www.glcnetworks.com
Firewall mangle PBR: steering outbound path similar to inbound
GLC WEBINAR,
5 Jan 2022, 19:30 GMT+7
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
Firewall Mangle
Agenda
● Introduction
● Review prerequisite knowledge
● Firewall mangle
● Policy Based Routing
● Steering outbound traffic
● Live practice
● Q & A
Introduction
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: training, IT consulting
● Certified partner for: Mikrotik, Ubiquiti, Linux Foundation
● Product: GLC radius manager
● Regular events
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, Mikrotik user since 2007, UBNT user since 2011
● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
Past experience
● 2020-2022 (Congo DRC, PNG, Malaysia): network support, radius/billing integration
● 2019, Congo (DRC): built a wireless ISP from the ground up
● 2018, Malaysia: network revamp, developed a billing solution and its integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for a wireless ISP, migrating a bridged network to a routed one
● 2015, Kalimantan: wireless support
● See our website for more details
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
Prerequisite
This presentation assumes some prerequisite knowledge.
● We assume you already know:
○ TCP/IP
○ Mikrotik
○ Routing protocols
○ BGP
Review prerequisite knowledge
7 OSI layers & protocols
● The OSI model is a conceptual model from ISO (the International Organization for Standardization) for its OSI (Open Systems Interconnection) project
● When you send a message with a courier, you need to add more information (addresses, labels) to get your message to its destination; in networking this process is called encapsulation
● What is a protocol?
○ A set of rules for communication
○ One or more protocols exist at each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (the data handed down from the layer above, before this layer's header is added)
○ PDU: protocol data unit (after this layer's header has been added)
Layered model (TCP/IP vs ISO) and encapsulation
[Diagram: the TCP/IP and ISO layer stacks side by side, showing encapsulation and the PDU name at each layer; not reproduced]
Did you notice?
● Every layer adds its own header, so encapsulation carries a significant overhead
● More encapsulation means less room for payload in each frame, because the extra headers count against the MTU
Router and Routing
● A router is a network device that forwards packets based on layer 3 information (the layer 3 header, in particular the destination IP address)
● Routing is the process of selecting a path for traffic within a network, or between or across multiple networks
[Pictures of a physical router and of the router icon used in the following diagrams; not reproduced]
Typical connection (physical)
[Diagram: routers R1, R2 and R3 joined by layer 2 segments; not reproduced]
● A router connects layer 2 segments
● It works on layer 3: each layer 2 segment it connects is a separate network
● Meaning, each layer 2 segment has its own network ID (IP prefix)
Typical connection (logical) and routing table
Routing table:
● A table in the router that is used to forward packets
● Available on every device (routers and hosts alike)
● Lookup is by longest matching prefix, not by top-to-bottom order; among routes with the same prefix length, the lowest distance wins (see the administrative distance slides)
[Diagram: R1 (192.168.0.1/26, LAN 192.168.1.1/24), R2 (192.168.0.2/26, LAN 192.168.2.2/24) and R3 (192.168.0.3/26, LAN 192.168.3.3/24) share the segment 192.168.0.0/26; hosts 192.168.1.9, 192.168.2.9 and 192.168.3.9 sit in the respective LANs]
R1 routing table:
destination        gateway
192.168.0.0/26     direct
192.168.1.0/24     direct
192.168.2.0/24     192.168.0.2
192.168.3.0/24     192.168.0.3
192.168.16.3/32    192.168.0.2
0.0.0.0/0          192.168.0.3 (default gateway)
Forwarding packets using routing table
● It works like a firewall rule: match, then action (hand the packet to this gateway)
● When a packet arrives, the routing table is consulted to pick the gateway
● Think in binary to see how it works: a route matches when the destination's leading bits (as many bits as the prefix length) equal the route's network bits, and the longest matching prefix wins

destination        network bits compared (prefix length)        gateway
192.168.16.3/32    11000000 10101000 00010000 00000011          192.168.0.2
192.168.0.0/26     11000000 10101000 00000000 00                direct
192.168.1.0/24     11000000 10101000 00000001                   direct
192.168.2.0/24     11000000 10101000 00000010                   192.168.0.2
192.168.3.0/24     11000000 10101000 00000011                   192.168.0.3
0.0.0.0/0          (zero bits compared: matches every destination)  192.168.0.3
A packet arrived at R1… (example)
The destination IP address of the packet is 192.168.2.6. Which gateway do we use?
192.168.2.6 = 11000000 10101000 00000010 00000110

destination        network bits compared (prefix length)        gateway
192.168.16.3/32    11000000 10101000 00010000 00000011          192.168.0.2
192.168.0.0/26     11000000 10101000 00000000 00                direct
192.168.1.0/24     11000000 10101000 00000001                   direct
192.168.2.0/24     11000000 10101000 00000010                   192.168.0.2
192.168.3.0/24     11000000 10101000 00000011                   192.168.0.3
0.0.0.0/0          (matches every destination)                  192.168.0.3

Only 192.168.2.0/24 (first 24 bits 11000000 10101000 00000010) and 0.0.0.0/0 match. The /24 is the longer prefix, so the packet is forwarded to 192.168.0.2. Note that 192.168.16.3/32 does not match: its third octet is 00010000 while the packet's is 00000010.
Where does the routing table lookup happen?
[Diagram: packet flow with the position of the routing decision; not reproduced]
How routing works & administrative distance (analogy)

Road signs (analogy)       Routes with distance
CITY 1   100 km            10.10.10.0/24   via 192.168.0.1   distance 10
CITY 2   120 km            10.10.20.0/24   via 192.168.0.2   distance 12
CITY 2    90 km            10.10.20.0/24   via 192.168.0.3   distance 9
CITY 3   500 km            10.10.30.0/24   via 192.168.0.3   distance 50
CITY 4   250 km            10.10.40.0/24   via 192.168.0.4   distance 25

Two signs point to CITY 2 and you take the shorter road (90 km); in the same way the router keeps the route to 10.10.20.0/24 with the lower distance (9, via 192.168.0.3) as the active one.
Administrative distance
● Distance is only considered when the prefix length is the same (the longest prefix is decided first)
● Lowest distance wins
● The default administrative distance of each route source depends on the vendor; RouterOS exposes it as the distance field of every route
● The slide's table (not reproduced) shows the default administrative distances on a Cisco router
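Longest-prefix matching with the distance tie-break, as an added Python example (not code from the slides): it encodes R1's routing table from the "Typical connection (logical)" slide and the analogy table from the previous slide, compares destination bits exactly as the binary slides do, and picks the longest matching prefix, falling back to the lowest distance when prefix lengths tie. The distance values for R1's table are assumed for illustration; the slide lists only destination and gateway.

```python
import ipaddress

# R1's routing table from the slides. The distance column is an assumption
# for illustration; the slide shows only destination and gateway.
R1_ROUTES = [
    ("192.168.0.0/26",  "direct",      0),
    ("192.168.1.0/24",  "direct",      0),
    ("192.168.2.0/24",  "192.168.0.2", 1),
    ("192.168.3.0/24",  "192.168.0.3", 1),
    ("192.168.16.3/32", "192.168.0.2", 1),
    ("0.0.0.0/0",       "192.168.0.3", 1),
]

# The administrative-distance analogy table: two candidate routes for 10.10.20.0/24.
ANALOGY_ROUTES = [
    ("10.10.10.0/24", "192.168.0.1", 10),
    ("10.10.20.0/24", "192.168.0.2", 12),
    ("10.10.20.0/24", "192.168.0.3", 9),
    ("10.10.30.0/24", "192.168.0.3", 50),
    ("10.10.40.0/24", "192.168.0.4", 25),
]


def to_bits(addr: str) -> str:
    """32-bit binary string of an IPv4 address, e.g. 192.168.2.6 -> 11000000101010000000001000000110."""
    return format(int(ipaddress.IPv4Address(addr)), "032b")


def network_bits(prefix: str) -> str:
    """The bits a route actually compares: the first prefix-length bits of its network address."""
    net = ipaddress.IPv4Network(prefix)
    return to_bits(str(net.network_address))[: net.prefixlen]


def route_matches(dst: str, prefix: str) -> bool:
    """A route matches when the destination's leading bits equal the route's network bits."""
    # 0.0.0.0/0 compares zero bits, so it matches every destination.
    return to_bits(dst).startswith(network_bits(prefix))


def lookup(dst: str, routes):
    """Return (prefix, gateway) for dst: longest prefix first, then lowest distance; None if nothing matches."""
    candidates = [(p, gw, dist) for p, gw, dist in routes if route_matches(dst, p)]
    if not candidates:
        return None

    def prefixlen(p: str) -> int:
        return ipaddress.IPv4Network(p).prefixlen

    # max() prefers the longest prefix; negating the distance turns "lowest distance wins" into a max.
    best = max(candidates, key=lambda r: (prefixlen(r[0]), -r[2]))
    return best[0], best[1]


def explain(dst: str, routes) -> str:
    """Human-readable trace in the style of the binary slides."""
    lines = [f"{dst:>15} = {to_bits(dst)}"]
    for p, gw, dist in routes:
        mark = "match" if route_matches(dst, p) else "-"
        lines.append(f"{p:>16} {network_bits(p):<32} {gw:<12} distance {dist:<3} {mark}")
    chosen = lookup(dst, routes)
    lines.append("chosen: none" if chosen is None else f"chosen: {chosen[0]} via {chosen[1]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain("192.168.2.6", R1_ROUTES))      # the slide's worked example: via 192.168.0.2
    print(explain("192.168.16.3", R1_ROUTES))     # the /32 beats the default route
    print(explain("8.8.8.8", R1_ROUTES))          # nothing specific matches: default via 192.168.0.3
    print(explain("10.10.20.7", ANALOGY_ROUTES))  # same prefix length twice: distance 9 wins
```

The order of the list does not influence the result; swapping the two 10.10.20.0/24 entries still selects the distance-9 route, which is the point of the slide: a routing table is not a sequential rule list.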
Static routing
● Entries in the routing table are created manually
● The admin must manage the routing table in all routers
● The admin has full control
[Diagram and R1 routing table: the same as on the "Typical connection (logical)" slide]
Dynamic routing
● Routers talk to each other with a routing protocol (RIP, OSPF, BGP)
● Entries in the routing table are created automatically
● The admin must have a good knowledge of the routing protocol
[Diagram and R1 routing table: the same as on the "Typical connection (logical)" slide]
Routing metric
● A metric is the value a routing protocol uses to choose between routes to the same prefix; how it is computed depends on the routing protocol
● OSPF: accumulated cost
● RIP: hop count
● IS-IS: cost
● EIGRP: composite of bandwidth, load, delay, reliability and MTU
● BGP: no single metric; the best path is selected from path attributes such as AS-Path, Next-hop, Origin, Local preference, Atomic aggregate and Multi Exit Discriminator (MED)
Asymmetric routing
● Every router makes its forwarding decision independently, and only for the direction it is sending in
● The forwarding decision is based on the destination IP address
● There is no guarantee that the incoming path is the same as the outgoing path
● A router only controls its own outgoing forwarding; which way replies come back is decided by the routers on the other side
[Diagram: the same R1/R2/R3 topology, with a request and its reply taking different paths; not reproduced]
Mikrotik Firewall
What is the Mikrotik firewall?
● It is a feature to
○ Control network access (filter)
○ Modify network headers (NAT)
○ Mark packets for further processing (mangle)
● Each rule consists of 2 parts: matcher & action
● Rules are executed sequentially, top to bottom
● The netadmin must understand the application's characteristics in order to build a matcher (e.g. web browsing -> traffic with TCP dst-port 80, or 443 for HTTPS)
How does the firewall work?
● Set up a matcher -> then an action
○ Mikrotik has lots of options for matchers -> very flexible
● Matcher + action = firewall rule
● Rules are executed sequentially
Where is the packet processed? (packet flow)
[Diagram: RouterOS packet flow; not reproduced]
Note: IPsec is left out of this diagram
FILTER, NAT, MANGLE
[Diagram: where the filter, NAT and mangle tables sit in the packet flow; not reproduced]
Input vs. forward (routing decision)
[Diagram: after the routing decision, packets addressed to the router itself go through the input chain and transit packets go through the forward chain; not reproduced]
Firewall connections
● What is a connection? A relationship between 2 hosts
● A connection can be identified by:
○ A pair of IP addresses: source & destination
○ A pair of IP addresses + the protocol + a pair of ports (source & destination ports)
○ Note: some protocols do not use ports for communication (e.g. ICMP)
● The Mikrotik firewall supports connection tracking (conntrack)
○ Therefore Mikrotik is able to identify, track and display connections
○ Connection tracking costs CPU and memory
○ Some features rely on conntrack: NAT, connection-bytes, connection marks
Firewall mangle
What happens to packets in the mangle chain?
● Depends on the action
● In most cases mangle is used for marking (packet, connection or routing mark); the mark travels with the packet or connection and is matched later by other firewall rules, queues or the routing decision
● Sequence is important: rules are processed top to bottom, and passthrough=no stops a matching packet from being evaluated against the rest of the mangle rules
Mangle action: mark-packet
● Is used to identify individual packets
● A packet mark applies only to the packets that match the rule, so each direction needs its own rule. Example:
○ Packets to Google DNS
/ip firewall mangle add chain=forward dst-address=8.8.8.8 action=mark-packet new-packet-mark=packet-to-googledns passthrough=no
○ Packets from Google DNS
/ip firewall mangle add chain=forward src-address=8.8.8.8 action=mark-packet new-packet-mark=packet-from-googledns passthrough=no
[Diagram: host 192.168.1.10 behind a router with ISP1 and ISP2; packets to 8.8.8.8 and packets from 8.8.8.8 are marked by separate rules]
Mangle action: mark-connection
● See the earlier explanation of the conntrack feature
● Mark-connection is two-way (inbound and outbound): the mark is stored in the conntrack entry, so every later packet of that connection, in either direction, carries it
○ One firewall rule covers both directions; the matcher only has to match one packet of the connection
● Example: a connection between Google DNS and the webserver 192.168.1.10
/ip firewall mangle add chain=forward dst-address=8.8.8.8 src-address=192.168.1.10 action=mark-connection new-connection-mark=conn-googledns passthrough=no
● Check it in the firewall connection list (the connection-mark column)
[Diagram: connection between 8.8.8.8 and 192.168.1.10 through a router with ISP1 and ISP2]
Policy Based Routing (PBR)
Multiple gateways scenario + LAN server
● You have a default route via ISP1 → main outbound path
● Main inbound path → via ISP1, but the webserver can be reached through any of the ISPs
● What we expect:
○ Outbound interface = the interface the connection came in on
● What we get:
○ Inbound interface = any
○ Outbound interface = the default outbound (ISP1), whatever the inbound interface was
○ This is not optimal: replies to a connection that arrived via ISP2 leave through ISP1 carrying ISP2's address as their source, and upstreams that filter spoofed source addresses drop them
[Diagram: R1 with ISP1 on ether1, ISP2 on ether2, a third uplink ISP3, and the LAN with the webserver on ether4]
Policy Based Routing (PBR)
● It is a technique to route traffic based on your own rules, rather than on the destination address alone
● Useful if you have more than 1 gateway
● Applied at layer 3 (on the router)
● Applied in one direction only: it steers what this router sends, not what the other side sends back
Benefits:
● We can steer traffic based on any firewall matcher (source address, inbound interface, connection mark, ...)
[Diagram: the same multi-ISP topology as on the previous slide]
Our strategy
● Mark connections on each inbound ISP interface to record where they came from:
○ @ether1, connection-mark = via-isp1
○ @ether2, connection-mark = via-isp2
● Mark routing on the reply packets, i.e. packets entering from the interface that faces the users/webserver (ether4):
○ If connection-mark = via-isp1 → route via ISP1
○ If connection-mark = via-isp2 → route via ISP2
[Diagram: the same multi-ISP topology]
Step 1: create a routing table per ISP, each with its own default route
/routing/table/add name=via-isp1 fib
/routing/table/add name=via-isp2 fib
/ip/route/add dst-address=0.0.0.0/0 gateway=10.1.1.1 check-gateway=ping routing-table=via-isp1
/ip/route/add dst-address=0.0.0.0/0 gateway=10.2.2.2 check-gateway=ping routing-table=via-isp2
● 10.1.1.1 and 10.2.2.2 are the gateway addresses of ISP1 (ether1) and ISP2 (ether2)
● This is RouterOS v7 syntax: the tables must exist (created with fib) before routes or routing marks refer to them. On RouterOS v6 there is no /routing/table; the route carries routing-mark=via-isp1 instead and the mark is created implicitly
● check-gateway=ping deactivates a table's default route while its gateway does not answer
[Diagram: the same multi-ISP topology]
Step 2: create mark-connection (inbound)
/ip/firewall/mangle/add action=mark-connection chain=prerouting in-interface=ether1 new-connection-mark=via-isp1 passthrough=no
/ip/firewall/mangle/add action=mark-connection chain=prerouting in-interface=ether2 new-connection-mark=via-isp2 passthrough=no
● chain=prerouting is required: the mark has to exist before the routing decision is made
● As written, these rules also mark the replies of connections that the LAN opened itself; with a single default route via ISP1 that is consistent, but add connection-state=new if only connections initiated from the ISP side should be marked
[Diagram: the same multi-ISP topology]
Step 3: create mark-routing (steering outbound)
/ip/firewall/mangle/add action=mark-routing chain=prerouting connection-mark=via-isp1 in-interface=ether4 new-routing-mark=via-isp1 passthrough=no
/ip/firewall/mangle/add action=mark-routing chain=prerouting connection-mark=via-isp2 in-interface=ether4 new-routing-mark=via-isp2 passthrough=no
● The routing mark selects the routing table (via-isp1 or via-isp2) used for that packet, so the reply leaves through the same ISP the request came in on; packets without a mark keep using the main table
● in-interface=ether4 limits this to traffic coming from the LAN; services running on the router itself would need the same pair of rules in chain=output (without in-interface)
● Verify: the firewall connection list should show connection-mark via-isp1 or via-isp2 on connections that arrived from each ISP, and the route list should show an active default route in each of the two tables
[Diagram: the same multi-ISP topology]
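To see what the three steps do to an individual packet, here is an added Python model of R1's prerouting mangle, conntrack and routing-table selection (it is not RouterOS code and not from the slides). It assumes ISP1 on ether1, ISP2 on ether2 and the webserver 192.168.1.10 on ether4 as in the diagram, a constructed remote client address 203.0.113.7, and routing tables main, via-isp1 and via-isp2 that each hold only a default route (main via ISP1). The same request/reply exchange is run with the mangle rules disabled and enabled, so the asymmetric reply path of the "Multiple gateways scenario" slide and the steered path of steps 1 to 3 can be compared.

```python
from dataclasses import dataclass
from typing import Optional

# Topology assumed from the slides: ether1 -> ISP1, ether2 -> ISP2, ether4 -> LAN.
ISP_IFACES = {"ether1": "via-isp1", "ether2": "via-isp2"}   # step 2: in-interface -> connection-mark
LAN_IFACE = "ether4"
LAN_PREFIX = "192.168.1."
WEBSERVER = "192.168.1.10"

# Step 1: every routing table holds one default route. The table name maps straight to
# the egress interface of its gateway (10.1.1.1 on ether1, 10.2.2.2 on ether2).
ROUTING_TABLES = {"main": "ether1", "via-isp1": "ether1", "via-isp2": "ether2"}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str
    routing_mark: Optional[str] = None   # set by mark-routing, read at the routing decision


def conn_key(pkt: Packet):
    """Direction-independent conntrack key: protocol plus the two (address, port) endpoints."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


class Router:
    def __init__(self, pbr_enabled: bool):
        self.pbr_enabled = pbr_enabled
        self.conntrack = {}   # conn_key -> connection-mark (the slides' "firewall connections" list)
        self.log = []

    def mangle_prerouting(self, pkt: Packet) -> None:
        """Steps 2 and 3 in rule order, all in chain=prerouting, i.e. before the routing decision."""
        if not self.pbr_enabled:
            return
        key = conn_key(pkt)
        # Step 2: mark-connection by inbound ISP interface (passthrough=no: stop after the match).
        if pkt.in_iface in ISP_IFACES:
            self.conntrack[key] = ISP_IFACES[pkt.in_iface]
            return
        # Step 3: mark-routing for packets from the LAN whose connection carries a mark.
        if pkt.in_iface == LAN_IFACE and key in self.conntrack:
            pkt.routing_mark = self.conntrack[key]

    def routing_decision(self, pkt: Packet) -> str:
        """Egress interface: the connected LAN first, otherwise the default route of the selected table."""
        if pkt.dst.startswith(LAN_PREFIX):
            return LAN_IFACE
        table = pkt.routing_mark or "main"   # no routing-mark -> main table (default via ISP1)
        return ROUTING_TABLES[table]

    def forward(self, pkt: Packet) -> str:
        self.mangle_prerouting(pkt)
        out = self.routing_decision(pkt)
        self.log.append(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} in={pkt.in_iface} "
                        f"mark={pkt.routing_mark} out={out}")
        return out


def reply_interface(pbr_enabled: bool, inbound_iface: str, client: str = "203.0.113.7") -> str:
    """A client (constructed address) reaches the webserver via one ISP; return where the reply leaves."""
    r = Router(pbr_enabled)
    request = Packet("tcp", client, 40000, WEBSERVER, 443, in_iface=inbound_iface)
    r.forward(request)
    reply = Packet("tcp", WEBSERVER, 443, client, 40000, in_iface=LAN_IFACE)
    return r.forward(reply)


def lan_originated_interface(pbr_enabled: bool) -> str:
    """A connection the webserver opens itself has no connection-mark, so it follows the main table."""
    r = Router(pbr_enabled)
    return r.forward(Packet("udp", WEBSERVER, 50000, "8.8.8.8", 53, in_iface=LAN_IFACE))


if __name__ == "__main__":
    for pbr in (False, True):
        for iface in ("ether1", "ether2"):
            print(f"pbr={pbr!s:<5} request in {iface} -> reply out {reply_interface(pbr, iface)}")
    print(f"LAN-originated connection leaves via {lan_originated_interface(True)}")
```

Without the rules a request that enters on ether2 is answered out of ether1, which is the asymmetry the scenario slide calls "not optimal"; with the rules the connection-mark recorded at step 2 is turned into a routing-mark at step 3 and the reply leaves on ether2. The model leaves NAT out, and its conntrack dictionary stands in for the firewall connection list where the slides say to check the marks.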
QnA
Any questions?
Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learn the materials, but also share experiences, best practices, and networking
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our upcoming events on our website: https://www.glcnetworks.com
● Like our Facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Discord (bahasa Indonesia): https://discord.gg/6MZ3KUHHBX
● Recordings (YouTube): https://www.youtube.com/c/GLCNetworks
● Stay tuned with our schedule

More Related Content

Similar to Firewall mangle PBR: steering outbound path similar to inbound

RouterOS Migration From v6 to v7
RouterOS Migration From v6 to v7RouterOS Migration From v6 to v7
RouterOS Migration From v6 to v7GLC Networks
 
Mikrotik User Meeting Manila: bgp vs ospf
Mikrotik User Meeting Manila: bgp vs ospfMikrotik User Meeting Manila: bgp vs ospf
Mikrotik User Meeting Manila: bgp vs ospfAchmad Mardiansyah
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOSGLC Networks
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1GLC Networks
 
BGP Services IP Transit vs IP Peering
BGP Services  IP Transit vs IP PeeringBGP Services  IP Transit vs IP Peering
BGP Services IP Transit vs IP PeeringGLC Networks
 
BGP security tuning: pull-up route
BGP security tuning: pull-up routeBGP security tuning: pull-up route
BGP security tuning: pull-up routeGLC Networks
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for MonitoringGLC Networks
 
BGP troubleshooting: route origin
BGP troubleshooting: route originBGP troubleshooting: route origin
BGP troubleshooting: route originGLC Networks
 
Internal BGP tuning: Mesh peering to avoid loop
Internal BGP tuning: Mesh peering to avoid loopInternal BGP tuning: Mesh peering to avoid loop
Internal BGP tuning: Mesh peering to avoid loopGLC Networks
 
CCNA : Intro to Cisco IOS - Part 1
CCNA :  Intro to Cisco IOS - Part 1CCNA :  Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1GLC Networks
 
BGP tuning: Peer with loopback
BGP tuning: Peer with loopbackBGP tuning: Peer with loopback
BGP tuning: Peer with loopbackGLC Networks
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikGLC Networks
 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-DiveGLC Networks
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1GLC Networks
 
BGP vs OSPF on Mikrotik
BGP vs OSPF on MikrotikBGP vs OSPF on Mikrotik
BGP vs OSPF on MikrotikGLC Networks
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikGLC Networks
 
Mikrotik Bridge Deep Dive
Mikrotik Bridge Deep DiveMikrotik Bridge Deep Dive
Mikrotik Bridge Deep DiveGLC Networks
 
Queue Type on Mikrotik
Queue Type on MikrotikQueue Type on Mikrotik
Queue Type on MikrotikGLC Networks
 

Similar to Firewall mangle PBR: steering outbound path similar to inbound (20)

RouterOS Migration From v6 to v7
RouterOS Migration From v6 to v7RouterOS Migration From v6 to v7
RouterOS Migration From v6 to v7
 
Mikrotik User Meeting Manila: bgp vs ospf
Mikrotik User Meeting Manila: bgp vs ospfMikrotik User Meeting Manila: bgp vs ospf
Mikrotik User Meeting Manila: bgp vs ospf
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOS
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1
 
BGP Services IP Transit vs IP Peering
BGP Services  IP Transit vs IP PeeringBGP Services  IP Transit vs IP Peering
BGP Services IP Transit vs IP Peering
 
BGP security tuning: pull-up route
BGP security tuning: pull-up routeBGP security tuning: pull-up route
BGP security tuning: pull-up route
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for Monitoring
 
BGP troubleshooting: route origin
BGP troubleshooting: route originBGP troubleshooting: route origin
BGP troubleshooting: route origin
 
Internal BGP tuning: Mesh peering to avoid loop
Internal BGP tuning: Mesh peering to avoid loopInternal BGP tuning: Mesh peering to avoid loop
Internal BGP tuning: Mesh peering to avoid loop
 
CCNA : Intro to Cisco IOS - Part 1
CCNA :  Intro to Cisco IOS - Part 1CCNA :  Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1
 
BGP tuning: Peer with loopback
BGP tuning: Peer with loopbackBGP tuning: Peer with loopback
BGP tuning: Peer with loopback
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik Hotspot
 
Mikrotik firewall raw table
Mikrotik firewall raw tableMikrotik firewall raw table
Mikrotik firewall raw table
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on Mikrotik
 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-Dive
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
 
BGP vs OSPF on Mikrotik
BGP vs OSPF on MikrotikBGP vs OSPF on Mikrotik
BGP vs OSPF on Mikrotik
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with Mikrotik
 
Mikrotik Bridge Deep Dive
Mikrotik Bridge Deep DiveMikrotik Bridge Deep Dive
Mikrotik Bridge Deep Dive
 
Queue Type on Mikrotik
Queue Type on MikrotikQueue Type on Mikrotik
Queue Type on Mikrotik
 

More from GLC Networks

GIT as Mikrotik Configuration Management
GIT as Mikrotik Configuration ManagementGIT as Mikrotik Configuration Management
GIT as Mikrotik Configuration ManagementGLC Networks
 
Building a Web Server with NGINX
Building a Web Server with NGINXBuilding a Web Server with NGINX
Building a Web Server with NGINXGLC Networks
 
Policy Based Routing with Indirect BGP - Part 2
Policy Based Routing with Indirect BGP - Part 2Policy Based Routing with Indirect BGP - Part 2
Policy Based Routing with Indirect BGP - Part 2GLC Networks
 
Policy Based Routing with Indirect BGP - Part 1
Policy Based Routing with Indirect BGP - Part 1Policy Based Routing with Indirect BGP - Part 1
Policy Based Routing with Indirect BGP - Part 1GLC Networks
 
Network Monitoring with The Dude and Whatsapp
Network Monitoring with The Dude and WhatsappNetwork Monitoring with The Dude and Whatsapp
Network Monitoring with The Dude and WhatsappGLC Networks
 
Automatic Backup via FTP - Part 2
Automatic Backup via FTP - Part 2Automatic Backup via FTP - Part 2
Automatic Backup via FTP - Part 2GLC Networks
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1GLC Networks
 
Voice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIPVoice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIPGLC Networks
 
MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2GLC Networks
 
BGP on RouterOS7 - Part 2
BGP on RouterOS7 - Part 2BGP on RouterOS7 - Part 2
BGP on RouterOS7 - Part 2GLC Networks
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1GLC Networks
 
OSPF On Router OS7 - Part 2
OSPF On Router OS7 - Part 2OSPF On Router OS7 - Part 2
OSPF On Router OS7 - Part 2GLC Networks
 
Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)GLC Networks
 
OSPF On Router OS7
OSPF On Router OS7OSPF On Router OS7
OSPF On Router OS7GLC Networks
 

More from GLC Networks (15)

GIT as Mikrotik Configuration Management
GIT as Mikrotik Configuration ManagementGIT as Mikrotik Configuration Management
GIT as Mikrotik Configuration Management
 
Building a Web Server with NGINX
Building a Web Server with NGINXBuilding a Web Server with NGINX
Building a Web Server with NGINX
 
EOIP Deep Dive
EOIP Deep DiveEOIP Deep Dive
EOIP Deep Dive
 
Policy Based Routing with Indirect BGP - Part 2
Policy Based Routing with Indirect BGP - Part 2Policy Based Routing with Indirect BGP - Part 2
Policy Based Routing with Indirect BGP - Part 2
 
Policy Based Routing with Indirect BGP - Part 1
Policy Based Routing with Indirect BGP - Part 1Policy Based Routing with Indirect BGP - Part 1
Policy Based Routing with Indirect BGP - Part 1
 
Network Monitoring with The Dude and Whatsapp
Network Monitoring with The Dude and WhatsappNetwork Monitoring with The Dude and Whatsapp
Network Monitoring with The Dude and Whatsapp
 
Automatic Backup via FTP - Part 2
Automatic Backup via FTP - Part 2Automatic Backup via FTP - Part 2
Automatic Backup via FTP - Part 2
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1
 
Voice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIPVoice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIP
 
MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2MPLS on Router OS V7 - Part 2
MPLS on Router OS V7 - Part 2
 
BGP on RouterOS7 - Part 2
BGP on RouterOS7 - Part 2BGP on RouterOS7 - Part 2
BGP on RouterOS7 - Part 2
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1
 
OSPF On Router OS7 - Part 2
OSPF On Router OS7 - Part 2OSPF On Router OS7 - Part 2
OSPF On Router OS7 - Part 2
 
Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)
 
OSPF On Router OS7
OSPF On Router OS7OSPF On Router OS7
OSPF On Router OS7
 

Recently uploaded

How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?Linksys Velop Login
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxGal Baras
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyDamar Juniarto
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxabhinandnam9997
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shoplaozhuseo02
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfSiskaFitrianingrum
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxlaozhuseo02
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理aagad
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
 

Recently uploaded (12)

How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 

Firewall mangle PBR: steering outbound path similar to inbound

  • 1. www.glcnetworks.com Firewall mangle PBR: steering outbound path similar to inbound GLC WEBINAR, 5 Jan 2022, 19:30 GMT+7 Achmad Mardiansyah achmad@glcnetworks.com GLC Networks, Indonesia Firewall Mangle
  • 2. www.glcnetworks.com Agenda ● Introduction ● Review prerequisite knowledge ● Firewall mangle ● Policy Based Routing ● Steering outbound traffic ● Live practice ● Q & A 2
  • 4. www.glcnetworks.com What is GLC? ● Garda Lintas Cakrawala (www.glcnetworks.com) ● Based in Bandung, Indonesia ● Areas: Training, IT Consulting ● Certified partner for: Mikrotik, Ubiquity, Linux foundation ● Product: GLC radius manager ● Regular event 4
  • 5. www.glcnetworks.com Trainer Introduction ● Name: Achmad Mardiansyah ● Base: bandung, Indonesia ● Linux user since 1999, mikrotik user since 2007, UBNT 2011 ● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6) ● Mikrotik/Linux Certified Consultant ● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips ● More info: http://au.linkedin.com/in/achmadmardiansyah 5
  • 6. www.glcnetworks.com Past experience ● 2020-2022 (Congo DRC, PNG, Malaysia): network support, radius/billing integration ● 2019, Congo (DRC): build a wireless ISP from ground-up ● 2018, Malaysia: network revamp, develop billing solution and integration, setup dynamic routing ● 2017, Libya (north africa): remote wireless migration for a new Wireless ISP ● 2016, United Kingdom: workshop for wireless ISP, migrating a bridged to routed network ● 2015, Kalimantan, wireless support ● See our website for more details 6
  • 7. www.glcnetworks.com Please introduce yourself ● Your name ● Your company/university? ● Your networking experience? ● Your mikrotik experience? ● Your expectation from this course? 7
  • 8. www.glcnetworks.com Prerequisite This presentation some prerequisite knowledge ● We assume you already know: ○ TCP/IP ○ Mikrotik ○ Routing protocol ○ BGP 8
  • 10. www.glcnetworks.com 7 OSI layer & protocol ● OSI layer Is a conceptual model from ISO (International Standard Organization) for project OSI (Open System Interconnection) ● When you send a message with a courier, you need to add more info to get your message arrived at the destination (This process is called encapsulation) ● What is protocol ○ Is a set of rules for communication ○ Available on each layer ● Communication consist of series encapsulation ○ SDU: service data unit (before PDU) ○ PDU: protocol data unit (after header is added) 10
  • 11. www.glcnetworks.com Layered model (TCP/IP vs ISO) and encapsulation 11 / datagram
  • 12. www.glcnetworks.com Did you notice? ● There is a big overhead on encapsulation process ● More encapsulation means less payload? 12
  • 13. www.glcnetworks.com Router and Routing 13 ● Router is a network device that is used to forward packets, based on layer 3 information (layer 3 header) ● Routing is the process of selecting a path for traffic in a network, or between or across multiple networks Physical router Router icon
  • 14. www.glcnetworks.com Typical connection (physical) 14 R2 R1 R3 ● Router connects layer 2 segments ● Router works on layer 3, connecting L2 segments ● Meaning, each layer 2 segment has network ID
  • 15. www.glcnetworks.com Typical connection (logical) and routing table 15 Routing table: ● A table at router that is used to forward packet ● Available on every devices (router and host) ● Entry is executed sequentially 192.168.0.0/26 R1 192.168.0.1/26 192.168.0.3/26 192.168.0.2/26 R3 R2 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.3.3/24 192.168.3.9/24 192.168.2.9/24 192.168.2.2/24 192.168.1.1/24 192.168.1.9/24 destination gateway 192.168.0.0/26 direct 192.168.1.0/24 direct 192.168.2.0/24 192.168.0.2 192.168.3.0/24 192.168.0.3 192.168.16.3/32 192.168.0.2 0.0.0.0/0 (default gw) 192.168.0.3
  • 16. www.glcnetworks.com Forwarding packets using routing table 16 ● It works like a firewall: match and action ● When a packet arrived, routing table is used to forward packets ● You should think in binary to understand how it works destination gateway 192.168.16.3/32 11000000 10101000 00001000 00000011 192.168.0.2 192.168.0.0/26 11000000 10101000 00000000 00 direct 192.168.1.0/24 11000000 10101000 00000001 direct 192.168.2.0/24 11000000 10101000 00000010 192.168.0.2 192.168.3.0/24 11000000 10101000 00000011 192.168.0.3 0.0.0.0/0 (no match) 192.168.0.3
  • 17. www.glcnetworks.com A packet arrived at R1… (example) 17 Destination IP address of the packet is 192.168.2.6, which gateway do we use? A: 192.168.2.6 = (11000000 10101000 00000010 00000110) destination gateway 192.168.16.3/32 11000000 10101000 00001000 00000011 192.168.0.2 192.168.0.0/26 11000000 10101000 00000000 00 direct 192.168.1.0/24 11000000 10101000 00000001 direct 192.168.2.0/24 11000000 10101000 00000010 192.168.0.2 192.168.3.0/24 11000000 10101000 00000011 192.168.0.3 0.0.0.0/0 192.168.0.3
How routing works & Administrative distance (analogy)
Road signs (analogy):
CITY 1   100 km
CITY 2   120 km
CITY 2    90 km
CITY 3   500 km
CITY 4   250 km
Routing table:
destination       gateway        distance
10.10.10.0/24     192.168.0.1    10
10.10.20.0/24     192.168.0.2    12
10.10.20.0/24     192.168.0.3     9
10.10.30.0/24     192.168.0.3    50
10.10.40.0/24     192.168.0.4    25
Administrative distance
● Distance is considered when the prefix length is the same
● Lowest distance wins
● Administrative distance policy depends on the vendor
● Table on the right shows an example of administrative distances on a Cisco router
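The forwarding decision of the last slides, worked through in code: an added example, not part of the slides, that does longest-prefix matching in binary over the R1 routing table and uses administrative distance as the tie-breaker between routes of equal prefix length (the distance values are assumed, 0 for directly connected and 1 for static).

```python
# Added example (not from the slides): longest-prefix match over the R1
# routing table, done in binary as the slides suggest, with administrative
# distance breaking ties between routes of equal prefix length. Distances
# (0 for directly connected, 1 for static) are constructed for illustration.
ROUTING_TABLE = [  # (destination, gateway, distance)
    ("192.168.16.3/32", "192.168.0.2", 1),
    ("192.168.0.0/26", "direct", 0),
    ("192.168.1.0/24", "direct", 0),
    ("192.168.2.0/24", "192.168.0.2", 1),
    ("192.168.3.0/24", "192.168.0.3", 1),
    ("0.0.0.0/0", "192.168.0.3", 1),
]

def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer, so prefixes can be compared bitwise."""
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_binary(ip: str) -> str:
    """Dotted binary form, as written on the slides."""
    return " ".join(f"{int(o):08b}" for o in ip.split("."))

def matches(prefix: str, ip: str) -> bool:
    """True when the first <length> bits of ip equal the prefix's bits."""
    net, length = prefix.split("/")
    mask = (0xFFFFFFFF << (32 - int(length))) & 0xFFFFFFFF
    return (ip_to_int(net) & mask) == (ip_to_int(ip) & mask)

def lookup(table, dst: str):
    """Return (destination, gateway) for dst: the longest matching prefix
    wins; among equal prefix lengths the lowest distance wins."""
    best = None
    for dest, gw, dist in table:
        if not matches(dest, dst):
            continue
        length = int(dest.split("/")[1])
        # Tuple compare: longer prefix first, then lower distance.
        if best is None or (length, -dist) > (best[0], -best[1]):
            best = (length, dist, dest, gw)
    return None if best is None else (best[2], best[3])

if __name__ == "__main__":
    # The question on the "A packet arrived at R1" slide.
    print(to_binary("192.168.2.6"), "->", lookup(ROUTING_TABLE, "192.168.2.6"))
```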
Static routing
● Entries in the routing table are created manually
● Admin must manage the routing table on all routers
● Admin has full control
(Figure: the same three-router topology and R1 routing table as under "Typical connection (logical) and routing table")
Dynamic routing
● Routers talk to each other with a routing protocol (RIP, OSPF, BGP)
● Entries in the routing table are created automatically
● Admin must have a good knowledge of the routing protocol
(Figure: the same three-router topology and R1 routing table as under "Typical connection (logical) and routing table")
Routing metric
● A value used by a router to make routing decisions; it depends on the routing protocol
● OSPF: accumulated cost
● RIP: hop count
● IS-IS: cost
● EIGRP: bandwidth, load, delay, reliability and MTU
● BGP: AS-Path, Next-hop, Origin, Local preference, Atomic aggregate, Multi Exit Discriminator (MED)
Asymmetric routing
● Currently, routing is done one-way only
● Forwarding process on a router is based on the destination IP address
● There is no guarantee the incoming path is the same as the outgoing path
● We can only control outgoing forwarding
(Figure: R1 192.168.0.1/26, R2 and R3 192.168.0.3/26, with the LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 behind them)
What is Mikrotik firewall?
● Is a feature to
  ○ Control network access (filter)
  ○ Modify network header (NAT)
  ○ Mark packets for further processing (mangle)
● Consists of 2 parts: matcher & action
● Executed sequentially
● Netadmin must understand the application’s characteristics in order to build a matcher (e.g. browsing -> traffic with TCP dst-port 80)
How firewall works?
● Setup matcher -> then action
  ○ Mikrotik has lots of options for matcher -> very flexible
● Matcher + Action = Firewall rule
● Rules are executed sequentially
Where the packet is processed? (packet flow)
(Figure: RouterOS packet flow diagram)
Note: ipsec is removed in this diagram
Input vs. forward (routing decision)
(Figure: the routing decision, with the INPUT and FORWARD chains)
Firewall connections
● What is a connection? A relationship between 2 hosts
● A connection can be identified by:
  ○ A pair of IP addresses: source & destination
  ○ A pair of IP addresses + a pair of ports (source & destination ports)
  ○ Note: some protocols do not use ports for communication
● Mikrotik firewall supports connection-tracking (conn-track)
  ○ Therefore, mikrotik is able to identify, track, and display connections
  ○ Connection tracking requires CPU usage
  ○ Some features rely on conn-track: NAT, conn-bytes
What happens to packets in the mangle chain?
● Depends on the action
● In most cases, mangle is used for marking
● Sequence is important
Mangle action: mark-packet
● Is used to identify packets
● Applied in one direction. Example:
  ○ Packets to google DNS
    /ip firewall mangle add chain=forward dst-address=8.8.8.8 action=mark-packet new-packet-mark=packet-to-googledns passthrough=no
  ○ Packets from google DNS
    /ip firewall mangle add chain=forward src-address=8.8.8.8 action=mark-packet new-packet-mark=packet-from-googledns passthrough=no
(Figure: router with ISP1 and ISP2 uplinks, host 192.168.1.10 and 8.8.8.8; "packets to 8.8.8.8" and "packets from 8.8.8.8" are marked by separate rules)
Mangle action: mark-connection
● See the previous explanation of the conn-track feature
● Mark-connection is two-way (inbound and outbound)
  ○ One firewall rule for both inbound and outbound
● Example: a connection between google DNS and the webserver
    /ip firewall mangle add chain=forward dst-address=8.8.8.8 src-address=192.168.1.10 action=mark-connection new-connection-mark=conn-googledns passthrough=no
● Check it on firewall-connections
(Figure: router with ISP1 and ISP2 uplinks; one connection between 8.8.8.8 and 192.168.1.10)
Multiple gateways scenario + LAN server
● You have a default route via ISP1 → main outbound
● Main inbound → via ISP1
● What we expect:
  ○ Inbound interface = outbound interface
● What we get:
  ○ Inbound interface = any
  ○ Outbound interface = default outbound
  ○ This is not optimal
(Figure: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN with the webserver on ether4)
Policy Based Routing (PBR)
● It is a technique to route traffic based on your specific rules
● Useful if you have more than 1 gateway
● Applied on layer 3 (router)
● Applied in one direction only
Benefits:
● We can steer traffic based on a specific matcher
(Figure: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN with the webserver on ether4)
Our strategy
● Do mark-conn on each inbound interface to identify where they come from:
  ○ @ether1, conn-mark = via-isp1
  ○ @ether2, conn-mark = via-isp2
● Do mark-routing on the outbound interface that is facing the user (ether4)
  ○ If mark-conn = via-isp1 → route via isp1
  ○ If mark-conn = via-isp2 → route via isp2
(Figure: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN with the webserver on ether4)
Step 1: create routing entries with new marks (tables)
● /routing/table/add name=via-isp1 fib
● /routing/table/add name=via-isp2 fib
● /ip/route/add dst-address=0.0.0.0/0 gateway=10.1.1.1 check-gateway=ping routing-table=via-isp1
● /ip/route/add dst-address=0.0.0.0/0 gateway=10.2.2.2 check-gateway=ping routing-table=via-isp2
(Figure: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN with the webserver on ether4)
Step 2: create mark-connection (inbound)
● /ip/firewall/mangle/add action=mark-connection chain=prerouting in-interface=ether1 new-connection-mark=via-isp1 passthrough=no
● /ip/firewall/mangle/add action=mark-connection chain=prerouting in-interface=ether2 new-connection-mark=via-isp2 passthrough=no
(Figure: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN with the webserver on ether4)
Step 3: create mark-routing (steering outbound)
● /ip/firewall/mangle/add action=mark-routing chain=prerouting connection-mark=via-isp1 in-interface=ether4 new-routing-mark=via-isp1 passthrough=no
● /ip/firewall/mangle/add action=mark-routing chain=prerouting connection-mark=via-isp2 in-interface=ether4 new-routing-mark=via-isp2 passthrough=no
(Figure: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN with the webserver on ether4)
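The three steps above, traced as a small model: an added example, not RouterOS code and not from the slides, that shows how the two-way conn-mark from Step 2 lets Step 3 send the webserver's reply back out through the ISP the request came in on, and what happens without Step 3. It assumes the slides' topology (ISP1 on ether1 with gateway 10.1.1.1, ISP2 on ether2 with gateway 10.2.2.2, the webserver 192.168.1.10 behind ether4, main-table default route via ISP1); client addresses are constructed.

```python
# Added example (not RouterOS code): a small model of the slides' three PBR
# steps, showing why the webserver's reply leaves via the ISP the request came
# in on. Assumed from the slides: ISP1 on ether1 (gateway 10.1.1.1), ISP2 on
# ether2 (gateway 10.2.2.2), webserver 192.168.1.10 behind ether4, main-table
# default route via ISP1. Client addresses are constructed.
from typing import Optional

# Step 1: one default route per routing table (the routing mark names the table).
ROUTES = {"main": "10.1.1.1", "via-isp1": "10.1.1.1", "via-isp2": "10.2.2.2"}
conntrack: dict = {}  # conn-track: direction-independent key -> connection mark

def conn_key(pkt: dict) -> frozenset:
    """Same key for a packet and its reply: conn-track sees one connection."""
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

def mangle_prerouting(pkt: dict, steer: bool = True) -> Optional[str]:
    """Apply the slides' mangle rules in order; return a routing mark or None."""
    key = conn_key(pkt)
    # Step 2: mark-connection by the inbound ISP interface (passthrough=no).
    if pkt["in_if"] == "ether1":
        conntrack[key] = "via-isp1"
    elif pkt["in_if"] == "ether2":
        conntrack[key] = "via-isp2"
    # Step 3: mark-routing on packets from the LAN side, copying the conn-mark.
    if steer and pkt["in_if"] == "ether4":
        return conntrack.get(key)
    return None

def route(pkt: dict, steer: bool = True) -> str:
    """Routing decision: LAN destinations are directly connected; anything
    else uses the table named by the routing mark (main when unmarked)."""
    mark = mangle_prerouting(pkt, steer)
    if pkt["dst"].startswith("192.168.1."):
        return "ether4"
    return ROUTES[mark or "main"]

def reply_gateway(isp_if: str, client: str, steer: bool = True) -> str:
    """A client reaches the webserver through isp_if; return the gateway
    chosen for the webserver's reply (steer=False leaves out Step 3)."""
    request = {"in_if": isp_if, "src": client, "sport": 40000,
               "dst": "192.168.1.10", "dport": 80}
    route(request, steer)  # delivered to the LAN, but now conn-marked
    reply = {"in_if": "ether4", "src": "192.168.1.10", "sport": 80,
             "dst": client, "dport": 40000}
    return route(reply, steer)

if __name__ == "__main__":
    print("via ISP2, steered:", reply_gateway("ether2", "203.0.113.5"))
    print("via ISP2, no PBR: ", reply_gateway("ether2", "203.0.113.6", False))
```

As in the slides' rules, the model re-writes the conn-mark on every packet arriving from an ISP; on a real router a connection-state=new matcher on the Step 2 rules limits that work to the first packet of each connection, since the mark stays on the conn-track entry.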
Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from experienced teachers
● Not only learn the materials, but also share experiences, best practices, and networking
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our further events on our website: https://www.glcnetworks.com
● Like our facebook page: https://www.facebook.com/glcnetworks
● Slide: https://www.slideshare.net/glcnetworks/
● Discord (bahasa indonesia): https://discord.gg/6MZ3KUHHBX
● Recording (youtube): https://www.youtube.com/c/GLCNetworks
● Stay tuned with our schedule