Testwiki/Network security

From MikroTik Wiki
Revision as of 15:34, 20 August 2010 by Andriss (talk | contribs) (Mangle feature)

Network security

Firewall filter

In general, network security lets the administrator protect the network and its services from unauthorized access by applying policy rules adopted by the network administrator. The list of policy rules is more often called a firewall filter. All data flowing to, from and through the router passes via the firewall, which checks each data message and determines whether to block it or not.

A firewall filter that operates on data link, network and transport layer header information (sometimes also called simply a packet filter) examines each packet passing through the firewall and accepts or denies it based on user-defined rules. Packets can be filtered on various parameters such as source IP address, destination IP address, source and destination port number, type of service (ToS) bits, TTL value, packet size, MAC address and many others. A firewall often works together with the Network Address Translation service, which translates private IP addresses to public ones and vice versa. Hosts behind NAT commonly have addresses from a private address range, and NAT hides the true addresses of those hosts from the outside (Internet).

MikroTik RouterOS has a very powerful firewall that allows filtering traffic by different attributes:

  • Source, destination address or address range
  • Input, output interface
  • TCP/UDP port or port range
  • source MAC address
  • DSCP (ToS) bits
  • Connection type or state
  • Packet size
  • and much more!

A properly configured firewall plays a key role in an efficient and secure network infrastructure deployment.

The firewall is defined as a list of rules. Each rule consists of two parts: the matcher, which matches the traffic flow against given conditions, and the action, which defines what to do with the matched packet. Basically, a list of rules reads like a series of if-then statements: if a given rule's conditions are met, the appropriate action is executed. If the conditions are not met, nothing happens and the next rule is evaluated, until a matching rule is found; if there is no such rule, the packet passes through the router without any restriction.

Firewall filtering rules are grouped together in chains. This allows a packet to be matched against one common criterion in one chain and then passed over to another chain for processing against some other common criteria.

There are three predefined chains, which cannot be deleted:

  • input - used to process packets entering the router through one of the interfaces with a destination IP address that is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
  • forward - used to process packets passing through the router
  • output - used to process packets originating from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom.

Simple firewall rule example:

/ip firewall filter> add chain=forward protocol=tcp dst-address= action=drop \ 

This firewall rule drops all TCP traffic that is destined to host and going through the router.

RouterOS supports many other actions, such as accept, drop, log, jump and reject.

Another firewall example:

Suppose our local network is and the public (WAN) interface is ether1. We will set up the firewall to deny access from the Internet to the router via Telnet (protocol TCP, port 23).

 /ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop \
 in-interface=ether1 disabled=no

Full firewall command reference and examples can be found here.
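The rule semantics described in this section (top-to-bottom evaluation within a chain, first matching rule decides, a packet that matches nothing is accepted, jump to another chain and back) can be checked against a concrete rule set with the following toy evaluator. It is an added example, not MikroTik code and not part of the original page: it parses rule lines in the same "/ip firewall filter> add key=value ..." syntax used above, implements only the matchers and actions the page mentions (log is treated as a passthrough action that falls through to the next rule, as in RouterOS), and uses constructed documentation addresses and a constructed chain name "dns-check".

```python
"""Toy evaluator for RouterOS-style firewall filter rules (added example,
not MikroTik code). Rule lines use the page's own command syntax; only the
matchers and actions that appear on this page are implemented."""
import ipaddress
import shlex


def parse_rule(line):
    """Turn one '... add k=v k=v ...' line into a dict of matcher/action fields."""
    tokens = shlex.split(line.replace("\\", " "))
    if "add" in tokens:
        tokens = tokens[tokens.index("add") + 1:]   # drop the '/ip firewall filter>' prefix
    rule = {}
    for tok in tokens:
        key, _, value = tok.partition("=")
        rule[key] = value
    return rule


def _addr_ok(spec, addr):
    # An absent matcher means "any"; otherwise accept a single host or a CIDR range.
    return not spec or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    # Port specs such as "23", "80,443" or "1024-65535".
    if not spec:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, pkt):
    """The matcher half of a rule: every condition that is given must hold."""
    if rule.get("disabled") == "yes":
        return False
    if rule.get("protocol") and rule["protocol"] != pkt["proto"]:
        return False
    for iface in ("in-interface", "out-interface"):
        if rule.get(iface) and rule[iface] != pkt.get(iface):
            return False
    return (_addr_ok(rule.get("src-address"), pkt["src"])
            and _addr_ok(rule.get("dst-address"), pkt["dst"])
            and _port_ok(rule.get("src-port"), pkt["sport"])
            and _port_ok(rule.get("dst-port"), pkt["dport"]))


def evaluate(rules, chain, pkt, _depth=0):
    """The action half: the first matching rule in the chain decides.

    'log' only logs and falls through to the next rule. 'jump' evaluates the
    target chain and, if nothing there decided, continues with the next rule
    of the calling chain. A packet matching no rule at all is accepted.
    """
    for rule in rules:
        if rule.get("chain") != chain or not matches(rule, pkt):
            continue
        action = rule.get("action", "accept")
        if action == "log":
            continue
        if action == "jump":
            verdict = evaluate(rules, rule["jump-target"], pkt, _depth + 1)
            if verdict is not None:
                return verdict
            continue
        return action            # accept, drop, reject: terminal
    return None if _depth else "accept"


# Constructed rule set: the page's Telnet rule, a forward chain that logs and
# drops traffic to one host, and a jump to a custom chain for DNS traffic.
RULES = [parse_rule(line) for line in """
/ip firewall filter> add chain=input protocol=tcp dst-port=23 action=drop in-interface=ether1 disabled=no
/ip firewall filter> add chain=forward protocol=tcp dst-address=192.0.2.10 action=log
/ip firewall filter> add chain=forward protocol=tcp dst-address=192.0.2.10 action=drop
/ip firewall filter> add chain=forward action=jump jump-target=dns-check
/ip firewall filter> add chain=dns-check protocol=udp dst-port=53 dst-address=192.0.2.0/24 action=accept
/ip firewall filter> add chain=dns-check protocol=udp dst-port=53 action=reject
""".strip().splitlines()]


def verdict(chain, proto, src, dst, sport, dport, in_iface=None):
    """Evaluate one constructed packet against RULES in the given chain."""
    pkt = {"proto": proto, "src": src, "dst": dst, "sport": sport,
           "dport": dport, "in-interface": in_iface}
    return evaluate(RULES, chain, pkt)


if __name__ == "__main__":
    print(verdict("input", "tcp", "198.51.100.9", "203.0.113.1", 40000, 23, "ether1"))   # drop
    print(verdict("input", "tcp", "192.168.0.5", "203.0.113.1", 40000, 23, "ether2"))    # accept
    print(verdict("forward", "udp", "192.168.0.5", "198.51.100.53", 40000, 53))           # reject
```

The interesting cases are the ones the prose only implies: Telnet from the LAN interface is still accepted because the drop rule is bound to in-interface=ether1, and a packet that matches nothing in the jumped-to chain comes back and is accepted by the default at the end of the forward chain.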

Network address translation (NAT)

The original intention of Network Address Translation (NAT) was to solve the problem of IP address exhaustion by allowing many private IP addresses to be represented by a smaller number of public IP addresses. NAT basically means that you can use the same private IP address range in separate LANs (intranets) and all hosts can still connect to the Internet. NAT is used on a border router of your network, typically between different intranets or between an intranet and your Internet service provider's network. The border router performs the address translation on packets that travel to and from the LAN. The major advantage of NAT is that it conserves your public registered address space, which is why we have not run out of IPv4 addresses.

Every packet has a source and a destination IP address, and either or both may be translated; NAT can also translate TCP/UDP source and destination port numbers. NAT is therefore implemented in a variety of address translation schemes.

Source NAT

NAT that involves translation of the source IP address and/or source port is called source NAT. This type of NAT is performed on packets that originate from a natted network (a LAN that uses NAT is referred to as a natted network). A NAT router replaces the private source IP address and/or source port number of an IP packet with a new public IP address and/or source port as the packet travels through the router. The reverse operation is applied to the reply packets travelling in the other direction.

Destination NAT

NAT that involves translation of the destination IP address and/or destination port number is called destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.

NAT configuration examples


Source NAT configuration

I’m going to start by using Figure 7.1. If you want to "hide" the private LAN "behind" one address given to you by the ISP, you should use the source network address translation (masquerading) feature of the MikroTik router. Masquerading changes the source IP address and port of packets originating from the network to the address of the router when the packet is routed through it.

Simple source NAT example:

/ip firewall nat> add chain=srcnat action=src-nat src-address= to-addresses=

All outgoing connections from the network will have the source address of the router and a source port above 1024.

You can do this in a shorter way by using the action “masquerade”. Masquerade is a special form of src-nat: in this case you are not able to specify the “to-addresses” option, since the outgoing interface address is used automatically. Let’s take a look at a simple configuration adding a firewall rule with action “masquerade”:

/ip firewall nat> add chain=srcnat action=masquerade out-interface=ether1

In this case no access from the Internet to the local addresses will be possible. If you want to allow connections to a server on the private network, you should use destination Network Address Translation (NAT).

Destination NAT configuration

If you want a server ( within the private network to be reachable from outside, you should use the destination address translation feature of the MikroTik router.

Destination NAT example that allows connecting to the server from the Internet:

/ip firewall nat> add chain=dstnat action=dst-nat dst-address= to-addresses=

ONE-to-ONE mapping

One-to-one NAT means that we have a pool of public IP addresses, one of which we provide to each user on the private network. For example, if you want to map a public IP subnet to a local one, you should use the destination address translation and source address translation features with action=netmap.

 /ip firewall nat add chain=dstnat dst-address= \
         action=netmap to-addresses=
 /ip firewall nat add chain=srcnat src-address= \
         action=netmap to-addresses=  

Port mapping

Port mapping is the technique of taking packets destined for a specific host and a specific TCP or UDP port and 'forwarding' them to a different port and/or host. This is done “transparently”, meaning that network clients cannot see that port mapping is being done.

For example, we have a web server on the private network with IP address and on port 8080, and we want all users from outside to be able to connect to it. You need to implement port mapping like this:

 /ip firewall nat> add chain=dstnat protocol=tcp action=dst-nat \
 dst-address= dst-port=80 to-addresses= to-ports=8080

Verify your NAT configuration:

/ip firewall nat> print detail 
/ip firewall nat> print all
/ip firewall nat> print stats

Keep in mind also that each NAT translation introduces switching path delay and increases the router’s CPU usage.
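The three NAT forms in this section (masquerading with a fresh source port above 1024 and reverse translation of replies, dst-nat with to-ports for port mapping, and netmap for one-to-one subnet mapping) are modelled together below. This is an added example, not MikroTik code and not from the original page; the addresses are constructed documentation values (a WAN address 203.0.113.1, LAN 192.168.0.0/24, a public block 203.0.113.16/28 mapped one-to-one onto 192.168.1.0/28), and the translation table is simplified to a key of protocol, public address and public port.

```python
"""Toy model of source NAT, destination NAT, port mapping and netmap as
described on this page (added example, not MikroTik code). Addresses are
constructed documentation values."""
import ipaddress


def _within(spec, addr):
    """True if addr is the host, or inside the range, given by spec."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _netmap(addr, from_net, to_net):
    """One-to-one mapping: keep the host part of addr, swap the network part."""
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    offset = int(ipaddress.ip_address(addr)) - int(src.network_address)
    return str(dst.network_address + offset)


class NatRouter:
    def __init__(self, wan_address):
        self.wan = wan_address      # address used automatically by action=masquerade
        self.srcnat = []            # (src-address, action, to-addresses)
        self.dstnat = []            # (dst-address, action, to-addresses, protocol, dst-port, to-ports)
        self.table = {}             # (proto, public addr, public port) -> (private addr, private port)
        self.next_port = 1025       # page: translated source ports are above 1024

    def add_srcnat(self, src_address, action, to_addresses=None):
        self.srcnat.append((src_address, action, to_addresses))

    def add_dstnat(self, dst_address, action, to_addresses,
                   protocol=None, dst_port=None, to_ports=None):
        self.dstnat.append((dst_address, action, to_addresses, protocol, dst_port, to_ports))

    def outbound(self, pkt):
        """srcnat chain: the first matching rule rewrites the source of a LAN packet."""
        pkt = dict(pkt)
        for src_address, action, to in self.srcnat:
            if not _within(src_address, pkt["src"]):
                continue
            if action == "netmap":
                pkt["src"] = _netmap(pkt["src"], src_address, to)   # port is kept
            else:   # src-nat or masquerade: one public address, fresh source port
                public = self.wan if action == "masquerade" else to
                self.table[(pkt["proto"], public, self.next_port)] = (pkt["src"], pkt["sport"])
                pkt["src"], pkt["sport"] = public, self.next_port
                self.next_port += 1
            break
        return pkt

    def inbound(self, pkt):
        """From the Internet: a reply to a translated connection is reverse-translated
        from the table; any other packet goes through the dstnat chain."""
        pkt = dict(pkt)
        key = (pkt["proto"], pkt["dst"], pkt["dport"])
        if key in self.table:
            pkt["dst"], pkt["dport"] = self.table[key]
            return pkt
        for dst_address, action, to, proto, dport, to_ports in self.dstnat:
            if not _within(dst_address, pkt["dst"]):
                continue
            if (proto and proto != pkt["proto"]) or (dport and dport != pkt["dport"]):
                continue
            if action == "netmap":
                pkt["dst"] = _netmap(pkt["dst"], dst_address, to)
            else:   # dst-nat, optionally with port mapping
                pkt["dst"] = to
                if to_ports:
                    pkt["dport"] = to_ports
            break
        return pkt


def build_router():
    """The page's scenarios on one constructed router with WAN address 203.0.113.1."""
    r = NatRouter("203.0.113.1")
    r.add_srcnat("192.168.0.0/24", "masquerade")                    # hide the LAN
    r.add_srcnat("192.168.1.0/28", "netmap", "203.0.113.16/28")     # one-to-one, outbound half
    r.add_dstnat("203.0.113.16/28", "netmap", "192.168.1.0/28")     # one-to-one, inbound half
    r.add_dstnat("203.0.113.1", "dst-nat", "192.168.0.20",
                 protocol="tcp", dst_port=80, to_ports=8080)        # port mapping 80 -> 8080
    return r


if __name__ == "__main__":
    r = build_router()
    out = r.outbound({"proto": "tcp", "src": "192.168.0.5", "sport": 40000,
                      "dst": "198.51.100.7", "dport": 443})
    print(out)                                              # src 203.0.113.1, sport 1025
    print(r.inbound({"proto": "tcp", "src": "198.51.100.7", "sport": 443,
                     "dst": "203.0.113.1", "dport": 1025}))  # back to 192.168.0.5:40000
```

Note that netmap needs both halves (a dstnat rule and a srcnat rule), exactly as in the two-rule example above, because it is a stateless address rewrite in each direction, whereas masquerade and src-nat rely on the recorded translation to reverse replies.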

Traffic marking

Mangle feature

The traffic marking facility allows IP packets to be marked with special marks. In RouterOS the Mangle feature (/ip firewall mangle) performs traffic classification and marking. These marks are used by various other router facilities (NAT, queue tree, routing) to identify the packets. Additionally, the mangle facility is used to modify some fields in the IP header, such as the ToS (DSCP) and TTL fields.


Note: Keep in mind that mangle marks exist only locally within the router; they are not transmitted across the network and cannot be used by other routers.

Example of traffic marking

Marking each packet is quite CPU-expensive, especially if many IP header parameters are matched or the match involves an address list containing hundreds of entries.

As when configuring the firewall and NAT, it is important here to understand chains. The order in which packets are processed in RouterOS is described and illustrated here.


Figure 7.2 Available chains under mangle facilities

In this case the chain determines when the mangle rule is executed in RouterOS, i.e. which functions are processed before it and which after it. For example, when we use chain=prerouting, the connection tracking function is executed before this mangle rule.

Mark by IP address and port number:

Mark packets by source IP address ( and destination port number 23 (telnet):

/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=mymark protocol=tcp \ 
src-address= dst-port=23 passthrough=no

All traffic from that address destined to port 23 is marked with “mymark”, and the mark can be used by other router facilities, for example to implement policy routing:

/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=table2 passthrough=no \
packet-mark=mymark

This means that packets marked with mymark will be routed using routing table table2.

The marking rule looks quite simple and will probably work without problems in small networks. But multiply the number of rules by 10, add a few hundred entries to an address list, run 50-100 Mbit of traffic over this router, and you will see how rapidly CPU usage increases.

Mark by protocol and port number:

/ip firewall mangle add chain=forward protocol=tcp dst-port=80 action=add-src-to-address-list \ 
address-list=first address-list-timeout=1h 

This checks all traffic forwarded through the router: if a packet is destined to TCP port 80, the packet’s source IP address is added to the address list specified by the address-list parameter, after which the address list can be used for other purposes. For example, check all traffic forwarded through the router and match the destination address of each packet against the previously defined address list “first”; if the packet’s destination IP address matches an address from the list, the packet is marked with “abc”.

/ip firewall mangle add chain=forward dst-address-list=first action=mark-packet new-packet-mark=abc

Now we can use the marked packets in other RouterOS facilities, such as rate limitation using queues and queue trees, which allow managing traffic data rates and provide Quality of Service for network users.

For example, implement download limitation for marked traffic:

/queue tree add name="queue1" packet-marks=abc priority=8 queue=default/default limit-at=0/256k \
max-limit=0/512k burst-limit=0/0 burst-threshold=0/0 

The guaranteed download rate is at least 256 kbps and the maximum allowed data rate is 512 kbps. Read more about bandwidth limitation in the next section.
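The chain of three steps above (add-src-to-address-list with a 1h timeout, mark-packet by dst-address-list, queue tree selected by packet mark) is modelled below so the timing behaviour can be seen: an address only matches while its list entry has not timed out, and a mark is only ever a value held inside the router object, which is the point of the note that marks never leave the router. This is an added example, not MikroTik code and not from the original page; the clock is a constructed count of seconds and the addresses are constructed documentation values.

```python
"""Toy model of the mangle sequence on this page: dynamic address list with
timeout, mark-packet keyed on dst-address-list, queue-tree lookup by mark
(added example, not MikroTik code)."""


class AddressList:
    """Dynamic address list: entries expire after their timeout."""

    def __init__(self):
        self.entries = {}   # (list name, address) -> expiry time in seconds

    def add(self, name, address, now, timeout):
        # Re-adding an address refreshes its timeout, as a new match would.
        self.entries[(name, address)] = now + timeout

    def contains(self, name, address, now):
        expiry = self.entries.get((name, address))
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[(name, address)]   # timed out: remove, no match
            return False
        return True


class Mangle:
    def __init__(self):
        self.lists = AddressList()
        # queue tree from the page: packet-mark -> (limit-at, max-limit) in bit/s, download side
        self.queue_tree = {"abc": (256_000, 512_000)}

    def forward(self, pkt, now):
        """Run the page's two forward-chain rules in order; return the packet mark or None."""
        # rule 1: tcp dst-port 80 -> add source to list "first" for 1h, then continue
        if pkt["proto"] == "tcp" and pkt["dport"] == 80:
            self.lists.add("first", pkt["src"], now, 3600)
        # rule 2: destination in list "first" -> mark-packet abc
        if self.lists.contains("first", pkt["dst"], now):
            return "abc"
        return None

    def download_limits(self, pkt, now):
        """What the queue tree applies to this packet: (limit-at, max-limit) or None."""
        return self.queue_tree.get(self.forward(pkt, now))


if __name__ == "__main__":
    m = Mangle()
    up = {"proto": "tcp", "src": "192.168.0.5", "sport": 40000, "dst": "198.51.100.7", "dport": 80}
    down = {"proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": "192.168.0.5", "dport": 40000}
    print(m.forward(up, now=0))             # None: client just got listed
    print(m.download_limits(down, now=10))  # (256000, 512000): reply to the listed client
    print(m.forward(down, now=3600))        # None: the 1h entry has expired
```

Because rule 1 is matched on the client's outgoing request and rule 2 on the server's reply, it is the download direction that ends up marked and limited, which is what the queue tree's limit-at=0/256k and max-limit=0/512k (upload/download) values express.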