MikroTik RouterOS (v6) Training Traffic Control

MikroTik RouterOS (v6) Training Traffic Control
01/08/2014
Schedule
• 09:00 – 10:30 Morning Session I
– 10:30 – 11:00 Morning Break
MikroTik RouterOS (v6) Training
Traffic Control
• 11:00 – 12:30 Morning Session II
– 12:30 – 13:30 Lunch Break
• 13:30 – 15:00 Afternoon Session I
– 15:00 – 15:30 Afternoon Break
• 15:30 – 17:00 (18:00) Afternoon Session II
Vahid Shahbazian fard jahromy
www.LearnMikroTik.ir
©LearnMikroTik.ir 2013
Instructor
Housekeeping
• Vahid Shahbazian fard jahromy
• Course materials
• Routers, cables
• Break times and lunch
– Training, Support & Consultant
– Specialization: Wireless, Firewall, The Dude,
Routing
©LearnMikroTik.ir 2013
2
3
©LearnMikroTik.ir 2013
Course Objective
4
Introduce Yourself
• Provide knowledge and hands-on training for
MikroTik RouterOS basic and advanced traffic
control capabilities for any size networks
• Upon completion of the course you will be
able to plan, implement, adjust and debug
traffic control configurations implemented by
MikroTik RouterOS.
• Please, introduce yourself to the class
–
–
–
–
–
Your name
Your Company
Your previous knowledge about RouterOS
Your previous knowledge about networking
What do you expect from this course?
• Please, remember your class XY number.
(X is number of the row, Y is your seat number in the
row)
My number is: X=_____ Y=_____
©LearnMikroTik.ir 2013
5
©LearnMikroTik.ir 2013
6
1
01/08/2014
Class Setup Lab
Class Setup
• Create an 192.168.XY.0/24 Ethernet network
between the laptop (.1) and the router (.254)
• Connect routers to the AP SSID “MTCTCEclass”
• Assign IP address 10.1.1.XY/24 to the wlan1
• Router’s main GW and DNS address is 10.1.1.254
• Gain access to the internet from your laptops via
local router
• Create new full access user for your router and
change “admin” access rights to “read”
©LearnMikroTik.ir 2013
7
©LearnMikroTik.ir 2013
Class setup Lab (cont.)
8
Small ISP
• Set system identity of the board and wireless
radio name to “XY_<your_name>”. Example:
“88_Shahbazian”
• Upgrade your router to the latest Mikrotik
RouterOS version
• Upgrade your Winbox loader version
• Set up NTP client – use 10.1.1.254 as server
• Create a configuration backup and copy it to
the laptop (it will be default configuration)
©LearnMikroTik.ir 2013
9
DNS Client and Cache
©LearnMikroTik.ir 2013
10
DNS Client and Cache
• DNS client is used only by router in case of
web-proxy or hotspot configuration
• Enable “Allow Remote Requests” option to
transform DNS client into DNS cache
• DNS cache allows to use your router instead of
remote DNS server, as all caches - it minimizes
resolution time
• DNS cache also can act as DNS server for local
area network address resolution
©LearnMikroTik.ir 2013
11
©LearnMikroTik.ir 2013
12
2
01/08/2014
Static DNS Entry
DNS Cache Lab
• Configure your router as DNS cache. Use
10.1.1.254 as primary server
• Add static DNS entry “www.XY.com” to your
router's Local IP address (XY – your number)
• Add static DNS entry “www.XY.com” to neighbour
router's Public IP address (XY – your neighbours
number)
• Change your laptops DNS server address to your
routers address
• Try the configuration and monitor cache list
• Each Static DNS entry will add or override
(replace existing) entry in the DNS cache
©LearnMikroTik.ir 2013
13
DHCP
IP address and netmask
Default gateway address
DNS and NTP server addresses
More than 100 other custom option (supported only
by specific DHCP clients)
• DHCP is basically insecure and should only be
used in trusted networks
©LearnMikroTik.ir 2013
14
DHCP Communication scenario
• The Dynamic Host Configuration Protocol is used
for dynamic distribution of network setting such
as:
–
–
–
–
©LearnMikroTik.ir 2013
15
• DHCP Discovery
– src-mac=<client>, dst-mac=<broadcast>, protocol=udp,
src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67
• DHCP Offer
– src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp,
src-ip=<DHCP-server>:67, dst-ip=255.255.255.255:67
• DHCP Request
– src-mac=<client>, dst-mac=<broadcast>, protocol=udp,
src-ip=0.0.0.0:68, dst-ip=255.255.255.255:67
• DHCP Acknowledgement
– src-mac=<DHCP-server>, dst-mac=<broadcast>, protocol=udp,
src-ip=<DHCP-server>:67, dst-ip=255.255.255.255:67
©LearnMikroTik.ir 2013
DHCP Client Identification
16
DHCP Client
• DHCP server are able to track lease association
with particular client based on identification
• The identification can be achieved in 2 ways
– Based on “caller-id” option (dhcp-client-identifier
from RFC2132)
– Based on MAC address, if “caller-id” option is not
specified
• “hostname” option allow RouterOS clients to
send additional identification to the server, by
default it is “system identity” of the router
©LearnMikroTik.ir 2013
17
©LearnMikroTik.ir 2013
18
3
01/08/2014
DHCP Server
DHCP Networks
• There can be only one DHCP server per
interface/relay combination on the router
• To create DHCP server you must have
• In DHCP Networks menu you can configure
specific DHCP options for particular network.
