Module 06 Firewall

The document provides an overview of Mikrotik RouterOS Firewall, detailing its features, functions, and rules for managing network traffic. It explains the types of firewall chains (Input, Output, Forward) and their respective roles in filtering packets, along with actions like accept, drop, and reject. Additionally, it covers Network Address Translation (NAT) techniques, including Source NAT and Destination NAT, and includes practical lab exercises for implementing firewall rules and NAT configurations.

Mikrotik MTCNA Version 20.0

Module 6: Mikrotik RouterOS Firewall

Firewall

A firewall sits between the local network and a public network. It protects hosts from attack and controls the traffic that goes to the router, comes from the router, and passes through the router; in other words it protects both the router itself and the clients behind it.



Mikrotik Firewall

Firewall features of MikroTik RouterOS:

- Control (allow/deny) network access (filter)
- Modify packet headers, i.e. rewrite IP addresses and ports (NAT)
- Mark packets and connections for further processing (mangle)
- Layer 7 protocols (regular-expression matching on payload)
- Address lists
- Service ports (connection tracking helpers for protocols such as FTP, SIP, PPTP)
- Raw (rules evaluated before connection tracking)
- Connections (the connection tracking table, for monitoring only)



Mikrotik Firewall Concept

- The MikroTik firewall has three tables, each with a different job:
  - Filter rules: accept or drop packets
  - NAT: rewrite addresses and ports
  - Mangle: mark packets and connections, modify header fields
- Within a chain, rules are evaluated from top to bottom in rule order.
- The first rule whose conditions match decides the fate of the packet and evaluation stops there. The exceptions are non-terminating actions such as passthrough and log, and mangle rules with passthrough=yes, after which evaluation continues with the next rule.

Firewall Filter Rules

- Filtering packets is how the router enforces network security and regulates the flow of data to and from the clients and the router itself.
- Filter rules are read from top to bottom (sequential order). When a packet meets a rule's criteria, the rule's action is applied; if it does not, the next rule is evaluated. A packet that reaches the end of a chain without matching any rule is accepted by default.
- There are three built-in chains in the filter table: input, output and forward.

Firewall Filter Rules Chain

Example
- Block MSN access from a host computer – which chain? _____
- Block SSH access for the network – which chain? ________

Input Chain

- The input chain matches traffic destined to the router itself, i.e. addressed to one of the router's own interface addresses.
- Examples: Winbox traffic, SSH or Telnet sessions, or an administrator pinging the router directly.
- Typically most input traffic arriving from the WAN is dropped, to stop port scanners, malicious login attempts and the like.
- Some organizations drop input traffic from the local networks as well, because Winbox, SSH and other administrative traffic is limited to a management VLAN.

Output Chain

- The output chain matches traffic that originates from the router itself.
- Examples: an administrator sending a ping from the router to an ISP gateway to test connectivity, the router sending a DNS query on behalf of an internal host, or the router contacting mikrotik.com to check for updates.
- Many organizations do not filter the output chain, because traffic matching it has to originate on the router and is generally considered "trusted". That assumption only holds while the device itself has not been compromised.

Forward Chain

- The forward chain matches traffic routed across the router, from one interface to another. This is the traffic the device hands off from one network to another; for most organizations the bulk of their firewalled traffic is in this chain.
- An example is a packet sent from a LAN host through the router to the service provider's gateway via the default route: in one interface and out another, as directed by the routing table.
- Example: to block users from accessing facebook, we use a rule in the forward chain.

Filter Rules IF-THEN Condition

IF a packet matches our defined criteria, THEN what do we do with that packet?

Matching: the conditions a packet must meet; set in the General, Advanced and Extra tabs of the rule.
Action: what is done with a matching packet; set in the Action tab.
Status: how many packets and bytes have matched the rule. Use it to check whether a rule has any effect at all; shown in the Statistics tab (or with /ip firewall filter print stats on the CLI).

Firewall Filter Action

- accept - the packet is allowed through; it is not modified or rerouted.
- drop - the packet is silently discarded, with no message back to the source. This is the preferred way to handle unwanted packets: nothing is returned that a port scanner could use to fingerprint the device.
- reject - the packet is discarded and a reject message chosen by reject-with (an ICMP unreachable or a TCP RST) is sent to the source. Receiving the reject tells the sender that the packet did arrive but was blocked.
- tarpit - refuses the TCP connection but keeps it open, replying with SYN/ACK to incoming SYN packets, so that the scanner or bot ties up its own resources.
- log - writes a message about the packet to the system log, optionally prefixed with the text given in log-prefix, and then passes the packet on to the next rule (it does not terminate evaluation).



Firewall Best Practices

- Only allow necessary traffic.
- Use a "deny all" rule at the end of each chain. The built-in chains accept by default, so without it anything that no earlier rule matched gets through.



Firewall Filter Rules

RouterOS Services



Lab 6-1: Simple Blocking using Filter Rules

Block Winbox connections to the router that enter through the public interface (WLAN).

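Putting the two best-practice rules and Lab 6-1 together: the following input chain is an added example written for this page, not part of the module. It assumes the public interface is wlan1 (as the lab says), the trusted LAN interface is bridge with management hosts in 192.168.88.0/24, and that Winbox is on its default TCP port 8291 (check /ip service print); all list names and comments are ours.

```routeros
# Added example (not from the module): a baseline input chain that also completes Lab 6-1.
# Assumptions: public interface wlan1, trusted LAN interface "bridge", management hosts in
# 192.168.88.0/24; Winbox on its default TCP port 8291 (see /ip service print).
# Run from a console session or Winbox Safe Mode so a mistake cannot lock you out.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="hosts allowed to manage the router"

/ip firewall filter
# Stateful shortcut first: replies to connections the router already knows pass,
# packets that connection tracking cannot attribute to any connection are dropped.
add chain=input connection-state=established,related action=accept comment="allow established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Keep ICMP: path MTU discovery, ping and traceroute depend on it.
add chain=input protocol=icmp action=accept comment="allow ICMP"
# Lab 6-1: Winbox must not be reachable through the public interface. The rule is
# redundant with the catch-all below, but its own counter shows the lab working.
add chain=input in-interface=wlan1 protocol=tcp dst-port=8291 action=drop comment="Lab 6-1: block Winbox from WAN"
# Only listed management hosts may open Winbox/SSH to the router.
add chain=input src-address-list=mgmt protocol=tcp dst-port=8291,22 action=accept comment="management access"
# Services the LAN legitimately needs from the router itself (DNS here; add DHCP if it serves it).
add chain=input in-interface=bridge protocol=udp dst-port=53 action=accept comment="DNS from LAN"
# Best practice: an explicit "deny all" at the end of the chain. The log rule before it is
# non-terminating, so /log print shows what the catch-all is eating before you trust it.
add chain=input action=log log-prefix="INPUT-DROP " comment="log what the catch-all drops"
add chain=input action=drop comment="drop everything else"

# Check: packet/byte counters per rule tell you whether each rule is hit at all.
/ip firewall filter print stats where chain=input
```

Order matters: because established/related is accepted first, a Winbox session that was already open over wlan1 survives until it ends; clear it with /ip firewall connection remove if needed. The log rule is noisy on a busy WAN; keep it only while tuning.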


Lab 6-2: Simple Blocking using Filter Rules

Drop access to www.mikrotik.com

/ip firewall filter add action=drop chain=forward comment="Block Mikrotik" dst-address=159.148.147.196

Note: 159.148.147.196 is the address the site resolved to when the module was written. Blocking by a fixed IP fails silently as soon as the site moves, and blocks every other site served from that address. An address-list entry holding the FQDN, which RouterOS resolves and refreshes itself, is the more robust form.



Lab 6-3: Simple Blocking using Filter Rules (Content Option)

Block users from accessing websites using the content option of a MikroTik firewall rule. The content matcher looks for a text string in the packet payload.

One rule per string you want to block: to block, for example, mikrotik and cisco, create a rule for each.

Drop access to www.mikrotik.com:

/ip firewall filter add chain=forward src-address=192.168.X.0/24 protocol=tcp dst-port=80 content="mikrotik" action=drop comment="Block Mikrotik HTTP"
/ip firewall filter add chain=forward src-address=192.168.X.0/24 protocol=tcp dst-port=443 content="mikrotik" action=drop comment="Block Mikrotik HTTPS"

Note: on port 443 the string is only visible because the server name (SNI) in the TLS ClientHello is sent in cleartext; the rest of the session is encrypted and the string matches nothing there. Dropping the ClientHello is enough to stop the handshake. Matching "mikrotik" anywhere in the payload also catches unrelated pages that merely mention the word on port 80.

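Labs 6-2 and 6-3 side by side, as an added example that is not part of the module. It takes X = 1 (LAN 192.168.1.0/24); the list name and comments are ours. It also adds the one blocking method the labs do not show, matching the TLS server name with the tls-host matcher, and the QUIC fallback that HTTPS blocking needs in practice.

```routeros
# Added example (not from the module): three ways to block one site from the LAN, with their limits.
# Assumptions: lab "X" = 1, so the LAN is 192.168.1.0/24; list name and comments are ours.
/ip firewall address-list
# (a) Lab 6-2 without a hard-coded IP: an FQDN entry is resolved by the router and kept
#     current as dynamic entries, so the rule follows the site when its address changes.
#     Needs a working /ip dns configuration on the router.
add list=blocked-sites address=www.mikrotik.com comment="resolved dynamically by the router"

/ip firewall filter
# (a) Block by destination address, any port or protocol.
add chain=forward src-address=192.168.1.0/24 dst-address-list=blocked-sites action=drop comment="Lab 6-2: block by resolved address"
# (b) Lab 6-3: payload string match. Reliable only for cleartext HTTP (the Host: header).
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=80 content="mikrotik" action=drop comment="Lab 6-3: block by HTTP content"
# (c) For HTTPS the only cleartext name is the SNI in the TLS ClientHello; tls-host matches
#     exactly that field (wildcards allowed) instead of searching the whole payload.
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=443 tls-host=*.mikrotik.com action=drop comment="Lab 6-3: block by TLS SNI"
# Browsers also try the site over QUIC (UDP/443), where tls-host cannot look. Dropping
# QUIC makes them fall back to TCP, where rule (c) applies.
add chain=forward src-address=192.168.1.0/24 protocol=udp dst-port=443 action=drop comment="force QUIC fallback to TCP"

# Checks from the router console.
# Dynamic entries appear here once the FQDN has been resolved:
/ip firewall address-list print where list=blocked-sites
# Counters show which of the rules is actually firing:
/ip firewall filter print stats where comment~"Lab 6-"
```

None of these survive a VPN, DNS-over-HTTPS to a third-party resolver, or Encrypted ClientHello, which hides the SNI from rule (c); content blocking at the router is a policy aid, not a security boundary.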


Lab 6-4: Simple Blocking using Layer 7 Protocols

- layer7-protocol is a matcher that searches for patterns in ICMP/TCP/UDP streams using regular expressions.
- https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
- www.regexr.com - regex practice



Lab 6-4: Simple Blocking using Layer 7 Protocols

- When using a layer-7 protocol, always restrict the rule to the transport protocol you mean (protocol=tcp or protocol=udp), so that unrelated, latency-sensitive traffic is not pushed through the pattern matcher.
- Never apply layer-7 matching to ICMP; it will cause latency issues.
- Limit the use of layer-7 on your firewall and use it only when necessary, to keep the delay added to packets transiting the router small. The matcher buffers the first 10 packets or 2 KB of every connection it is applied to, it cannot see names inside encrypted payload, and it is bypassed entirely by connections that FastTrack has taken out of the firewall.



Lab 6-4: Simple Blocking using Layer 7 Protocols

- In the Regexp field, enter the following:

^.+(youtube.com|facebook.com).*$

- You can add more sites by typing in the domain and separating the entries with the pipe "|" symbol.
- In Filter Rules, create a rule with chain=forward, the layer-7 protocol selected, and action=drop.

Lab 6-4: Simple Blocking using Layer 7 Protocols

/ip firewall layer7-protocol
add name=Youtube regexp="(googlevideo|youtube|ytimg)"
/ip firewall mangle
add chain=forward protocol=tcp layer7-protocol=Youtube action=mark-connection new-connection-mark=YT-con
add chain=forward protocol=udp layer7-protocol=Youtube action=mark-connection new-connection-mark=YT-con

Note: these rules identify YouTube traffic at the application layer and tag the connection with the mark YT-con; a filter or queue rule matching connection-mark=YT-con is still needed to drop or shape it.

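Lab 6-4 completed, as an added example that is not part of the module: the mangle rules above only mark connections, so a filter rule has to act on the mark. The protocol and mark names are the lab's; the no-mark optimisation, the drop rule and the FastTrack check are ours.

```routeros
# Added example (not from the module): Lab 6-4 completed. The module's rules only mark
# YouTube connections; a filter rule still has to act on the mark. Names are the lab's,
# the optimisation, the drop rule and the checks are ours.
/ip firewall layer7-protocol
add name=Youtube regexp="(googlevideo|youtube|ytimg)"

/ip firewall mangle
# The L7 matcher buffers the first 10 packets / 2 KB of a connection and looks for the
# pattern there. connection-mark=no-mark keeps already-classified connections from being
# pushed through the regex again on every packet.
add chain=forward connection-mark=no-mark protocol=tcp layer7-protocol=Youtube action=mark-connection new-connection-mark=YT-con passthrough=yes comment="Lab 6-4: mark TCP YouTube"
# For TLS the name is found in the cleartext SNI. QUIC (UDP/443) encrypts its Initial
# packets, so this rule rarely matches; drop UDP/443 in filter if QUIC must be stopped too.
add chain=forward connection-mark=no-mark protocol=udp layer7-protocol=Youtube action=mark-connection new-connection-mark=YT-con passthrough=yes comment="Lab 6-4: mark UDP YouTube"

/ip firewall filter
# Act on the mark. The handshake and the first packets have already passed by the time
# the regex matches, so the effect is a stalled stream, not a refused connection.
add chain=forward connection-mark=YT-con action=drop comment="Lab 6-4: drop marked connections"

# FastTrack moves established connections out of the firewall, so mangle never sees their
# later packets and the ClientHello is missed. If this prints a rule, disable it while
# testing L7 (or restrict it to traffic you never want to classify).
/ip firewall filter print where action=fasttrack-connection

# Check: the mangle counters rise as videos are opened; the filter counter rises as they stall.
/ip firewall mangle print stats where comment~"Lab 6-4"
/ip firewall filter print stats where comment~"Lab 6-4"
```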


Address List

- Address lists group IP addresses, networks and ranges under a name.
- An address list (like a mangle mark) can then be used as a matcher in filter, NAT, mangle and queue rules, instead of repeating the addresses in every rule.
- Filter and mangle rules can add addresses to a list automatically (add-src-to-address-list / add-dst-to-address-list) and give each entry a timeout after which it expires.

Note: the same IP address can appear in several address lists, and each list is used independently of the others.



Lab 6-5: Address-List Config

- Make a rule that automatically inserts the source address of any machine that pings the router into an address list (named after you, e.g. Roy) and removes it from the list again automatically after 15 seconds.

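Lab 6-5 as a rule, followed by the same mechanism in its most common production use, a staged SSH brute-force blacklist. This is an added example, not part of the module: "Roy" is the lab's placeholder list name; the stage names, timeouts and the management subnet 192.168.88.0/24 are ours.

```routeros
# Added example (not from the module): Lab 6-5 as a rule, then the same mechanism used for
# staged SSH brute-force protection. "Roy" is the lab's placeholder list name; the stage
# names, timeouts and management subnet are ours.
/ip firewall filter
# Lab 6-5: whoever sends an echo request (ICMP type 8, code 0) to the router is recorded
# for 15 s, then aged out. The address-list actions are non-terminating, so the ping itself
# is still accepted or dropped by the rules that follow.
add chain=input protocol=icmp icmp-options=8:0 action=add-src-to-address-list address-list=Roy address-list-timeout=15s comment="Lab 6-5: record pingers for 15s"

# Staged blacklist: every new SSH connection from a source promotes it one stage; four new
# connections within a minute land it in ssh_blacklist for 10 days. What is counted is
# connection attempts, not failed logins, so whitelist your own hosts first.
add chain=input protocol=tcp dst-port=22 src-address=192.168.88.0/24 action=accept comment="SSH from management, never staged"
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop blacklisted SSH sources"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="stage3 -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="stage2 -> stage3"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="stage1 -> stage2"
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="first attempt -> stage1"

# Checks: dynamic entries carry the D flag and a countdown; the Lab 6-5 entry must be gone
# 15 seconds after the last ping.
/ip firewall address-list print where list=Roy
/ip firewall address-list print where list~"^ssh_"
```

The stage rules are ordered highest stage first on purpose: a source is promoted by at most one stage per connection, and the blacklist drop sits above them so a blacklisted source is never re-staged.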


Network Address Translation (NAT)

- Network Address Translation (NAT) is a technique for rewriting the IP addresses and ports of packets as they pass through the router.
- There are two types of NAT:
  - Source NAT (SRC-NAT) rewrites the source IP address and/or port
  - Destination NAT (DST-NAT) rewrites the destination IP address and/or port

Firewall NAT



Firewall NAT Chains

- NAT rules are organized in chains.
- There are two built-in chains:
  - dstnat - used for changing the destination address and ports (the actions src-nat and masquerade cannot be used in this chain); evaluated before the routing decision
  - srcnat - used for changing the source address and ports (the actions dst-nat and redirect cannot be used in this chain); evaluated after the routing decision

Note:
- NAT rules process only the first packet of each connection; the translation is then stored in the connection tracking entry and applied to the rest of the connection in both directions.
- Connection tracking must be enabled for NAT and for stateful filtering to work.



NAT Known Actions

- accept - accept the packet; it is not passed to the next NAT rule.
- add-dst-to-address-list - add the destination address to the address list given by the address-list parameter.
- add-src-to-address-list - add the source address to the address list given by the address-list parameter.
- dst-nat - replace the destination address and/or port of the packet with the values given by to-addresses and to-ports.
- jump - jump to the user-defined chain given by jump-target.
- log - add a message to the system log containing in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and the length of the packet. The packet is then passed to the next rule, as with passthrough.
- masquerade - replace the source address with the address of the out-interface chosen by the routing facility; intended for dynamic WAN addresses.
- netmap - create a static 1:1 mapping of one set of IP addresses to another. Often used to hand public IP addresses to hosts on private networks.
- passthrough - if the packet matches, increase the counter and go to the next rule (useful for statistics).
- redirect - replace the destination port with the one given by to-ports and the destination address with one of the router's own local addresses.
- return - pass control back to the chain from which the jump took place.
- same - give a particular client the same source/destination IP address from the supplied range for every connection. Used for services that expect the same client address across multiple connections from one client.
- src-nat - replace the source address and/or port of the packet with the values given by to-addresses and to-ports.

SRC-NAT Example

- Action src-nat changes the packet's source address and/or port to the specified address and/or port.
- This action can only be used in chain=srcnat.
- Typical application: present specific LAN resources behind a specific, static public IP address.

Masquerade Example

- Action masquerade changes the packet's source address to the address of the interface the packet leaves through, and optionally the source port to one from to-ports. Because the address is read from the interface at translation time, it follows a changing (DHCP/PPPoE) WAN address without any rule change.
- This action can only be used in chain=srcnat.
- Typical application: hide the LAN behind one dynamic public address.

Lab 6-6: SRC-NAT



DST-NAT Example

- Action dst-nat changes the packet's destination address and/or port to the specified address and port.
- This action can only be used in chain=dstnat.
- Typical application: make services on the local network reachable from the public network (port forwarding).
- Example: action=dst-nat is used to steer clients' traffic to a specific mail server / SMTP on the network.

Redirect Example

- Action redirect changes the packet's destination address to the router itself and the destination port to the specified port on the router.
- This action can only be used in chain=dstnat.
- Typical application: transparent proxying of network services (DNS, HTTP).

Lab 6-7: DST-NAT

Redirect all DNS to the Norton ConnectSafe addresses 199.85.126.20 and 199.85.127.20 to block pornographic sites on the Internet.

Note: Norton ConnectSafe was shut down in November 2018, so these two addresses no longer answer; substitute a filtering resolver that is still in service. Because the clients' own DNS setting is left untouched and the router rewrites the destination to an outside address, the lab is a dst-nat (not redirect) exercise, and it only covers clients that actually send plain DNS on port 53; DNS over HTTPS (TCP 443) is not caught by it.

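The four NAT actions of this section in one ruleset, covering Labs 6-6 and 6-7, as an added example that is not part of the module. It assumes ether1 is the WAN with the static public addresses 203.0.113.10 (router) and 203.0.113.11 (spare), the LAN 192.168.1.0/24 on bridge (lab X = 1) and an internal web server at 192.168.1.10; the resolver addresses are the lab's (see the note above on their status) and all comments are ours.

```routeros
# Added example (not from the module): the four NAT actions of this section in one ruleset,
# covering Labs 6-6 and 6-7. Assumptions: ether1 is the WAN with static public addresses
# 203.0.113.10 (router) and 203.0.113.11 (spare); LAN 192.168.1.0/24 on "bridge" (lab X = 1);
# internal web server 192.168.1.10. The resolver addresses are the lab's.
/ip firewall nat
# src-nat (Lab 6-6): one host always appears as one specific public address. It must sit
# above the masquerade rule, because the first matching NAT rule wins.
add chain=srcnat out-interface=ether1 src-address=192.168.1.10 action=src-nat to-addresses=203.0.113.11 comment="Lab 6-6: server uses its own public IP"
# masquerade: everything else in the LAN hides behind whatever address ether1 has right now.
add chain=srcnat out-interface=ether1 src-address=192.168.1.0/24 action=masquerade comment="LAN to Internet"
# dst-nat: publish the internal web server on the spare public address. No in-interface
# match, so the hairpin case below is covered by the same rule.
add chain=dstnat dst-address=203.0.113.11 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.1.10 comment="publish web server"
# hairpin: LAN clients using the public name reach the server too; their source is rewritten
# to the router so the server's reply returns through the router instead of going direct.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=80,443 action=masquerade comment="hairpin NAT"
# Lab 6-7: rewrite every plain DNS query from the LAN (including those aimed at the router)
# to the two filtering resolvers. nth=2,1 matches every other new connection and sends it to
# the first resolver; the rest falls through to the second rule.
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 nth=2,1 action=dst-nat to-addresses=199.85.126.20 comment="Lab 6-7: DNS to resolver 1"
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=dst-nat to-addresses=199.85.127.20 comment="Lab 6-7: DNS to resolver 2"
# redirect: the alternative to Lab 6-7, answering DNS on the router itself (transparent
# proxying). Left disabled because the two rules above would otherwise never be reached.
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect to-ports=53 disabled=yes comment="alternative: DNS answered by the router"

/ip firewall filter
# A dst-nat only rewrites the packet; the forward chain must still accept it. Match the NAT
# state rather than the address so the rule survives address changes. Place it above the
# forward chain's catch-all drop.
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=ether1 action=accept comment="allow port-forwarded traffic"

# Check: NAT counters only count the first packet of each connection, so they grow slowly.
/ip firewall nat print stats
```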
Firewall Mangle

- Firewall mangle is used to mark IP packets with special marks.
- These marks are used by other router facilities such as:
  - routing (policy routing)
  - firewall filter and other mangle rules
  - bandwidth management (simple queues / queue tree)
- It is also used to modify some fields of the IP header, such as TOS (DSCP) and TTL.

Note: mangle marks exist only inside the router; they are not transmitted across the network.

Firewall Mangle Chains
There are 5 built-in chains in firewall mangle, one for each point where a packet can be inspected:
- prerouting - every packet entering the router, before the routing decision is made (the only place where a routing mark can still influence routing)
- input - packets destined to the router itself, after the routing decision
- forward - packets routed through the router from one interface to another
- output - packets originated by the router itself
- postrouting - every packet leaving the router, after the routing decision (forwarded and locally generated alike)

Firewall Mangle Actions
- accept - accept the packet; it is not passed to the next firewall rule.
- add-dst-to-address-list - add the destination address to the address list given by address-list.
- add-src-to-address-list - add the source address to the address list given by address-list.
- change-dscp - set the Differentiated Services Code Point (DSCP) field to the value given by new-dscp.
- change-mss - set the TCP Maximum Segment Size option to the value given by new-mss (the option is only present in SYN packets).
- change-ttl - set the Time to Live field to the value given by new-ttl.
- clear-df - clear the 'Don't Fragment' flag.
- jump - jump to the user-defined chain given by jump-target.
- log - add a message to the system log containing in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and the length of the packet; the packet is then passed to the next rule, as with passthrough.
- return - pass control back to the chain from which the jump took place.
- route - force packets to a specific gateway IP, ignoring the normal routing decision (prerouting chain only).
- set-priority - set the priority given by new-priority on packets sent out through a link that can carry a priority (VLAN or WMM-enabled wireless interface).
- strip-ipv4-options - strip IPv4 option fields from the IP header.
- mark-connection - place the mark given by new-connection-mark on the entire connection that matches the rule.
- mark-packet - place the mark given by new-packet-mark on a packet that matches the rule.
- mark-routing - place the mark given by new-routing-mark on a packet; this kind of mark is used for policy routing only.
- passthrough - if the packet matches, increase the counter and go to the next rule (useful for statistics).

Marking Connections
- Marking the connection means marking the data as a whole connection.
- Instead of marking every packet as it flows through the router, you identify what you want once, mark the connection when it starts, and every packet of that connection then belongs to that connection mark.
- Connection marks are stored in the connection tracking table.
- A connection can carry only one connection mark at a time.
- Connection tracking is what associates each packet with its connection (and therefore with its connection mark).

Mark Connection Rule



Marking Packets
- When you choose mark-packet, every single packet flowing through the router is evaluated and marked individually. This costs more CPU than marking a connection once.
- Packets can be marked:
  - indirectly - using connection tracking, based on a previously created connection mark (faster)
  - directly - without connection tracking: no connection mark is needed, the router compares each packet to the given condition (this imitates some of what connection tracking does)

Mark Packet Rule



Passthrough
Passthrough = no
- if the rule's conditions match, the packet is not passed to the following mangle rules
- the mark set by this rule is final; no later rule in the chain can change it
Passthrough = yes
- evaluation continues with the next mangle rule
- the mark can still be changed by a later rule
Note: the usual convention is
- mark-connection with passthrough = yes
- mark-packet with passthrough = no

Sample Config using Passthrough

- Test: ping 8.8.8.8 -t

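The passthrough convention made observable, as an added example that is not part of the module. From a LAN host run the slide's test, ping 8.8.8.8 -t, and watch the rule counters. It assumes the LAN is 192.168.1.0/24; the mark and queue names are ours.

```routeros
# Added example (not from the module): the passthrough convention made observable.
# From a LAN host run the slide's test, ping 8.8.8.8 -t, then watch the rule counters.
# Assumptions: LAN 192.168.1.0/24; mark and queue names are ours.
/ip firewall mangle
# 1: mark the connection once, on its first packet, and let evaluation continue
#    (passthrough=yes) so that this same packet also reaches rule 2.
add chain=prerouting connection-state=new protocol=icmp dst-address=8.8.8.8 action=mark-connection new-connection-mark=icmp-8888 passthrough=yes comment="1: mark connection"
# 2: every packet of that connection, in either direction, now carries the connection mark.
#    Turn it into a packet mark and stop here (passthrough=no).
add chain=prerouting connection-mark=icmp-8888 action=mark-packet new-packet-mark=icmp-pkt passthrough=no comment="2: mark packets, final"
# 3: identical match, but unreachable for these packets because rule 2 ended evaluation.
#    Its counter stays at zero for as long as the pings run: that is passthrough=no at work.
#    Set rule 2 to passthrough=yes and this counter starts climbing while the packets end
#    up with the mark "never-set", because the later rule then overrides the earlier one.
add chain=prerouting connection-mark=icmp-8888 action=mark-packet new-packet-mark=never-set passthrough=no comment="3: unreachable while 2 has passthrough=no"

# Something that consumes the packet mark, so the marking has a visible effect: a simple
# queue limiting the marked pings. Enable it and the round-trip time rises under load.
/queue simple
add name=icmp-limit target=192.168.1.0/24 packet-marks=icmp-pkt max-limit=32k/32k comment="consumes the packet mark"

# Check: rule 1 counts one packet per ping session (one ICMP connection), rule 2 counts
# every echo request and every reply, rule 3 stays at zero.
/ip firewall mangle print stats
```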


Lab 6-8: Mangle

- Configure load balancing using firewall marking.

Lab 6-8: Load Balancing using Firewall Marking (Load Balancing Over Multiple Gateways)

Let us create two local area networks: 192.168.X.0/24 for LAN1 and 172.16.X.0/24 for LAN2.
The IP addresses are assigned as follows:
- 192.168.X.2-254 are used for Group A workstations
- 172.16.X.2-254 are used for Group B workstations
- 192.168.X.1 and 172.16.X.1 are used for the router's interfaces

- Add the IP address of the router on the ether1 port (first uplink).
- Add the IP address of the router on the ether2 port (second uplink).
- Add an IP firewall mangle rule to mark the packets originating from Group A: chain prerouting, Src. Address 192.168.X.0/24, action mark-routing, New Routing Mark GroupA.
- Add an IP firewall mangle rule to mark the packets originating from Group B: chain prerouting, Src. Address 172.16.X.0/24, action mark-routing, New Routing Mark GroupB.
- Next, specify two default routes (destination 0.0.0.0/0) with the appropriate routing marks and gateways.
- Test the setup by tracing the route to some IP address on the Internet from a host in each group.

Note: a mark-routing rule that matches everything from a source network also catches its traffic to the other LAN and to the router itself; exclude the local networks from the match, or Group A can no longer reach Group B. Source NAT out of each uplink must also be in place, otherwise the ISP receives private source addresses.

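Lab 6-8 as a complete configuration in RouterOS v6 syntax (the version this module is written for), as an added example that is not part of the module. It assumes X = 1, ISP1 on ether1 with gateway 10.1.1.1 and router address 10.1.1.2/24, ISP2 on ether2 with gateway 10.2.2.1 and router address 10.2.2.2/24, LAN1 on ether3 and LAN2 on ether4; the list name and comments are ours.

```routeros
# Added example (not from the module): Lab 6-8 as a complete configuration, RouterOS v6 syntax.
# Assumptions (ours): X = 1; ISP1 on ether1, gateway 10.1.1.1, router 10.1.1.2/24;
# ISP2 on ether2, gateway 10.2.2.1, router 10.2.2.2/24; LAN1 on ether3, LAN2 on ether4.
/ip address
add address=10.1.1.2/24 interface=ether1 comment="ISP1 uplink"
add address=10.2.2.2/24 interface=ether2 comment="ISP2 uplink"
add address=192.168.1.1/24 interface=ether3 comment="LAN1, Group A"
add address=172.16.1.1/24 interface=ether4 comment="LAN2, Group B"

/ip firewall address-list
add list=LAN address=192.168.1.0/24
add list=LAN address=172.16.1.0/24

/ip firewall mangle
# The routing mark selects which routing table the default-route lookup uses. Exclude traffic
# for the other LAN and for the router (dst-address-list=!LAN covers both), otherwise Group A
# traffic to Group B would be pushed out through ISP1.
add chain=prerouting src-address=192.168.1.0/24 dst-address-list=!LAN action=mark-routing new-routing-mark=GroupA passthrough=no comment="Lab 6-8: Group A via ISP1"
add chain=prerouting src-address=172.16.1.0/24 dst-address-list=!LAN action=mark-routing new-routing-mark=GroupB passthrough=no comment="Lab 6-8: Group B via ISP2"

/ip route
# One default route per routing mark. check-gateway=ping deactivates the route when the
# gateway stops answering; in v6 a lookup that finds nothing in the marked table falls back
# to the main table, which gives failover for free.
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=GroupA check-gateway=ping comment="Group A default"
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=GroupB check-gateway=ping comment="Group B default"
# Unmarked traffic (the router's own, and the fallback) uses the main table: ISP1 first,
# ISP2 when ISP1 is down.
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 check-gateway=ping comment="main default, ISP1"
add dst-address=0.0.0.0/0 gateway=10.2.2.1 distance=2 check-gateway=ping comment="main default, ISP2 fallback"

/ip firewall nat
# Each group must leave with the address of the uplink it was routed to, otherwise the ISP
# sees private sources and replies never come back on the right link.
add chain=srcnat out-interface=ether1 action=masquerade comment="src-nat for ISP1"
add chain=srcnat out-interface=ether2 action=masquerade comment="src-nat for ISP2"

# Checks: the lab's traceroute from a Group A and a Group B host should show different first
# hops; from the router itself the marked tables can be exercised directly.
/tool traceroute 8.8.8.8 routing-table=GroupA
/tool traceroute 8.8.8.8 routing-table=GroupB
/ip firewall mangle print stats where comment~"Lab 6-8"
```

On RouterOS v7 the same design needs the tables declared first (/routing table add name=GroupA fib, likewise GroupB) and the routes use routing-table=GroupA instead of routing-mark=GroupA; the mangle rules are unchanged.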
