Getting Started: MikroTik Firewall

Captions
What's up everybody, The Network Berg here. Hope you've been doing well. In this video we'll be covering the MikroTik firewall. This should hopefully not be too long a section, but the video does cover something very important, so please take this to heart and come in with a keen and interested eye, because you're going to be learning a little bit about the firewall. Again, if you're not subscribed to the channel, I'd like to remind you to do so; like and share the video, it does help grow this channel and I appreciate it immensely. Without further ado, let's get into the video.

Okay, so let's log into WinBox and see what this firewall business is all about. I'm just going to open up WinBox and connect onto Ramon, and from Ramon I'm going to find router 8, which is the router on this topology that I'm going to connect to. From router 8, if you want to see the firewall, you just go to the IP > Firewall option. This should look familiar, because if you've been following along with the series, or if you've looked at any of the other videos where we start setting up a connection to the internet, you would have set up a NAT rule to NAT your traffic out, and that is a part of the firewall. So that whole system, the rules, the mangles, all of it, is one nice big box that all works together, and for this box to work we need what you call connection tracking.

Before we start with any of this cool firewall stuff, we're going to look at connection tracking, and to find that you'll go to the Connections tab. Now what does connection tracking mean? Well, it's basically a way for the firewall to keep track of all of your connections. I know it sounds pretty straightforward, and it is: your firewall builds up its own table, and this table keeps track of all of the details of all of the connections. So what the source IPs are, like you can see here, destination IPs, the protocols they're using, connection state (is it established, is it idle, is it in a SYN state), how long before this connection times out, or the state, sorry, I was looking at something else there, and how many bytes have actually gone across the connection. So every connection that is being made from the router and across the network will be kept in this connection tracking table.

Now by default your connection tracking is on, but it's automatically being done, so if you click on this Tracking button, by default this will be on auto. I typically just put it on yes because I make use of the firewall quite frequently, but the firewall is also pretty CPU intensive. So if you have a small router and you're not really using the firewall, you're not actually NATting out traffic, you're almost just routing traffic through it, then disabling connection tracking makes sense. But if you're an ISP, or if you're using the router to provide network to an enterprise, or to a small business or even a medium business that actually needs some of the functionality like blocking certain things, then you will probably just want to put it on. So I would just put this on; you don't really need to tune any of these other values, you can leave that alone, and then all your connections will start to get tracked.

What I quickly want to do is show you that connection tracking is working. I'm just going to open up a PuTTY session to a machine that's on that network. So if we look at router 8, there's this virtual computer that I have sitting behind it on this range, and I'm just going to initiate a ping to Google's secondary DNS server. Now the ping is running; if I go back to my firewall, I'm actually seeing these connections now from 10.100.0.2 going to 8.8.4.4. I can see it is ICMP because it's protocol 1, and it's basically just showing me it's been picking up those packets. Another thing that we can do to quickly test is, from router 8, I might do something like a telnet to 8.8.4.4 on port, let's say, 53, which is for DNS, and let's see, do we pick it up? And I do see it was there, but it basically closed the connection as quickly as it made it, because it's not really made for that type of service. But this is where all of your connections would be kept track of. Without this table none of your rules will work: no NATting, no firewall or filter rules, no mangles. There are some exceptions, but for the most part it's not going to work if you don't have connection tracking, so it's very important to keep track of this. But I mainly just use connection tracking, or the Connections tab, to verify if connections are being made and if there are any type of errors that may be occurring.

So the next thing we're going to do is look at our filter rules. From the Filter Rules tab it's pretty straightforward: if you want to add one, you just click on the plus and it brings up this neat little box that asks you a bunch of questions. It's very important; I'd say there are three things that you need for any basic firewall rule. You can add on to it, you can make it four, five, six, whatever, but for the most part you're going to have to specify your chain (you get three different chains when it comes to the filter rules), you're going to have to specify an action, which is on this tab, so what happens to the traffic once it is picked up, and also you're going to have to specify some sort of trigger, some sort of event. So what I would say is like your source address, so where's the traffic coming from, or your destination address, where is the traffic going to. You could also do stuff like the protocol, is it TCP, is it UDP, and you can click on this little drop-down box and it gives you a bunch of cool options that you can click on that you might want to allow or not allow. You've also got the different ports that you can specify, in and out interface, so all of these options are here for you. But the first thing that I want to mention is the chains again, so you need to understand these chains, what they mean and what they're doing. So you've got the forward, input and output chains.

To explain it I'm going to use a very nifty tool called Paint. In Paint what I'm just going to do is draw a little router, let's make it a yellow router, and this router is going to get three different chains. It has your input chain. Input basically means, besides the router, let's make a little laptop there, there we go, there's a laptop or a computer. So let's grab another colour and say any traffic going in to the router itself, so the destination of the packets is the router's address, would be seen as an input packet. Those packets would be going to the router; it's not going to go through the router, it's not going to leave the router to your own computer. Again, let's basically just say from your computer to your router: when your router gets that traffic, it will be input packets. That is a very ugly "in". So the next one we want to discuss is out. Out is essentially, let's draw a little cloud, out would basically be defined as any traffic, take a guess, going out from your router. So any packets that are marked with the source address of your router's WAN interface or whatnot, that address will be seen as output packets, so packets leaving from your router going out somewhere else. Your router is the initiator of the traffic, so that would be out. And then lastly we have what you call the forward chain. This is also a pretty good one, because this is one that you'll be dealing with a lot, and this is dealing with, let's say, traffic that is being sent through the router. So the router isn't creating the packet, it's not receiving the packet, it's forwarding the packet. In this event, let's just take a nice green colour: basically your laptop would be initiating a connection because he wants to get to this other laptop, and the router would just forward that traffic, so it will try and push the traffic out from a different source, so something that's not from itself or to itself. This we would just call forward. So those are the three different chains that you have as options, which is your in, out and forward.

So let's get these chains in action quickly; let's configure a few. The first one that I might want to configure is the input chain. If I look at my topology, what I want us to try and do is: all these routers can currently communicate with each other. So this router 7, let me open this up as a CLI quickly, admin, blank password, and I'm going to ping the IP address of router 8's one address, which is 10.3.1.2, and I can ping it. So from router 7 I'm able to ping router 8's address. The first thing that I want to do is maybe stop that; let's stop ICMP from working. So if I have my new rule open I can say input, so it's coming in, and what we could do is define a source, or I could just use protocol and put in ICMP there, and I can go to my action and say drop or reject. These actions all have different uses and we will get through them, but for now let's just say we want to drop ICMP packets coming into my router. Let's apply this and see what happens. Let's go back into our router 7 and run that ping again. I also want you to just take note of this rule that we created: you'll see there are zero bytes, zero packets. If any rule is being hit, it will show that it's actually dropping those packets. So let's do that ping, and there we go, I'm getting timeouts now; I can see the packets are being sent and how many bytes have been dropped. Awesome, so we are now basically blocking ICMP from coming into the router.

We could also tweak the rule by just double-clicking it, and you could add different protocols. So we could maybe make it TCP and then make it a very specific port; we could maybe deny port 21 for FTP so that they couldn't FTP to my MikroTik router. As I said, you could also just limit this to specific sources. So let's make this ICMP again, but let's only limit it from a certain source. I'm going to allow router 7, but let's look at router 6. Router 6 has an IP address of 10.1.1.2, so only traffic from router 6 I will now reject. Let's apply this and say OK. I'm quickly going to go onto router 7 again and run the same thing, and my ping works, obviously, because I didn't block router 7's address, I blocked router 6's address. So let's open up router 6. OK, we're in router 6, so admin, blank, and let's run a ping to 10.3.1.2, which is router 8, and now I'm getting a net unreachable error message and my packets aren't going through either. Let's quickly go back onto router 8's WinBox, and here we can see the packets have been counted, the bytes have been counted, and we can see the reason we got those reject messages is because of this reject action.

Now if we open this up and go to the actions, I can quickly explain a few of the actions that you'll typically see or use. Those would be reject, which we just added; what reject does is it allows, let's say, the router to reply with a specific message, so it can tell the opposite end "I'm not allowing this, I don't like it", or a few of the other things. So you're basically responding with an error message. If you use the drop action then you're silently dropping the packets, so this is where the user would just maybe see a timeout and not an error message; they'll just see a timeout, it doesn't work, or unreachable. Let's go to accept: this is one that you'll typically see a lot as well, because you're going to accept a lot of packets from specific destinations to make sure it's being allowed to, from or out of the router. If we look, there are a few more, like add destination to address list or add source to address list. Basically what you could do is, if the firewall rule gets triggered and there's a source or destination, then you could effectively add those sources or destinations to an address list, which you could use for something else, maybe a blackhole rule to stop all traffic. Those are really the type of things that you'll deal with for the most part. There is fasttrack connection as well, and I'll jump into fasttrack a little bit later separately, but for now we're just looking at our input, output and forward chains, and these are the type of things that you'll typically be using on it.

OK cool, so the next thing that we want to discuss is our output chain. Again, output means traffic that's originating or leaving from my router. So let's set an output, and this time let's leave the source blank but let's set the destination. For our destination, let's look at our topology; I might make the destination 10.1.1.2, which is router 6's address as well. I'll leave it on ICMP and then I'll still drop that. Let's apply it and open up a WinBox, or a command line from WinBox, and let's just do a ping to 10.1.1.2, and now I'm getting packet rejected. So the router knows that it's got an output chain and it's basically not allowing the packet to be forwarded. That is what output means; again, it's traffic that's leaving from my router.

Now let's jump into our last chain, the forward chain. This is one that you'll be dealing with a lot; this is traffic flowing through the router. If we look at this base network, I'm going to use the client 6 and client 4 LAN addresses for this. What we'll do is say the forward chain, and since we're on router 8 we're going to say anything coming from the source of 10.100.0.0/24 going to 172.16.8.0/24, and we'll set the action as accept. I'm not even going to specify protocols, so this is going to be all protocols; it's just going to be between these two addresses. So let's quickly see: if I'm on this virtual PC, virtual PC 14, which is down here, and I ping 172.16.8.1, I'm getting a response. Awesome, amazing. But if I try pinging 192.168.100.1, will it work? Maybe if I typed it correctly. So let's type 192.168.100.1; it still works. Why does it still work?

OK so let's go back onto the firewall, and the thing that I want to explain to you is that the firewall of the router allows all connections by default. If this is blank here, it doesn't mean it's going to drop anything; there's no implicit deny rule, it's still just going to forward the traffic. So you need to basically be the one in charge of telling the router what is blocked. This also means be careful with what you do on the router, because you could maybe put in a firewall rule that blocks you from connecting to your own router, so that would be pretty silly. So always think about what you're doing when you're trying to set up a firewall rule.

OK so what I want to do now is, I'm already allowing traffic to that address between those two networks, but I want nothing else to work. So let's say the source address again is 10.100.0.0/24 and the destination I'll leave blank this time. I'm going to go to the action and this time I will drop. I'm going to apply that, so now I've got two forward chain rules, one that's allowing the traffic to this network and one that's going to be blocking all the traffic. Let's go back onto our virtual PC: see if I can still ping 172.16.8.1, yes I can; can I ping 192.168.100.1, no I cannot, and this is because the firewall is now blocking that traffic from being forwarded. Let's just maximise that so you can also see the packets; it's being blocked now.

One thing that you need to take note of with the firewall is that all these rules are in sequence as well, so the firewall will read stuff from top to bottom, but it will typically read all of your allowed stuff first, then all of your dropped stuff, etc. So you don't really need to worry too much about the sequencing, but be aware of that: it will read stuff from top to bottom. So that covers the three chains, as well as how to set them up, and connection tracking. Let's see if we've got some time for mangle rules and fasttrack.

All right, so mangles. This is probably the coolest thing that I love about MikroTik, the mangle rule on the firewall; this thing has saved me so much trouble. Basically what the mangle does is it allows you to change details in the packet, so it makes you feel like Mr. Robot: you're basically changing some details in the packet, so it will change how the packet flows through the network or what the packet is actually doing. A lot of times this is what people will use for the more advanced things, like QoS or load balancing or even route leaking to get between different routes in different VRFs. It's really the coolest stuff that you can see from MikroTik, it's this mangle rule, and I really love it so much. Here you've also got your different chains: you've got forward, input, output, postrouting and prerouting. Typically I would be working with prerouting when it comes to the mangles, but you can mangle anything. It sounds a bit harsh, it's mangling, you're mangling something, and I suppose it's true, you are changing a lot about the packet. So what you could effectively do is say something like prerouting, and say anything from 10.100.0.0/24 we want to mangle, and when you mangle things, here are all your different actions that you get with mangle. As you can see there are so many different options. Typically what you'll see is people will do stuff like mark packet for the QoS stuff, or you can mark routing to put it in a different VRF, or you could even route the stuff, so you could change which router this is going to next, what is going to be the next hop. This is really some of the best stuff that you'll see, mangle rules, and I'm not going to lie to you, it can get confusing if you're new to what's happening here, but man, this really pays off. I think I want to make a separate video with the more advanced stuff when I get to the more advanced routing things, so that I can show you the cool things you can do with mangle.

All right, so lastly I just want to quickly touch on fasttrack. Fasttrack I want you to think of as a way for the router to open up a little wormhole, so that the packets can just flow through the wormhole and basically quickly get through the router. Ideally what happens is a fasttrack would bypass your firewall completely, so the router will not do any type of firewall when it comes to fasttrack; it won't look at any of the markings or any of the filter rules that you've specified, it will just look at that connection that's currently in the table, grab it and tell it "I'm going to forward it where it's supposed to go". That is the reason why some people like fasttracking, because it allows them to push the packets out quicker, and it will give you a small throughput increase if you think about it, but to me it's not really worth losing that ability of keeping everything on the firewall. But I'll quickly show you how to set up fasttrack. Fasttrack is essentially just going to this little plus, and then what we could do is a forward and we could fasttrack the connection. Let's set up a similar rule, but let's say 10.100.0.0/24 going to the LAN address of client 5, so let's use 192.168.100.0/24, and let's just apply that. You'll even see we got two rules here, so it creates this other rule automatically once you do the fasttrack connection, and then you've got this little fast-forward icon that appeared with the fasttrack, and then we can look at the packets. What I want us to do now is go back onto the router, or the virtual PC, and see what happens if we ping 192.168.100.1. It's still timing out, but the reason being is we're dropping packets before the fasttrack. So let's just disable that policy and ping, and there we go, we can see the pings are happening and we're actually seeing the traffic is hitting the fasttrack rule.

It's very important to note that fasttrack only works on established connections, as well as, let's go into a connection and look, so we've got established. Actually, let's just open up a new firewall rule, then I can show you the states as well. If we go to the connection state, you'll see this: invalid, established, related, new and untracked. Fasttrack only works on established and related connections; invalid, new and untracked will not work. Basically, whenever your firewall creates any type of connection, or the connection is being established, it will go into a specific state, like we can see when we click on this Connections tab: this state is established. So here you've got an established state; that means there's two-way communication, both hosts can communicate or speak to each other, the TCP three-way handshake has occurred already, so there was a SYN, there was a SYN-ACK and there was an ACK being sent back, just to make sure the connection is working. Related is kind of like established; it's just like picking up a similar connection and it's related, so think of related and established as a very similar thing. New, I think that's also pretty self-explanatory: basically a new connection is being formed and it will first go into a new state to start that process, to say "hey, can I make a connection?" and "yes I can", and everything's working, and then it will go to an established state. Anyway, untracked and invalid, you rarely see these connection states, but they can occur as well, and that's when there's typically some type of a connection error that happens. So those are your different connection states, and again, fasttrack will only work on your established and related states, not new.

Anyway, that is going to wrap up everything for the MikroTik firewall. I hope I didn't confuse you with the firewall itself. What I do want you to take away from this specific video is the input, output and forward chains, because they play a vital role in setting things up on the MikroTik firewall, and remember, with every trigger there's an action. So again, as in the beginning of the video, you're basically going to need three very important things when you're working with the firewall: you're going to need a chain, you're going to need an action, and you're going to need something, so a source or a destination or a port. One more thing that I forgot to show you guys, and this is also pretty nifty: let's go back into the firewall, and if we do a plus here, you'll see at the source there is a little box. If you click on this little box, that's basically inverting the policy, or the address that you're trying to specify there. So you could basically say 10.100.0.0/24, and this rule is basically reading any source that isn't 10.100.0.0/24, then it would do whatever your firewall policy is. So that's also pretty freaking cool, these inverse rules that you could set up. Anyway, I'm going to cut the video here, it is starting to become pretty long. I'd like to thank you guys for watching again, and I'll catch you in the next video; hopefully it will be the continuation of the QoS part two. Thanks again for watching, see ya.
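As an added example (not code from the video, the channel or MikroTik), here is a small Python model of the decisions the video walks through: which chain a packet lands in, top-to-bottom first-match evaluation with accept as the default, the inverse (`!`) address checkbox, and the connection-state requirement that keeps a fasttrack rule from matching new connections; it also renders each rule as the RouterOS CLI command the WinBox dialog corresponds to. Router 8's 10.100.0.1 LAN address and router 7's 10.3.1.1 used in the checks are constructed, and the model ignores things the real firewall does (connection tracking internals, jump chains, NAT).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Rule:
    chain: str                        # input / output / forward
    action: str                       # accept / drop / reject / fasttrack-connection
    protocol: Optional[str] = None    # e.g. "icmp"; None matches any protocol
    src: Optional[str] = None         # CIDR; a leading "!" is WinBox's inverse checkbox
    dst: Optional[str] = None
    state: Optional[Set[str]] = None  # connection-state values the rule requires

    def to_routeros(self) -> str:
        """Render the rule as the equivalent RouterOS CLI command."""
        parts = [f"chain={self.chain}"]
        if self.protocol:
            parts.append(f"protocol={self.protocol}")
        if self.src:
            parts.append(f"src-address={self.src}")
        if self.dst:
            parts.append(f"dst-address={self.dst}")
        if self.state:
            parts.append("connection-state=" + ",".join(sorted(self.state)))
        parts.append(f"action={self.action}")
        return "/ip firewall filter add " + " ".join(parts)

def addr_matches(spec, addr):
    """Empty spec matches anything; "!net" matches addresses outside net."""
    if spec is None:
        return True
    invert = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != invert

def classify(pkt, router_addrs):
    """Addressed to the router = input, sent by the router = output, else forward."""
    if pkt["dst"] in router_addrs:
        return "input"
    if pkt["src"] in router_addrs:
        return "output"
    return "forward"

def evaluate(pkt, rules, router_addrs):
    """First matching rule in the packet's chain wins; no match means accept."""
    chain = classify(pkt, router_addrs)
    for idx, r in enumerate(rules):
        if r.chain != chain:
            continue
        if r.protocol and r.protocol != pkt.get("proto"):
            continue
        if not (addr_matches(r.src, pkt["src"]) and addr_matches(r.dst, pkt["dst"])):
            continue
        if r.state and pkt.get("state") not in r.state:
            continue
        return chain, idx, r.action
    return chain, None, "accept"  # there is no implicit deny

ROUTER8 = {"10.3.1.2", "10.100.0.1"}  # 10.3.1.2 is from the video; the LAN gateway is constructed

def video_rules(fasttrack_before_drop=False):
    """The filter rules built in the video, in the order they were added."""
    rules = [
        Rule("input", "reject", protocol="icmp", src="10.1.1.2"),  # router 6 -> router 8 ping
        Rule("output", "drop", protocol="icmp", dst="10.1.1.2"),   # router 8 -> router 6 ping
        Rule("forward", "accept", src="10.100.0.0/24", dst="172.16.8.0/24"),
        Rule("forward", "drop", src="10.100.0.0/24"),              # everything else from the LAN
    ]
    ft = Rule("forward", "fasttrack-connection", src="10.100.0.0/24",
              dst="192.168.100.0/24", state={"established", "related"})
    rules.insert(3 if fasttrack_before_drop else 4, ft)
    return rules
```

Placing the fasttrack rule after the LAN drop rule, as happened in the video, leaves it unreachable; `video_rules(fasttrack_before_drop=True)` gives the order in which established traffic actually hits it.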
Info
Channel: The Network Berg
Views: 19,703
Rating: 5 out of 5
Keywords: #Routers, #CCNA, #CCNP, #MTCNA, #MTCRE, #MTCINE, #Networking, #Computers, #Ethernet, #DHCP, #Configuration, #MikroTik Firewall, #Firewall, #ConnTrack, #Fasttrack, #Firewall Filter Rules, #Filter Rules, #Firewall Mangle
Id: 6boYA7xdjZY
Length: 27min 59sec (1679 seconds)
Published: Wed Nov 11 2020