquerade - replaces the source address of an IP packet with the IP address determined by the routing facility (the address of the outgoing interface).
netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
passthrough - ignore this rule and go to the next one (useful for statistics).
redirect - replaces the destination port of an IP packet with the one specified by the to-ports parameter and the destination address with one of the router's local addresses
return - passes control back to the chain from where the jump took place
same - gives a particular client the same source/destination IP address from the supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
src-nat - replaces the source address of an IP packet with the values specified by the to-addresses and to-ports parameters
Saving Configuration
Save the NAT configuration on every router (screenshot)
Hotspot
Hotspot Introduction
HotSpot is a way to authorize users to access some network resources, but it does not provide traffic encryption
To log in, users may use almost any web browser (over either HTTP or HTTPS), so they are not required to install additional software
The gateway accounts the uptime and the amount of traffic each client has used, and can also send this information to a RADIUS server
The HotSpot system may limit each particular user's bitrate, total amount of traffic, uptime and some other parameters
Source: https://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction
HotSpot Requirements
Valid IP addresses on the Internet and local interfaces
DNS server addresses added to IP > DNS
At least one HotSpot user
Restore Previous Configuration (screenshot)
Hotspot Setup (screenshots of the setup wizard steps)
Important Notes
Users connected to the HotSpot interface lose Internet access until they authorize
Clients have to log in to the HotSpot to get access to the Internet
The HotSpot default setup creates additional configuration:
DHCP server on the HotSpot interface
Address pool for HotSpot clients
Dynamic firewall rules (Filter and NAT)
HotSpot Help
The HotSpot login page is presented when the user tries to access any web page
To log out from the HotSpot, go to http://router_IP or http://HotSpot_DNS_name
HotSpot Network Hosts
Information about clients connected to the HotSpot router
HotSpot Active Table
Information about authorized HotSpot clients
User Management
Add/Edit/Remove HotSpot users
HotSpot Walled-Garden
A tool to give access to specific resources without HotSpot authorization
Walled-Garden for HTTP and HTTPS
Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)
Example: allow access to mikrotik.com
HotSpot IP Binding
Bypass specific clients past the HotSpot login
VoIP phones, printers, superusers
IP-binding is used for that
HotSpot Bandwidth Limits
It is possible to give every HotSpot user an automatic bandwidth limit
A dynamic queue is created for every client from the rate limit in the user profile
HotSpot User Profile
A user profile is a set of options used for a specific group of HotSpot clients
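The user, profile, walled-garden and IP-binding slides as one console configuration. This is an added example, not from the original deck; it assumes the setup wizard already created a HotSpot server named hotspot1 with server profile hsprof1, and the MAC addresses, the server 192.168.88.250 and the password are placeholders.

```routeros
# Added example for the HotSpot user profile, walled-garden and IP-binding slides
# (not from the original deck). Assumptions: the wizard created server "hotspot1" and
# server profile "hsprof1"; MACs, 192.168.88.250 and the password are placeholders.

# User profile: options for a group of users. rate-limit is rx/tx as seen by the router
# (client upload/download); a dynamic simple queue is created per logged-in user.
/ip hotspot user profile add name=guest rate-limit=2M/8M shared-users=1 \
    session-timeout=2h idle-timeout=10m
/ip hotspot user add name=guest1 password=ChangeMe-123 profile=guest server=hotspot1

# Walled garden: reachable without logging in. The HTTP/HTTPS list matches host names,
# the IP list covers everything else (SSH, WinBox, ...).
/ip hotspot walled-garden add dst-host=*.mikrotik.com action=allow \
    comment="mikrotik.com before login"
/ip hotspot walled-garden ip add dst-address=192.168.88.250 protocol=tcp dst-port=22 \
    action=accept comment="SSH to the local server before login"

# IP binding: devices that cannot show a login page bypass authentication entirely.
# The match is on MAC (optionally plus address), which a user can spoof, so keep the
# bypass list short and use type=blocked for devices that must never get through.
/ip hotspot ip-binding add mac-address=00:11:22:33:44:55 type=bypassed comment="VoIP phone"
/ip hotspot ip-binding add mac-address=00:11:22:33:44:66 type=blocked comment="banned device"

# The introduction slide notes that HotSpot does not encrypt traffic. At least protect
# the credentials: serve the login page over HTTPS (import a certificate first).
# /ip hotspot profile set hsprof1 login-by=https,http-chap ssl-certificate=hotspot-cert
```

After a client logs in, /ip hotspot active print shows the session and /queue simple print shows the dynamic queue named after it; /ip hotspot host print lists every device seen on the HotSpot interface, authorized or not, which is the place to look when a bypassed device misbehaves.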
Saving Configuration
Save the Hotspot configuration on every router (screenshot)
Proxy
What is a Proxy
It can speed up web browsing by caching data, and it acts as an HTTP firewall
MikroTik RouterOS performs proxying of HTTP and HTTP-proxy (for FTP, HTTP and HTTPS protocols) requests
MikroTik RouterOS implements the following proxy server features:
Regular HTTP proxy - the client itself specifies which proxy server to use
Transparent proxy - the client does not know that a proxy is in use, and no additional configuration of the client's web browser is needed
Access list by source, destination, URL and requested method (HTTP firewall)
Cache access list to specify which objects to cache and which not
Direct Access List - to specify which resources should be accessed directly, and which through another proxy server
Logging facility - allows you to get and store information about proxy operation
Parent proxy support - allows you to specify another proxy server to forward requests to
What is a Proxy
A web proxy (cache) watches requests coming from clients and saves copies of the responses for itself. Then, if there is another request for the same URL, it can use the response it has instead of asking the origin server for it again. If the proxy does not have the requested file, it downloads it from the origin server.
Enable Proxy
The main option is Enabled; the other settings are optional (screenshot)
Transparent Proxy
Users do not need to change any browser configuration to use the proxy
A transparent proxy directs all users to the proxy automatically
DST-NAT (redirect) rules are required for a transparent proxy
HTTP traffic (TCP port 80) is redirected to the proxy port on the router; HTTPS cannot be intercepted this way
Restore Previous Configuration (screenshot)
Transparent Proxy Example (screenshot: redirect rule in IP > Firewall > NAT)
HTTP Firewall
The proxy access list lets you filter requests by destination host name (DNS name), source address, path and method
Denied requests can be redirected to a specific page (screenshot)
Web-page logging
Menu IP > Web Proxy
The proxy can log the web pages visited by users
Make sure you have enough resources for the logs; it is better to send them to a remote syslog server
Menu System > Logging, then view the result in the Log menu (screenshots)
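The transparent proxy, HTTP firewall and logging slides combined into one configuration, with the hardening a proxy deployment needs. This is an added example, not from the original deck; ether1 as WAN, ether2 as LAN, the 192.168.88.0/24 LAN, the syslog host 192.168.88.200 and the host names are assumptions.

```routeros
# Added example for the Transparent Proxy, HTTP Firewall and Web-page logging slides
# (not from the original deck). Assumptions: ether1 = WAN, ether2 = LAN 192.168.88.0/24,
# syslog host 192.168.88.200; host names are placeholders.
/ip proxy set enabled=yes port=8080 cache-administrator="admin@example.com"

# Transparent: clients keep their browser settings; the router redirects TCP/80 from
# the LAN to its own proxy port. Only plain HTTP can be intercepted this way; HTTPS
# (TCP/443) passes the proxy untouched.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent web proxy"

# HTTP firewall (access list): evaluated in order, first match wins.
/ip proxy access
add dst-host=*.blocked.example action=deny redirect-to=intranet.example/blocked.html \
    comment="blocked site, show a notice page instead"
add src-address=192.168.88.0/24 action=allow comment="our LAN may use the proxy"
add action=deny comment="everyone else is denied: never run an open proxy"

# Belt and braces: the proxy port must not be reachable from the Internet at all,
# regardless of what the access list says.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 \
    action=drop comment="proxy is LAN-only"

# Logging: the web-proxy topic records requests. Ship them off the router instead of
# filling its memory or disk.
/system logging action add name=syslog target=remote remote=192.168.88.200 remote-port=514
/system logging add topics=web-proxy,!debug action=syslog
```

An unrestricted RouterOS web proxy exposed on a public address is a classic finding: it lets anyone relay HTTP through your connection. The final deny in the access list and the input drop on the WAN interface are what prevent that; the redirect-to page gives users a clear notice instead of a silent failure.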
Disk
Manage all external disks
A newly connected disk must be formatted before use (screenshot)
Add Disk
Add a disk to store the proxy cache on external storage
Disks are supported for the proxy, User Manager and The Dude (screenshot)
Cache on Disk
The cache can be stored on external drives
The Store facility manages all external drives
The cache can be stored on IDE, SATA, USB, CF and MicroSD drives
Saving Configuration
Save the Proxy configuration on every router (screenshot)
THANK YOU