In this webinar, we started the discussion with the basic concepts of firewall in mikrotik. We then focusing on firewall mangle as it is said in title. we discussed three most-used mangle action on mikrotik routerOS, they are: mark-packet, mark-connection, mark-routing. each mangle action has its own example case of its usage. The recording is available on youtube (GLC Networks Channel): https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg

1. www.glcnetworks.com
Firewall Mangle
GLC webinar, 5 october 2017
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
1

2. www.glcnetworks.com
Agenda
● Introduction
● Firewall
● Firewall mangle
● Demo
● Q & A
2

3. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner/Consultant/Distributor
● Ubiquiti Certified Trainer/Consultant
● RedHat Certified Trainer
3

4. www.glcnetworks.com
About GLC webinar?
● First webinar: january 1, 2010 (title:
tahun baru bersama solaris - new
year with solaris OS)
● As a sharing event with various
topics: linux, networking, wireless,
database, programming, etc
● Regular schedule: every 2 weeks
● Irregular schedule: as needed
● Checking schedule:
http://www.glcnetworks.com/main/sc
hedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge,
experiences, information
4

5. www.glcnetworks.com
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: bandung, Indonesia
● Linux user (since 1999), Mikrotik user (since 2007),
ubnt user (since 2011)
● Certified Trainer (Mikrotik, Ubiquiti, Redhat)
● Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer,
and Lecturer
● Personal website: http://achmadjournal.com
● More info:
http://au.linkedin.com/in/achmadmardiansyah
5

6. www.glcnetworks.com
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
6

7. www.glcnetworks.com
Firewall
7

8. www.glcnetworks.com
What is Mikrotik firewall?
● Is a feature to
○ Control network access (filter)
○ Modify network header (NAT)
○ Marking packet for further processing (mangle)
● Developed from linux
● Consist of 2 parts: matcher & action
● Executed sequentially
● Netadmin must understand the application’s characteristics in order to build a
matcher (e.g. browsing -> using TCP port 80)
8

9. www.glcnetworks.com
How firewall works?
● Setup matcher -> then action
● Mikrotik has lots of options for matcher
-> very flexible
● Matcher + Action = Firewall rule
● Rule is executed sequentially
9

10. www.glcnetworks.com 10
Where the packet
is processed?
A: see packet flow
Note: ipsec is removed in this
diagram

11. www.glcnetworks.com 1111
What's the
difference between
forward and input?
FORWARD
INPUT

12. www.glcnetworks.com 12
On which chain
can you apply
filter?

13. www.glcnetworks.com 13
On which chain
can you apply
NAT?

14. www.glcnetworks.com 14
On which chain
can you apply
mangle?

15. www.glcnetworks.com
Firewall mangle
15

16. www.glcnetworks.com
What happen on packets after mangle?
● Depends on action
● In most case, mangle is used for marking -> sequence is important
●
16

17. www.glcnetworks.com
Mangle action: mark-packet
● Is used to identify packets
● Only one direction. example:
○ Packet to google DNS
/ip firewall mangle add chain=forward dst-address=8.8.8.8 action=mark-packet
new-packet-mark=packet-to-googledns passthrough=no
○ Packet from google DNS
/ip firewall mangle add chain=forward src-address=8.8.8.8 action=mark-packet
new-packet-mark=packet-from-googledns passthrough=no
17
ISP1 ISP28.8.8.8
192.168.1.10
Packets
from
8.8.8.8
Packets to
8.8.8.8

18. www.glcnetworks.com
Mangle action: mark-connection
● Connection: is a relationship between 2 hosts, identified by:
○ A pair of IP addresses: source & destination
○ A pair of ports: source & destination (if used). Some protocols donot use ports
● Mark-connection is two-way
○ Example: a connection between google DNS and webserver
/ip firewall mangle add chain=forward dst-address=8.8.8.8 src-address=192.168.1.10
action=mark-connection new-connection-mark=conn-googledns passthrough=no
● Check it on firewall-connection
18
ISP1 ISP28.8.8.8
192.168.1.10
Conn between
8.8.8.8 and
192.168.1.10

19. www.glcnetworks.com
● Is used to mark packet for routing purpose. Router is forwarding packets, not
connection :-p
● Should be done before reading the routing table -> prerouting
● Need support from routing table. example:
○ /ip firewall mangle add chain=forward dst-address=8.8.8.8 src-address=192.168.1.10
action=mark-routing new-routing-mark=via-isp1 passthrough=no
○ /ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=via-isp1
Mangle action: mark-routing
19
ISP1 ISP28.8.8.8
192.168.1.10
1.1.1.1 2.2.2.2
Packet from
192.168.1.10 will be
forwarded via isp1 by
routing table, because it
has “via-isp1” mark

20. www.glcnetworks.com
Interested?
Just come to our
training...
Special price for webinar
attendees…
http://www.glcnetworks.c
om/main/schedule
20

21. www.glcnetworks.com
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: “GLC networks”
● Slide: http://www.slideshare.net/r41nbuw
● Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
● Stay tune with our schedule
21