
Webinar - MikroTik RouterOS

Stateful Firewall HowTo

About Me

Steve Discher

Author of RouterOS by Example, the MTCNA Textbook

MikroTik Certified Trainer and Consultant, teach MikroTik Certification classes, LearnMikroTik.com

RouterOS by Example
300+ pages and almost 100 examples
Follows the MikroTik Certified Network Associate (MTCNA) Course Syllabus to teach all of the vital functions of RouterOS

Available from LearnMikroTik.com/book

Intro to the MikroTik Product Line
Two broad categories of products:
Integrated Solutions
RouterBOARDs

Integrated Solutions
RouterBOARD, case, power supply and POE in the case of outdoor products

RB750 Series

SXT

RouterBOARDs
Bare circuit board, optional integrated radio module

RB411

RB711 series

Features

Features are controlled by the license level

In summary, a device designed to be a client device will not operate in wireless AP mode but will still perform all complex routing functions

Feature set is standard across the entire product line with minor exceptions for the concurrent number of tunnels and the ability to operate in multipoint AP mode

Feature Set
Wireless capability, 802.11a/b/g/n, station, AP, WDS, mesh, bridging, routing

Full suite of routing protocols including BGP, OSPF, MPLS, VPLS

Stateful firewalls

Three Hottest New Products from MikroTik

RB1100AHx2

Best performance 1U rackmount Gigabit Ethernet router
Dual core CPU, it can reach up to a million packets per second
It has thirteen individual gigabit Ethernet ports, two 5-port switch groups, and includes Ethernet bypass capability
2 GB of SODIMM RAM are included, one microSD card slot
The RB1100AHx2 comes preinstalled in a 1U aluminum rackmount case, assembled and ready to deploy

RB751U-2HnD

5 Ethernet ports
Integrated dual chain 802.11n wireless
External MMCX antenna connector

RB750UP

5 port Ethernet router
Includes USB 2.0 port
Ports 2-5 are POE ports (500 mA each)!

Mini HowTo
Stateful Firewalls

Stateful Firewalls
Stateful Firewall - A firewall that is able to track the state and attributes of connections passing through it or to it.

Stateless Firewall - Also known as a packet filter, makes go/no-go decisions about each packet based on source/destination with no knowledge of the preceding packets.

Stateless Firewalls
1. Vulnerable to spoofing attacks
2. Don't play well with certain protocols such as FTP, which opens a second data connection on a port negotiated in-band
3. Brute force firewalls with little granularity and few advanced options

Stateful Firewalls
1. Invention generally credited to Check Point in the mid 1990s
2. Can store a significant amount of information about packets passing through or to the firewall
3. High level of granularity and highly efficient.

Elements of the
Foundation for Firewalls
1. Connections
2. Chains
3. Packet matchers
4. Create a simple stateful firewall in
RouterOS

Connections
Four elements identify a connection in an IP packet:
Source Address/Source Port/Destination Address/Destination Port
(the addresses come from the IP header, the ports from the TCP or UDP header that follows it)

Connections
Source Address
The IP of the computer trying to access the internet

Destination Address
The IP of the host the computer is trying to access

Connections
Source Port
The port from which the packet was sent, chosen by the host sending the packet (usually a random high "ephemeral" port)

Destination Port
The port on the destination host the packet is addressed to, which identifies the service being asked for (for example 80 for HTTP)

Connections
These four pieces of information define each unique connection seen by the stateful firewall

Connection States
In addition to these four pieces of information, every packet is classified into one of four connection states:

1. New
2. Established
3. Related
4. Invalid

Connection States
1. New - First packet of a connection; this combination of src address, src port, dst address, dst port has not been seen before (for TCP, the initial SYN)
2. Established - Belongs to a connection combination that is already in the connection table
3. Related - Starts a new connection that is tied to a known one (for example the FTP data channel, or an ICMP error message about an existing connection)
4. Invalid - Not part of a known connection combination and not a valid start of a new one (for example a malformed packet, or a TCP packet that is out of state)

Summarize Connections
Connection combination - four pieces of information in an IP packet: source address, source port, destination address and destination port. Strictly, the connection tracker also keys on the protocol (TCP, UDP, ICMP), so the same port pair under TCP and under UDP is two different connections.

Connection states - new, established, related and invalid

Chains
In RouterOS, firewalls are constructed using chains

Chains are the locations where packets are seen by the firewall

Three default chains in the filter table are Input, Forward and Output

Chains
Input - Packets going TO the router itself (protects the router)

Forward - Packets going THROUGH the router (protects clients)

Output - Packets generated by the router itself, or FROM the router (less often used)

Summarize Chains
Three default chains:
1. Input - Protects the router
2. Forward - Protects the clients
3. Output - From the router, less commonly used in simple firewalls

Packet Matchers
Firewall rules operate on an IF - THEN principle

RouterOS uses packet matchers to identify packets (IF)

Action tab to perform some action on the packets that match (THEN)

Firewall Rules - Where?
IP > Firewall > Filter Rules in Winbox, or /ip firewall filter from the terminal.

Packet Matchers (screenshot of a filter rule)
Src. Address 192.168.1.0/24 - matches all traffic FROM the 192.168.1.0/24 network
Chain - where the rule is evaluated
Other matchers - optional, make the rule more or less restrictive
Action Tab - action to perform

Summarize Packet Matchers
General Tab - Specify one or many criteria
Action Tab - Perform some action if the packet matches

Create a Simple Stateful Firewall in RouterOS
Input Chain
1. Drop invalid connections.
2. Allow the router to be managed from our LAN IP subnet only.
3. Allow connections back to our router IF we initiated the connection.
4. Drop all other packets to the router.

Input Chain - 1

Drop invalid connections to the router.

Input Chain - 2

Allow everything from our subnet.

Input Chain - 3

Special Rule - Allow any inbound traffic IF we initiated it (the established part of the connection.)

Input Chain - 4

Drop everything else from anywhere.
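The four input chain rules above as they are typed into the RouterOS terminal, added here as a worked example for this page (it is not a screenshot or script from the webinar). Rule 2 is the same matcher shown on the Packet Matchers slide. The LAN subnet 192.168.1.0/24 is taken from that slide and is an assumption; substitute your own subnet.

```routeros
# Input chain: protects the router itself. Rules are evaluated top to
# bottom, so the accepts must come before the final drop.
/ip firewall filter

# 1. Drop packets that belong to no tracked connection and cannot start
#    one (malformed or out-of-state packets).
add chain=input connection-state=invalid action=drop \
    comment="Input 1: drop invalid"

# 2. Management from the LAN subnet only. 192.168.1.0/24 is an assumed
#    LAN subnet (the one on the webinar screenshot); replace it with yours.
add chain=input src-address=192.168.1.0/24 action=accept \
    comment="Input 2: allow everything from our LAN subnet"

# 3. Replies to connections the router opened itself (DNS lookups, NTP,
#    package downloads). connection-state=established matches packets of
#    connections that are already in the tracking table.
add chain=input connection-state=established action=accept \
    comment="Input 3: allow established (we initiated it)"

# 4. Everything else aimed at the router, from anywhere, is dropped.
add chain=input action=drop \
    comment="Input 4: drop everything else"

# Verify the order; the packet and byte counters show which rule a
# connection attempt actually hit.
/ip firewall filter print where chain=input

# The connection table the rules consult: each entry is a src/dst address
# and port combination plus its protocol and current state.
/ip firewall connection print
```

Enter the rules from a host inside 192.168.1.0/24 and while in safe mode, because rule 4 drops your own session the moment rule 2 is wrong. Rule 3 accepts only established; if the router's own traffic needs related packets as well (ICMP errors about its connections, the data channel when the router fetches a file by FTP), add related to that rule, which RouterOS accepts as connection-state=established,related.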

Create a Simple Stateful Firewall in RouterOS
Forward Chain
1. Drop invalid connections.
2. Allow new connections if originated from our LAN subnet.
3. Allow related connections.
4. Allow established connections.
5. Drop everything else.

Forward Chain - 1 to 5 (one screenshot per rule above)
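The five forward chain rules in terminal form, added here as a worked example (not from the webinar). As before, 192.168.1.0/24 is the assumed LAN subnet; the LAN interface name ether2 is also an assumption, since the slides name no interface. The in-interface matcher on rule 2 is a hardening the slides do not show, explained in the comment.

```routeros
# Forward chain: protects the clients behind the router.
/ip firewall filter

# 1. Drop packets that belong to no tracked connection and cannot start one.
add chain=forward connection-state=invalid action=drop \
    comment="Forward 1: drop invalid"

# 2. New connections are allowed only when they originate from our LAN.
#    in-interface=ether2 (assumed LAN interface) is added on top of the
#    slide's src-address match: without it a packet arriving on the WAN
#    port with a spoofed 192.168.1.x source would also match this rule.
add chain=forward connection-state=new src-address=192.168.1.0/24 \
    in-interface=ether2 action=accept \
    comment="Forward 2: allow new from our LAN subnet"

# 3. Related: a new connection tied to an existing one, e.g. the FTP data
#    channel the client negotiated in-band, or an ICMP error about a
#    tracked connection. This is what lets FTP through a stateful firewall;
#    the helper that reads the FTP control channel is enabled under
#    /ip firewall service-port.
add chain=forward connection-state=related action=accept \
    comment="Forward 3: allow related"

# 4. Established: reply traffic for connections the LAN already opened.
add chain=forward connection-state=established action=accept \
    comment="Forward 4: allow established"

# 5. Anything else trying to pass through the router, i.e. new connections
#    from the internet towards the LAN, is dropped.
add chain=forward action=drop \
    comment="Forward 5: drop everything else"

/ip firewall filter print where chain=forward
```

Note that a port forward (dst-nat) towards a LAN host still arrives in the forward chain as a new connection from the internet, so it needs its own accept rule for the forwarded port placed ahead of rule 5; otherwise the NAT rule translates the packet and rule 5 drops it.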

Summarize Firewall Rules
Allow what is desired on the input chain.
Drop everything else on the input chain.
Allow desired connection states on the forward chain.
Drop everything else on the forward chain.

Common Errors
1. Rule order is important: accepts must come before the drop, or you could lose your connection to the router.
2. Work in safe mode (Ctrl-X in the terminal, or the Safe Mode button in Winbox), but don't forget to save occasionally by exiting safe mode and then re-entering it. If your session drops while in safe mode, everything changed since you entered it is rolled back, which is what protects you from a lock-out.
3. Start off simple, then build on the foundation provided herein.

Common Errors
4. If you use this example verbatim, don't forget to use YOUR IP subnet in the rules.
5. Use comments in your rules.
6. Make your rules more extensible by using address lists.
7. Make your firewall more intelligent by using intelligent actions.
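Points 6 and 7 worked through in terminal form, added here as an example for this page (not from the webinar): the input chain rebuilt so that the management rule matches an address list instead of a hard-coded subnet, plus one "intelligent" action, add-src-to-address-list, which records hosts that probe the router into a dynamic list with a timeout. The list names management and router_probes, the one hour timeout, the LAN subnet 192.168.1.0/24 and the second admin network 10.0.0.0/24 are all assumed values. On a router that already carries the four input rules from the earlier slides, remove those first; this block replaces them.

```routeros
# Address lists keep the "who" out of the rules: adding a second admin
# network is a one-line change, not a rule rewrite.
/ip firewall address-list
add list=management address=192.168.1.0/24 comment="LAN (assumed subnet)"
add list=management address=10.0.0.0/24 comment="VPN admin net (assumed)"

/ip firewall filter

# 1. Drop invalid, as before.
add chain=input connection-state=invalid action=drop \
    comment="Input: drop invalid"

# 2. Anyone already recorded as a prober is dropped at once. This sits
#    near the top so the dynamic list short-circuits further matching.
add chain=input src-address-list=router_probes action=drop \
    comment="Input: drop recorded probers"

# 3. Management from every address on the list, not one fixed subnet.
add chain=input src-address-list=management action=accept \
    comment="Input: allow management from the management list"

# 4. Replies to connections the router opened itself.
add chain=input connection-state=established action=accept \
    comment="Input: allow established"

# 5. The intelligent action: a host that is NOT on the management list and
#    still tries to open a NEW connection to the router is recorded for one
#    hour. add-src-to-address-list does not stop rule processing, so the
#    same packet continues on to the final drop below; on the host's next
#    packet rule 2 drops it before anything else is evaluated.
add chain=input connection-state=new src-address-list=!management \
    action=add-src-to-address-list address-list=router_probes \
    address-list-timeout=1h \
    comment="Input: record hosts probing the router"

# 6. Everything else aimed at the router is dropped.
add chain=input action=drop \
    comment="Input: drop everything else"

# Order check (the accepts must precede the drops) and a look at who has
# been recorded; dynamic entries carry the D flag and expire on their own.
/ip firewall filter print where chain=input
/ip firewall address-list print where list=router_probes
```

Keep the recording rule after the management accept, otherwise a typo in the management list puts your own workstation on the router_probes list and rule 2 locks you out until the timeout expires; safe mode covers that case too.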

Questions
Get the Book! LearnMikroTik.com/book
Class Schedules LearnMikroTik.com,
next MTCNA class January 10-12
Houston, Texas, then advanced training
February 21-24 in Dallas

Thank You!
