Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
www.glcnetworks.com 1
Agenda
● Introduction
● Firewall
● Firewall mangle
● Demo
● Q&A
What is GLC?
About GLC webinar?
Trainer Introduction
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your MikroTik experience?
● Your expectation from this course?
Firewall
What is the MikroTik firewall?
● A feature to
○ Control network access (filter)
○ Modify network headers (NAT)
○ Mark packets for further processing (mangle)
● Developed from Linux
● Consists of 2 parts: matcher and action
● Rules are executed sequentially
● The netadmin must understand the application's characteristics in order to build a matcher (e.g. browsing -> uses TCP port 80)
How does the firewall work?
● Set up the matcher -> then the action
● MikroTik has lots of options for the matcher -> very flexible
● Matcher + Action = Firewall rule
● Rules are executed sequentially
Where is the packet processed?
A: see the packet flow diagram
[Diagram: MikroTik packet flow; note: IPsec is removed in this diagram]
[Diagram: packet flow with the FORWARD and INPUT chains highlighted]
What's the difference between forward and input?
On which chain can you apply filter?
On which chain can you apply NAT?
On which chain can you apply mangle?
Firewall mangle
What happens to packets after mangle?
● Depends on the action
● In most cases, mangle is used for marking -> the sequence of rules is important
Mangle action: mark-packet
[Diagram: hosts 192.168.1.10 and 8.8.8.8; "packets to 8.8.8.8" and "packets from 8.8.8.8" are marked separately, per packet]
Mangle action: mark-connection
[Diagram: hosts 192.168.1.10 and 8.8.8.8; the whole connection between 8.8.8.8 and 192.168.1.10 carries one mark]
Mangle action: mark-routing
● Is used to mark packets for routing purposes. The router forwards packets, not connections :-p
● Should be done before the routing table is read -> prerouting
● Needs support from the routing table. Example (the mangle rule is placed in the prerouting chain, as the previous point requires):
○ /ip firewall mangle add chain=prerouting dst-address=8.8.8.8 src-address=192.168.1.10 action=mark-routing new-routing-mark=via-isp1 passthrough=no
○ /ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=via-isp1
[Diagram: 192.168.1.10 -> router -> isp1] Packets from 192.168.1.10 will be forwarded via isp1 by the routing table, because they carry the "via-isp1" mark.
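To make the sequential matcher/action evaluation, the effect of passthrough=no and the routing-mark lookup concrete, here is a small Python model (an added example, not code from the slides or from MikroTik). The rule and packet fields, the "lan-out" packet mark and the second route via 10.0.0.1 are constructed assumptions.

```python
"""Toy model of RouterOS mangle marking followed by a routing-mark lookup.
Added example; rule/packet fields and the two routes are constructed."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    chain: str
    match: dict            # matcher, e.g. {"src-address": "192.168.1.10"}
    action: str            # "mark-routing" or "mark-packet"
    new_mark: str
    passthrough: bool = True   # RouterOS default: keep evaluating later rules

@dataclass
class Packet:
    src: str
    dst: str
    marks: dict = field(default_factory=dict)   # "packet-mark", "routing-mark"

# Constructed rules mirroring the slide, in prerouting so the mark exists
# before the routing decision (as the slide's own note requires).
MANGLE = [
    Rule("prerouting", {"src-address": "192.168.1.10", "dst-address": "8.8.8.8"},
         "mark-routing", "via-isp1", passthrough=False),
    Rule("prerouting", {"src-address": "192.168.1.10"}, "mark-packet", "lan-out"),
]
# Constructed routes: (dst prefix, gateway, routing table/mark); "main" is default.
ROUTES = [("0.0.0.0/0", "1.1.1.1", "via-isp1"), ("0.0.0.0/0", "10.0.0.1", "main")]

def matches(rule, pkt):
    fields = {"src-address": pkt.src, "dst-address": pkt.dst}
    return all(fields.get(k) == v for k, v in rule.match.items())

def run_chain(chain, pkt):
    """Rules run in order; passthrough=no stops the chain at the first hit."""
    for rule in (r for r in MANGLE if r.chain == chain):
        if not matches(rule, pkt):
            continue
        pkt.marks[rule.action.replace("mark-", "") + "-mark"] = rule.new_mark
        if not rule.passthrough:
            break
    return pkt

def route(pkt):
    """Run prerouting mangle, then pick the gateway from the table named by the
    routing-mark, falling back to main when the packet carries no mark."""
    run_chain("prerouting", pkt)
    table = pkt.marks.get("routing-mark", "main")
    for _prefix, gateway, mark in ROUTES:
        if mark == table:
            return gateway
    return next(gw for _p, gw, m in ROUTES if m == "main")   # marked table empty
```

The first packet stops at the mark-routing rule (passthrough=no) and never receives the "lan-out" mark; the reply direction from 8.8.8.8 matches nothing and uses the main table.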
Interested?
Just come to our training...
Special price for webinar attendees...
http://www.glcnetworks.com/main/schedule
End of slides