• Same of the options are integrated into
RouterOS, others can be assigned in raw form
(specified in RFCs)
• Additional information at:
– IP address on desired DHCP server interface
– Address pool for clients
– Information about planned DHCP network
http://www.iana.org/assignments/bootp-dhcp-parameters
• All 3 options must correspond
• “Lease on Disk” should be used to reduce
number of writes to the drive (useful with flash
drives)
• DHCP server is able to send out any option
• DHCP client can receive only implemented
options
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
19
DHCP Options
20
Custom DHCP Option
• Implemented DHCP options
–
–
–
–
–
–
Subnet-Mask (option 1) - netmask
Router (option 3) – gateway
Domain-Server (option 6) - dns-server
Domain-Name (option 15) – domain
NTP-Servers (option 42) - ntp-server
NETBIOS-Name-Server (option 44) - wins-server
• Custom DHCP options (Example:)
– Classless Static Route (option 121) “0x100A270A260101” = “network=10.39.0.0/16
gateway=10.38.1.1”
©LearnMikroTik.ir 2013
21
IP Address Pool
©LearnMikroTik.ir 2013
22
IP Address Pools
• IP address pools are used to define range of IP
addresses for dynamic distribution (DHCP, PPP,
Hotspot)
• Address pool must exclude already occupied
addresses (such as server or static addresses)
• It is possible to assign more that one range to
the pool
• It is possible to chain several pools together by
using “Next Pool” option
©LearnMikroTik.ir 2013
23
©LearnMikroTik.ir 2013
24
4
01/08/2014
Address Pool in Action
Other DHCP Server Settings
• Src.address – specifies DHCP servers address if
more than one IP on DHCP server's interface
• Delay Threshold – prioritize one DHCP server
over another (bigger delay less priority)
• Add ARP For Leases – allow to add ARP
entries for leases if interface ARP=reply-only
• Always Broadcast – allow communication
with non-standard clients like pseudo-bridges
• Bootp Support, Use RADIUS – (obvious)
©LearnMikroTik.ir 2013
25
©LearnMikroTik.ir 2013
Authoritative DHCP Server
26
DHCP Server
• Authoritative – allow DHCP server to reply on
unknown client's broadcast and ask client to
restart the lease
(client send broadcasts only if unicast to the
server fails when renewing the lease)
• Authoritative allow to:
– Prevent rouge DHCP server operations
– Faster network adaptation to DHCP configuration
changes
©LearnMikroTik.ir 2013
27
©LearnMikroTik.ir 2013
28
DHCP Server Leases
DHCP Server Leases (cont.)
• address: Specify ip address (or ip pool) for
static lease. If set to 0.0.0.0 - pool from server
will be used
• mac-address: If specified, must match the
MAC address of the client
• client-id: If specified, must match DHCP 'client
identifier' option of the request
• server: Server name which serves this client
• block-access: Block access for this client
• always-broadcast: Send all replies as broadcasts
• rate-limit: Sets rate limit for active lease.
Format is: rx-rate[/tx-rate] [rx-burst-rate[/txburst-rate] [rx-burst-threshold[/tx-burstthreshold] [rx-burst-time[/tx-burst-time]]]]
• address-list: Address list to which address will
be added if lease is bound.
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
29
30
5
01/08/2014
DHCP Relay
DHCP Relay
• DHCP Relay is just a proxy that is able to
receive a DHCP discovery and request and
resend them to the DHCP server
• There can be only one DHCP relay between
DHCP server and DHCP client
• DHCP communication with relay does not
require IP address on the relay, but relay's
“local address” option must be the same with
server's “relay address” option
©LearnMikroTik.ir 2013
31
DHCP Lab
• Interconnect with your neighbour
Ethernet cable
• Create 3 independent setups:
©LearnMikroTik.ir 2013
32
Simple Packet Flow structure
using
– Create DHCP server for your laptop
– Create DHCP server and relay for your neighbour
laptop (use relay option)
– Create a bridged network with 2 DHCP servers and
2 DHCP clients (laptops) and try out
“authoritative” and “delay threshold” options
©LearnMikroTik.ir 2013
33
Firewall Filters Structure
©LearnMikroTik.ir 2013
34
Firewall Filter Structure Diagram
• Firewall filter rules are organized in chains
• There are default and user-defined chains
• There are three default chains
– Input: processes packets sent to the router
– Output: processes packets sent by the router
– Forward: processes packets sent through the router
• Every user-defined chain should subordinate to at
least one of the default chains
©LearnMikroTik.ir 2013
35
©LearnMikroTik.ir 2013
36
6
01/08/2014
Connection Tracking
Conntrack Placement
• Connection Tracking (or Conntrack) system is the
heart of firewall, it gathers and manages
information about all active connections.
