MTCTCE English PDF

MIKROTIK ADVANCED TRAINING
TRAFFIC CONTROL
PRESENTED BY Oky Tria Saputra
ID-Networkers & trainingmikrotik.com

2
TRAFFIC CONTROL OUTLINE

DNS Web Proxy Firewall filter/nat/mangle
o DNS Cache / Server o Proxy rule lists o Connection tracking
o Static DNS FIltering o Access list o Firewall Filter
o Direct Access list o Firewall NAT
DHCP o Cache list o Firewall Mangle
o DHCP Server o Regular expression
o DHCP Client
o DHCP Relay Quality of Service
o HTB
o Queue simple and tree
ID-NETWORKERS | www.training-mikrotik.com
3
DOMAIN NAME SYSTEM
4
Domain Name System

• DNS (Domain Name System) is used to translate
domain names into IP addresses.
• We more easily remember domain name
google.com compared with IP addresses of
google.com.
• Domain is like a phone book, where we easier to
type name of website (domain) rather than IP
address
www.trainingmikrotik.com
Host Subdomain Top-Level Domain
5
Domain Name System
• DNS client is used only by router in web-

proxy, DHCP server and hotspot
configuration
• Enable “Allow Remote Requests” option to
transform DNS client into DNS cache
• DNS cache allows to use your router
instead of remote DNS server, as all
caches - it will minimizes resolving time
6
LAB - DNS Configuration
7
Static DNS
• DNS Cache can also serve as a simple DNS
server.
• For each static DNS settings, the router will add
the parameter "A" and "PTR" is automatically.
 "A" - Address Mapping Domain to IP Address
 "PTR" - To map the Reverse DNS
• Static DNS will override dynamic entries in the
DNS cache
8
Transparent Static DNS

• For example we want to manipulate domain
trainingmikrotik.com to the IP address that does not
really belong to trainingmikrotik.com, we resolve to
another IP of the web server
• Or we want to make own domain for our local address
• The trick is as follows:
• Set MikroTik as DNS cache/server by check allow
remoter request in IP dns menu
• Set at least one primary DNS
• Set static DNS for the domain that we want to
manipulate
• Create a dst-nat rule that any DNS traffic coming from
LAN trough router have to redirect to the router itself
9
LAB- Static DNS

• Every client that request DNS to outside network (for example to
goggle public dns 8.8.8.8) will force to using our router dns server
• Then we manipulate dns response by make static DNS in our router
Mikrotik_wifi
Dns request
Redirect to the router
10
LAB - DNS Static
IP of your web server
11
LAB - DNS Static

In IP firewall NAT, make rule to make transparent DNS
12
LAB - DNS Static

Check DNS cache in IP>DNS>cache
13
DHCP
Dynamic Host Configuration Protocol
14
DHCP
• The Dynamic Host Configuration Protocol is
used for dynamic distribution of network setting
such as:
• IP address and netmask
• Default gateway address
• DNS and NTP server addresses
• More than 100 other custom option
(supported only by specific DHCP clients)
• DHCP is basically insecure system and should
only be used in own trusted networks
15
DHCP Communication Step

• DHCP Discovery
src-mac=<client>, dst-mac=<broadcast>, protocol=udp,
src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67
• DHCP Offer
src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp,
src-ip=<DHCP-Server>:67, dst-ip=255.255.255.255:67
• DHCP Request
src-mac=<client>, dst-mac=<broadcast>, protocol=udp,
src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67
• DHCP Acknowledgement
src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp,
src-ip=<DHCP-Server>:67, dst-ip=255.255.255.255:67
16
DHCP Server
• DHCP server can be run on each interface on the router, even
on some virtual interface.
• One interface only can run 1 DHCP server.
• To easily DHCP server settings, add the IP address first for
the interface will run DHCP server.
• DHCP server settings on the menu IP> DHCP Server> DHCP
Setup, just follow the step easily
17
LAB DHCP Server Client
• One participant become client another participant become DHCP station

• Activating DHCP logging in menu
System>logging>add topic=dhcp action=memory
18
DHCP Client Communication Step
19
DHCP Server Communication Step
20
DHCP Client Identification

