Webinar topic: Firewall mangle PBR: steering outbound path similar to inbound
Presenter: Achmad Mardiansyah
In this webinar, we explore how to use firewall mangle rules and policy-based routing to steer outbound traffic along a similar path to inbound traffic. This technique can help to balance outbound traffic across multiple links, ensure that outbound traffic exits the network through a particular gateway, and more. We provide a detailed overview of the configuration process and offer examples to illustrate the benefits of this approach. Whether you are a network administrator or just want to optimize your internet connectivity, this presentation has something for you!
Please share your feedback or webinar ideas here: http://bit.ly/glcfeedback
Check our schedule for future events: https://www.glcnetworks.com/en/schedule/
Follow our social media for updates: Facebook, Instagram, YouTube channel, Telegram and Discord
Recording is available on youtube:
https://youtu.be/BFT2tNasdqk
4. www.glcnetworks.com
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: Training, IT Consulting
● Certified partner for: Mikrotik, Ubiquiti, Linux Foundation
● Product: GLC radius manager
● Regular events
5. Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, Mikrotik user since 2007, UBNT user since 2011
● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
6. Past experience
● 2020-2022 (Congo DRC, PNG, Malaysia): network support, radius/billing integration
● 2019, Congo (DRC): built a wireless ISP from the ground up
● 2018, Malaysia: network revamp, developed a billing solution and integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for a wireless ISP, migrating a bridged network to a routed one
● 2015, Kalimantan: wireless support
● See our website for more details
10. 7 OSI layers & protocol
● The OSI layer model is a conceptual model from ISO (International Standard Organization) for the OSI (Open System Interconnection) project
● When you send a message by courier, you need to add more information for your message to arrive at its destination (this process is called encapsulation)
● What is a protocol?
○ A set of rules for communication
○ Available on each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (before the header is added, i.e. the payload handed to a layer)
○ PDU: protocol data unit (after the header is added)
13. Router and Routing
● A router is a network device that forwards packets based on layer 3 information (the layer 3 header)
● Routing is the process of selecting a path for traffic within a network, or between or across multiple networks
15. Typical connection (logical) and routing table
Routing table:
● A table on the router that is used to forward packets
● Available on every device (routers and hosts)
● Entries are evaluated sequentially
[Topology diagram: R1 (192.168.0.1/26), R2 (192.168.0.2/26) and R3 (192.168.0.3/26) share the 192.168.0.0/26 segment; R1 is 192.168.1.1/24 on LAN 192.168.1.0/24 (host 192.168.1.9), R2 is 192.168.2.2/24 on 192.168.2.0/24 (host 192.168.2.9), R3 is 192.168.3.3/24 on 192.168.3.0/24 (host 192.168.3.9).]

R1 routing table:
destination             gateway
192.168.0.0/26          direct
192.168.1.0/24          direct
192.168.2.0/24          192.168.0.2
192.168.3.0/24          192.168.0.3
192.168.16.3/32         192.168.0.2
0.0.0.0/0 (default gw)  192.168.0.3
16. Forwarding packets using the routing table
● It works like a firewall: match and action
● When a packet arrives, the routing table is used to decide where to forward it
● You should think in binary to understand how the matching works: only the network bits of each prefix are compared
destination       network bits compared (binary)         gateway
192.168.16.3/32   11000000 10101000 00001000 00000011    192.168.0.2
192.168.0.0/26    11000000 10101000 00000000 00          direct
192.168.1.0/24    11000000 10101000 00000001             direct
192.168.2.0/24    11000000 10101000 00000010             192.168.0.2
192.168.3.0/24    11000000 10101000 00000011             192.168.0.3
0.0.0.0/0         (no bits compared: used when nothing else matches)   192.168.0.3
17. A packet arrived at R1... (example)
The destination IP address of the packet is 192.168.2.6. Which gateway do we use?
A: 192.168.2.6 = 11000000 10101000 00000010 00000110. The longest prefix whose network bits match is 192.168.2.0/24 (11000000 10101000 00000010), so R1 forwards the packet to gateway 192.168.0.2.
destination       network bits compared (binary)         gateway
192.168.16.3/32   11000000 10101000 00001000 00000011    192.168.0.2
192.168.0.0/26    11000000 10101000 00000000 00          direct
192.168.1.0/24    11000000 10101000 00000001             direct
192.168.2.0/24    11000000 10101000 00000010             192.168.0.2
192.168.3.0/24    11000000 10101000 00000011             192.168.0.3
0.0.0.0/0                                                192.168.0.3
19. How routing works & administrative distance (analogy)
Road signs (analogy):
CITY 1   100 km
CITY 2   120 km
CITY 2    90 km
CITY 3   500 km
CITY 4   250 km

Routing table:
destination     gateway       distance
10.10.10.0/24   192.168.0.1   10
10.10.20.0/24   192.168.0.2   12
10.10.20.0/24   192.168.0.3    9
10.10.30.0/24   192.168.0.3   50
10.10.40.0/24   192.168.0.4   25
20. Administrative distance
● Distance is only considered between entries with the same prefix length
● The lowest distance wins
● The administrative distance policy depends on the vendor
● The table on the right shows an example of administrative distances on a Cisco router
21. Static routing
● Entries in the routing table are created manually
● The admin must manage the routing table on every router
● The admin has full control
[Diagram: the same R1/R2/R3 topology and R1 routing table as on slide 15.]
22. Dynamic routing
● Routers talk to each other using a routing protocol (RIP, OSPF, BGP)
● Entries in the routing table are created automatically
● The admin must have good knowledge of the routing protocol
[Diagram: the same R1/R2/R3 topology and R1 routing table as on slide 15.]
23. Routing metric
● A value used by a router to make routing decisions; what it measures depends on the routing protocol
● OSPF: accumulated cost
● RIP: hop count
● IS-IS: cost
● EIGRP: bandwidth, load, delay, reliability and MTU
● BGP: AS-Path, Next-hop, Origin, Local preference, Atomic aggregate, Multi Exit Discriminator (MED)
24. Asymmetric routing
● So far, routing has been described as one-way only
● The forwarding decision on a router is based on the destination IP address
● There is no guarantee that the incoming path is the same as the outgoing path
● We can only control outgoing forwarding
[Diagram: the same R1/R2/R3 topology as on slide 15.]
26. What is the Mikrotik firewall?
● A feature to
○ Control network access (filter)
○ Modify network headers (NAT)
○ Mark packets for further processing (mangle)
● Consists of 2 parts: matcher & action
● Executed sequentially
● The netadmin must understand the application's characteristics in order to build a matcher (e.g. browsing -> traffic with TCP dst-port 80)
27. How does the firewall work?
● Set up the matcher -> then the action
○ Mikrotik has lots of options for the matcher -> very flexible
● Matcher + Action = Firewall rule
● Rules are executed sequentially
31. Firewall connections
● What is a connection? A relationship between 2 hosts
● A connection can be identified by:
○ A pair of IP addresses: source & destination
○ A pair of IP addresses + a pair of ports (source & destination ports)
○ Note: some protocols do not use ports for communication
● The Mikrotik firewall supports connection tracking (conn-track)
○ Therefore, Mikrotik is able to identify, track, and display connections
○ Connection tracking costs CPU
○ Some features rely on conn-track: NAT, conn-bytes
33. What happens to packets in the mangle chain?
● It depends on the action
● In most cases, mangle is used for marking
● Rule sequence is important
34. Mangle action: mark-packet
● Used to identify packets
● Applied in one direction only. Example:
○ Packets to Google DNS
/ip firewall mangle add chain=forward dst-address=8.8.8.8 action=mark-packet new-packet-mark=packet-to-googledns passthrough=no
○ Packets from Google DNS
/ip firewall mangle add chain=forward src-address=8.8.8.8 action=mark-packet new-packet-mark=packet-from-googledns passthrough=no
[Diagram: host 192.168.1.10 behind a router with ISP1 and ISP2; packets to 8.8.8.8 and packets from 8.8.8.8 are marked by two separate rules.]
35. Mangle action: mark-connection
● See the previous explanation of the conn-track feature
● mark-connection is two-way (inbound and outbound)
○ One firewall rule covers both inbound and outbound packets of the connection
● Example: a connection between Google DNS and the webserver
/ip firewall mangle add chain=forward dst-address=8.8.8.8 src-address=192.168.1.10 action=mark-connection new-connection-mark=conn-googledns passthrough=no
● Check it in the firewall connections list
[Diagram: host 192.168.1.10 behind a router with ISP1 and ISP2; a single connection between 8.8.8.8 and 192.168.1.10 is marked.]
37. Multiple gateways scenario + LAN server
● You have a default route via ISP1 → main outbound
● Main inbound → via ISP1
● What we expect:
○ Inbound interface = outbound interface
● What we get:
○ Inbound interface = any
○ Outbound interface = default outbound (ISP1), whichever ISP the connection arrived through
○ This is not optimal
[Diagram: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN webserver behind ether4.]
38. Policy Based Routing (PBR)
● A technique to route traffic based on your own specific rules rather than on destination address alone
● Useful if you have more than 1 gateway
● Applied at layer 3 (router)
● Applied in one direction only
Benefits:
● We can steer traffic based on a specific matcher
[Diagram: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN webserver behind ether4.]
39. Our strategy
● Do mark-connection on each inbound interface to identify where connections come from:
○ @ether1, conn-mark = via-isp1
○ @ether2, conn-mark = via-isp2
● Do mark-routing on the interface facing the user (ether4), where the replies enter the router
○ If conn-mark = via-isp1 → route via ISP1
○ If conn-mark = via-isp2 → route via ISP2
[Diagram: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN webserver behind ether4.]
40. Step 1: create routing entries with the new marks (tables)
● /routing/table/add name=via-isp1 fib
● /routing/table/add name=via-isp2 fib
● /ip/route/add dst-address=0.0.0.0/0 gateway=10.1.1.1 check-gateway=ping routing-table=via-isp1
● /ip/route/add dst-address=0.0.0.0/0 gateway=10.2.2.2 check-gateway=ping routing-table=via-isp2
[Diagram: R1 with ISP1 on ether1, ISP2 on ether2, ISP3, and the LAN webserver behind ether4.]
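The remaining steps of the strategy from slide 39, written out as an added example (this is not the presenter's own configuration): mark each new connection with the ISP interface it arrived on, then mark routing for the webserver's replies entering on ether4 so they leave through the same ISP. Gateway addresses 10.1.1.1 and 10.2.2.2 come from Step 1; placing the rules in chain=prerouting and matching only connection-state=new are assumptions.

```routeros
# Step 1 (from the slides): one routing table per ISP, each with its own default route
/routing/table/add name=via-isp1 fib
/routing/table/add name=via-isp2 fib
/ip/route/add dst-address=0.0.0.0/0 gateway=10.1.1.1 check-gateway=ping routing-table=via-isp1
/ip/route/add dst-address=0.0.0.0/0 gateway=10.2.2.2 check-gateway=ping routing-table=via-isp2

# Step 2 (assumed rules): remember which ISP a connection arrived through.
# Only the first packet (connection-state=new) has to be matched; conn-track then
# carries the connection mark on every later packet, in both directions.
/ip/firewall/mangle/add chain=prerouting in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=via-isp1 passthrough=yes comment="inbound via ISP1"
/ip/firewall/mangle/add chain=prerouting in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=via-isp2 passthrough=yes comment="inbound via ISP2"

# Step 3 (assumed rules): replies from the webserver enter on ether4; the connection
# mark selects the routing table, so each reply exits the ISP it came in on.
/ip/firewall/mangle/add chain=prerouting in-interface=ether4 connection-mark=via-isp1 action=mark-routing new-routing-mark=via-isp1 passthrough=no comment="reply via ISP1"
/ip/firewall/mangle/add chain=prerouting in-interface=ether4 connection-mark=via-isp2 action=mark-routing new-routing-mark=via-isp2 passthrough=no comment="reply via ISP2"

# Verify: which connections carry a mark, and which route the marked table uses
/ip/firewall/connection/print where connection-mark=via-isp2
/ip/route/print where routing-table=via-isp2
```

Connections the LAN itself originates match none of the mark-connection rules, so they carry no mark and keep following the main table's default route via ISP1.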
44. Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● You will not only learn the material, but also share experiences, best practices, and networking
45. End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our future events on our website: https://www.glcnetworks.com
● Like our Facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Discord (Bahasa Indonesia): https://discord.gg/6MZ3KUHHBX
● Recording (YouTube): https://www.youtube.com/c/GLCNetworks
● Stay tuned for our schedule