• By disabling the conntrack system you will lose
functionality of the NAT and most of the filter and
mangle conditions.
• Each conntrack table entry represents
bidirectional data exchange
• Conntrack takes a lot of CPU resources (disable it,
if you don't use firewall)
©LearnMikroTik.ir 2013
37
Conntrack – Winbox View
©LearnMikroTik.ir 2013
38
Condition: Connection State
• Connection state is a status assigned to each
packet by conntrack system:
– New: packet is opening a new connection
– Established: packet belongs to already known
connection
– Invalid: packet does not belong to any of the known
connections
– Related: packet is also opening a new connection, but
it is in some kind relation to already known
connection
• Connection state ≠ TCP state
©LearnMikroTik.ir 2013
39
©LearnMikroTik.ir 2013
40
First Rule Example
Protection of the router – allowing only necessary services from reliable
source with agreeable load.
CHAIN INPUT
©LearnMikroTik.ir 2013
41
©LearnMikroTik.ir 2013
42
7
01/08/2014
Connection State Lab
• Create 3 rules to ensure that only connectionstate new packets will proceed through the input
filter
– Drop all connection-state invalid packets
– Accept all connection-state related packets
– Accept all connection-state established packets
• Create 2 rules to ensure that only you will be able
to connect to the router
– Accept all packets from your local network
– Drop everything else
©LearnMikroTik.ir 2013
43
RouterOS Services
Nr.
Port
Protocol
Comment
Nr.
Port
Protocol
Comment
1
20
TCP
FTP data connection
21
53
UDP
DNS
2
21
TCP
FTP control connection
22
67
UDP
BootP or DHCP Server
3
22
TCP
Secure Shell (SSH)
23
68
UDP
BootP or DHCP Client
4
23
TCP
Telnet protocol
24
123
UDP
Network Time Protocol
5
53
TCP
DNS
25
161
UDP
SNMP
6
80
TCP
World Wide Web HTTP
26
500
UDP
Internet Key Exchange (IPSec)
7
179
TCP
Border Gateway Protocol
27
520
UDP
RIP routing protocol
8
443
TCP
Secure Socket Layer (SSL)
28
521
UDP
RIP routing protocol
9
646
TCP
LDP transport session
29
646
UDP
LDP hello protocol
10
1080
TCP
SOCKS proxy protocol
30
1701
UDP
Layer 2 Tunnel Protocol
11
1723
TCP
PPTP
31
1900
UDP
Universal Plug and Play
12
2828
TCP
Universal Plug and Play
32
5678
UDP
MNDP
13
2000
TCP
Bandwidth test server
33
20561
UDP
MAC winbox
14
8080
TCP
Web Proxy
34
---
/41
IPv6 (encapsulation)
15
8291
TCP
Winbox
35
---
/47
GRE (PPTP, EOIP)
16
8728
TCP
API
36
---
/50
ESP (IPSec)
17
8729
TCP
API-SSL
37
---
/51
AH (IPSec)
18
---
/1
ICMP
38
---
/89
OSPF routing protocol
19
---
/2
Multicast | IGMP
39
---
/103
Multicast | PIM
20
---
/4
IPIP encapsulation
40
---
/112
VRRP
©LearnMikroTik.ir 2013
44
RouterOS Service Lab
• Create a chain “services”
• Create rules to allow necessary RouterOS services
to be accessed from the public network
• Create a “jump” rule from the chain “input” to
the chain “services”
• Place a “jump” rule accordingly
• Write comment for each firewall rule
• Ask your neighbour to check the setup
©LearnMikroTik.ir 2013
45
Protection of the customers from the viruses and protection of the
Internet from the customers
CHAIN FORWARD
©LearnMikroTik.ir 2013
46
Virus Port Filter
Chain Forward Lab
• At the moment the are few hundreds active
trojans and less than 50 active worms
• You can download the complete “virus port
blocker” chain (~330 drop rules with ~500
blocked
virus
ports)
from
ftp://test@10.1.1.254
• Some viruses and trojans use standard
services ports and can not be blocked.
• Create 3 rules to ensure that only connectionstate new packets will proceed through the
input filter
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
47
– Drop all connection-state invalid packets
– Accept all connection-state related packets
– Accept all connection-state established packets
• Import the virus.rsc file into the router
• Create a jump rule to the chain “virus”
48
8
01/08/2014
Bogon IPs
Address List Options
• Instead of creating one
filter rule for each IP
network address, you
can create only one
rule for IP address list.