• There can be only one DHCP server/relay per
interface on the router
• To create DHCP server you must have
1. IP address on desired DHCP server interface
2. Address pool for clients
3. Information about planned DHCP network
• All 3 options must correspond
• “Store Lease on Disk” is How frequently lease
changes should be stored on disk
21
DHCP Options
• Implemented DHCP options
̶ Subnet-Mask (option 1) - netmask
̶ Router (option 3) - gateway
̶ Domain-Server (option 6) - dns-server
̶ Domain-Name (option 15) - domain
̶ NTP-Servers (option 42) - ntp-server
̶ NETBIOS-Name-Server (option 44) - wins-server
• Custom DHCP options (Example:)
Classless Static Route (C) - “0x100A270A260101” =
“network=10.39.0.0/16 gateway=10.38.1.1”
• For completed DHCP code, see:
http://www.iana.org/assignments/bootp-dhcp-parameters
22
DHCP Options
Raw Format of 10.39.0.0/16 and 10.38.1.1:
• 0x | 10 | 0A27 | 0A260101 | all
• 0x – Hex Number
• 10 – Subnet/Prefix = 16
• 0A27 – Network = 10.39.0.0
• 0A260101 – Gateway = 10.38.1.1
To convert decimal to hex you can using calculator or online converter

like http://www.binaryhexconverter.com/decimal-to-hex-converter
23
LAB DHCP Server Option
Static route
• With DHCP option, give the client static route to

network=10.39.0.0/16 gateway=10.38.1.1
• Make DHCP option in menu
IP>DHCP option>add name=additional-route code=121 value= 0x100A270A260101
• Asign dhcp option in IP DHCP Server Network
24
LAB - DHCP Options
Create DHCP option, and assign to DHCP

network
25
DHCP Options
• IP address pools are used to define range of IP
addresses for dynamic distribution (DHCP, PPP,
Hotspot)
• Address pool must exclude already address that
already used as static device (such as server)
• It is possible to assign more that one range in IP pool
• It is possible to chain several pools together by using
“Next Pool” option
• By default the IP address will start give IP from the
bigger one from the pool.
26
IP Pool
27
DHCP Server Settings
28
DHCP Server Settings

• Relay – if we want to using DHCP relay
• Src.address – specifies DHCP servers address if more
than one IP on DHCP server's interface
• Leases Time - The time that a client may use the
assigned address.
• Add ARP For Leases – allow to add ARP entries for
leases if interface ARP=reply-only
• Always Broadcast – allow communication with non-
standard clients like pseudo-bridges
• Use- Radius - Whether to use RADIUS server for
dynamic leases
29
DHCP Relay
• DHCP Relay is just like a proxy that receive
DHCP discovery and request and resend them
to the DHCP server
• There can be only one DHCP relay between
DHCP server and DHCP client
• DHCP communication with relay does not
require IP address on the relay,
• But DHCP Relay's “local address” option must
be same with DHCP Server's “relay address”
option
30
LAB - DHCP Relay

Make one of router become DHCP server, another become DHCP Relay
Ether1 Ether1
192.168.1.1/24 192.168.1.2/24
Ether2
192.168.22.1/24
31
LAB - DHCP Relay

Configures DHCP Server, and DHCP Server Network
Network and Relay’s local address
32
LAB - DHCP Relay

Configures DHCP Relay
Interface LAN
IP address of interface LAN
Configure client as DHCP client at the laptop and it should get IP from DHCP
server
33
PROXY
MikroTik HTTP Proxy
34
Web Proxy
• Web-proxy have 3 mayor features
– HTTP and FTP traffic caching
– DNS name filtering
– DNS redirection
• Web-proxy have two operation modes
– Regular – browser must be configured to use this
proxy
– Transparent – this proxy is not visible for
customers NAT rules must be applied
35
Web Proxy
• Without Proxy
• With Proxy
36
Web Proxy Feature

• Regular HTTP proxy
• Transparent proxy
Can serve also as transparent and normal at the same time
• Access list
Based on the source, destination, URL and requested method
• Cache Access list
Determine which objects are stored in the cache
• Direct Access List
Set the connection which is accessed directly and the other through
a proxy server
• Logging facility
Logging url access / connection from the client
37
LAB - Web Proxy

