
Firewall Mangle

GLC webinar, 5 October 2017

Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
www.glcnetworks.com 1
Agenda

● Introduction
● Firewall
● Firewall mangle
● Demo
● Q&A

What is GLC?

● Garda Lintas Cakrawala (www.glcnetworks.com)


● An Indonesian company
● Located in Bandung
● Areas: Training, IT Consulting
● Mikrotik Certified Training Partner/Consultant/Distributor
● Ubiquiti Certified Trainer/Consultant
● RedHat Certified Trainer

About GLC webinar?

● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with Solaris OS)
● As a sharing event with various
topics: linux, networking, wireless,
database, programming, etc
● Regular schedule: every 2 weeks
● Irregular schedule: as needed
● Checking schedule: http://www.glcnetworks.com/main/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing: knowledge,
experiences, information

Trainer Introduction

● Name: Achmad Mardiansyah


● Base: Bandung, Indonesia
● Linux user (since 1999), Mikrotik user (since 2007),
ubnt user (since 2011)
● Certified Trainer (Mikrotik, Ubiquiti, Redhat)
● Certified Consultant
● Work: Telco engineer, Sysadmin, PHP programmer,
and Lecturer
● Personal website: http://achmadjournal.com
● More info:
http://au.linkedin.com/in/achmadmardiansyah

Please introduce yourself

● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?

Firewall

What is Mikrotik firewall?

● A feature to
○ Control network access (filter)
○ Modify network headers (NAT)
○ Mark packets for further processing (mangle)
● Developed from Linux
● Consists of 2 parts: matcher & action
● Rules are executed sequentially
● The netadmin must understand the application’s characteristics in order to build a matcher (e.g. browsing -> uses TCP port 80)

How does the firewall work?
● Set up the matcher -> then the action
● Mikrotik has lots of options for the matcher -> very flexible
● Matcher + Action = Firewall rule
● Rules are executed sequentially, top to bottom

Where is the packet processed?
A: see the packet flow diagram
Note: IPsec is removed from this diagram

[Packet flow diagram: FORWARD and INPUT chains]

What's the difference between FORWARD and INPUT?

On which chain can you apply filter?

On which chain can you apply NAT?

On which chain can you apply mangle?

Firewall mangle

What happens to packets after mangle?

● Depends on the action
● In most cases, mangle is used for marking -> sequence is important
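As an added example (not part of the original slides) of why sequence and passthrough matter, here are two mangle rules that both match packets to 8.8.8.8, the second one more specific than the first. RouterOS v6 syntax as used elsewhere in the slides; the rule comments and the packet-mark names are assumed.

```routeros
# Added example: rule order and passthrough in /ip firewall mangle (RouterOS v6 syntax).
# Both rules match packets to 8.8.8.8; rule B is more specific (UDP DNS only).
/ip firewall mangle add chain=forward dst-address=8.8.8.8 action=mark-packet new-packet-mark=packet-to-googledns passthrough=no comment="rule A: any packet to 8.8.8.8"
/ip firewall mangle add chain=forward dst-address=8.8.8.8 protocol=udp dst-port=53 action=mark-packet new-packet-mark=dns-to-googledns passthrough=no comment="rule B: DNS to 8.8.8.8"

# Send a DNS query from a LAN host through the router, then look at the counters:
/ip firewall mangle print stats
# Rule A counts the packet and, because passthrough=no, ends mangle processing for it;
# rule B stays at 0 packets, so the dns-to-googledns mark is never set.

# Fix 1: put the more specific rule first (rules are evaluated top to bottom).
/ip firewall mangle move [find comment~"rule B"] destination=[find comment~"rule A"]

# Fix 2 (alternative): let the general rule pass the packet on, so a later rule can re-mark it.
/ip firewall mangle set [find comment~"rule A"] passthrough=yes
```

After either fix, `print stats` shows rule B's packet counter increasing for DNS traffic; checking the counters this way is the quickest confirmation that a marking rule is actually reached.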

Mangle action: mark-packet

● Used to identify packets
● Only one direction. Example:
○ Packet to Google DNS
/ip firewall mangle add chain=forward dst-address=8.8.8.8 action=mark-packet new-packet-mark=packet-to-googledns passthrough=no
○ Packet from Google DNS
/ip firewall mangle add chain=forward src-address=8.8.8.8 action=mark-packet new-packet-mark=packet-from-googledns passthrough=no

[Diagram: 192.168.1.10 behind the router with uplinks ISP1 and ISP2; packets to 8.8.8.8 and packets from 8.8.8.8 are marked separately]

Mangle action: mark-connection

● Connection: a relationship between 2 hosts, identified by:
○ A pair of IP addresses: source & destination
○ A pair of ports: source & destination (if used). Some protocols do not use ports
● Mark-connection is two-way
○ Example: a connection between Google DNS and the webserver
/ip firewall mangle add chain=forward dst-address=8.8.8.8 src-address=192.168.1.10 action=mark-connection new-connection-mark=conn-googledns passthrough=no
● Check it under /ip firewall connection

[Diagram: 192.168.1.10 behind the router with uplinks ISP1 and ISP2; one connection between 8.8.8.8 and 192.168.1.10, marked in both directions]

Mangle action: mark-routing

● Used to mark packets for routing purposes. Routers forward packets, not connections :-p
● Must be done before the routing table is consulted -> prerouting
● Needs support from the routing table. Example (the mark is set in prerouting, because in forward the routing decision has already been made):
○ /ip firewall mangle add chain=prerouting dst-address=8.8.8.8 src-address=192.168.1.10 action=mark-routing new-routing-mark=via-isp1 passthrough=no
○ /ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=via-isp1
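Added example, not from the slides: the complete policy-routing pattern that the three mangle actions above combine into, using the addresses from the diagram (host 192.168.1.10, ISP1 gateway 1.1.1.1, ISP2 gateway 2.2.2.2). It marks the connection once, then stamps the routing mark on every packet of that connection in prerouting, and adds the route that honours the mark. RouterOS v6 syntax; the rule comments and the second default route via ISP2 are assumptions.

```routeros
# Added example: policy routing with mangle (RouterOS v6 syntax, addresses from the diagram).
# Routing marks only take effect in prerouting (transit traffic) and output (the router's
# own traffic), because those are the chains seen before the routing decision.

# 1. Mark the connection on its first packet only (connection-mark=no-mark keeps
#    already-marked connections from being re-evaluated on every packet).
/ip firewall mangle add chain=prerouting src-address=192.168.1.10 dst-address=8.8.8.8 connection-mark=no-mark action=mark-connection new-connection-mark=conn-googledns passthrough=yes comment="1: mark conn to google DNS"

# 2. Stamp the routing mark on every packet of that connection leaving the LAN host.
#    passthrough=yes on rule 1 is what lets the first packet reach this rule in the same pass;
#    src-address keeps the reply packets (from 8.8.8.8) out of the marked table.
/ip firewall mangle add chain=prerouting connection-mark=conn-googledns src-address=192.168.1.10 action=mark-routing new-routing-mark=via-isp1 passthrough=no comment="2: route conn-googledns via ISP1"

# 3. Route that honours the mark; check-gateway=ping deactivates it if ISP1 stops answering.
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=via-isp1 check-gateway=ping comment="policy route via ISP1"

# 4. Assumed: the normal default route for unmarked traffic goes via ISP2.
/ip route add dst-address=0.0.0.0/0 gateway=2.2.2.2 comment="default via ISP2"

# Verify: the connection carries the mark, the mangle counters grow, the marked route exists.
/ip firewall connection print where connection-mark=conn-googledns
/ip firewall mangle print stats where chain=prerouting
/ip route print where routing-mark=via-isp1
```

The order of rules 1 and 2 is not interchangeable: rule 2 matches on the connection mark that rule 1 sets, so putting it first means the very first packet of each connection is routed through the main table instead of via ISP1.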

[Diagram: 192.168.1.10 behind the router; ISP1 gateway 1.1.1.1, ISP2 gateway 2.2.2.2; destination 8.8.8.8]

Packets from 192.168.1.10 will be forwarded via ISP1 by the routing table, because they have the “via-isp1” mark

Interested?
Just come to our training...
Special price for webinar attendees…

http://www.glcnetworks.com/main/schedule

End of slides

● Thank you for your attention


● Please submit your feedback: http://bit.ly/glcfeedback
● Like our facebook page: “GLC networks”
● Slides: http://www.slideshare.net/r41nbuw
● Recording: https://www.youtube.com/channel/UCI611_IIkQC0rsLWIFIx_yg
● Stay tuned to our schedule