• Use “Src./Dst. Address
List” options
• Create an address list
in
“/ip firewall
address-list” menu
• There are ~4,3 billion IPv4 addresses
• There are several IP ranges restricted in public
network
• There are several of IP ranges reserved (not
used at the moment) for specific purposes
• There are lots of unused IP ranges!!!
• You can find information about all unused IP
ranges – judy google for “bogon IPs”
©LearnMikroTik.ir 2013
49
Address List Lab
50
Adv. Address Filtering Lab
• Allow packets to enter your network only from
the valid Internet addresses
• Allow packets to enter your network only to
the valid customer addresses
• Allow packets to leave your network only from
the valid customers addresses
• Allow packets to leave your network only to
the valid Internet addresses
• Place the rules accordingly
• Make an address list of most common bogon
IPs
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
51
©LearnMikroTik.ir 2013
52
NAT Types
• As there are two IP addresses and ports in an
IP packet header, there are two types of NAT
– The one, which rewrites source IP address and/or
port is called source NAT (src-nat)
– The other, which rewrites destination IP address
and/or port is called destination NAT (dst-nat)
Destination NAT, Source NAT, NAT traversal
NETWORK ADDRESS TRANSLATION
(NAT)
©LearnMikroTik.ir 2013
• Firewall NAT rules process only the first packet
of each connection (connection state “new”
packets)
53
©LearnMikroTik.ir 2013
54
9
01/08/2014
Firewall NAT Structure
IP Firewall Diagram
• Firewall NAT rules are organized in chains
• There are two default chains
– Dstnat: processes traffic sent to and through the
router, before it divides in to “input” and
“forward” chain of firewall filter.
– Srcnat: processes traffic sent from and through
the router, after it merges from “output” and
“forward”
chain
of
firewall
filter.
• There are also user-defined chains
©LearnMikroTik.ir 2013
55
Dst-nat Action
©LearnMikroTik.ir 2013
56
Dst-nat Rule Example
• Action “dst-nat” changes packet's destination
address and port to specified address and port
• This action can take place only in chain dstnat
• Typical application: ensure access to local
network services from public network
©LearnMikroTik.ir 2013
57
Redirect
©LearnMikroTik.ir 2013
58
Redirect Rule Example
• Action “redirect” changes packet's destination
address to router's address or to the router
specified port
• This action can take place only in chain dstnat
• Typical application: transparent proxying of
network services (DNS,HTTP)
©LearnMikroTik.ir 2013
59
©LearnMikroTik.ir 2013
60
10
01/08/2014
Redirect Lab
Dst-nat Lab
• Capture all TCP and UDP port 53 packets
originated from your private network
192.168.XY.0/24 and redirect them to the router
itself.
• Set your laptops DNS server to the random IP
address
• Clear your router's and your browser's DNS cache
• Try browsing the Internet
• Take a look at DNS cache of the router
• Capture all TCP port 80 (HTTP) packets
originated from your private network
192.168.XY.0/24 and change destination
address to 10.1.2.1 using dst-nat rule
• Clear your browser's cache on the laptop
• Try browsing the Internet
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
61
Universal Plug-and-Play
62
UPnP
• RouterOS allow to enable uPnP support for
the router.
• UPnP allow to establish both-directional
connectivity even if client is behind the NAT,
client must have uPnP support
• There are two interface types for UPnPenabled router: internal (the one local clients
are connected to) and external (the one the
Internet is connected to)
©LearnMikroTik.ir 2013
63
First VIP clients
Requirements:
Public IP address for
VIP clients
 Guaranteed speed for

VIP clients
©LearnMikroTik.ir 2013
64
Source NAT Drawbacks
• Hosts behind a NAT-enabled router do not
have true end-to-end connectivity:
Situation:
You have public IP
address and
/30 subnet of public
addresses,
You sometimes reach
ISP speed limitation
(5Mbps/5Mbps)
©LearnMikroTik.ir 2013
Clients:
“I love my ISP”
Web-server
VIP client 2
– connection initiation from outside is not possible
– some TCP services will work in “passive” mode
– src-nat behind several IP addresses is
unpredictable
– same protocols will require so-called NAT helpers
to to work correctly (NAT traversal)
VIP client 1
65
©LearnMikroTik.ir 2013
66
11
01/08/2014
NAT Helpers
Src-nat Lab
• You can specify ports for existing NAT helpers,
but you can not add new helpers
• You have been assigned one “public” IP address
172.16.0.XY/32
• Assign it to the wireless interface
• Add src-nat rule to “hide” your private network
192.168.XY.0/24 behind the “public” address
• Connect from your laptop using winbox, ssh, or
telnet via your router to the main gateway
10.1.1.254
• Check the IP address you are connecting from
(use “/user active print” on the main gateway)
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
67
68
What is Mangle?
• The mangle facility allows to mark IP packets
with special marks.
• These marks are used by other router facilities
like routing and bandwidth management to
identify the packets.
• Additionally, the mangle facility is used to
modify some fields in the IP header, like TOS
(DSCP) and TTL fields.
