[HamWAN PSDR] Mikrotik Firewall

Rob Martin rgmrob at yahoo.com
Mon May 25 15:53:39 PDT 2020


Greetings,

I have been writing a lot of Mikrotik Firewall rules lately. I know I am getting better at it, but the more I know, the more apparent it is that there is a lot more to learn!

I have questions about how best to use the Mikrotik Firewall. The lines below are to illustrate the issue, and are not comprehensive. Also, I have used extra spaces to make it easier to see what I am doing.

Let’s say I want to block a list of address ranges, in this case (some of the) Bogons, those non-routable addresses that should never be the src-address of any incoming traffic from outside my network. For whatever reason, traffic from Bogons shows up anyway.

First, add the addresses to the address-list.

/ip firewall address-list
  add address=10.0.0.0/8     list=Bogon
  add address=172.16.0.0/12  list=Bogon
  add address=192.168.0.0/16 list=Bogon

Technique #1 – Drop incoming Bogon traffic in the Firewall Filter. The determination as to whether the traffic is arriving through the tunnel, and whether its src-address is on the Bogon list, is performed twice, once for chain=input and again for chain=forward.

/ip firewall filter
  add chain=input   action=drop in-interface=Tnl src-address-list=Bogon
  add chain=forward action=drop in-interface=Tnl src-address-list=Bogon

Technique #2 – Mark the incoming Bogon traffic prior to routing using Firewall Mangle – chain=prerouting – then drop it in Firewall Filter with two simpler rules. A single Firewall Mangle rule will mark everything in one rule. That is all it does. The two Firewall Filter rules that follow only have to match the packet-mark.

/ip firewall mangle
  add
    chain=prerouting
    action=mark-packet
    new-packet-mark=Bogon_from_Tnl
    passthrough=no
    src-address-list=Bogon
    in-interface=Tnl

/ip firewall filter
  add chain=input   action=drop packet-mark=Bogon_from_Tnl
  add chain=forward action=drop packet-mark=Bogon_from_Tnl

I think both of the above techniques will achieve the same result, blocking Bogon traffic arriving through the tunnel.

Questions:
1. Which method is better, and by better I think I mean, which has the lowest impact on the performance of the router?
2. Does the answer depend on the number of the Bogons in the address-list?
3. Does the answer depend on where in the Firewall Mangle list the Mangle rule is positioned?
4. Does the answer depend on where in the Firewall Filter list the Filter rules are positioned?
5. Is there a way to measure any of this quickly with simple tools, and on a limited budget?

Who out there is a Firewall expert?!!

Rob
K7QJ
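An added example for question 5, not from Rob's post: a RouterOS script that resets the firewall counters, samples the router's cpu-load for 30 seconds, then prints the hit counters for the rules of both techniques so the two can be compared under similar traffic (the list name Bogon, the mark Bogon_from_Tnl and the interface Tnl are taken from the post above).

```routeros
# Constructed example, not part of the original post. Run it once with the
# Technique #1 rules installed and once with Technique #2, under comparable
# traffic, and compare the averages and counters.
/ip firewall filter reset-counters-all
/ip firewall mangle reset-counters-all

# Sample overall CPU load once per second for 30 seconds (integer average).
:local samples 30
:local total 0
:for i from=1 to=$samples do={
  :set total ($total + [/system resource get cpu-load])
  :delay 1s
}
:put ("average cpu-load over $samples s: " . ($total / $samples) . "%")

# Hit counters show how many packets each rule actually matched.
# Technique #1: the two filter rules that consult the Bogon address-list.
/ip firewall filter print stats where src-address-list=Bogon
# Technique #2: the single mangle rule, then the two filter rules on its mark.
/ip firewall mangle print stats where new-packet-mark=Bogon_from_Tnl
/ip firewall filter print stats where packet-mark=Bogon_from_Tnl

# Per-subsystem CPU share over a 10 second window; the "firewall" line is the
# one to compare between the two runs.
/tool profile duration=10s
```

Counters for rules that never match are a sign the rule sits after an earlier rule that already handled the traffic, which bears on questions 3 and 4.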