• Topology
38
LAB - Web Proxy

• Enable Web Proxy in menu IP>Web Proxy
39
LAB – Transparent Web Proxy

• To use proxy we need to set proxy manually on client browser
• Or you can make transparent proxy by force all http traffic from local
to go to port 8080 on the router its self
• Configuration in menu IP>Firewall>NAT
/ip firewall nat
add chain=dstnat protocol=tcp
dst-port=80 in-interface=etherLAN action=redirect to-ports=8080
40
LAB - Web Proxy

Check your proxy setting by access web that can detect the proxy connection, open url
www.indonesiacyber.net
Check on your router at IP>Web Proxy> Connections menu
41
LAB - Web Proxy Access Rule

Block http to go to url that has contain word “playboy”
42
Web-Proxy Access Rule

Block http to go to URL that has contain word “playboy” and redirect to
trainingmikrotik.com
43
Web Proxy URL Filtering

http://www.domain.com/path1/path2/file1.jpg
Destination host Destination path
• Special Characters
* = any character/characters
? = one character
• Example
www.do?ai?.com
www.domain.*
*domain*
• Also support regular expression format
44
Web Proxy URL Filtering

• We can also filtering clients to download files type like .mp3, .exe,
.dat, .avi,…etc, by define in the url path
• For example:
/ip proxy access
add path=*.exe action=deny
add path=*.mp3 action=deny
add path=*.zip action=deny
add path=*.rar action=deny
45
Web-Proxy Options
• Maximal-client-
connections - number of
connections accepted from
clients
• Maximal-server-
connections - number of
connections made by
server
46
Web-Proxy Caching
• No caching
• Max-cache-size = none
• Cache to RAM
• Max-cache-size ≠ none
• Cache-on-disk = no
• Cache to HDD
• Max-cache-size ≠ none
• Cache-on-disk = yes
• Cache drive
• Choose partition
47
Web-Proxy Rule List

• Web-proxy supports 3 sets of rules for HTTP
request filtering
• Access List – dictates policy whether to allow
specific HTTP request or not
• Direct Access List – list works only if parent-
proxy is specified – dictates policy whether to
bypass parent proxy for specific HTTP
request or not.
• Cache List – dictates policy whether to allow
specific HTTP request be cached or not
48
FIREWALL
Basic & Advanced
49
Connection Tracking
• Connection Tracking is the heart of firewall, it
gathers and manages information about all
active connections.
• By disabling the connection tracking system you
will lose functionality of the NAT and most of the
filter and mangle conditions.
• Each connection tracking table entry represents
bidirectional data exchange
• Connection tracking takes a lot of CPU
resources (disable it, if you don't use firewall)
50
Connection State
• Connection state is a status assigned to each packet by
connection tracking system:
– New – packet is opening a new connection
– Established – packet belongs to already known
connection
– Invalid – packet does not belong to any of the known
connections
– Related – packet is also opening a new connection,
but it is in some kind relation to already known
connection
• Connection state not same with TCP state in connection
tracking
51
Firewall Basic
• Each firewall filter rules are organized in a chain and read
sequentially.
• Each chain will be read by the router from top to bottom.
• In Firewall Filter Rule there 3 default chain
• input – processes packets sent to the router
• output – processes packets sent by the router
• forward – processes packets sent through the router
• In addition to the 3 default chain, We can make chain by our self as
needed.
• Every user-defined chain should subordinate to at least one of the
default chains
• To implemented the right chain we need to know about packet flow
in the router
52
Packet Flow
• Simple Diagram
53
Packet Flow
• Diagram showing the process flow of data packets
54
Packet Flow
• Traffic going in to the router (input)
55
Packet Flow
• Traffic going out from the router itself (output)
56
Packet Flow
• Traffic pass-through the router (forward)
57
Firewall on Bridge
If we want to use IP Firewall in bridge devices, we need to activate
58
Firewall Strategy
• Rule IF….THEN….
• IF packet match with our define criteria.
• THEN what will we do for that packet?
• In IP firewall IF condition define in tab General,
Advanced and Extra, and THEN condition define
in Action tab
59
Firewall Strategy
• Drop all unneeded, accept everything else
If there is no firewall, by default mikrotik accept all connection