IP packet marking and IP header fields adjustment
FIREWALL MANGLE
©LearnMikroTik.ir 2013
69
Mangle Structure
©LearnMikroTik.ir 2013
70
Firewall Diagram (Filter, NAT and Mangle)
• Mangle rules are organized in chains
• There are five built-in chains:
– Prerouting: making a mark before dstnat
– Postrouting: making a mark before srcnat
– Input: making a mark before Input filter
– Output: making a mark before Output filter
– Forward: making a mark before Forward filter
• New user-defined chains can be added, as
necessary
©LearnMikroTik.ir 2013
71
©LearnMikroTik.ir 2013
72
12
01/08/2014
Mangle actions
Mangle actions (cont.)
• There are 9 more actions in the mangle:
–
–
–
–
mark-connection – mark connection (only first packet)
mark-packet – mark a flow (all packets)
mark-routing - mark packets for policy routing
change MSS - change maximum segment size of the
packet
– change TOS - change type of service
– change TTL - change time to live
– strip IPv4 options
©LearnMikroTik.ir 2013
73
Marking Connections
– change-dscp - change Differentiated Services Code
Point (DSCP) field value
– set-priority - set priority on the packets sent out
through a link that is capable of transporting
priority (VLAN or WMM-enabled wireless
interface).
©LearnMikroTik.ir 2013
74
Mark Connection Rule
• Use mark connection to identify one or group of
connections with the specific connection mark
• Connection marks are stored in the connection
tracking table
• There can be only one connection mark for one
connection.
• Connection tracking helps to associate each
packet to a specific connection (connection mark)
©LearnMikroTik.ir 2013
75
Marking Packets
©LearnMikroTik.ir 2013
76
Mark Packet Rule
Packets can be marked
• Indirectly. Using the connection tracking
facility, based on previously created
connection marks (faster)
• Directly. Without the connection tracking - no
connection marks necessary, router will
compare each packet to a given conditions
(this process imitates some of the connection
tracking features)
©LearnMikroTik.ir 2013
77
©LearnMikroTik.ir 2013
78
13
01/08/2014
Mangle Packet Mark Lab
Mangle View
• Mark all connections from 192.168.XY.100
address (imaginary VIP 1)
• Mark all packets from VIP 1 connections
• Mark all connections from 192.168.XY.200
address (imaginary VIP 2)
• Mark all packets from VIP 2 connections
• Mark all other connections
• Mark packets from all other connections
©LearnMikroTik.ir 2013
79
©LearnMikroTik.ir 2013
80
HTB
• All Quality of Service implementation in RouterOS
is based on Hierarchical Token Bucket
• HTB allows to create hierarchical queue structure
and determine relations between parent and
child queues and relation between child queues
• RouterOS v5 or older versions support 3 virtual
HTBs (global-in, global-total, global-out) and one
more just before every interface
• RouterOS v6 support 1 virtual HTB (global) and
one more just before every interface
Hierarchical Token Bucket
HTB
©LearnMikroTik.ir 2013
81
Mangle and HTBs in RouterOS v5 or older versions
©LearnMikroTik.ir 2013
83
©LearnMikroTik.ir 2013
82
Mangle and HTBs in RouterOS v6
©LearnMikroTik.ir 2013
84
14
01/08/2014
HTB (cont.)
HTB Features - Structure
• In RouterOS v5 or older versions when packet
travels through the router, it passes all 4 HTB
trees
• In RouterOS v5 or older versions when packet
travels to the router, it passes only global-in
and global-total HTB.
• In RouterOS v5 or older versions when packet
travels from the router, it passes global-out,
global-total and interface HTB.
