
IP Firewall Raw Protect Connection-Tracking

Valens Riyadi is a Mikrotik Certified Trainer and the first in Asia Pacific. He discusses various router optimization techniques in Mikrotik RouterOS including Fast Path, FastTrack, and RAW. Fast Path forwards all traffic without processing to reduce CPU load. FastTrack selectively fast tracks established connections. RAW allows dropping packets before connection tracking to mitigate DDoS, reducing CPU load compared to filters. Each technique has different capabilities and tradeoffs for processing traffic with or without connection data.

Router Optimization with Firewall/Raw
Valens Riyadi
PT Citraweb Solusi Teknologi
www.mikrotik.id
@valensriyadi
@valensriyadi
Valens Riyadi
First Mikrotik Certified Trainer in Asia Pacific
PHP, mySQL, IT on Disaster, Cyber Crime
Head of NIR - IDNIC (APJII) 2009-2015
• PT Citraweb Solusi Teknologi
• MikroTik Distributor & Training Center
• PT Jembatan Citra Nusantara
• Internet Service Provider (citra.net)
• PT Citraweb Digital Multisolusi
• Web developer
Live Streaming: http://mikrotik.id
Follow Citraweb on: @mikrotik.id, @mikrotik.indonesia
Packet Flow in MikroTik RouterOS
• NAT
• Mangle
• BGP
• Bridging
• Firewall filter
• Switching
• QoS
• VLAN
• Routing
• VPN
• OSPF
• MPLS
"I don't need all of them"
"I only need the forwarding engine"
Fast Path
• Since RouterOS v6
• Fast Path is an interface driver extension that allows you to receive/process/send traffic without unnecessary processing: faster, lower CPU.
[Figure: IPv4 packet flow without FastPath vs with FastPath. Without FastPath a packet passes input interface → prerouting → routing decision → forward (or input → local process → output) → postrouting → HTB → output interface. With FastPath the IPv4 FP path carries the packet from the input interface straight to the output interface, bypassing those stages.]
Hardware Compatibility with FastPath
• RB6xx series ether1,2
• Most of the RB7xx series all ports
• RB800 ether1,2
• RB9xx series all ports
• RB1000 all ports
• RB1100 series ether1-11
• RB2011 series all ports
• RB3011 series all ports
• CRS series routers all ports
• CCR series routers all ports
Virtual Interface
• bridge interfaces (since 6.29)
• vlan, vrrp interfaces (since 6.30)
• bonding interfaces - rx only (since 6.30)
• eoip, gre, ipip interfaces (since 6.33).
EoIP, GRE and IPIP interfaces have a per-interface setting "allow-fast-path".

Allowing fast path on EoIP, GRE and IPIP interfaces has the side effect of bypassing the firewall, connection tracking, simple queues, queue tree with parent=global, IP accounting, IPsec, hotspot universal client and VRF assignment for encapsulated packets that go through fast path. Note that allowing fast path for a tunnel does not guarantee that all packets will go through fast path, so slow-path packets still receive regular processing as before.
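The side effect above is easy to miss because the setting is per tunnel. The following is an added example (not from the slides) showing the two cases side by side; interface names and the RFC 5737 documentation addresses are constructed for illustration.

```routeros
# Added example, not from the presentation. Assumes RouterOS v6.33 or later
# (allow-fast-path on tunnel interfaces). Addresses and names are constructed.
/interface gre
# Transit-only tunnel: nothing on this router filters, queues or counts the
# encapsulated traffic, so fast path is safe and saves CPU.
add name=gre-transit local-address=203.0.113.1 remote-address=203.0.113.2 \
    allow-fast-path=yes comment="transit only - fast path allowed"
# Tunnel whose inner traffic must be seen by firewall filter, simple queues or
# IP accounting: fast path would silently bypass all of them, so keep it off.
add name=gre-filtered local-address=198.51.100.1 remote-address=198.51.100.2 \
    allow-fast-path=no comment="inner traffic is firewalled - fast path off"
```

A quick sanity check after changing the setting is to watch the firewall counters for rules that match the tunnel's inner traffic: if they stop increasing while traffic is flowing, the packets are taking the fast path and the rules are no longer being consulted.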
FastPath Requirements
• firewall rules are not configured;
• firewall address lists are not configured;
• simple queues and queue trees with parent=global are not configured;
• no mesh or metarouter interface configuration;
• sniffer, torch and traffic generator are not running;
• connection tracking is not active;
• IP accounting is disabled (/ip accounting enabled=no);
• VRFs are not set (/ip route vrf is empty);
• Hotspot is not used (/ip hotspot has no interfaces);
• IPsec policies are not configured (ROS v6.8);
• /tool mac-scan is not actively used;
• /tool ip-scan is not actively used;
• route cache must be enabled
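Because a single leftover rule or queue is enough to push the whole router back onto the slow path, it helps to audit the list above from the CLI. The script below is an added example, not part of the slides; it assumes RouterOS v6.36 or later and uses only the standard `print count-only`, `get` and `/ip settings print` commands. The numbers in the comments are constructed sample output.

```routeros
# Added example, not from the presentation. Assumes RouterOS v6.36+.
# Paste into a terminal or run as /system script. Reports anything that
# prevents FastPath, then reads the FastPath status counters.

# 1. Objects that pull IPv4 traffic onto the slow path
:local filter [/ip firewall filter print count-only]
:local mangle [/ip firewall mangle print count-only]
:local nat    [/ip firewall nat print count-only]
:local alist  [/ip firewall address-list print count-only]
:local simple [/queue simple print count-only]
:local gtree  [/queue tree print count-only where parent=global]
:local vrf    [/ip route vrf print count-only]
:local hspot  [/ip hotspot print count-only]
# the built-in IPsec policy template is excluded; only real policies count
:local ipsec  [/ip ipsec policy print count-only where template=no]

:if (($filter + $mangle + $nat) > 0) do={
    :put "firewall rules present: filter=$filter mangle=$mangle nat=$nat" }
:if ($alist > 0)  do={ :put "address-list entries present: $alist" }
:if ($simple > 0) do={ :put "simple queues present: $simple" }
:if ($gtree > 0)  do={ :put "queue tree entries with parent=global: $gtree" }
:if ($vrf > 0)    do={ :put "VRFs configured: $vrf" }
:if ($hspot > 0)  do={ :put "hotspot servers configured: $hspot" }
:if ($ipsec > 0)  do={ :put "IPsec policies configured: $ipsec" }

# 2. Settings that must be in the required state
:put ("ip accounting enabled:  " . [/ip accounting get enabled])
:put ("connection tracking:    " . [/ip firewall connection tracking get enabled])
:put ("route cache:            " . [/ip settings get route-cache])

# 3. Is FastPath actually carrying traffic? Counters only grow while it is.
#    Sample (constructed) output:
#      ipv4-fast-path-active: yes
#      ipv4-fast-path-packets: 1234567
#      ipv4-fast-path-bytes: 987654321
/ip settings print
```

With `connection tracking` set to `auto`, conntrack switches itself off once no firewall rules need it, which is what the "connection tracking is not active" requirement relies on; if it reports `yes` the tracking stays on regardless of rules and FastPath will not activate.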
FastPath Limitations
• Cannot be implemented on all hardware/interfaces.
Check: https://wiki.mikrotik.com/wiki/Manual:Fast_Path
• On/off applies to the whole traffic of the router; we cannot choose which traffic should go through fast path and which through slow path.
• Several important features cannot be used: firewall, mangle, torch, etc.
FastTrack
A feature of the firewall (mangle and filter) where we can select a particular connection to be "fast-tracked", so that its established and related packets are no longer checked by mangle, filter, QoS, etc.
Filter/Mangle accept
• (established, related - accept)
• The packet is not processed by the following rules in that chain, but it is still processed by the later functions.
• For example, with firewall/filter chain=forward action=accept, the packet is still processed by the postrouting chain and QoS.
FastTrack
• A packet that enters FastTrack is not processed by any later function; it goes straight to the outgoing interface.
• For example, with firewall/filter chain=forward action=fasttrack-connection, the packet is not processed by the postrouting chain and QoS.
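To make the accept-versus-fasttrack difference concrete, here is the usual pair of forward-chain rules with a selective exclusion, as an added example that is not from the slides. The address list name `no-fasttrack`, the WAN interface name `ether1` and the verification commands are assumptions, not values from the presentation.

```routeros
# Added example, not from the presentation. Assumes RouterOS v6.36+.
/ip firewall filter
# Fast-track established/related connections, except sources that must stay
# visible to mangle and queues (address list "no-fasttrack" is an assumed name).
# Fast-tracked packets skip mangle, filter and QoS entirely, so anything that
# needs shaping or marking has to be excluded here, not later.
add chain=forward action=fasttrack-connection connection-state=established,related \
    src-address-list=!no-fasttrack comment="fasttrack established/related"
# Keep a plain accept directly behind it: the first packets of a connection, and
# any packet that cannot be fast-tracked, still arrive here on the slow path.
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related (slow-path packets)"
add chain=forward action=drop connection-state=invalid
# New connections from the WAN side are dropped unless a dst-nat rule admitted them.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 comment="drop unsolicited new connections from WAN"

# Verification: the F flag marks fast-tracked entries in the connection table,
# and the fasttrack counters in /ip settings only move while FastTrack is used.
/ip firewall connection print where fasttrack=yes
/ip settings print
```

The order matters: the fasttrack rule must come first, and the accept rule right after it. Removing the accept rule looks harmless because the counters on it are small, but it is what carries the packets that FastTrack cannot handle (the comparison later in the deck lists them: non-TCP/UDP traffic and packets without a tracked connection).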
[Figure: FastTrack flow. The same IPv4 packet-flow stages as before (input interface → prerouting → routing decision → forward / input → local process → output → postrouting → HTB → output interface); the IPv4 FT path is drawn from the input interface to the output interface alongside them, carrying fast-tracked packets past prerouting, forward, postrouting and HTB.]
FastTrack Restrictions
• no mesh or metarouter interface configuration;
• sniffer, torch and traffic generator are not running;
• /tool mac-scan is not actively used;
• /tool ip-scan is not actively used;
FastPath or FastTrack?
FastPath
• Without connection tracking
• Applies to the whole system
• For any traffic
FastTrack
• Based on connection tracking
• For established and related packets
• Only for TCP and UDP
• You can choose which connections to fast-track
• Does not work for packets without a connection
RAW
Firewall RAW
• Since ROS 6.36rc21
• Firewall RAW lets us choose to pass or drop packets BEFORE connection tracking, which saves CPU load.
• Very useful for DDoS mitigation.
• Only available in the prerouting and output chains, positioned right before connection tracking.
[Figure: full IPv4 packet flow with RAW. Input interface → RAW prerouting → connection tracking → mangle prerouting → global HTB → dst-nat → routing decision; then either forward (mangle forward, filter forward) or input (mangle input, filter input) → local process → RAW output → connection tracking → mangle output → filter output → routing adjustment; both paths continue to mangle postrouting → src-nat → global HTB → output interface. RAW sits immediately before connection tracking in both the prerouting and the output chain.]
RAW has no parameters that depend on connection tracking, such as connection-state, L7, packet-mark, etc.
Without FastPath – 30-50% CPU load
With FastPath – 10-20% CPU load
With RAW – 10-20% CPU load
Example RAW Application
• RAW for traffic passing through the router, while protection of "input" can still use L7, connection tracking, etc.
• Firewalling, port-scan and DDoS detection use the firewall forward chain. When an attack is detected, add-src-to-address-list.
• RAW action=drop for traffic originating from that attacker address list.
• The CPU load needed to drop in RAW is much smaller than for a filter drop.
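The detect-then-drop pattern described above, written out as an added example that is not from the slides. The address list name `ddos-attackers`, the WAN interface `ether1`, the list timeout and the detection thresholds are assumptions chosen for illustration; `connection-limit` and `psd` are standard RouterOS filter matchers.

```routeros
# Added example, not from the presentation. Assumes RouterOS v6.36+ (firewall raw).
# Names, interface, thresholds and timeout are constructed for illustration.

# Step 1 - detection stays in the normal forward chain, where connection tracking
# and the stateful matchers (connection-limit, psd, ...) are available.
/ip firewall filter
add chain=forward action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=1h protocol=tcp connection-state=new in-interface=ether1 \
    connection-limit=100,32 comment="flood: >100 concurrent connections from one /32"
add chain=forward action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=1h protocol=tcp in-interface=ether1 psd=21,3s,3,1 \
    comment="port scan detected"

# Step 2 - once a source is listed, drop it in RAW prerouting. This runs before
# connection tracking, so the flood no longer creates conntrack entries and never
# reaches the filter chain; the per-packet cost is one address-list lookup.
/ip firewall raw
add chain=prerouting action=drop src-address-list=ddos-attackers in-interface=ether1 \
    comment="drop listed attackers before connection tracking"

# Step 3 - the input chain keeps full stateful protection for the router itself,
# exactly as the slide says: RAW is used for transit traffic, not for "input".
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid

# Operational checks: who is listed right now, and is the RAW rule actually hit?
/ip firewall address-list print where list=ddos-attackers
/ip firewall raw print stats
```

Two practical caveats. First, thresholds like `connection-limit=100,32` count per source address, so many legitimate users behind one NAT gateway can trip them; start with `action=log` on the detection rules and tune before switching to `add-src-to-address-list`. Second, because the RAW drop happens before connection tracking, a listed source is invisible to the forward chain until its entry times out, which is why the list entries carry a timeout rather than being permanent. RAW also offers `action=accept` (the packet continues into connection tracking) and `action=notrack` (it continues without a conntrack entry), which is the "pass" side of the "pass or drop" choice mentioned above.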
FastPath, RAW or FastTrack?
FastPath
• Applies to all traffic on that router; you cannot choose.
• Cannot run connection tracking, firewall, etc.
RAW
• RAW is a matcher for entering the "fast path".
• Applies according to the matcher; other traffic can go through the "slow path" or "fast track".
• Connection tracking still works for non-RAW traffic, as do the other complex features.
• Can be used for connection-less traffic (not possible with FastTrack).
• RAW can also be used to drop.
See more details:
• FastPath: https://wiki.mikrotik.com/wiki/Manual:Fast_Path
• FastTrack: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
• RAW: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw
Thank You!
Valens Riyadi
PT Citraweb Solusi Teknologi
www.mikrotik.id
@valensriyadi
@valensriyadi