60
Firewall Strategy
• Accept only needed, drop everything else
61
RouterOS Local Services
• We can filter it with chain input
62
IP Firewall Filter Rule (Extra)
63

dst-limit
• To limit number of packet in one second to one IP or and
protocol and port
classifier :
• addresses and dst-port
• dst-address
• dst-address and dst-port
• src-address and dst-address
expire :
specifies interval after which recored ip address /port will be
deleted (optional)
64

dst-limit
• count - maximum average packet rate measured in packets per time interval
• time - specifies the time interval in which the packet rate is measured
(optional)
• burst - number of packets which are not counted by packet rate
• mode - the classifier for packet rate limiting
65

connection-limit
to limit connection per IP address or per block IP address
Example:
limit 200 connection in every /26
mean rule will be match if connection under 200 for /26

IPs.
66

limit
to limit data packet, usually for packet that not have real
Connection
Example: icmp data
limit 5 pps (packets per second) with 5 packet burst, and

drop for the next icmp packet
67

src/dst-address-type:
unicast – IP Address as usually use
local – IP Address that installed on the router
broadcast – IP Address broadcast
multicast – IP address that use to multicast
68
IP Firewall Filter Rule (Extra) - PSD
PSD (Port Scan Detection)

Filter or and identify port scanning (TCP)
low port : 0 – 1023
high port : 1024 - 65535
69
IP Firewall Filter Rule (Extra) – Connection Limit
• Download nmap from nmap.org and install your laptop

• Make firewall rule to detect and put src ip address of the
PSD attacker on the address-list
/ip firewall filter

add action=add-src-to-address-list address-list=attacker
address-list-timeout=2m chain=input psd=21,3s,3,1
• Scan your router using nmap software

cmd>Nmap 192.168.88.1
70
User Define/Custom Chain

• Every user-defined chain should subordinate to at least one of the default
chains using action=jump to define chain
• We no need to make more than one action in different “if” condition.
71
User Define/Custom Chain
72
IP Firewall Mangle
73
IP Firewall Mangle
• Use to IP packet marking and IP header fields
adjustment
• The mangle facility allows to mark IP packets with
special marks.
• These marks are used by other router facilities like
routing and bandwidth management to identify the
packets.
• Additionally, the mangle facility is used to modify some
fields in the IP header, like TOS (DSCP) and TTL fields.
• Mangle will be used by router its self, mean mangle can’t
transfer to another router
74
IP Firewall Mangle
• Like IP firewall filter, mangle rules are organized in chains
• There are five built-in chains:
• Prerouting- making a mark before Global-In queue
• Postrouting - making a mark before Global-Out queue
• Input - making a mark before Input filter
• Output - making a mark before Output filter
• Forward - making a mark before Forward filter
• New user-defined chains can be added, as necessary
75
IP Firewall Mangle Diagram
76
Traffic Flow version 6

• Diagram showing the process flow of data packets RouterOS Versi 6.x
77
IP Firewall Mangle Action

• There are 7 more actions in the mangle:
• mark-connection – mark connection (mark only
first packet)
• mark-packet – mark a flow (all packets)
• mark-routing - mark packets for policy routing
• change MSS - change maximum segment size of
the packet
• change TOS - change type of service
• change TTL - change time to live
• strip IPv4 options
78
Mark Connection
• Use mark connection to identify one or group
of connections with the specific connection
mark
• Connection marks are stored in the
connection tracking table
• There can be only one connection mark for
one connection.
• Connection tracking helps to associate each
packet to a specific connection (connection
mark)
79
Mark Connection Rule
80
Mark Packet Rule
81
Mark Connection and Mark Packet Rule
82
Mark Packet
Packets can be marked
• Indirectly. Using the connection tracking
facility, based on previously created
connection marks (faster)
• Directly. Without the connection tracking
- no connection marks necessary, router
will compare each packet to a given
conditions (this process imitates some of
the connection tracking features)
83
Mangle Passtrough
84
Mangle Passtrough
85
IP Firewall Mangle NTH