• As soon as queue have at least one child it
become parent queue
• All child queues (don't matter how many levels of
parents they have) are on the same bottom level
of HTB
• Child queues make actual traffic consumption,
parent queues are responsible only for traffic
distribution
• Child queues will get limit-at first and then rest of
the traffic will distributed by parents
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
85
HTB Features - Structure
86
HTB Features – Dual Limitation
• HTB has two rate limits:
• CIR (Committed Information Rate) – (limit-at in
RouterOS) worst case scenario, flow will get this
amount of traffic no matter what (assuming we
can actually send so much data)
• MIR (Maximal Information Rate) – (max-limit in
RouterOS) best case scenario, rate that flow can
get up to, if there queue's parent has spare
bandwidth
• At first HTB will try to satisfy every child queue's
limit-at – only then it will try to reach max-limit
©LearnMikroTik.ir 2013
87
©LearnMikroTik.ir 2013
Dual Limitation
88
HTB - limit-at
• Maximal rate of the parent should be equal or
bigger than sum of committed rates of the
children
– MIR (parent) ≥ CIR(child1) +...+ CIR(childN)
• Maximal rate of any child should be less or
equal to maximal rate of the parent
– MIR (parent) ≥ MIR(child1)
– MIR (parent) ≥ MIR(child2)
– MIR (parent) ≥ MIR(childN)
©LearnMikroTik.ir 2013
89
©LearnMikroTik.ir 2013
90
15
01/08/2014
HTB - max-limit
HTB Features - Priority
• Work only for child queues to arrange them
• 8 is the lowest priority, 1 is the highest
• Queue with higher priority will get chance to
satisfy its max-limit before other queues
• Actual traffic prioritization will work only if
limits are specified. Queue without limits will
not prioritize anything
©LearnMikroTik.ir 2013
91
HTB – limit-at of the Parent
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
92
HTB – limit-at > parent's max-limit
93
©LearnMikroTik.ir 2013
94
Queue Tree
• Queue tree is direct implementation of HTB
• Each queue in queue tree can be assigned only in one
HTB
• Each child queue must have packet mark assigned to it
Advanced queue structures
QUEUE TREE
©LearnMikroTik.ir 2013
95
©LearnMikroTik.ir 2013
96
16
01/08/2014
Queue Tree and Simple Queues
HTB Lab
• Tree queue in RouterOS v5 or older versions can be placed
in 4 different places:
– Global-in (“direct” part of simple queues are placed here
automatically)
– Global-out (“reverse” part of simple queues are placed here
automatically)
– Global-total (“total” part simple queues are placed here
automatically)
– Interface queue
• In RouterOS v6 can be placed in global or interface queue
• In RouterOS v5 or older versions if placed in same place
Simple queue will take traffic before Queue Tree
• In RouterOS v6 if placed in same place Simple queue will
take traffic after Queue Tree
©LearnMikroTik.ir 2013
97
HTB Lab (cont.)
• Create Queue tree from the example
• Extend mangle and queue tree configuration to
prioritize ICMP and HTTP traffic over all other
traffic only for regular clients
– Replace regular client packet mark with 3 traffic type
specific marks
– Create 3 child queues for regular client queue in
queue tree
– Assign packet marks to queues
• (optional) Create the same queue tree for client
upload
©LearnMikroTik.ir 2013
98
Simple Packet Flow in RouterOS v6
• Consume all the available traffic using
bandwidth-test (through the router) and
check the ping response times
• Set highest priority to ICMP
• Check the ping response times
©LearnMikroTik.ir 2013
99
Medium Size ISP
NAT Action “Netmap”
• Can be used in both (srcnat and dstnat) chains
• Allows to create address range to address
range NATing only with one rule
• It is possible to masquerade 192.168.88.0/24
to 88.188.32.0/24 only with one rule
• It is possible to redirect 88.188.32.0/24 to
192.168.88.0/24 with the second rule
Situation:
Your network is growing rapidly
and now offer public IPs to the
customers
Requirements:
Transfer all old clients from
local address to public
 Increase HTTP browsing
performance

©LearnMikroTik.ir 2013
100
101
©LearnMikroTik.ir 2013
102
17
01/08/2014
NAT Action “same”
QoS Feature “Burst”
• Can be used in both (srcnat and dstnat) chains
• Ensures that client will be NAT'ed to the same
address from the specified range every time it
tries to communicate with destination that
was used before
• If client got 88.188.32.104 from the range
when it communicated to the particular server
– every next time communicating with this
server it will use the same address
• Burst is one of the best ways to increase HTTP
performance
• Bursts are used to allow higher data rates for a
short period of time
• If an average data rate is less than burstthreshold, burst could be used( actual data
rate can reach burst-limit)
• Average data rate is calculated from the last
burst-time seconds
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
103
Burst - Average Data Rate
104
Burst
• Average data rate is calculated as follows:
– burst-time is being divided into 16 periods
– router calculates the average data rate of each class
over these small periods
• Note, that the actual burst period is not equal to
the burst-time. It can be several times shorter
than the burst-time depending on the max-limit,
burst-limit, burst-threshold, and actual data rate
history (see the graph example on the next slide)
©LearnMikroTik.ir 2013
105
©LearnMikroTik.ir 2013
Burst (Part 2)
106
Web-Proxy
• Web-proxy have 3 mayor features
– HTTP and FTP traffic caching
– DNS name filtering
– DNS redirection
• Web-proxy have two operation modes
– Regular – browser must be configured to use this
proxy
– Transparent – this proxy is not visible for
customers NAT rules must be applied
©LearnMikroTik.ir 2013
107
©LearnMikroTik.ir 2013
108
18
01/08/2014
Web-Proxy Caching
Web-Proxy Options
• No caching
• Maximal-clientconnections: number of
connections accepted
from clients
• Maximal-serverconnections: number of
connections made by
server
– Max-cache-size = none
• Cache to RAM
– Max-cache-size ≠ none
– Cache-on-disk = no
• Cache to HDD
– Max-cache-size ≠ none
– Cache-on-disk = yes
• Max cache object size
• Cache drive
©LearnMikroTik.ir 2013
109
Web-Proxy Options
©LearnMikroTik.ir 2013
110
Web-Proxy Statistics
• Serialize-connections: use only one connection
for proxy and server communication (if server
supports persistent HTTP connection)
• Always-from-cache: ignore client refresh
requests if the cache content is considered fresh
– Max-fresh-time: specifies how long objects without
an explicit expiry time will be considered fresh
• Cache-hit-DSCP: specify DSCP value for all
packets generated from the web-proxy cache
©LearnMikroTik.ir 2013
111
©LearnMikroTik.ir 2013
Proxy Rule Lists
Proxy Rules
• It is
possible
to
intercept HTTP request
based on:
• TCP/IP information
• URL
• HTTP method
• Access list also allow
you to redirect denied
request to specific page
• Web-proxy supports 3 sets of rules for HTTP
request filtering
– Access List – dictates policy whether to allow
specific HTTP request or not
– Direct Access List – list works only if parent-proxy
is specified – dictates policy whether to bypass
parent proxy for specific HTTP request or not.
