How to use L2 filtering in RouterOS

Captions
I'm [name inaudible], I'm from Italy, and I'm here to talk about RouterOS level 2 filtering. Last year in Milan I did a talk about IPv4 and IPv6 filtering, also in RouterOS; today we do something at a lower level of the stack. Before starting: I'm the owner of my company, which is named [inaudible]; we are also an operator in Italy as [inaudible], which is only a brand. And I would like to show you some of my private hobby photos. This is mine. And then we start.

Today's goal is to explain and to know more about level 2 filtering in RouterOS. There is less knowledge about this feature that is present in RouterOS devices, and about what has changed in the last year; there are a lot of changes. I prefer not to make a presentation about menus, but a lot of examples that are quite simple but complex. Then, just kidding, some level 1 filtering: I do that in my security course, so I had this kind of slide in the presentation. This is the first one: cut here to activate the firewall. There is this level 1 firewall, but there is the version to do this more complex, this one: inside there there is a firewall, so you must find them and then put... I don't know. This is real, this is my customer.

Then, from RouterOS 6.41 there is a big change in the configuration of the internal switch: there is no more master/slave interface, because this was a little confusing. Also during the training we had many problems with students, because this master/slave is not [clear], and the solution is to use everywhere and everything as bridge. So you have a bridge, and inside the bridge there is a new function that is hardware acceleration. Nothing changed for the device, same speed, same functions; only the way we can do the configuration of the switch changed. There is also a new H label on bridge ports; we see that letter, and this means that this kind of port is doing hardware acceleration. We must use this carefully, because if there is hardware acceleration enabled, the traffic doesn't go to the bridge: the traffic between ports of the bridge that are hardware accelerated is not bridged, it is switched. This is the new way.

Then, in the L2 configuration we have what you see: when you define an interface you have hardware acceleration. The standard configuration is yes with a new device, but if you import an old configuration from a RouterOS device, or you do an upgrade, hardware acceleration is disabled by default. You must check this switch every time, because it's important for the performance of the device.

Then, new in the level 2 configuration, which is very important and is level 2 filtering related, is the VLAN management at bridge level. Finally we have a simple interface to configure VLAN management in RouterOS devices. It is very simple, it is not the old one of the switch: we have a new menu that is interface bridge vlan. We have the old STP, RSTP, but we have also MSTP, that is Multiple Spanning Tree Protocol, for use with VLANs. It is very important, because in more complex environments we need this kind of function.

Then one very important thing that you must think about in the configuration of this function, hardware acceleration, is that it is configuration driven. So if you use some feature that needs to disable the hardware acceleration, the device, even if you have enabled hardware acceleration, stops using it. So you must check: this is real time. If you change the configuration, the device can disable the hardware acceleration. This is explained in the wiki. This is a limit of the implementation today: not all functions of the bridge, filtering, VLAN are supported for all devices. So if you have a device, you must check if this function can be enabled and if it disables hardware acceleration. This is important, and this is not a run time change, this is a configuration change: if you enable something, hardware acceleration goes disabled.

So just to say, if you want, this is a simple device: we have four ports in the switch, this is the H. We have four ports, sorry for the question. We have the switch, that is the bridge that brings all interfaces, three ports, so that 2, 3, 4 are in the bridge and are hardware accelerated. So if there is traffic between port 2, port 3, port 4, it goes to the switch, not to the bridge. It is wire speed in every device. But there is a new switch, this is the most used: if you go to the new function, VLAN, you can see that there is a switch, VLAN filtering. Just click apply, then go back to the port and magically, after some seconds, H disabled. This is a configuration change that disables hardware acceleration. It is very important, after making modifications to the RouterOS device, to check if hardware acceleration is enabled. It's clear. Then the switch to enable or disable hardware acceleration is hardware offload, and it can be enabled or disabled for each port, so you can have some ports enabled, some ports disabled; it is not important.

One important thing is that if you upgrade from a previous version, then you have the switch with the classical master/slave configuration, and the switch is converted into a bridge. During the course I tell my students to not do that; for me it is best to convert the switch into a bridge before the update of the device, because you choose what to do with the bridge or the switch. But the automatic configuration on the upgrade is working, so this is only to be clear.

So the goal of level 2 filtering: why do we need to do level 2 filtering? There are a lot of complex things that we can do at level 2, and the more complex are related to QoS, but not the QoS of MikroTik, the QoS at network level, so the management of some kind of switch [bits] that are in the packets. But I just report: security, performance, both. Level 2 filtering can go also inside the packets, but there is a limit, because the packet must be normal; normal is a classic packet, not MPLS, IPsec. So this kind of filter can do something complex reading the header of the packet. It is very important also to keep in mind that with the switch and with level 2 filtering, if you use hardware acceleration, there is a limit in the number of rules that you can use in hardware acceleration. If you put too many rules, hardware acceleration is disabled even if supported, because the support of rules in the hardware is resource limited. We have 16, 8, 4 rules depending on the device, or no limit, but the smallest ones have more limits.

Then, this is very important: talking at level 2, at this layer, we deal with MAC addresses. We have no IP; we have the second level of the stack, so we have only MAC address, physical address. Then MAC address: I chose to write this in the center because it's clear. Security based on MAC: this makes no sense, to put security and MAC address in the same statement is wrong, because I can show that: this is the bridge, this is ba-ba-ba-ba-ba-ba, this is the MAC address of the bridge of the device, changed by hand, and I am not a monster, everyone can do that. So using MAC address for filtering is possible but not secure. Then another problem is that when you are connected physically to a network, we talk about physical connection, not wireless, the security is less secure, and also there is a problem that in RouterOS there is no support for 802.1X, the protocol for authentication on wired connections. There is for Wi-Fi connections, not on wired connections; not supported.

At level 2 we can do some editing, but about filtering protocols, because we can choose what kind of packet goes through the filter, and I do this example. Then we have some more practical sections about PPPoE, DHCP, something about filtering the kind of protocol that the customer of the network can use, that can pass the firewall. And we can do some checks, without being too complex, on the VLAN, on the priority, on the service VLAN and Q-in-Q, that are everything related to the header of the packet; it is the first part of the packet.

One good thing about RouterOS is that there is a complex but complete schema of the packet flow inside the device. So level 2 filtering is limited, because we have MPLS, routing decision, this is everything, but bridging is done here, and this is added because we can have MPLS traffic. So we can choose to have a packet that can go to MPLS or VPN, and so is encapsulated and goes to the interface. So it is normal, but it must pass two times in the bridge: the first time with encapsulation, the second time with no encapsulation. This is important because this is plain: at hardware level we have low CPU cost, because the switch is doing the filtering; at bridge level we have medium CPU cost; but the same filtering level, the same check on protocol or MAC address, can be done at raw or IPv4/IPv6 firewall, and this is more CPU consuming. So doing that in hardware is right, and doing that in the bridge is right; we can avoid doing that in the normal firewall.

In the hardware switch, I love to show that every time, because on the MikroTik site there is, for some devices, not all devices but most devices, the schema of the hardware, and the switch is outside the CPU and router hardware. So if you do something about filtering inside the switch, the CPU is totally offloaded of this. It is very important to check your device and control if you have a switch, if you have this switch that is capable of doing level 2 filtering. In hardware, in the switch, we can do more complex things; it depends on the device. Some devices are simple, some devices are complex, so you must check on the wiki about your device and check what is possible to do. In this small device we can do fewer things. But one of the things that I say every time is: remember that hardware has limited resources, so you can do, as I said before, 16, 8, 4 rules, no more, because this is in hardware. Check the wiki for limits; it is all documented.

I can show you that we have an RB962 device here, hAP ac. There is a switch menu; we can see that the chipset is QCA8337. There is port configuration, host configuration, VLAN configuration and also rules. And if you go to add some rule, you can see that we have the possibility to check the switch port, MAC address, MAC protocol, VLAN, and also do some modification. It is limited but very powerful; this is wire speed, so very, very powerful. I added this slide this morning, because there are also SwOS devices, simpler, but there are also in switch devices some filtering functions. Just to remember that the hardware is the same, so some limitations are equal, and also check the wiki for details for the devices that are able to run RouterOS and SwOS. And this is the most important thing about the hardware switch: you must use only one of them in the configuration. It is possible to use all, but it's confusing and maybe it is not working, because if you do some configuration at the hardware switch level and you do also some filtering in the bridge logic, with today's configuration, 6.41 and later RouterOS devices, you can do something that is not working. So the idea is: either you configure the hardware switch, or you put the configuration in the VLAN and bridge configuration, not both. This is not a bug.

Then this is the first example, to show you some interesting things about filtering. This is simple: we do this in the chain forward. So stepping back, forward is here: this is a packet that is not local, and this goes to the forward chain inside the flow. Then, just to show you, this is a packet that has destination MAC address FF... Someone knows what this is? This is the DHCP request. This is... someone can tell me? OK, this is the destination port 67. This is an example with the interface ether5, and this is also a selection on the protocol; I need a check to block the DHCP request. This is protocol IP, and this is the selection about the interface that must not be ether5. This is a simple configuration that I put to implement this kind of schema: we have a good DHCP server, we have a client, we have this interface that is ether5, then the RouterOS bridge firewall, and here we have a bad DHCP server. This is a common scenario: we have a network, someone without a brain connected, put a second DHCP server on the network, and this server can be contacted also by the client if you don't use this device to filter the DHCP requests. In this way the client only sees the good DHCP server. This is the configuration: only one rule, and we do that quite simple, quite fast. The only thing that you must remember is that on all ports involved in this configuration you must disable hardware offload, because this is done at bridge level and can't be hardware accelerated.

This is the second example; it is quite simple too. It is a configuration to put an Ethernet device in this schema: we choose to have only PPPoE connections on ether4, ether3, and so we don't accept any other protocol on the Ethernet port, only the discovery and session protocols of PPPoE. This is the configuration. We talk about chain input, because the PPPoE server is the RouterOS device. Then we go to set the MAC protocol PPPoE discovery and also PPPoE, and we put also a specific rule to drop in the forward chain all the other protocols. In this configuration I use the interface list feature of RouterOS, that is last year's new feature, and this is quite useful, because you can, in the Interfaces menu, Interface List, define a list of Ethernet ports and use this configuration also in bridge filtering. So if you go to the filters and you go to this, Interfaces, In Interface List, you can choose the interface list that you want. This is quite faster, and it is also useful to export and import configuration from device to device, because the configuration is not hardware related; only the interface list is hardware related. If you want, there is my talk about this kind of argument, last year in Milan.

Then the third example is about VLANs. It is more complex on the command line than it is in the new interface, which is quite simple, because with this new feature, if you define a bridge and you define interfaces, you can do this kind of definition about the PVID, and you can do also filtering on VLANs that is more simple than before, because you choose what interfaces are tagged, what is untagged, what is the VLAN ID that you must use. It is very, very simple, because this is quite complex to do in the switch configuration and also quite complex to do in the filter configuration. This is the schema: we have one trunk interface, ether1, with VLAN 1 and tagged 200, 300, 400, and three ports that have untagged on each: ether4, ether3, ether2. This was quite complex to do with the old configuration. Now the only thing that you must do is what I did at the start of the presentation, so enable VLAN filtering in the bridge. This, in some devices, not all devices, disables hardware acceleration. And if you do that, VLAN management is done by the bridge, following the rules that you put in the configuration. I can show you that this is the new configuration, so this is dynamically added by the configuration manager of RouterOS. Then we can see this is quite simple: I choose the bridge, the VLAN ID, I tell RouterOS this is tagged, this is untagged. Simple. I can tell you that before, that was very, very complex. So it is very stupid. If you want to access VLAN 200 packets on the bridge from RouterOS, you must add also the bridge itself to the filtering. So this is new, this is the only complex thing: if you want to have the RouterOS device access the VLAN packets inside, you must add also the bridge interface to the filtering. This is the only complex thing that I needed to do, if needed.

Then a more complex example, this is also level 2 filtering: WMM packets and VLAN tagged packets that have some kind of classification, this is only an example, take priority, and all other traffic takes no priority. This is done with an interface list, and then we use mangle, that is IP level configuration, not level 2 configuration, but it's quite simple. We define a list; we saw before where the interface lists are. So we define a bridge filter that classifies the priority: if priority is 0, set priority with new priority 7. Then we have a mangle configuration that is more complex but is not so difficult: we mark packets in the chain forward with priority 7, new packet mark priority7, passthrough. And then we do QoS, MikroTik RouterOS QoS, doing regulation about speed, and this is the simple queue that takes priority and limits, max limit, and checks packet mark priority7. This is quite simple, but without the configuration in the bridge we cannot check the ingress priority; that is very important. This is only to show you some features about filtering. Then some questions? It's OK for me, it's not so difficult. No problem. Thank you all. [Applause]
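The four configurations the talk walks through (rogue DHCP filter, PPPoE-only ports, bridge VLAN management, ingress priority into a queue), written out as an added RouterOS 6.41+ CLI example; this is not the speaker's own export. Port names and VLAN IDs follow the slides; the bridge name, list names, packet mark and queue limit are assumed, and each numbered section is a separate scenario meant to be applied on its own.

```routeros
# Added example, not the speaker's configuration. Assumes one bridge named bridge1
# on RouterOS 6.41+. Each numbered block is its own scenario from the talk.

# Bridge filtering runs in the CPU: hardware offload must be off on the ports the
# rules look at (the "H" flag disappears). Re-check this flag after every change.
/interface bridge port set [find bridge=bridge1] hw=no

# 1. Rogue DHCP server. Requests go to ff:ff:ff:ff:ff:ff UDP/67; only the trusted
#    server port (ether5 in the talk) may receive them or send replies (UDP/68).
/interface bridge filter
add chain=forward action=drop mac-protocol=ip ip-protocol=udp dst-port=67 \
    dst-mac-address=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff out-interface=!ether5 \
    comment="DHCP requests reach only the good server"
add chain=forward action=drop mac-protocol=ip ip-protocol=udp dst-port=68 \
    in-interface=!ether5 comment="DHCP replies accepted only from the good server"

# 2. PPPoE-only customer ports (ether3/ether4), via an interface list so the rules
#    are portable between devices. The PPPoE server is this router, so accept the
#    two PPPoE ethertypes in the input chain and drop everything else from them.
/interface list add name=PPPOE_PORTS
/interface list member add list=PPPOE_PORTS interface=ether3
/interface list member add list=PPPOE_PORTS interface=ether4
/interface bridge filter
add chain=input action=accept in-interface-list=PPPOE_PORTS mac-protocol=pppoe-discovery
add chain=input action=accept in-interface-list=PPPOE_PORTS mac-protocol=pppoe
add chain=input action=drop in-interface-list=PPPOE_PORTS
add chain=forward action=drop in-interface-list=PPPOE_PORTS

# 3. VLAN management in the bridge: ether1 is the trunk, ether2..ether4 are access
#    ports with a PVID. bridge1 is listed as tagged so the router itself can reach
#    the VLANs. vlan-filtering is enabled last; on some devices this turns hw off.
/interface bridge port set [find interface=ether2] pvid=200
/interface bridge port set [find interface=ether3] pvid=300
/interface bridge port set [find interface=ether4] pvid=400
/interface bridge vlan
add bridge=bridge1 vlan-ids=200 tagged=ether1,bridge1 untagged=ether2
add bridge=bridge1 vlan-ids=300 tagged=ether1,bridge1 untagged=ether3
add bridge=bridge1 vlan-ids=400 tagged=ether1,bridge1 untagged=ether4
/interface bridge set bridge1 vlan-filtering=yes

# 4. Priority: frames from listed ports with ingress priority 0 are given priority 7
#    in the bridge (only the bridge can see ingress priority); mangle then marks them
#    and a simple queue rate-limits the mark (assumed list name, mark and limit).
/interface list add name=PRIO_PORTS
/interface list member add list=PRIO_PORTS interface=ether2
/interface bridge filter
add chain=forward action=set-priority new-priority=7 in-interface-list=PRIO_PORTS ingress-priority=0
/ip firewall mangle
add chain=forward priority=7 action=mark-packet new-packet-mark=priority7 passthrough=yes
/queue simple
add name=prio7 target=bridge1 packet-marks=priority7 max-limit=10M/10M
```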
Info
Channel: MikroTik
Views: 2,161
Keywords: mikrotik, routerboard, routeros, latvia
Id: q933G_Tq5ds
Length: 34min 48sec (2088 seconds)
Published: Tue Apr 10 2018