• NTH is one of mangle feature that can be used for load balancing
or load sharing by counting packet that has “new” connection state
• We can call NTH with Peer Packet Load Balancing
• “Every” is sum of packet in one group, “Packet” is squence number

to start counting
• If we use NTH as load balancing with masquarade, sometime we
will loosing session, for example, we need to re-login to website
that remember the session
86
IP Firewall Mangle NTH

3,1
LOCAL
3,2 INTERNET
3,3
/ip firewall mangle

add action=mark-routing chain=prerouting new-routing-mark=first nth=3,1
add action=mark-routing chain=prerouting new-routing-mark=second nth=3,2
add action=mark-routing chain=prerouting new-routing-mark=third nth=3,3
/ip route add gateway=ISP1 routing-mark=first

/ip route add gateway=ISP2 routing-mark=second
87
IP Firewall Mangle PCC

• PCC (Peer Connection Classified) is load balancing based on
connection
• Same with NTH, PCC dividing the packets by counting it, but PCC
will identify packets in one connection base on : dst-address, src-
address, both-addresses, dst-port, src-port, both-ports, dst-
address-and-port,src-address-and-port,both-addresses-and-ports
• Mean packet will be counted every 2 packets, and will start with
packet number 0 (first packet)
• NTH counting packet start from 1 but PCC counting packet start
from 0
88
IP Firewall Mangle PCC

3,0
LOCAL
3,1 INTERNET
3,2
/ip firewall mangle

add action=mark-routing chain=prerouting new-routing-mark=first per-connection-classifier=both-
addresses 3/0
add action=mark-routing chain=prerouting new-routing-mark=second per-connection-classifier=both-
addresses 3/1
add action=mark-routing chain=prerouting new-routing-mark=third per-connection-classifier=both-
addresses 3/2
/ip route add gateway=ISP1 routing-mark=first

/ip route add gateway=ISP3 routing-mark=third
89
HTB
Hierarchical Token Bucket
90
HTB
• All Quality of Service implementation in
RouterOS is based on Hierarchical Token Bucket
• HTB allows to create hierarchical queue structure
and determine relations between parent and
child queues and relation between child queues
• RouterOS V5 support 3 virtual HTBs (global-in,
global-total, global-out) and one more just before
every interface
91
Mangle and HTB
92
Mange and HTB
• When packet travels through the router, it passes all 4 HTB trees
• When packet travels to the router, it passes only global-in and global-total HTB.
• When packet travels from the router, it passes global-out, global-total and interface
HTB.
93
HTB
• As soon as queue have at least one child it
become parent queue
• All child queues (don't matter how many levels of
parents they have) are on the same bottom level
of HTB
• Child queues make actual traffic consumption,
parent queues are responsible only for traffic
distribution
• Child queues will get limit-at first and then rest of
the traffic will distributed by parents
94
HTB Structure
95
HTB Limitation
• HTB has two rate limits:
• CIR (Committed Information Rate) – (limit-at in
RouterOS) worst case scenario, flow will get this

amount of traffic no matter what (assuming we can
actually send so much data)
• MIR (Maximal Information Rate) – (max-limit in
RouterOS) best case scenario, rate that flow can get