– Cache List – dictates policy whether to allow
specific HTTP request be cached or not
©LearnMikroTik.ir 2013
112
113
©LearnMikroTik.ir 2013
114
19
01/08/2014
URL Filtering
Regular Expressions
http://www.mikrotik.com/docs/ros/2.9/graphics:packet_flow31.jpg
Destination host
Destination path
• Place “:” at the beginning to enable regular
expression mode
– ”^“ - show that no symbols are allowed before the
given pattern
– “$“ - show that no symbols are allowed after the given
pattern
– “[....]” - A character class matches a single character
out of all the possibilities offered by the character
class
– \ (backslash) followed by any of [\^$.|?*+() suppress
their special meaning.
• Special characters
– “*” - any number of any characters
– “?” - any character
• www.mi?roti?.com
• www.mikrotik*
• *mikrotik*
©LearnMikroTik.ir 2013
115
©LearnMikroTik.ir 2013
Web-Proxy Lab
Next problems
• Teacher will have proxy, that redirects all requests
to separate web-page on 10.1.1.254
• Enable transparent web-proxy on your router
with caching to the memory
• Create rules in access list to check its functionality
• Create rules in direct access list to check its
functionality
• Create rules in Cache list to check its functionality
©LearnMikroTik.ir 2013
117
Problems:



Sometimes you get unusually big
traffic and packet counts going
trough or to your router
Some of regular clients use
routers to share connection with
neighbours
Some of regular clients use
HTTP port 80 for encrypted p2p
traffic
©LearnMikroTik.ir 2013
Network Intrusion Types
Ping flood
Port scan
DoS attack
DDoS attack
©LearnMikroTik.ir 2013
118
Ping Flood
• Network intrusion is a serious security risk that
could result in not only the temporal denial, but
also in total refusal of network service
• We can point out 4 major network intrusion
types:
–
–
–
–
116
119
• Ping
flood
usually
consist from volumes of
random ICMP messages
• With “limit” condition it
is possible to bound the
rule match rate to a
given limit
• This condition is often
used with action “log”
©LearnMikroTik.ir 2013
120
20
01/08/2014
ICMP Message Types
ICMP Message Rule Example
• Typical IP router uses only five types of ICMP
messages (type:code)
– For PING - messages 0:0 and 8:0
– For TRACEROUTE – messages 11:0 and 3:3
– For Path MTU discovery – message 3:4
• Other types of ICMP messages should be
blocked
©LearnMikroTik.ir 2013
121
©LearnMikroTik.ir 2013
ICMP Flood Lab
Port Scan
• Make the new chain – ICMP
• Port Scan is sequential
TCP (UPD) port probing
• PSD
(Port
scan
detection) is possible
only for TCP protocol
• Low ports
• From 0 to 1023
• High ports
• From 1024 to 65535
– Accept 5 necessary ICMP messages
– Set match rate to 5 pps with 5 packet burst possibility
– Drop all other ICMP packets
• Move all ICMP packets to ICMP chain
–
–
–
–
Create an action “jump” rule in the chain Input
Place it accordingly
Create an action “jump” rule in the chain Forward
Place it accordingly
©LearnMikroTik.ir 2013
•
•
•
•
•
122
123
©LearnMikroTik.ir 2013
124
PSD Lab
DoS Attacks
Create PSD protection
Create a PSD drop rule in the chain Input
Place it accordingly
Create a PSD drop rule in the chain Forward
Place it accordingly
• Main target for DoS attacks is consumption of
resources, such as CPU time or bandwidth, so the
standard services will get Denial of Service (DoS)
• Usually router is flooded with TCP/SYN
(connection request) packets. Causing the server
to respond with a TCP/SYN-ACK packet, and
waiting for a TCP/ACK packet.
