[HamWAN PSDR] Mikrotik Firewall

Nigel Vander Houwen nigel at nigelvh.com
Mon May 25 16:33:25 PDT 2020


Rob,

It sounds like you're wading into some deeper territory. I’d suggest referencing the packet flow diagrams for this, which describe how a packet will be processed in a given scenario. https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

With regards to a mangle then filter vs filter only, filter only is almost certainly more performant. As you’ll see in the diagrams, mangle and filter processing happen at separate stages. Needing to process at both stages is likely to be slower. How much slower, or whether that amount slower will be of any impact in your use case, will come down to significant testing and understanding of your network/use case/applications.

Having a larger number of addresses in an address list does take more time to check, but the binary search trees are very fast. Unless you’re talking thousands of entries, I wouldn’t worry about it much.

Ordering of firewall rules does matter. It is going to check for a match sequentially, so your most commonly hit rules should be placed first so it’s not wasting time checking the other non-matching rules before it gets there. But again, in general this is very fast and you’re unlikely to see significant differences unless you have huge numbers of rules, or individual rules that take a longer time to check as noted above.

In terms of testing, open source tools like Nping may serve you well in terms of being able to set up a custom packet and test flow through your device. Looking at the CPU load on the router will also be a useful indicator.

Nigel

> On May 25, 2020, at 15:53, Rob Martin via PSDR <psdr at hamwan.org> wrote:
> 
> Greetings,
> 
> I have been writing a lot of Mikrotik Firewall rules lately. I know I am getting better at it, but the more I know, the more apparent it is that there is a lot more to learn!
> 
> I have questions about how best to use the Mikrotik Firewall. The lines below are to illustrate the issue, and are not comprehensive. Also, I have used extra spaces to make it easier to see what I am doing.
> 
> Let’s say I want to block a list of address ranges, in this case (some of the) Bogons, those non-routable addresses that should never be the src-address of any incoming traffic from outside my network. For whatever reason, traffic from Bogons shows up anyway.
> 
> First, add the addresses to the address-list.
> 
> /ip firewall address-list
>  add address=10.0.0.0/8     list=Bogon
>  add address=172.16.0.0/12  list=Bogon
>  add address=192.168.0.0/16 list=Bogon
> 
> Technique #1 – Drop incoming Bogon traffic in the Firewall Filter. The determination as to whether the traffic is arriving through the tunnel, and whether its src-address is on the Bogon list, is performed twice, once for chain=input and again for chain=forward.
> 
> /ip firewall filter
>  add chain=input   action=drop in-interface=Tnl src-address-list=Bogon
>  add chain=forward action=drop in-interface=Tnl src-address-list=Bogon   
> 
> Technique #2 – Mark the incoming Bogon traffic prior to routing using Firewall Mangle – chain=prerouting – then drop it in Firewall Filter with two simpler rules. A single Firewall Mangle rule will mark everything in one rule. That is all it does. The two Firewall Filter rules that follow only have to match the packet-mark.
> 
> /ip firewall mangle
>  add \
>    chain=prerouting \
>    action=mark-packet \
>    new-packet-mark=Bogon_from_Tnl \
>    passthrough=no \
>    src-address-list=Bogon \
>    in-interface=Tnl
> 
> /ip firewall filter
>  add chain=input   action=drop packet-mark=Bogon_from_Tnl
>  add chain=forward action=drop packet-mark=Bogon_from_Tnl
> 
> I think both of the above techniques will achieve the same result, blocking Bogon traffic arriving through the tunnel. 
> 
> Questions:
> 1. Which method is better, and by better I think I mean, which has the lowest impact on the performance of the router?
> 2. Does the answer depend on the number of the Bogons in the address-list?
> 3. Does the answer depend on where in the Firewall Mangle list the Mangle rule is positioned?
> 4. Does the answer depend on where in the Firewall Filter list the Filter rules are positioned?
> 5. Is there a way to measure any of this quickly with simple tools, and on a limited budget?
> 
> Who out there is a Firewall expert?!!
> 
> Rob
> K7QJ
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.net/mailman/listinfo/psdr
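
The filter-only approach Nigel recommends, written out as an added example (this is not configuration from either post): Rob's three RFC 1918 prefixes plus further bogon prefixes from RFC 6890 (illustrative, not a complete bogon list), the "most commonly hit rules first" ordering Nigel describes, and the RouterOS commands for reading per-rule hit counters and CPU load afterwards. The interface name Tnl is taken from Rob's message; the rule comments and the choice to accept established/related traffic ahead of the bogon drop are assumptions of this example.

```routeros
# Added example, not from the original posts. Filter-only bogon drop
# with rule ordering for performance. "Tnl" is Rob's tunnel interface;
# prefixes beyond his three are from RFC 6890 and are illustrative.
/ip firewall address-list
add list=Bogon address=0.0.0.0/8       comment="this network"
add list=Bogon address=10.0.0.0/8      comment="RFC 1918"
add list=Bogon address=100.64.0.0/10   comment="shared address space, RFC 6598"
add list=Bogon address=127.0.0.0/8     comment="loopback"
add list=Bogon address=169.254.0.0/16  comment="link-local"
add list=Bogon address=172.16.0.0/12   comment="RFC 1918"
add list=Bogon address=192.0.2.0/24    comment="TEST-NET-1"
add list=Bogon address=192.168.0.0/16  comment="RFC 1918"
add list=Bogon address=198.18.0.0/15   comment="benchmarking, RFC 2544"
add list=Bogon address=198.51.100.0/24 comment="TEST-NET-2"
add list=Bogon address=203.0.113.0/24  comment="TEST-NET-3"
add list=Bogon address=224.0.0.0/3     comment="multicast and reserved (224/4 + 240/4)"

/ip firewall filter
# Most frequently matched rules first: packets of already-accepted
# connections are the bulk of traffic and never reach the address-list
# lookup below. Bogon-sourced packets never become "established"
# because their first packet is dropped further down.
add chain=input   action=accept connection-state=established,related comment="fast path"
add chain=forward action=accept connection-state=established,related comment="fast path"
add chain=input   action=drop   connection-state=invalid
add chain=forward action=drop   connection-state=invalid
# Bogon source addresses arriving over the tunnel. One rule per chain:
# input (to the router) and forward (through it) are separate chains,
# so the lookup is done once per packet whichever chain it takes.
add chain=input   action=drop in-interface=Tnl src-address-list=Bogon comment="bogon-in"
add chain=forward action=drop in-interface=Tnl src-address-list=Bogon comment="bogon-fwd"

# Measuring: zero the counters, send test packets from a host on the
# far side of the tunnel (see the usage note), then read which rules
# were hit and how the CPU was spent.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where comment~"bogon"
/tool profile
```

To exercise the rules from a host on the far end of the tunnel, send packets with a spoofed bogon source (this needs root on the sending host, and no reply will come back because the source address is not routable), for example `nping --tcp -p 22 -c 5 --source-ip 10.1.2.3 <router tunnel address>`; the packets then show up in the `bogon-in` counter, while the same command aimed at an address behind the router should increment `bogon-fwd`. Comparing the counters with the `fast path` rules' counters shows how much traffic is being stopped before the address-list lookup, which is the ordering effect Nigel describes.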
