
Republic of the Philippines

NUEVA VIZCAYA STATE UNIVERSITY


Bayombong, Nueva Vizcaya
INSTRUCTIONAL MODULE
IM No.: SAM101-1st-SY2020-2021

College: COLLEGE OF INDUSTRIAL TECHNOLOGY


Campus: Bambang

DEGREE PROGRAM: BSInTe
COURSE NO.: SAM101
SPECIALIZATION: Networking
COURSE TITLE: System Administration and Maintenance
YEAR LEVEL: IV
TIME FRAME: 5 hrs.
WK NO.: 10 - 12
IM NO.: 7

I. UNIT TITLE/CHAPTER TITLE


Firewalls and Bandwidth Management

II. LESSON TITLE / (OUTLINE)


VIII. Firewalls
1. Firewall Overview
2. Firewall Components
3. Connections
4. Chains
5. Address List

IX. Bandwidth Management


1. Simple Queues
2. Bursting
3. Mangles
4. Per Connection Queueing

III. LESSON OVERVIEW


This lesson discusses firewall configuration on MikroTik routers. The MikroTik Firewall is a network
security tool that prevents unauthorized access to networks and also provides Network Address
Translation (NAT). A network administrator who runs a MikroTik router in a network cannot go a single
day without the MikroTik Firewall. After completing the basic router configuration, the main duty of a
MikroTik administrator is to maintain the firewall properly, together with bandwidth management. A
MikroTik administrator should therefore have enough knowledge of the MikroTik Firewall, and this
module is designed to discuss the basic concepts of the MikroTik router firewall.

Bandwidth Management is the most popular service in MikroTik routers; it is said that MikroTik
routers are used mostly because of it. As most offices and ISP companies now use MikroTik routers for
user bandwidth management, it will be very beneficial for you to know the proper way to manage
bandwidth with a MikroTik router. So, this module is designed to show you the proper and simple way to
manage the internet bandwidth of any office or ISP company with a MikroTik router.

IV. DESIRED LEARNING OUTCOMES


The students should be able to:
• Discuss firewall components;
• Configure firewall rules;

V. LESSON CONTENT
MikroTik Firewall

The MikroTik Firewall mainly separates traffic into good and bad; by the definition of a firewall, it
should allow good traffic and reject bad traffic. Every packet, good or bad, is doing one of the following
three things in a MikroTik router:
• it is entering the MikroTik router,
• it is leaving the MikroTik router, or
• it is passing through the MikroTik router.

NVSU-FR-ICD-05-00 (081220) Page 1 of 9


“In accordance with section 185. Fair use of copyrighted works of Republic Act 8293, the copyrighted works included in this material may be reproduced for educational purposes
only and not for commercial distribution.”

MikroTik administrators like you and me always expect good traffic to enter and pass through our
MikroTik router. But that is not always the case; we always have to fight against bad traffic. When a local
network is connected to a public network, there is always a threat that someone from outside your local
network will break into it. Such a break-in may cause private data to be stolen and distributed, valuable
data to be altered or destroyed, or entire hard drives to be erased. The MikroTik Firewall is used to
prevent or minimize these security risks. It has many firewalling features as well as masquerading
capabilities that help hide your private network from bad traffic on the outside.

The key features of the MikroTik Firewall are packet inspection, Layer-7 protocol detection and
peer-to-peer protocol filtering. The firewall can also classify network traffic by source MAC address, IP
address, port or port range, IP protocol, the interface the packet arrived from or left through, packet
content, packet size, packet arrival time and much more.

By default, the MikroTik Firewall allows all traffic entering, leaving or passing through your router.
That means a MikroTik router initially acts as an open firewall with no barriers, where all traffic is treated
as good traffic. So, if you consider any traffic bad and need to block it, you have to apply a MikroTik
Firewall rule.

What is MikroTik Firewall Rule?

A MikroTik Firewall rule is simply a meaningful statement used to allow good traffic or block bad
traffic; the MikroTik Firewall works entirely on such rules. What, then, is in a firewall rule? A firewall rule
has two parts:
• the matcher (conditional) part, which checks the traffic flow against the given conditions, and
• the action part, which decides what to do with traffic that matched the conditions.

Firewall Components
The RouterOS firewall uses three components to police traffic:
• Chains
• Rules
• Actions

Chains are mechanisms that process network traffic at different stages during routing and bridging.
Each chain has groups of rules that filter traffic based on source, destination, protocol, and other
matching criteria. All rules have actions assigned that affect traffic matching the rule. These actions
include drop, log, accept, reject, and more.

Condition in MikroTik Firewall Rule

The conditional part of a firewall rule takes various property values that a packet must match for
the rule to apply. If you open the MikroTik Firewall in the winbox software through IP > Firewall > Filter
Rules and click the PLUS SIGN (+) to create a new firewall rule, you will find General, Advanced and
Extra tabs that together make up the firewall conditions. Many property options (parameters) are
available in the conditional part of a MikroTik Firewall rule. Most of them are self-explanatory, but the
chain parameter causes a new MikroTik administrator much confusion. It is not so complex if you take
the time to understand it.

The Chain Property
There are three predefined chains in a MikroTik Firewall rule.

• Input processes packets that are entering your MikroTik router. These packets may arrive
through any interface of the router. Any packet that is coming to the MikroTik router and has a
MikroTik interface IP address as its destination IP address is processed by the input chain. In short,
when the MikroTik router is the destination, it is input chain activity. For example, if you or anyone
else connects to the MikroTik router with SSH or Winbox, or browses its HTTP pages, the destination
IP address is one of the MikroTik router's own addresses. This is input chain activity, so if you want
to block SSH or HTTP to the router, you have to select the input chain in the firewall rule.

• Output processes packets that originate from your MikroTik router and leave it through one of
its interfaces. Any packet leaving the router with an interface IP address as its source IP address is
processed by the output chain. In short, when the MikroTik router's address is the packet's source
address, it is output chain activity. For example, if you ping a remote server from the MikroTik
console, the source IP address is the MikroTik router's address. This is output chain activity.

• Forward processes packets that pass through your MikroTik router. In this case, the MikroTik
router is neither the source nor the destination. In short, when a packet passes through the MikroTik
router, it is forward chain activity. For example, when a LAN user browses a website, the packets
pass through the MikroTik router. Here, the destination is the web server and the source is the LAN
user, so this is forward chain activity. If you want to block a user from reaching any web server, you
have to select the forward chain in the firewall rule.

The following diagram shows how packets are processed in your MikroTik router, including the
input, output and forward chains.

MikroTik Packet Flow Diagram

Action in MikroTik Firewall Rule


The action part of a MikroTik Firewall rule defines what to do with a packet that matched the
condition. The action property is located in the Action tab and has many self-explanatory values. For
example, to drop a packet you choose drop, and to allow a packet you choose accept, for the case where
the condition in the conditional part is matched.

A. Accept
The accept action allows a packet through the firewall. The packet will not be processed by any further
rules, and continues on to its destination. When accepting firewall traffic be sure to only accept traffic that
is necessary - everything else should be dropped.

B. Add to Address List


This is actually two separate actions, but they both add an IP address to an address list. The two
individual actions are as follows:
• add-src-to-address-list
• add-dst-to-address-list
One adds the SRC IP to a list, the other adds the DST IP.

C. Drop
The drop action forces the router to stop processing a packet. No further action is taken, and the
traffic matching the rule is silently dropped. This is the preferred method for discarding unwanted traffic.
It is considered a best practice to accept necessary traffic and drop everything else with a final rule at the
end of each chain.

D. FastTrack Connection
The FastTrack firewall action is special and using it can have a tangible impact on your routers.
Once a connection is Fast-tracked all future packets in the connection won’t be checked against the
firewall. If the first packet in a connection matches an allow rule there isn’t any value in checking the
packets that follow. For high-throughput devices or firewalls with a lot of rules not checking every single
packet can save significant processing resources. The default configuration for RouterOS firewalls is to
FastTrack all connections that have a state of established or related.

E. Jump
The jump action takes a packet being evaluated and moves it over to a different chain. Often this
is used when custom chains have been built with special firewall rules.

F. Log
The log action adds source and destination information for matching packets to the router's log.
Traffic is passed on to the next firewall rule in the chain. As with passthrough rules, it's recommended
that you disable or delete log rules when you're finished with them. Be aware that the log action can
create a significant number of log entries that fill up a device's storage and cause instability.

G. Passthrough
The passthrough action adds byte and packet counts to the rule’s statistics then allows the traffic
to continue being processed. This is helpful when determining if a certain kind of traffic is hitting your
firewall. Disable or remove passthrough rules when you’re done with them so as not to add processing
overhead.

H. Reject
The reject action forces the router to discard matching packets but doesn’t do it silently like the
drop action does. Instead an ICMP message is sent to notify the sender that traffic was dropped. This
could allow an attacker running port scans to fingerprint your device and continue reconnaissance efforts.
For this reason the reject action is not the preferred method for discarding unwanted traffic.

I. Return
The return action sends traffic back to the chain that it was originally jumped from. If you have a
special chain set up for traffic analysis or troubleshooting, you can return traffic to the original chain so it
gets processed by the rest of its rules.

J. Tarpit
The tarpit action keeps TCP connections open and deliberately slows responses to traffic sources
that match a firewall rule. These traffic sources could be port scanners, spammers, or other unsavory
types. Some DDoS mitigation providers and large enterprises who deal with DDoS attacks use tarpitting
to slow them down. However, with botnets numbering in the thousands or tens of thousands, this has
limited effectiveness. Be aware that tarpit keeps connections open, so applying this action to a lot of
traffic places significant load on a device.

Introduction to MikroTik Firewall GUI


Now we will introduce the MikroTik Firewall GUI in the winbox software. If you open the IP >
Firewall menu, you will find seven tabs in the winbox Firewall window. Among these, the following tabs
are used to create the various firewall rules.
• The Filter Rules tab contains the firewall rules that block or allow MikroTik traffic. Filter rules are
checked one by one, and once a rule matches, the rules below it are not applied to that traffic. For
example, if you block YouTube for all users but want to allow it for one special user, the allow rule
must be placed before the block rule. Otherwise the allowed user falls under the block rule.
• The NAT (Network Address Translation) tab contains rules that translate the source address or
destination address, as well as port forwarding. For example, say you have a web server in your LAN
and want to reach it from outside your LAN. Then you have to create a destination NAT rule so that
your web server can be reached from outside. The NAT tab is also familiar to you from creating the
masquerade rule in the MikroTik router basic configuration.
• The Mangle tab contains rules used to mark packets for later use, such as making a different
routing decision, blocking a particular kind of packet and much more.
• The Address Lists tab contains the address lists that are used when creating firewall rules, such
as filter rules or NAT rules.
• The Layer7 Protocols tab contains a list of Layer7 regular expressions that are used to block or
allow a Layer7 service with a firewall rule.

The MikroTik Firewall window in the winbox software has been briefly discussed in the above section.
In my next few articles, I will explain how to create different filter rules with practical examples. I hope
you will stay with me.
Source: https://systemzone.net/mikrotik-firewall-basic-concept/

Best Practices
To keep your networks secure and your firewall rules from becoming too complicated, there are
some guidelines to follow. Consider your network operations in the context of these best practices:
1. Allow the traffic you need and block everything else
2. Consolidate rules where possible for simplicity
3. Sort rules for efficiency
4. Block all remaining traffic at the end of each chain with a final "catch-all" rule
5. Periodically audit firewall configurations for consistency and security
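The first-match ordering of filter rules, the jump and return actions between chains, and the final catch-all rule from the best practices above, as an added example in Python (not RouterOS code and not from the original module): a small model of how the input and forward chains decide a packet's fate. The addresses, the custom "mgmt" chain and the "blocked site" network are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of /ip firewall filter evaluation (example code, not RouterOS
# itself): rules are read top to bottom, the first matching terminal action wins,
# jump/return move between chains, and an unmatched packet is accepted because
# RouterOS starts out as an open firewall. All addresses below are made up.

@dataclass
class Packet:
    chain: str                  # input / forward / output, decided by routing
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: Optional[int] = None
    conn_state: str = "new"     # new, established, related, invalid

@dataclass
class Rule:
    chain: str
    action: str                 # accept, drop, reject, jump, return, log, passthrough
    match: dict = field(default_factory=dict)   # matcher part; empty = match all
    jump_target: Optional[str] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    for key, wanted in rule.match.items():
        have = getattr(pkt, key)
        if key in ("src", "dst"):      # address matchers take a host or a CIDR
            if ipaddress.ip_address(have) not in ipaddress.ip_network(wanted, strict=False):
                return False
        elif have != wanted:
            return False
    return True

def walk(rules, pkt, chain):
    """Run one chain; return a terminal action, or None when the chain ends or
    hits 'return' without deciding (control then goes back to the caller)."""
    for rule in (r for r in rules if r.chain == chain):
        if not matches(rule, pkt):
            continue
        if rule.action in ("accept", "drop", "reject"):
            return rule.action
        if rule.action == "return":
            return None
        if rule.action == "jump":
            decision = walk(rules, pkt, rule.jump_target)
            if decision is not None:
                return decision
        # log, passthrough, or a jump that came back: keep going down this chain
    return None

def verdict(rules, pkt):
    return walk(rules, pkt, pkt.chain) or "accept"   # open-firewall default

LAN = "192.168.10.0/24"
BLOCKED_SITE = "203.0.113.0/24"   # constructed "site to block" for the ordering demo

def input_rules():
    return [
        Rule("input", "accept", {"conn_state": "established"}),
        Rule("input", "accept", {"conn_state": "related"}),
        Rule("input", "drop", {"conn_state": "invalid"}),
        Rule("input", "jump", {"proto": "tcp", "dst_port": 8291}, jump_target="mgmt"),
        Rule("mgmt", "accept", {"src": LAN}),        # Winbox only from the LAN
        Rule("mgmt", "return"),                      # anything else: back to input
        Rule("input", "drop"),                       # catch-all: SSH, HTTP, ... dropped
    ]

def forward_rules(allow_first=True):
    allow = Rule("forward", "accept", {"src": "192.168.10.5", "dst": BLOCKED_SITE})
    block = Rule("forward", "drop", {"dst": BLOCKED_SITE})
    return [
        Rule("forward", "accept", {"conn_state": "established"}),
        *([allow, block] if allow_first else [block, allow]),   # order decides
        Rule("forward", "accept", {"src": LAN}),
        Rule("forward", "drop"),                     # catch-all for the forward chain
    ]
```

Calling `verdict(forward_rules(False), ...)` for the special user shows the ordering mistake the Filter Rules section warns about: with the block rule first, the allow rule is never reached.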

Bandwidth Management using Queues


QUEUES
Bandwidth Management is the most popular service in MikroTik routers; it is said that MikroTik
routers are used mostly because of it. The module or service used to manage bandwidth in a MikroTik
router is Queues. Maximum bandwidth can be controlled with Queues, but it is not always possible to
provide a fixed bandwidth to users, because bandwidth is always shared.

RouterOS queues can make for a complex topic. Using queues allows you to shape, balance,
and limit network traffic based on your needs and policies. To do this correctly requires a good
understanding of how your network is built, what traffic profiles you’re dealing with, and how to best
distribute network resources. Two kinds of queues exist in RouterOS:
• Simple Queue
• Queue Tree

Simple queues are designed to put boilerplate network policies in place quickly with limited
management overhead. There is a limit to what can be done with them, but for many organizations this
is all that's needed. The following simple queue example limits the total download bandwidth for the
192.168.10.0/24 network to 5 megabits per second (Mbit/s). When "0" is specified for an upload or
download value, it means "unlimited". The max-limit value is written as upload/download.

/queue simple
add name="192.168.10.0 Download" target=192.168.10.0/24 max-limit=0M/5M \
    comment="192.168.10.0/24 Download Limit"


Bursting
The Bursting feature allows network users to exceed the maximum allotted bandwidth in a queue for
short periods of time. This allows short downloads and bursts of media-heavy content to download
quicker while still policing longer bandwidth-heavy sessions. The average traffic rate allowed is calculated
every one-sixteenth of the Burst Time duration. Each time the traffic rate is calculated an adjustment is
made if necessary. The Burst Limit, Burst Threshold, and Burst Time fields all work together to determine
how fast and for how long traffic can run at burst speed. The longest burst duration possible is calculated
with the following formula.

Longest Burst Time = BurstThreshold ∗ BurstTime / BurstLimit

Bursting should be tuned over time to provide a good network performance experience based on
your organization’s available bandwidth, usage patterns, and needs.
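The burst formula above, worked through in an added Python example (constructed here, not from the module or from RouterOS): a discrete simulation of the burst algorithm that recalculates the average rate every one-sixteenth of the burst time, compared with the formula's longest burst time. The queue values (max-limit 5M, burst-limit 8M, burst-threshold 4M, burst-time 16 s) are assumed for the demonstration.

```python
from collections import deque

# Constructed model of RouterOS burst handling (example code, not RouterOS itself).
# Every burst-time/16 the average rate over the last burst-time is recomputed; while
# it is below burst-threshold the client may run at burst-limit, otherwise at
# max-limit. Rates are in Mbit/s, time in seconds.

def longest_burst(burst_threshold, burst_time, burst_limit):
    """The module's formula: Longest Burst Time = BurstThreshold * BurstTime / BurstLimit."""
    return burst_threshold * burst_time / burst_limit

def simulate(max_limit, burst_limit, burst_threshold, burst_time, duration, demand=None):
    """Return the rate granted in each burst-time/16 slot to a client that wants
    `demand` Mbit/s (default: as much as it can get) for `duration` seconds."""
    slot = burst_time / 16                 # RouterOS recalculates 16 times per burst-time
    window = deque([0.0] * 16, maxlen=16)  # last burst-time of actual rates; idle at start
    granted = []
    for _ in range(int(duration / slot)):
        average = sum(window) / 16
        ceiling = burst_limit if average < burst_threshold else max_limit
        actual = ceiling if demand is None else min(demand, ceiling)
        granted.append(actual)
        window.append(actual)               # the oldest slot falls out of the window
    return granted

def burst_seconds(granted, burst_limit, burst_time):
    """How long the leading run at burst-limit lasted, in seconds."""
    slot = burst_time / 16
    n = 0
    for rate in granted:
        if rate != burst_limit:
            break
        n += 1
    return n * slot

def example():
    # Constructed queue: max-limit=5M burst-limit=8M burst-threshold=4M burst-time=16s,
    # saturating client observed for 48 seconds.
    granted = simulate(max_limit=5, burst_limit=8, burst_threshold=4, burst_time=16, duration=48)
    return granted, burst_seconds(granted, 8, 16), longest_burst(4, 16, 8)
```

With these values a client that keeps saturating the link never bursts again after the first 8 s, because max-limit (5) is above burst-threshold (4) and the average never falls back below the threshold until the client goes idle.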

Mangle
Mangling is a facility that allows us to identify packets and mark them for later use. With this mark
we can do wonderful things like force packets with certain marks to take certain routes or go through
certain queues. One concern of packet mangling is that it can be very CPU intensive if we have to look
at every single packet, make a decision whether or not to mark it, and then perform the marking action.

PCQ – Per Connection Queuing


Per Connection Queuing is the queuing discipline that can be used to dynamically divide streams
of traffic into upload and download on a per host basis. In addition, once identified and divided, the traffic
can be queued. One method allocates a predetermined amount of bandwidth per user with the caveat
that once the total available bandwidth is met and exceeded, the bandwidth will then be shared equally.
Another method is to create an allocation of bandwidth for all users to be shared equally.

Here it is possible to see what happens if pcq-rate is or isn't specified. I must note that if both
limits (pcq-rate and max-limit) are unspecified, queue behavior can be imprecise. So it is strongly
suggested to have at least one of these options set.


VI. LEARNING ACTIVITIES


A. Bandwidth Management with MikroTik Simple Queue
There are various queue services in the MikroTik router for managing user bandwidth. Among these,
the simple queue service is mostly used for managing an office's internet bandwidth, and the PCQ
service is used for managing ISP client bandwidth.

1. Log in to your MikroTik router using winbox and then click the Queues menu in the left menu panel.
The Queue List window will appear, but it will be empty because we have not added any queue yet.
So, click the add new button (PLUS sign) to add a new queue. The New Simple Queue window will
now appear. If you have trouble finding the add new button, please watch my video below carefully;
it shows how to open the New Simple Queue window.
2. In the General tab of the New Simple Queue window, type the user name in the Name field and the
user's IP address in the Target Address field. Now choose Target Upload and Target Download from
the Max Limit drop-down list, or type your desired upload and download speeds. This is the
maximum upload and download speed for this user.
3. Now, in the Advanced tab, choose the Limit At values for Target Upload and Target Download. If
you set these values, MikroTik will try to provide at least this upload and download speed to the user
when bandwidth is congested. You can also choose a Priority for any user. Normally, MikroTik
assigns bandwidth sequentially to users of the same priority. That means the user at the top of the
Queue List gets bandwidth first, then the second user, and then the next. Priority can be selected
from 1 to 8; 1 is the highest priority and 8 the lowest. A higher priority user gets bandwidth before a
lower priority user. Choose your desired priority for this user and click Apply and then OK to save
the configuration.
4. You have now assigned bandwidth to a user IP successfully. Repeat the above steps for all your
network users to assign their bandwidth. Now check the bandwidth assigned to a user with a free
internet speed test tool. I hope you get your desired result from the bandwidth test.

You can visit the website below for more details

Source: https://systemzone.net/mikrotik-router-bandwidth-management/
Video: https://www.youtube.com/watch?v=BWfoG5-Us9w&feature=youtu.be

B. Mangle Rules
Packet Mangling Using Optimal Mangle
1. To perform the mangle, we create two rules in the IP Firewall list under the Mangle tab.


2. Mangles are performed in a certain place within the routing process; the prerouting chain is the
place to mangle. In this example, we want to identify all web browsing traffic, so we select a
minimum of filters on the packet matcher tab. After creating a new rule with the plus sign, set it as
follows:

This rule will match all web browsing traffic, identified by the fact that it is destined for port 80. The
Action tab for this rule is to mark these connections with the mark “Web Browsing Connections”. This
mark can be anything, but I like to make it descriptive.

3. Click Ok to save this rule. Now we have narrowed the scope of packets we want to examine
greatly by restricting this rule to port 80 connections and then marking that connection with our
mangle rule.

4. Next we want to mark the actual packets. We don’t want to look at every packet, just those that
are a part of connections we have previously identified, so the next rule we create under IP Firewall
Mangle looks like this:

This packet matcher only matches the previously marked connections. The Action tab is where we
mark the actual packets with our mark “Web Browsing Packets”.


Notice I have unchecked the box for “Passthrough”. This is important because packets can be marked
more than once, and it is important to understand that multiple marks do not add. For example, if the
first rule matches a packet and marks it “AAA” and Passthrough is checked, the packet continues down
the mangle chain. If the next rule matches, the packet gets re-marked “BBB”, not “AAABBB”. The marks
do not add; they re-mark, so the packet will then be marked “BBB”. If Passthrough is unchecked, once a
rule matches, the packet leaves the mangle chain.

In summary, packets are identified by their connections, the connections are marked, and then the
packets in those connections are individually marked. It is important to note that if you have connection
tracking off for whatever reason, the optimal mangle will not work. In that case, simply use one rule to
identify the packets and mark them all in the same mangle rule. It will be CPU intensive, but it is your
only option.
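The two-rule optimal mangle and the passthrough behaviour described above, as an added Python example (not RouterOS code, and not from the module or its sources): a toy prerouting mangle chain with its own connection-tracking table, showing that the packet-mark rule fires only once the connection carries a mark, that marks replace each other rather than adding, and that the optimal mangle stops working when connection tracking is off. Addresses and mark names are constructed; the table keys on the client-to-server direction only.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two-rule "optimal mangle" (example code, not RouterOS):
# rule 1 marks the *connection* of port-80 traffic, rule 2 marks only *packets*
# that belong to an already marked connection. Marks replace each other (they
# never concatenate) and passthrough=no ends the chain for that packet.

@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    conn_mark: Optional[str] = None
    packet_mark: Optional[str] = None

@dataclass
class MangleRule:
    match: dict                    # e.g. {"dst_port": 80} or {"conn_mark": "..."}
    action: str                    # mark-connection or mark-packet
    new_mark: str
    passthrough: bool = True

class Mangler:
    """Prerouting mangle chain plus the connection-tracking table it relies on."""
    def __init__(self, rules, connection_tracking=True):
        self.rules = rules
        self.tracking = connection_tracking
        self.conntrack = {}        # (src, dst, dst_port) -> connection mark

    def process(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dst_port)
        if self.tracking:
            pkt.conn_mark = self.conntrack.get(key)   # mark already on the connection
        for rule in self.rules:
            if any(getattr(pkt, k) != v for k, v in rule.match.items()):
                continue
            if rule.action == "mark-connection":
                if not self.tracking:
                    continue       # no conntrack: a connection mark cannot be stored
                pkt.conn_mark = rule.new_mark
                self.conntrack[key] = rule.new_mark
            elif rule.action == "mark-packet":
                pkt.packet_mark = rule.new_mark       # re-mark, never "AAA" + "BBB"
            if not rule.passthrough:
                break              # leave the mangle chain after this rule
        return pkt

def optimal_mangle(connection_tracking=True):
    return Mangler([
        MangleRule({"dst_port": 80}, "mark-connection", "Web Browsing Connections"),
        MangleRule({"conn_mark": "Web Browsing Connections"}, "mark-packet",
                   "Web Browsing Packets", passthrough=False),
    ], connection_tracking)

def fallback_mangle():
    # With connection tracking off, one rule must inspect every packet directly.
    return Mangler([MangleRule({"dst_port": 80}, "mark-packet", "Web Browsing Packets",
                               passthrough=False)], connection_tracking=False)

def remarking_demo():
    """Two overlapping mark-packet rules: with passthrough on, the result is the
    last mark ('BBB', not 'AAABBB'); with passthrough off it stays 'AAA'."""
    def rules(passthrough):
        return [MangleRule({"dst_port": 80}, "mark-packet", "AAA", passthrough=passthrough),
                MangleRule({"dst_port": 80}, "mark-packet", "BBB")]
    p1 = Mangler(rules(True)).process(Packet("192.168.10.5", "198.51.100.20", 80))
    p2 = Mangler(rules(False)).process(Packet("192.168.10.5", "198.51.100.20", 80))
    return p1.packet_mark, p2.packet_mark
```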

Supplemental Video: https://www.youtube.com/watch?v=3zJrNOUDNrc

VII. EVALUATION (Note: Not to be included in the student’s copy of the IM)

VIII. ASSIGNMENT
For Further Study: QOS
There is a type of traffic prioritization that is carried by the packet throughout the network, but that
is a topic for advanced study. If you want to learn more about this type of QOS, I suggest you research
setting the “DSCP bit” or Differentiated Services Code Point bit of an IP packet. This bit can be set by
many VoIP devices or by a mangle rule in RouterOS and is carried throughout the network. Queues can
then be created with priority for packets identified by the DSCP bit and thereby provide a much more
advanced QoS system.

IX. REFERENCES

Discher, S. R. W. (2011). RouterOS by example: understanding MikroTik RouterOS through real life
applications. MicroTik.

Sayeed, A. (2020, January 4). MikroTik Router Bandwidth Management. System Zone.
https://systemzone.net/mikrotik-router-bandwidth-management/.

