
Webinar - MikroTik RouterOS

Stateful Firewall Howto

About Me

Steve Discher

Author of RouterOS by Example, the MTCNA Textbook

MikroTik Certified Trainer and Consultant,
teaches MikroTik Certification classes

RouterOS by Example
300+ pages and almost 100 examples
Follows the MikroTik Certified Network
Associate (MTCNA) Course Syllabus to
teach all of the vital functions of RouterOS

Available from

Intro to the MikroTik
Product Line
Two broad categories of products:
Integrated Solutions

Integrated Solutions
RouterBOARD, case, power supply and
POE in the case of outdoor products,
e.g. the RB750 Series

Bare circuit board, optional integrated radio

Features are controlled by the license level:
a device designed to be a client device will
not operate in wireless AP mode, but will still
perform all of the routing functions

The feature set is standard across the entire
product line, with minor exceptions for the
concurrent number of tunnels and the ability to
operate in multipoint AP mode

Feature Set
Wireless capability, 802.11a/b/g/n, station,
AP, WDS, mesh, bridging, routing
Full suite of routing protocols including
Stateful firewalls

Three Hottest New
Products from MikroTik

RB1100AH
Best performance 1U rackmount Gigabit Ethernet router
Dual core CPU, it can reach up to a million packets per
second
It has thirteen individual gigabit Ethernet ports, two 5-port
switch groups, and includes Ethernet bypass capability
2 GB of SODIMM RAM are included, one microSD card slot
The RB1100AH comes preinstalled in a 1U aluminum
rackmount case, assembled and ready to deploy

5 Ethernet ports
Integrated dual chain 802.11n wireless
External MMCX antenna connector

5 port Ethernet router
Includes USB 2.0 port
Ports 2-5 are POE ports (500 mA each)!

Mini HowTo
Stateful Firewalls

Stateful Firewalls
Stateful Firewall - A firewall that is able to
track the state and attributes of
connections passing through it or to it.

Stateless Firewall - Also known as a packet
filter, makes go/no-go decisions about
packets based on source/destination with
no previous knowledge about preceding
packets.

Stateless Firewalls
1. Vulnerable to spoofing attacks: a rule that
accepts TCP from source port 80 so that web
replies can get back in also accepts any
forged packet that claims source port 80.
2. Don't play well with certain protocols such
as FTP, whose data connections use ports
negotiated inside the control connection.
3. Brute force firewalls with little granularity
and few advanced options.

Stateful Firewalls
1. Invention generally credited to Check Point
in the mid 1990s.
2. Can store a significant amount of
information about packets passing through
or to the firewall.
3. High level of granularity and highly efficient.

Elements of the
Foundation for Firewalls
1. Connections
2. Chains
3. Packet matchers
4. Create a simple stateful firewall in
RouterOS

Four elements of an IP packet:
Source Address/Source Port/Destination Address/Destination Port

Source Address
The IP of the computer trying to access
the internet

Destination Address
The IP of the host the computer is
trying to access

Source Port
The port from which the packet was sent,
chosen by the host sending the packet
(normally a random high-numbered port)

Destination Port
The port the packet is addressed to on the
destination host, which identifies the
service, e.g. 80 for HTTP

These four pieces of information (together
with the protocol, e.g. TCP or UDP) define
each unique connection seen by the stateful
firewall
Connection States
In addition to these four pieces of
information, every packet is classified into
one of four connection states:

1. New
2. Established
3. Related
4. Invalid

Connection States
1. New - The first packet of a connection:
this combination of src address, src port,
dst address and dst port has not been
seen before.
2. Established - Belongs to a known connection
combination that has already seen a reply.
3. Related - Not part of a known connection,
but expected because of one, e.g. an FTP
data connection or an ICMP error that refers
to an existing connection.
4. Invalid - Not part of a known connection
combination and cannot start a new one, e.g.
an ICMP error that refers to no tracked
connection, or a TCP packet with an impossible
flag combination. There is no legitimate
reason to accept it.

Connection States

Connection combination - four pieces of
information in an IP packet: source address,
source port, destination address and
destination port

Connection states - new, established,
related and invalid

In RouterOS, firewalls are constructed
using chains

Chains are the locations where packets are
seen by the firewall

Three default chains are Input, Forward and
Output

Input - Packets going TO the firewall
(protects router)

Forward - Packets going THROUGH the
router (protects clients)

Output - Packets generated by the router
itself, or FROM the router (less often used)

Summarize Chains
Three default chains:
1. Input - Protects the router
2. Forward - Protects the clients
3. Output - From the router, less
commonly used in simple firewalls

Packet Matchers
Firewall rules operate on an IF - THEN basis

RouterOS uses packet matchers to
identify packets (IF)

Action tab to perform some action on the
packets that match (THEN)

Firewall Rules - Where?
(screenshot of the firewall rule list, not reproduced)

Packet Matchers
(screenshot of the General tab: a rule that
matches all traffic FROM our network, i.e. a
source address match)

Action Tab
(screenshot of the Action tab: the action to
take on packets that match)

Summarize Packet Matchers
General Tab - Specify one or many criteria
Action Tab - Perform some action if the
packet matches

Create a Simple Stateful
Firewall in RouterOS
Input Chain
1. Drop invalid connections.
2. Allow the router to be managed from our
LAN IP subnet only.
3. Allow connections back to our router IF we
initiated the connection.
4. Drop all other packets to the router.

Input Chain - 1
Drop invalid connections to the router.

Input Chain - 2
Allow everything from our subnet.

Input Chain - 3
Special Rule - Allow any inbound traffic IF we
initiated it (the established part of the
stateful firewall).

Input Chain - 4
Drop everything else from anywhere.

Create a Simple Stateful

Firewall in RouterOS
Forward Chain
1. Drop invalid connections.
2. Allow new connections if originated from our
LAN subnet.
3. Allow related connections.
4. Allow established connections.
5. Drop everything else.

Forward Chain - 1

Forward Chain - 2

Forward Chain - 3

Forward Chain - 4

Forward Chain - 5
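The four input rules and five forward rules described above, written out as RouterOS terminal commands. This is an added example and not the deck's own configuration (the slides showed WinBox screenshots). The LAN subnet 192.168.88.0/24 and the address-list name lan are assumptions; the subnet is kept in an address list so it can be changed or extended without editing the rules. Input rule 3 accepts related as well as established traffic, which the slide does not say, so that ICMP errors and FTP data channels for connections the router itself opened are not caught by rule 4.

```routeros
# Added example: simple stateful firewall (input + forward) for RouterOS.
# Assumed LAN subnet: 192.168.88.0/24 - replace it with YOUR subnet before pasting.
# connection-state matching needs connection tracking to be on.
/ip firewall connection tracking set enabled=yes

# Keep the subnet out of the rules themselves so it can be extended later.
/ip firewall address-list
add list=lan address=192.168.88.0/24 comment="our LAN subnet (assumed)"

/ip firewall filter
# --- input chain: protects the router ---
add chain=input connection-state=invalid action=drop \
    comment="input 1: drop invalid connections"
add chain=input src-address-list=lan action=accept \
    comment="input 2: manage the router from the LAN only"
add chain=input connection-state=established,related action=accept \
    comment="input 3: replies to connections the router initiated"
add chain=input action=drop \
    comment="input 4: drop everything else sent to the router"

# --- forward chain: protects the clients ---
add chain=forward connection-state=invalid action=drop \
    comment="forward 1: drop invalid connections"
add chain=forward connection-state=new src-address-list=lan action=accept \
    comment="forward 2: new connections only if they start on the LAN"
add chain=forward connection-state=related action=accept \
    comment="forward 3: related connections (FTP data, ICMP errors)"
add chain=forward connection-state=established action=accept \
    comment="forward 4: established connections"
add chain=forward action=drop \
    comment="forward 5: drop everything else"
```

Paste it from a host on the LAN into a terminal session with safe mode on (Ctrl+X in the terminal, the Safe Mode button in WinBox), since input rule 4 closes every other path to the router. The order of the add commands is the order the rules are evaluated in, so the accept rules land in front of the catch-all drops. /ip firewall filter print stats shows which rules are matching packets, and /ip firewall connection print lists the tracked connections with their state.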

Summarize Firewall
Allow what is desired on the input chain.
Drop everything else on input chain.
Allow desired connection states on
forward chain.
Drop everything else on forward chain.

Common Errors
1. Rule order is important: rules are checked
top down, so an accept must be before the
catch-all drop or you could lose your connection.
2. Work in safe mode, but don't forget to save
occasionally by exiting safe mode and then
re-entering it.
3. Start off simple, then build on the
foundation provided herein.
4. If you use this example verbatim, don't
forget to use YOUR IP subnet in the rules.
5. Use comments in your rules.
6. Make your rules more extensible by using
address lists.
7. Make your firewall more intelligent by using
intelligent actions.
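Items 6 and 7 applied to the input chain described above, as an added example that is not from the slides. It assumes the input and forward rules from the previous section are loaded in that order and are the only filter rules, so that /ip firewall filter print shows "drop invalid" as rule 0 and the LAN accept rule as rule 1, and that the LAN rules match on an address list named lan rather than on a literal subnet. The second subnet, the port numbers and the one-hour timeout are assumptions, and reading "intelligent actions" as the add-src-to-address-list action is my interpretation, not the author's.

```routeros
# Added example: address lists and a dynamic block list (all values are assumptions).
# Assumes the nine rules described above are the only filter rules, loaded in order,
# and that they match the LAN via src-address-list=lan.

# Address lists: the rules match on the list name, so a new subnet is added here
# and no rule has to be edited. The first LAN subnet is assumed to be on the list already.
/ip firewall address-list
add list=lan address=10.10.0.0/24 comment="second LAN subnet, added without touching the rules"

# An action that reacts to what the firewall sees: an outside host that opens a
# connection to SSH (22) or WinBox (8291) on the router is put on the dynamic list
# "blocked" for one hour, and a drop rule in front of it discards everything from
# that host while the entry lives. Both rules go after "drop invalid" and before
# the accept rules, hence place-before=1; the second add lands in front of the first,
# so the drop is checked before the tagging rule.
/ip firewall filter
add chain=input protocol=tcp dst-port=22,8291 connection-state=new \
    src-address-list=!lan action=add-src-to-address-list \
    address-list=blocked address-list-timeout=1h place-before=1 \
    comment="tag outside hosts that probe management ports"
add chain=input src-address-list=blocked action=drop place-before=1 \
    comment="drop everything from tagged hosts while the entry lives"
```

/ip firewall address-list print where list=blocked shows the tagged hosts as dynamic entries with their remaining timeout, and /ip firewall filter print confirms the two new rules sit at positions 1 and 2, ahead of the accept rules.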

Get the Book!
Class Schedules:
next MTCNA class January 10-12,
Houston, Texas, then advanced training
February 21-24 in Dallas

Thank You!
