In this webinar we started the discussion with the basic concepts of the firewall in MikroTik RouterOS, then focused on firewall mangle, as the title says.
We discussed the three most-used mangle actions on MikroTik RouterOS: mark-packet, mark-connection and mark-routing. Each mangle action has its own example use case.
The recording is available on youtube (GLC Networks Channel): https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
3. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner/Consultant/Distributor
● Ubiquiti Certified Trainer/Consultant
● RedHat Certified Trainer
About GLC webinar?
● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with Solaris OS)
● A sharing event with various topics: Linux, networking, wireless, database, programming, etc.
● Regular schedule: every 2 weeks
● Irregular schedule: as needed
● Checking the schedule: http://www.glcnetworks.com/main/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge, experiences, information
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user (since 1999), Mikrotik user (since 2007), Ubiquiti user (since 2011)
● Certified Trainer (Mikrotik, Ubiquiti, Redhat)
● Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer, and Lecturer
● Personal website: http://achmadjournal.com
● More info: http://au.linkedin.com/in/achmadmardiansyah
What is the Mikrotik firewall?
● It is a feature to
○ Control network access (filter)
○ Modify network headers (NAT)
○ Mark packets for further processing (mangle)
● Developed from the Linux firewall (netfilter)
● Consists of 2 parts: matcher & action
● Rules are executed sequentially
● The netadmin must understand the application's characteristics in order to build a matcher (e.g. browsing -> TCP port 80)
How does the firewall work?
● Set up the matcher -> then the action
● Mikrotik has lots of options for the matcher -> very flexible
● Matcher + Action = Firewall rule
● Rules are executed sequentially, so order matters
What happens to packets after mangle?
● Depends on the action
● In most cases, mangle is used for marking -> the rule sequence is important (a mark set by one rule is what later rules, NAT, filter or routing match on)
Mangle action: mark-packet
● Is used to identify packets
● Only one direction. Example:
○ Packets to Google DNS
/ip firewall mangle add chain=forward dst-address=8.8.8.8 action=mark-packet new-packet-mark=packet-to-googledns passthrough=no
○ Packets from Google DNS
/ip firewall mangle add chain=forward src-address=8.8.8.8 action=mark-packet new-packet-mark=packet-from-googledns passthrough=no
[Diagram: 192.168.1.10 behind the router, with ISP1 and ISP2 uplinks towards 8.8.8.8; "packets to 8.8.8.8" and "packets from 8.8.8.8" are marked separately]
Mangle action: mark-connection
● Connection: a relationship between 2 hosts, identified by:
○ A pair of IP addresses: source & destination
○ A pair of ports: source & destination (if used). Some protocols do not use ports
● Mark-connection is two-way: once the connection is marked, packets in both directions carry the mark
○ Example: a connection between Google DNS and the webserver
/ip firewall mangle add chain=forward dst-address=8.8.8.8 src-address=192.168.1.10 action=mark-connection new-connection-mark=conn-googledns passthrough=no
● Check it in the firewall connection tracking table (/ip firewall connection)
[Diagram: a single connection between 8.8.8.8 and 192.168.1.10 through the router, with ISP1 and ISP2 uplinks]
Mangle action: mark-routing
● Is used to mark packets for routing purposes. The router forwards packets, not connections :-p
● Must be done before the routing table is read -> chain=prerouting (mark-routing in the forward chain comes after the routing decision and has no effect)
● Needs support from the routing table. Example:
○ /ip firewall mangle add chain=prerouting dst-address=8.8.8.8 src-address=192.168.1.10 action=mark-routing new-routing-mark=via-isp1 passthrough=no
○ /ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=via-isp1
[Diagram: ISP1 gateway 1.1.1.1, ISP2 gateway 2.2.2.2; packets from 192.168.1.10 are forwarded via ISP1 by the routing table because they carry the "via-isp1" mark]
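The three actions combined into the usual dual-uplink pattern, as an added example that is not part of the original deck: the connection is marked once in prerouting with passthrough=yes so the next rule still sees the packet (rules run in order), mark-routing is then applied per connection mark, and a route with routing-mark carries the traffic. Interface names ether1-isp1, ether2-isp2 and ether3-lan are assumptions for the example; the addresses and gateways 1.1.1.1 / 2.2.2.2 come from the slides (RouterOS v6 syntax).

```routeros
# Assumed interfaces (not from the deck): ether1-isp1 -> ISP1, ether2-isp2 -> ISP2, ether3-lan -> LAN
/ip firewall mangle
# 1. mark the connection once, on its first packet, before the routing decision (prerouting);
#    passthrough=yes lets this same packet fall through to the mark-routing rule below
add chain=prerouting in-interface=ether3-lan connection-state=new \
    src-address=192.168.1.10 dst-address=8.8.8.8 \
    action=mark-connection new-connection-mark=conn-googledns passthrough=yes \
    comment="whole 192.168.1.10 <-> 8.8.8.8 connection"
# 2. every LAN-side packet of that connection gets the routing mark; in-interface keeps
#    replies coming back from the ISP out of this rule. chain=forward would be too late.
add chain=prerouting in-interface=ether3-lan connection-mark=conn-googledns \
    action=mark-routing new-routing-mark=via-isp1 passthrough=no \
    comment="route conn-googledns via ISP1"
# 3. replies already carry the connection mark (two-way); give them a one-direction
#    packet mark for later filter/NAT/queue rules
add chain=prerouting in-interface=ether1-isp1 connection-mark=conn-googledns \
    action=mark-packet new-packet-mark=packet-from-googledns passthrough=no

/ip route
# 4. the mark does nothing until a route with the same routing-mark exists
add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=via-isp1 comment="marked traffic -> ISP1"
add dst-address=0.0.0.0/0 gateway=2.2.2.2 comment="everything else -> ISP2"

# 5. verification: the tracked connection shows its mark, rule counters grow, the marked route is active
/ip firewall connection print where connection-mark=conn-googledns
/ip firewall mangle print stats
/ip route print where routing-mark=via-isp1
```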
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: “GLC networks”
● Slide: http://www.slideshare.net/r41nbuw
● Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
● Stay tuned to our schedule