Introduction

The firewall implements stateful (by utilizing connection tracking) and stateless packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with Network Address Translation (NAT), it serves as a tool for preventing unauthorized access to directly attached networks and the router itself, as well as a filter for outgoing traffic.

...

  • stateful packet inspection
  • Layer-7 protocol detection
  • peer-to-peer protocols filtering
  • traffic classification by:
    • source MAC address
    • IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
    • port or port range
    • IP protocols
    • protocol options (ICMP type and code fields, TCP flags, IP options, and MSS)
    • interface the packet arrived from or left through
    • internal flow and connection marks
    • DSCP byte
    • packet content
    • rate at which packets arrive and sequence numbers
    • packet size
    • packet arrival time
  • and much more!

How It Works

The firewall operates by means of firewall rules. Each rule consists of two parts: the matcher, which matches traffic flow against given conditions, and the action, which defines what to do with the matched packet.

...

  • Connection tracking
  • Filters
  • NAT
  • Mangle
  • RAW

Connection Tracking

Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way. Because of connection tracking, you can use stateful firewall functionality even with stateless protocols such as UDP.

...

Note

Such a rule set must not be applied on routers with asymmetric routing, because asymmetrically routed packets may be considered invalid and dropped.

Filters

Firewall filters are used to allow or block specific packets forwarded to your local network, originating from your router, or destined for the router.

...

RouterOS also allows filtering packets before connection tracking and selectively sending only specific traffic to connection tracking. This allows us to significantly reduce the load on the CPU and mitigate DoS/DDoS attacks. Configuration of such rules is done in the RAW filtering table.

Network Address Translation (NAT)

Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting as a packet travels from/to the LAN.

...

Warning

Whenever NAT rules are changed or added, the connection tracking table should be cleared; otherwise NAT rules may appear not to function correctly until the connection entry expires.

Types of NAT:

  • source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
  • destination NAT or dstnat. This type of NAT is performed on packets that are destined for the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards a private network.

Source NAT

For example, a basic rule to hide local networks behind one public IP:

...

As you can see from the example, we are using the srcnat chain because we want to manipulate the source information. By specifying the out-interface we ensure that the source is modified only for packets that leave a specific interface, in our case the interface named "Public". The last part is the action, src-nat, which changes the source address of the packet to the global address configured on the "Public" interface.

Masquerade

/ip firewall nat add chain=srcnat action=masquerade out-interface=Public

...

To overcome these limitations RouterOS includes a number of so-called NAT helpers that enable NAT traversal for various protocols.

Destination NAT

Let's see an opposite example where we want to change the destination address or perform port mapping:

...

What this rule does is, when an incoming connection requests TCP port 1234, it uses the dst-nat action and redirects it to local address 192.168.88.2 and port 12340. In this example, we chose to specify ports to illustrate how traffic can be mapped from one port to another. If you do not specify a to-port parameter, then the destination port inside the packet is not changed.
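
The port mapping described above, written out together with a forward-chain filter rule that admits only the mapped connections, as an added example that is not part of the original page. The interface name Public is reused from the Source NAT example and assumed to be the WAN-facing interface; the comments and the rule placement are assumptions.

```routeros
# Added example: dst-nat port mapping plus the filter rule that scopes it.
# Assumption: "Public" is the WAN-facing interface, as in the srcnat example.

/ip firewall nat
# Map TCP 1234 arriving on Public to 192.168.88.2:12340.
# Matching on in-interface keeps the rule from rewriting LAN-originated traffic.
add chain=dstnat in-interface=Public protocol=tcp dst-port=1234 \
    action=dst-nat to-addresses=192.168.88.2 to-ports=12340 \
    comment="example: port map 1234 -> 192.168.88.2:12340"

/ip firewall filter
# dst-nat only rewrites the destination; the packet still traverses the
# forward chain. New connections from Public pass only if a dstnat rule
# matched them. Place this rule before any broad accept in the chain.
add chain=forward in-interface=Public connection-state=new \
    connection-nat-state=!dstnat action=drop \
    comment="example: drop WAN traffic that was not dst-natted"

# NAT rules are consulted for the first packet of a connection; existing
# conntrack entries keep their old translation. After changing NAT rules,
# clear the table as the Warning above says. This removes every tracked
# connection, so active sessions are interrupted.
/ip firewall connection remove [find]
```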

Mangle

Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router; they are not transmitted across the network.

Additionally, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and TTL fields.

Change MSS

It is a known fact that VPN links have a smaller packet size due to encapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has a Don't Fragment flag set, it cannot be fragmented and should be discarded. On links that have broken path MTU discovery (PMTUD) it may lead to a number of problems, including problems with FTP and HTTP data transfer and e-mail services.

...

/ip firewall mangle add out-interface=pppoe-out protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward tcp-mss=1301-65535

Address List

Firewall address lists allow a user to create lists of IP addresses grouped together under a common name. Firewall filter, Mangle and NAT facilities can then use those address lists to match packets against them. The address list records can also be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list items found in NAT, Mangle, and Filter facilities.
Firewall rules with action add-src-to-address-list or add-dst-to-address-list work in passthrough mode, which means that the matched packets will be passed to the next firewall rules.
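
A staged address-list rule set that depends on the passthrough behaviour described above, given as an added example that is not from the original page: repeated new SSH connections move a source through short-lived lists into a blocklist, and a RAW rule drops listed sources before connection tracking, as the Filters section describes. The list names, the timeouts and the choice of port 22 are assumptions.

```routeros
# Added example; list names, timeouts and the SSH port are assumptions.

/ip firewall raw
# Listed sources are dropped before connection tracking, so they create no
# conntrack entries. This drops all traffic from them, not only SSH.
add chain=prerouting src-address-list=ssh_blocklist action=drop \
    comment="example: drop blocklisted sources before conntrack"

/ip firewall filter
# Stages are checked highest first. add-src-to-address-list is passthrough,
# so the packet continues to the rules below it; with stage1 listed first,
# one packet would be promoted through every stage in a single pass.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blocklist address-list-timeout=10d \
    comment="example: stage3 -> blocklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m \
    comment="example: stage2 -> stage3"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m \
    comment="example: stage1 -> stage2"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list \
    address-list=ssh_stage1 address-list-timeout=1m \
    comment="example: first new connection -> stage1"
# None of the rules above gives a verdict, so one is still needed here.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=accept comment="example: accept new SSH after list bookkeeping"
```

With these timeouts, a source that opens a fourth new connection while its stage entries are still live is blocklisted for ten days; tighten the final accept with src-address or in-interface where management access comes from a known network.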

...