• Mostly DoS attackers are virus infected customers
©LearnMikroTik.ir 2013
125
©LearnMikroTik.ir 2013
126
21
01/08/2014
DoS Attack Protection
DoS Attack Detection
• All IP's with more than 10 connections to the
router should be considered as DoS attackers
• With every dropped TCP connection we will allow
attacker to create new connection
• We should implement DoS protection into 2
steps:
• Detection - Creating a list of DoS attackers on the
basis of connection-limit
• Suppression – applying restrictions to the
detected DoS attackers
©LearnMikroTik.ir 2013
127
©LearnMikroTik.ir 2013
DoS Attack Suppression
DDoS attacks
• To stop the attacker from
creating
new
connections, we will use
action “tarpit”
• You must set protocol=tcp
for tarpit rule
• We must place this rule
before the detection rule
or else address-list entry
will rewrite all the time
©LearnMikroTik.ir 2013
128
• A Distributed Denial of
Service attack is very
similar to DoS attack
only it occurs from
multiple compromised
systems
• Only thing that could
help is “TCPSyn Cookie”
option in conntrack
system
129
©LearnMikroTik.ir 2013
Mangle Action “change-ttl”
130
Changing TTL
• TTL is a limit of Layer3 devices that IP packet
can experience before it should be discarded
• TTL default value is 64 and each router reduce
value by one just before forwarding decision
• Router will not pass traffic to the next device if
it receives IP packet with TTL=1
• Useful application: eliminate possibility for
clients to create masqueraded networks
©LearnMikroTik.ir 2013
131
©LearnMikroTik.ir 2013
132
22
01/08/2014
Queue Types
100% Shaper
• RouterOS have 4 queue types:
– FIFO – First In First Out (for Bytes or for Packets)
– RED – Random Early Detect (or Drop)
– SFQ – Stochastic Fairness Queuing
– PCQ – Per Connection Queuing (MikroTik Proprietary)
• Each queue type have 2 aspects:
– Aspect of the Scheduler
– Aspect of the Shaper
©LearnMikroTik.ir 2013
133
100% Scheduler
©LearnMikroTik.ir 2013
134
Default Queue Types
135
©LearnMikroTik.ir 2013
FIFO
136
FIFO (Cont.)
Behaviour:
What comes in first is handled first, what comes
in next waits until the first is finished. Number of
waiting units (Packets or Bytes) is limited by
“queue size” option. If queue “is full” next units
are dropped
mq-pfifo is pfifo with support for multiple
transmit queues.
©LearnMikroTik.ir 2013
137
©LearnMikroTik.ir 2013
138
23
01/08/2014
©LearnMikroTik.ir 2013
139
©LearnMikroTik.ir 2013
140
©LearnMikroTik.ir 2013
142
©LearnMikroTik.ir 2013
144
RED
Behaviour:
Same as FIFO with feature – additional drop
probability even if queue is not full.
This probability is based on
comparison of
average
queue length over some
period of time to minimal
and maximal threshold –
closer to maximal threshold
bigger the chance of drop.
©LearnMikroTik.ir 2013
141
SFQ
Behaviour:
Based on
hash value from source and
destination address SFQ divides traffic into 1024
sub-streams
Then
Round
Robin
algorithm will distribute
equal amount of traffic to
each sub-stream
©LearnMikroTik.ir 2013
143
24
01/08/2014
SFQ Example
PCQ
• SFQ should be used for equalizing similar
connection
• Usually used to manage information flow to or
from the servers, so it can offer services to
every customer
• Ideal for p2p limitation, it is possible to place
strict limitation without dropping connections.
Behaviour:
Based on classifier PCQ divides traffic into substreams. Each sub-stream can be considered as
FIFO queue with queue size specified by “limit”
option
After this PCQ can be
considered as FIFO
queue where queue size
is specified by “totallimit” option.
©LearnMikroTik.ir 2013
145
©LearnMikroTik.ir 2013
146
©LearnMikroTik.ir 2013
147
©LearnMikroTik.ir 2013
148
Queue Type Lab
• Try all queue types on “Other-download”
queue in your queue tree. Use band-width
test to check it.
• Adjust your QoS structure with proper queue
type
• Create a packet mark for all p2p traffic and
create SFQ queue for it
• Change HTTP queue type to PCQ
©LearnMikroTik.ir 2013
149
©LearnMikroTik.ir 2013
150
25
01/08/2014
Packet Sniffer
NTH
• Packet sniffer is a tool that can capture and
analyze packets that are going to, leaving or
going through the router
• Packet sniffer can store result in router’s
memory, to a file or send sniffed packets to
streaming server
• The filter can be used to curb the packets
• Matches every nth packet
• It has only two parameters 'every' and
'packet'.
• Every rule has its own counter. When rule
receives packet counter for current rule is
increased by one.
• If counter matches value of 'every' packet will
be matched and counter will be set to zero.
©LearnMikroTik.ir 2013
©LearnMikroTik.ir 2013
151
152
Per Connection Classifier
• PCC matcher allows to divide traffic into equal
streams with ability to keep packets with
specific set of options in one particular
stream.
• PCC is introduced to address configuration
issues with load balancing over multiple
gateways with masquerade
©LearnMikroTik.ir 2013
153
26
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising