Webinar - MikroTik RouterOS Stateful Firewall Howto
About Me Steve Discher, MikroTik Certified Trainer and Consultant; teaches MikroTik certification classes; LearnMikroTik.com; author of RouterOS by Example, the MTCNA textbook
RouterOS by Example 300+ pages and almost 100 examples Follows the MikroTik Certified Network Associate (MTCNA) Course Syllabus to teach all of the vital functions of RouterOS Available from LearnMikroTik.com/book
Intro to the MikroTik Product Line Two broad categories of products: Integrated Solutions RouterBoards
Integrated Solutions RouterBOARD, case, power supply and POE in the case of outdoor products RB750 Series SXT
RouterBOARDs Bare circuit board, optional integrated radio module RB411, RB711 series
Features Features are controlled by the license level Feature set is standard across the entire product line with minor exceptions for concurrent number of tunnels and the ability to operate in multipoint AP mode In summary, a device designed to be a client device will not operate in wireless AP mode but will still perform all complex routing functions
Feature Set Wireless capability, 802.11a/b/g/n, station, AP, wds, mesh, bridging, routing Full suite of routing protocols including BGP, OSPF, MPLS, VPLS Stateful firewalls
Three Hottest New Products from MikroTik
RB1100AHx2 Best performance 1U rackmount Gigabit Ethernet router Dual core CPU, it can reach up to a million packets per second It has thirteen individual gigabit Ethernet ports, two 5-port switch groups, and includes Ethernet bypass capability 2 GB of SODIMM RAM are included, one microSD card slot The RB1100AHx2 comes preinstalled in a 1U aluminum rackmount case, assembled and ready to deploy
RB751U-2HnD 5 Ethernet ports Integrated dual chain 802.11n wireless External MMCX antenna connector
RB750UP 5 port Ethernet router Includes USB 2.0 port Ports 2-5 are POE output ports (500 mA each)!
Mini HowTo Stateful Firewalls
Stateful Firewalls Stateful Firewall - A firewall that is able to track the state and attributes of connections passing through it or to it. Stateless Firewall - Also known as a packet filter, makes go/no-go decisions about packets based on source/destination with no previous knowledge about preceding packets.
Stateless Firewalls 1. Vulnerable to spoofing attacks, since a packet with a plausible source address is accepted on its own merits 2. Don't play well with protocols that open secondary connections, such as FTP 3. Coarse-grained, with little granularity and few advanced options
Stateful Firewalls 1. Invention generally credited to Check Point in the mid 1990s 2. Can store a significant amount of information about connections passing through or to the firewall 3. High level of granularity and highly efficient
Elements of the Foundation for Firewalls 1. Connections 2. Chains 3. Packet matchers 4. Create a simple stateful firewall in RouterOS
Connections Four elements of an IP packet: Source Address/Source Port/Destination Address/Destination Port
Connections Source Address The IP of the computer trying to access the internet Destination Address The IP of the host the computer is trying to access
Connections Source Port The port from which the packet was sent, chosen by the sending host (usually an ephemeral port) Destination Port The port on the destination host that identifies the service being contacted (for example 80 for HTTP)
Connections These four pieces of information define each unique connection seen by the stateful firewall
Connection States In addition to these four pieces of information, connection tracking classifies every packet into one of four connection states: 1. New 2. Established 3. Related 4. Invalid
Connection States 1. New - First time this connection combination (src address, src port, dst address, dst port) has been seen, i.e. the packet opens a new connection 2. Established - Packet belongs to a known connection combination that has seen traffic in both directions 3. Related - Packet opens a new connection that is associated with a known connection, such as an FTP data channel or an ICMP error about an existing connection 4. Invalid - Packet is not part of a known connection combination and cannot validly open a new one (for example a TCP packet with inconsistent flags or sequence numbers)
Summarize Connections Connections Combination - four pieces of information in an IP packet, source address, source port, destination address and destination port Connection states - new, established, related and invalid
Chains In RouterOS, firewalls are constructed using chains Chains are the locations where packets are seen by the firewall Three default chains are Input, Forward and Output
Chains Input - Packets going TO the firewall (protects router) Forward - Packets going THROUGH the router (protects clients) Output - Packets generated by the router itself, or FROM the router (less often used)
Summarize Chains Three default chains: 1. Input - Protects the router 2. Forward - Protects the clients 3. Output - From the router, less commonly used in simple firewalls
Packet Matchers Firewall rules operate on an IF - THEN principle RouterOS uses packet matchers to identify packets (IF) Action tab to perform some action on the packets that match (THEN)
Firewall Rules - Where? IP > Firewall > Filter Rules tab in Winbox (/ip firewall filter in the console)
Packet Matchers General tab: Chain (required) plus optional matchers that make the rule more or less restrictive, e.g. Src. Address 192.168.1.0/24 matches all traffic FROM the 192.168.1.0/24 network Action tab: the action to perform on matching packets
Summarize Packet Matchers General Tab - Specify one or many criteria Action Tab - Perform some action if the packet matches
Create a Simple Stateful Firewall in RouterOS Input Chain 1. Drop invalid connections. 2. Allow the router to be managed from our LAN IP subnet only. 3. Allow connections back to our router IF we initiate the connection. 4. Drop all other packets to the router.
Input Chain - 1 Drop invalid connections to the router.
Input Chain - 2 Allow everything from our subnet.
Input Chain - 3 Special Rule - Allow any inbound traffic IF we initiated it (the established part of the connection.)
Input Chain - 4 Drop everything else from anywhere.
Create a Simple Stateful Firewall in RouterOS Forward Chain 1. Drop invalid connections. 2. Allow new connections if originated from our LAN subnet. 3. Allow related connections. 4. Allow established connections. 5. Drop everything else.
Forward Chain - 1 Drop invalid connections.
Forward Chain - 2 Allow new connections if originated from our LAN subnet.
Forward Chain - 3 Allow related connections.
Forward Chain - 4 Allow established connections.
Forward Chain - 5 Drop everything else.
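The nine rules from the input and forward chains above, entered from the RouterOS console, as an added example (the webinar built them in the Winbox GUI; this listing is not from the slides). It assumes the LAN is 192.168.1.0/24, the subnet used on the packet-matcher slide; substitute your own. Input rule 3 matches established,related rather than established alone so that ICMP error messages tied to connections the router itself opened are also accepted.

```routeros
# Added example: the simple stateful firewall from the webinar, as RouterOS console commands.
# Assumption: the LAN subnet is 192.168.1.0/24 (the subnet shown on the packet-matcher slide).
# Rule order matters: each chain's accept rules must come before its final drop.
/ip firewall filter
# Input chain - protects the router itself
add chain=input connection-state=invalid action=drop \
    comment="Input 1: drop invalid connections to the router"
add chain=input src-address=192.168.1.0/24 action=accept \
    comment="Input 2: allow management from our LAN subnet only"
add chain=input connection-state=established,related action=accept \
    comment="Input 3: allow replies to connections the router initiated"
add chain=input action=drop \
    comment="Input 4: drop everything else sent to the router"
# Forward chain - protects the clients behind the router
add chain=forward connection-state=invalid action=drop \
    comment="Forward 1: drop invalid connections"
add chain=forward connection-state=new src-address=192.168.1.0/24 action=accept \
    comment="Forward 2: allow new connections originating from our LAN"
add chain=forward connection-state=related action=accept \
    comment="Forward 3: allow related connections (e.g. FTP data channel)"
add chain=forward connection-state=established action=accept \
    comment="Forward 4: allow established connections"
add chain=forward action=drop \
    comment="Forward 5: drop everything else passing through the router"
# Check the order and watch the packet counters and the tracked connections
/ip firewall filter print
/ip firewall connection print
```

Type it in safe mode (Ctrl-X in the console): if a mis-ordered rule locks you out, the dropped session reverts the change. Forward rule 2 keys on the pre-NAT source address, which is what the forward chain sees, so LAN hosts can still open new connections through a source-NATed router while anything initiated from the WAN side falls through to rule 5.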
Summarize Firewall Rules Allow what is desired on the input chain. Drop everything else on input chain. Allow desired connection states on forward chain. Drop everything else on forward chain.
Common Errors 1. Rule order is important, accept must come before drop or you could lose your connection to the router. 2. Work in safe mode but don't forget to save occasionally by exiting safe mode and then re-entering it. 3. Start off simple, then build on the foundation provided herein.
Common Errors 4. If you use this example verbatim, don't forget to use YOUR IP subnet in the rules. 5. Use comments in your rules. 6. Make your rules more extensible by using address lists instead of hard-coded subnets. 7. Make your firewall more intelligent by using actions such as add-src-to-address-list, which reacts to what the firewall sees rather than only accepting or dropping.
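Tips 5, 6 and 7 applied to the input chain, as an added example that is not from the webinar: the management subnet lives in an address list so it can be extended without editing rules, and any other host that tries to open a connection to the router is remembered and dropped. The LAN subnet 192.168.1.0/24, the list names management and blocked, and the one-day timeout are assumptions for illustration.

```routeros
# Added example: the webinar's input chain rebuilt with address lists and the
# add-src-to-address-list action. Assumptions: LAN is 192.168.1.0/24; the list names
# "management" and "blocked" and the 1d timeout are illustrative choices.
/ip firewall address-list
add list=management address=192.168.1.0/24 comment="Hosts allowed to manage the router"
# Extend management access later by adding to the list, not by editing filter rules:
# /ip firewall address-list add list=management address=203.0.113.10 comment="admin VPN host"
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input src-address-list=blocked action=drop \
    comment="Drop hosts already caught probing the router, before anything else"
add chain=input src-address-list=management action=accept \
    comment="Management from the address list rather than a hard-coded subnet"
add chain=input connection-state=established,related action=accept \
    comment="Replies to connections the router initiated"
add chain=input connection-state=new action=add-src-to-address-list \
    address-list=blocked address-list-timeout=1d \
    comment="Any other new connection to the router: list the source for one day"
add chain=input action=drop comment="Drop everything else"
# See who has been caught; entries expire on their own after the timeout
/ip firewall address-list print where list=blocked
```

The listing rule does not terminate processing, so the packet still reaches the final drop; the dynamic blocked entry then short-circuits the source's later packets at the second rule. Because the management accept precedes the listing rule, a host on the management list can never list itself. If the router's WAN side legitimately receives unsolicited new connections (a DHCP or PPPoE server, for instance), narrow the listing rule with in-interface= or protocol= before relying on it.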
Questions Get the Book! LearnMikroTik.com/book Class Schedules LearnMikroTik.com, next MTCNA class January 10-12 Houston, Texas, then advanced training February 21-24 in Dallas
Thank You!