Nvsu FR Icd 05 00 Module 7 (Sam101) Student
Bandwidth management is the most popular service of the MikroTik router; it is often said that MikroTik routers are used mainly for it. As most offices and ISP companies now use MikroTik routers to manage their users' bandwidth, it is worth knowing how to do bandwidth management properly on a MikroTik router. This article is therefore designed to show you a proper and simple way to manage the internet bandwidth of any office or ISP company with a MikroTik router.
V. LESSON CONTENT
MikroTik Firewall
The MikroTik firewall separates good traffic from bad traffic; by the definition of a firewall, it should allow good traffic and reject bad traffic. Every packet, good or bad, is doing one of the following three things in a MikroTik router:
• entering the MikroTik router,
• leaving the MikroTik router, or
• passing through the MikroTik router.
MikroTik administrators like you and me always want only good traffic to enter and pass through our MikroTik router, but that is not always the case: we constantly have to fight bad traffic. When a local network is connected to public networks, there is always a threat that someone outside your local network will break into it. Such a break-in may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. The MikroTik firewall is used to prevent or minimize these security risks. It has a lot of firewalling features as well as masquerading capabilities that help hide your private network from bad traffic outside.
The key features of the MikroTik firewall are network packet inspection, Layer-7 protocol detection and peer-to-peer protocol filtering. The firewall can also classify network traffic by source MAC address, IP address, port or port range, IP protocol, the interface the packet arrived from or left through, packet content, packet size, packet arrival time and much more.
By default, the MikroTik firewall allows all traffic entering your router, leaving your router or passing through your router. Initially, that is, the MikroTik router acts as an open firewall: there is no barrier and all traffic is considered good. So if you consider some traffic bad and need to block it, you have to apply a MikroTik firewall rule.
A MikroTik firewall rule is simply a meaningful statement used to allow good traffic or block bad traffic; the whole MikroTik firewall operates on such rules. So what is in a firewall rule? There are two parts:
• the matcher, or conditional part, which checks the traffic flow against the given conditions, and
• the action part, which decides what to do with a packet that matches those conditions.
Firewall Components
The RouterOS firewall uses three components to police traffic:
• Chains
• Rules
• Actions
The conditional part of a firewall rule takes various property values that a packet must match for the rule to apply. If you open the MikroTik firewall in the Winbox software via IP > Firewall > Filter Rules and click the plus sign (+) to create a new firewall rule, you will find General, Advanced and Extra tabs that together make up the firewall conditions. A lot of property options, or parameters, are available in the conditional part of the MikroTik firewall. Most of them are self-explanatory, but among them the chain parameter often confuses a new MikroTik administrator. It is not so complex if you take the time to understand it.
• Input processes packets that are entering your MikroTik router. These packets may arrive on any interface of your router, so any packet that is coming to your MikroTik router and carries a MikroTik interface IP address as its destination IP address is processed by the input chain. In short, when the MikroTik router is the destination, it is input chain activity. For example, if you or anyone else connects to the MikroTik router with SSH or Winbox, or browses its HTTP content, the destination IP address is one of the MikroTik IP addresses. This is input chain activity, and if you want to block the SSH or HTTP protocol, you have to select the input chain in the firewall rule.
• Output processes packets that originate from your MikroTik router and leave it through one of the MikroTik interfaces. So a packet leaving your router with an interface IP address as its source IP address is processed by the output chain. In short, when the MikroTik router address is the packet's source address, it is output chain activity. For example, if you ping a remote server from your MikroTik console, the source IP address is your MikroTik IP address, so this is output chain activity.
• Forward processes packets that pass through your MikroTik router. In this case, the MikroTik router is neither source nor destination. In short, when a packet passes through the MikroTik router, it is forward chain activity. For example, when your LAN users browse a website, their packets pass through your MikroTik router; the destination is the web server and the source is your LAN user, so this is forward chain activity. If you want to block a user from accessing any web server, you have to select the forward chain in the firewall rule.
The following diagram shows how packets are processed in your MikroTik router, including the input, output and forward chains.
C. Drop
The drop action forces the router to stop processing a packet. No further action is taken, and the
traffic matching the rule is silently dropped. This is the preferred method for discarding unwanted traffic.
It is considered a best practice to accept necessary traffic and drop everything else with a final rule at the
end of each chain.
D. FastTrack Connection
The FastTrack firewall action is special, and using it can have a tangible impact on your routers. Once a connection is fast-tracked, all future packets in that connection are not checked against the firewall. If the first packet in a connection matches an allow rule, there is little value in checking the packets that follow. For high-throughput devices or firewalls with a lot of rules, not checking every single packet can save significant processing resources. The default configuration for RouterOS firewalls is to FastTrack all connections that have a state of established or related.
E. Jump
The jump action takes a packet being evaluated and moves it over to a different chain. Often this
is used when custom chains have been built with special firewall rules.
F. Log
The log action adds source and destination information for matching packets to the router's log. Traffic is then passed on to the next firewall rule in the chain. As with passthrough rules, it is recommended that you disable or delete log rules when you are finished with them. Be aware that the log action can create a large number of log entries that fill up a device's storage and cause instability.
G. Passthrough
The passthrough action adds byte and packet counts to the rule’s statistics then allows the traffic
to continue being processed. This is helpful when determining if a certain kind of traffic is hitting your
firewall. Disable or remove passthrough rules when you’re done with them so as not to add processing
overhead.
H. Reject
The reject action forces the router to discard matching packets, but it does not do so silently like the drop action does. Instead, an ICMP message is sent to notify the sender that the traffic was dropped. This could allow an attacker running port scans to fingerprint your device and continue reconnaissance efforts. For this reason, the reject action is not the preferred method for discarding unwanted traffic.
I. Return
The return action sends traffic back to the chain that it was originally jumped from. If you have a
special chain set up for traffic analysis or troubleshooting, you can return traffic to the original chain so it
gets processed by the rest of its rules.
J. Tarpit
The tarpit action keeps TCP connections open and deliberately slows responses to traffic sources that match a firewall rule. These traffic sources could be port scanners, spammers, or other unsavory types. Some DDoS mitigation providers and large enterprises that deal with DDoS attacks use tarpitting to slow them down. However, with botnets numbering in the thousands or tens of thousands, this has limited effectiveness. Be aware that because tarpit keeps connections open, applying this action to a lot of traffic places significant load on a device.
NVSU-FR-ICD-05-00 (081220) Page 4 of 9
“In accordance with section 185. Fair use of copyrighted works of Republic Act 8293, the copyrighted works included in this material may be reproduced for educational purposes
only and not for commercial distribution.”
Republic of the Philippines
NUEVA VIZCAYA STATE UNIVERSITY
Bayombong, Nueva Vizcaya
INSTRUCTIONAL MODULE
IM No.: SAM101-1st-SY2020-2021
The MikroTik firewall window in the Winbox software has been briefly discussed in the above section. In my next few articles, I will explain how to create different filter rules with practical examples. I hope you will keep with me.
Source: https://systemzone.net/mikrotik-firewall-basic-concept/
Best Practices
To keep your networks secure and your firewall rules from becoming too complicated, there are some guidelines to follow. Consider your network operations in the context of these best practices:
1. Allow the traffic you need, block everything else
2. Consolidate rules where possible for simplicity
3. Sort rules for efficiency
4. Block all traffic at the end of each chain with final "catch-all" rules
5. Periodically audit firewall configurations for consistency and security
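Practices 4 and 5 can be checked mechanically. The following added example (not part of the module or of RouterOS) parses a constructed `/ip firewall filter export` and reports chains without a final catch-all drop, reject rules, and log or passthrough rules left enabled; the parser only understands the simple `add key=value ...` lines shown.

```python
import shlex

# Constructed sample of a '/ip firewall filter export': 'forward' ends with a
# catch-all drop, 'input' ends with a reject and keeps a log rule enabled, and
# 'output' has no catch-all at all.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=log log-prefix="dbg-" protocol=tcp dst-port=22
add chain=input action=accept protocol=tcp dst-port=8291 src-address=192.168.10.0/24
add chain=input action=reject reject-with=icmp-network-unreachable
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address=192.168.10.0/24
add chain=forward action=drop comment="catch-all"
add chain=output action=accept
"""

# Keys that narrow a rule; a rule with none of them matches every packet.
MATCHER_KEYS = ("src-address", "dst-address", "protocol", "src-port", "dst-port",
                "in-interface", "out-interface", "connection-state", "src-mac-address")

def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict (quotes handled by shlex)."""
    rules = []
    for line in export.splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok))
    return rules

def is_catch_all(rule):
    return not any(key in rule for key in MATCHER_KEYS)

def audit(export):
    """Return human-readable findings for the best-practice checks."""
    findings, by_chain = [], {}
    for rule in parse_rules(export):
        by_chain.setdefault(rule["chain"], []).append(rule)
        if rule["action"] == "reject":
            findings.append(f"{rule['chain']}: reject answers with ICMP; prefer drop")
        if rule["action"] in ("log", "passthrough") and rule.get("disabled", "no") == "no":
            findings.append(f"{rule['chain']}: {rule['action']} rule left enabled")
    # Practice 4: every built-in chain should end with a catch-all drop.
    for chain in ("input", "forward", "output"):
        rules = by_chain.get(chain, [])
        if not rules or rules[-1]["action"] != "drop" or not is_catch_all(rules[-1]):
            findings.append(f"{chain}: no final catch-all drop rule")
    return findings
```

Run `audit(SAMPLE_EXPORT)` to see four findings: the input chain's log rule, its reject, the missing catch-all in input and output; the forward chain passes.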
RouterOS queues can make for a complex topic. Using queues allows you to shape, balance,
and limit network traffic based on your needs and policies. To do this correctly requires a good
understanding of how your network is built, what traffic profiles you’re dealing with, and how to best
distribute network resources. Two kinds of queues exist in RouterOS:
• Simple Queue
• Queue Tree
Simple queues are designed to put boilerplate network policies in place quickly with limited management overhead. There is a limit to what can be done with them, but for many organizations this is all that's needed. The following simple queue example limits the total download bandwidth for the 192.168.10.0/24 network to 5 megabits per second (Mbit/s). When "0" is specified for an upload or download value, it means "unlimited".
/queue simple
add name="192.168.10.0 Download" target=192.168.10.0/24 max-limit=0M/5M comment="192.168.10.0/24 Download Limit"
Bursting
The bursting feature allows network users to exceed the maximum bandwidth allotted in a queue for short periods of time. This lets short downloads and bursts of media-heavy content finish more quickly while still policing longer bandwidth-heavy sessions. The average traffic rate allowed is calculated every one-sixteenth of the Burst Time duration, and each time the rate is calculated an adjustment is made if necessary. The Burst Limit, Burst Threshold, and Burst Time fields work together to determine how fast and for how long traffic can run at burst speed. The longest burst duration possible is calculated with the following formula.
Bursting should be tuned over time to provide a good network performance experience based on
your organization’s available bandwidth, usage patterns, and needs.
Mangle
Mangling is a facility that allows us to identify packets and mark them for later use. With this mark we can do wonderful things like force packets with certain marks to take certain routes or go through certain queues. One concern with packet mangling is that it can be very CPU intensive if we have to look at every single packet, decide whether or not to mark it, and then perform the marking action.
Here it is possible to see what happens when pcq-rate is or isn't specified. I must note that if both limits (pcq-rate and max-limit) are unspecified, queue behaviour can be imprecise, so it is strongly suggested to set at least one of these options.
1. Log in to your MikroTik router using Winbox and click on the Queues menu in the left menu panel. The Queue List window will appear, but it will be empty because we have not added any queue yet. So click on the add new button (plus sign) to add a new queue. The New Simple Queue window will now appear. If you have trouble finding the add new button, please watch my video below, which shows how to open the New Simple Queue window.
2. In the General tab of the New Simple Queue window, type the user's name in the Name field and the user's IP address in the Target Address field. Now choose Target Upload and Target Download from the Max Limit drop-down lists or type your desired upload and download speeds. This is the maximum upload and download speed for this user.
3. Now, in the Advanced tab, choose Limit At values for Target Upload and Target Download. If you set these values, MikroTik will try to provide at least this upload and download speed to the user when bandwidth is congested. You can also choose a Priority for each user. Normally, bandwidth is assigned sequentially to users of the same priority: the user at the top of the queue list gets bandwidth first, then the second, then the next. Priority can be set from 1 to 8, where 1 is the highest priority and 8 the lowest. Higher-priority users get bandwidth before lower-priority users. Choose the desired priority for this user and click Apply and then OK to save the configuration.
4. You have now assigned bandwidth to a user IP. Repeat the above steps for all your network users to assign their bandwidth. Then check the bandwidth assigned to any user with a free internet speed test tool. I hope you get the desired result from the bandwidth test.
Source: https://systemzone.net/mikrotik-router-bandwidth-management/
Video: https://www.youtube.com/watch?v=BWfoG5-Us9w&feature=youtu.be
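To see how the three settings from steps 2 and 3 interact, here is an added example (not module or RouterOS code) that models the behaviour the steps describe: limit-at is guaranteed under congestion, max-limit is the ceiling, and the rest goes to priority 1 first, with queue-list position breaking ties. Rates are in kbit/s and the user list is constructed; real RouterOS queue scheduling is more involved than this model.

```python
# Simplified model of the limit-at / max-limit / priority semantics described
# in the steps above. Added example, not RouterOS code; rates are kbit/s and
# the user list is constructed.

def allocate(queues, available):
    """queues: list of (name, limit_at, max_limit, priority) in queue-list
    order. Returns {name: allocated kbit/s} for one traffic direction."""
    # Every queue first receives its guaranteed share (never above max-limit).
    alloc = {name: min(limit_at, max_limit) for name, limit_at, max_limit, _ in queues}
    remaining = available - sum(alloc.values())
    if remaining < 0:
        raise ValueError("limit-at values exceed available bandwidth")
    # Leftover bandwidth goes to priority 1 first, then 2, ... 8, each queue
    # filling up to its max-limit. sorted() is stable, so queues with the same
    # priority keep their queue-list order, as the text describes.
    for name, _, max_limit, _ in sorted(queues, key=lambda q: q[3]):
        extra = min(max_limit - alloc[name], remaining)
        alloc[name] += extra
        remaining -= extra
    return alloc

USERS = [  # constructed: name, limit-at, max-limit, priority (1 = highest)
    ("alice", 2000, 8000, 1),
    ("bob",   2000, 8000, 8),
    ("carol", 1000, 4000, 8),
]

if __name__ == "__main__":
    print(allocate(USERS, 10000))   # congested: alice 7000, bob 2000, carol 1000
    print(allocate(USERS, 30000))   # no congestion: everyone at max-limit
```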
B. Mangle Rules
Packet Mangling Using Optimal Mangle
1. To perform the mangle, we create two rules in the IP Firewall list under the Mangle tab.
2. Mangles are performed in a certain place within the routing process; the prerouting chain is the place to mangle. In this example, we want to identify all web browsing traffic, so we select a minimum of filters on the packet matcher tab. After creating a new rule with the plus sign, set it as follows:
This rule will match all web browsing traffic, identified by the fact that it is destined for port 80. The Action tab for this rule is to mark these connections with the mark “Web Browsing Connections”. This mark can be anything, but I like to make it descriptive.
Notice that I have unchecked the box for “Passthrough”. This is important because packets can be marked more than once, and multiple marks do not add up. For example, if the first rule matches a packet and marks it “AAA” and Passthrough is checked, the packet continues down the mangle chain. If the next rule matches, the packet is re-marked “BBB”, not “AAABBB”: the marks do not accumulate, they replace each other, so the packet ends up marked “BBB”. If Passthrough is unchecked, the packet leaves the mangle chain as soon as a rule matches.
In summary, packets are identified by their connections, the connections are marked, and then the packets in those connections are individually marked. It is important to note that if you have connection tracking turned off for whatever reason, the optimal mangle will not work. In that case, simply use one rule to identify the packets and mark them all in the same mangle rule. It will be CPU intensive, but it is your only option.
VII. EVALUATION (Note: Not to be included in the student’s copy of the IM)
VIII. ASSIGNMENT
For Further Study: QOS
There is a type of traffic prioritization that is carried by the packet throughout the network, but that
is a topic for advanced study. If you want to learn more about this type of QOS, I suggest you research
setting the “DSCP bit” or Differentiated Services Code Point bit of an IP packet. This bit can be set by
many VoIP devices or by a mangle rule in RouterOS and is carried throughout the network. Queues can
then be created with priority for packets identified by the DSCP bit and thereby provide a much more
advanced QoS system.
IX. REFERENCES
Discher, S. R. W. (2011). RouterOS by example: Understanding MikroTik RouterOS through real life applications. MicroTik.
Sayeed, A. (2020, January 4). MikroTik Router Bandwidth Management. System Zone. https://systemzone.net/mikrotik-router-bandwidth-management/