up to, if there queue's parent has spare bandwidth
• At first HTB will try to satisfy/meet every child queue's
limit-at – only then it will try to reach max-limit
96
HTB Limitation
• Maximal rate of the parent should be equal or
bigger than sum of committed rates of the
children
• MIR (parent) ≥ CIR(child1) +...+ CIR(childN)
• Maximal rate of any child should be less or
equal to maximal rate of the parent
• MIR (parent) ≥ MIR(child1)
• MIR (parent) ≥ MIR(child2)
• MIR (parent) ≥ MIR(childN)
97
HTB Limitation
Max-limit parent should be equal or bigger than
summary of limit-at of the clients
• max-limit(parent) >= limit-at(child1) + .... + limit-
at(child*)
example:
• queue1 – limit-at=512k – parent=parent1
max-limit parent1 at least (512k*3) or 1,5M, if less
than 1,5M max-limit will not work properly
98
HTB Limitation
Max-limit parent should be equal or bigger than
summary of limit-at of the clients
• max-limit(parent) >= limit-at(child1) + .... + limit-
at(child*)
example:
max-limit parent1 at least (512k*3) or 1,5M, if less
than 1,5M max-limit will not work properly
99
Tips
• Top of the parent no need limit-at and priority
parameter
• Priority only work in the last child, comparing all
of end child
• Priority will be calculate after all limit-at (CIR)
was delivered. And the rest bandwidth will be
distribute by looking the priority of the childs
100
Tips
• Top of the parent no need limit-at and priority
parameter
• Priority only work in the last child, comparing all
of end child
• Priority will be calculate after all limit-at (CIR)
was delivered. And the rest bandwidth will be
distribute by looking the priority of the childs
101
HTB Distribution (1)
• B and C will get 2M

• If C not using internet, then B can get 4M
102
• Even max-limit of the parent is 2M, child B and C still can get 2M, that way
max-limit parent >= total limit-at of all clients
• If B not using internet C still cant up until 4M, but still on 2M
103
• B will get bandwidth more than limit-at because priority is 1, higher than C
that has priority 8
104
• Client B, C1 and C2, will get 2mbps, as their limit-at
105
• C1 and C2 can up until max-limit, because their parent(C) hasl imit-at up to

4mbps
106
• If all of limit-at has been fulfilled, the rest of bandwidth will be devided by
priority
107
• Priority of parent (rule that has level 0) is not affected.
108
• All child will get traffic 2mpps
109
• C1, C2, C3 will get 2mbps because priority higher B1 and B2
110
• Queue-B will get 4mbps because limit-at its limit-at.

• C1 > C2 and C1 > C3 because theri priority

MTCTCE English PDF

Uploaded by

Copyright:

Available Formats

MTCTCE English PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MTCTCE English PDF

Uploaded by

Copyright:

Available Formats

MIKROTIK ADVANCED TRAINING

PRESENTED BY Oky Tria Saputra

ID-Networkers & trainingmikrotik.com

TRAFFIC CONTROL OUTLINE

DOMAIN NAME SYSTEM

Domain Name System

Domain Name System

• DNS client is used only by router in web-

LAB - DNS Configuration

Transparent Static DNS

LAB- Static DNS

Redirect to the router

LAB - DNS Static

IP of your web server

LAB - DNS Static

LAB - DNS Static

DHCP Communication Step

LAB DHCP Server Client

• One participant become client another participant become DHCP station

DHCP Client Communication Step

DHCP Server Communication Step

DHCP Client Identification

To convert decimal to hex you can using calculator or online converter

LAB DHCP Server Option

• With DHCP option, give the client static route to

LAB - DHCP Options

Create DHCP option, and assign to DHCP

DHCP Server Settings

DHCP Server Settings

LAB - DHCP Relay

LAB - DHCP Relay

Network and Relay’s local address

LAB - DHCP Relay

IP address of interface LAN

Web Proxy Feature

LAB - Web Proxy

LAB - Web Proxy

LAB – Transparent Web Proxy

LAB - Web Proxy

Check on your router at IP>Web Proxy> Connections menu

LAB - Web Proxy Access Rule

Web-Proxy Access Rule

Web Proxy URL Filtering

Destination host Destination path

Web Proxy URL Filtering

Web-Proxy Rule List

If there is no firewall, by default mikrotik accept all connection

RouterOS Local Services

• We can filter it with chain input

IP Firewall Filter Rule (Extra)

IP Firewall Filter Rule (Extra)

IP Firewall Filter Rule (Extra)

IP Firewall Filter Rule (Extra)

mean rule will be match if connection under 200 for /26

IP Firewall Filter Rule (Extra)

limit 5 pps (packets per second) with 5 packet burst, and

IP Firewall Filter Rule (Extra)

IP Firewall Filter Rule (Extra) - PSD

PSD (Port Scan Detection)