MikroTik firewall mangle: what it is
Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.
Additionally, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and TTL fields.
▍ 1. Firewall Mangle
Let us look at the traffic-marking options available, in the context of parental control. Firewall Mangle is studied in depth in the MikroTik Certified Traffic Control Engineer (MTCTCE) course; the topic demands care and concentration. We will mark the traffic passing through the router:
The rules are hard to present in text form, so we will explain them from the screenshot. As can be seen, user traffic is marked as inbound (WAN => LAN) and outbound (LAN => WAN).
In fact this is unnecessary: it is enough to mark only outbound traffic, because inbound traffic, in the context of a home device, is always a reply to outbound traffic. A TCP connection is established at the user's initiative, and UDP packets likewise come to us in reply to our own requests.
To understand why this must be done specifically in prerouting, refer to the packet-flow diagram of a MikroTik router, for example the one published by the company itself.
For self-checking, I recommend mirroring the packets at each stage and inspecting them by hand in Wireshark (how to set up capture of the mirrored traffic was covered earlier):
The traffic is marked; now let us attach the blocking parameters to it. On the Advanced tab of Firewall Mangle there are two options of interest to us: Content and TLS Hosts.
It can be seen that the site's domain name appears several times in the connection being established. We will use it as a filter for all types of marked packets: DNS and the rest of the traffic. This is exactly why the packet re-marking done earlier in the Forward chain was needed:
Of course, such analysis loads the router's CPU heavily. As can be seen, once at least one of the rules fires, further re-marking of the traffic is prohibited (passthrough=no), which relieves the router.
The presence of the line TLS server extension «server name» (id=0), len=0 in the output means that SNI is in use, and any number of sites can be hosted on a server with a single IP address. Packets can therefore be marked on the basis of the TLS Hosts parameter:
We prohibit further re-marking of packets (passthrough=no) and place these rules before the rules with the Content parameter. The Great Firewall of China is said to work the same way, but it is able to look even deeper. Unfortunately, no technical details are available yet.
Nothing on the Mangle Extra tab will help with the task at hand, alas...
Now let us assemble all the Mangle rules together according to the following scheme:
Packets marked Children Filter will be dropped in Firewall Filter. The illustration below, again borrowed from the same people, explains why this has to be done there and not, for example, as a result of routing:
The blocking rule will have to be placed at the very top of the Forward chain, otherwise the packets to be filtered will slip past the Firewall:
As a result the restricted connections are simply killed, and the child's browser cannot load any of the prohibited content.
A mention of /ip firewall layer7-protocol as well. This filter searches for regular-expression matches in the first 2 KB of traffic (or the first 10 packets) of ICMP, TCP and UDP streams. I do not recommend using it: it works too probabilistically and loads the router's CPU very heavily.
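The scheme above as a RouterOS configuration, added here as an example and not taken from the article's screenshots. Assumed names: LAN bridge "bridge", address list "children" holding the child's device, packet marks "children-out" and "children-filter", and the placeholder domain example.com.

```routeros
# Added example, not the article's own listing. Assumed: LAN interface
# "bridge", address list "children", marks "children-out"/"children-filter",
# placeholder domain example.com.

/ip firewall address-list
add list=children address=192.168.88.10 comment="child's device (placeholder)"

/ip firewall mangle
# 1. Only LAN->WAN traffic needs marking: replies belong to the same tracked
#    connection, so no rule is needed for the reverse direction.
add chain=prerouting in-interface=bridge src-address-list=children \
    action=mark-packet new-packet-mark=children-out passthrough=yes \
    comment="child's outbound traffic"

# 2. TLS Hosts rules go first: they match the SNI in the ClientHello
#    (GLOB syntax covers subdomains) and stop re-marking (passthrough=no).
add chain=forward packet-mark=children-out protocol=tcp dst-port=443 \
    tls-host=*.example.com action=mark-packet \
    new-packet-mark=children-filter passthrough=no comment="SNI subdomains"
add chain=forward packet-mark=children-out protocol=tcp dst-port=443 \
    tls-host=example.com action=mark-packet \
    new-packet-mark=children-filter passthrough=no comment="SNI apex"

# 3. Content rules after them. DNS queries carry the name in wire format
#    (length byte + label, no dots), so match the longest label only;
#    everything else is searched for the dotted name. Both are CPU-heavy,
#    so they only see already-marked packets the SNI rules did not settle.
add chain=forward packet-mark=children-out protocol=udp dst-port=53 \
    content=example action=mark-packet new-packet-mark=children-filter \
    passthrough=no comment="plain DNS query for the name"
add chain=forward packet-mark=children-out content=example.com \
    action=mark-packet new-packet-mark=children-filter passthrough=no \
    comment="name in other cleartext traffic"

/ip firewall filter
# 4. The drop must be the first forward rule: an earlier accept (for example
#    established,related) would let the marked packets through.
add chain=forward packet-mark=children-filter action=drop place-before=0 \
    comment="children filter"
```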
Detailed Section Overview
IP address
The router has two upstream ether1 and ether2 interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The ether3 interface has an IP address of 192.168.1.1/24.
Mangle
With policy routing it is possible to force all traffic to a specific gateway, even traffic destined to a host (other than the gateway) in the connected networks. This way a routing loop would be created and communication with those hosts would be impossible. To avoid this situation we need to allow the default routing table to be used for traffic to connected networks:
First, it is necessary to manage connections initiated from outside: replies must leave via the same interface (from the same public IP) the request came in on. We will mark all new incoming connections to remember the interface:
Before configuring mark-routing, we have to create a routing table for each of them:
The action mark-routing can be used only in the mangle chains output and prerouting, but the prerouting chain captures all traffic, including traffic going to the router itself. To avoid this we use dst-address-type=!local. With the help of the new PCC matcher we then divide traffic into two groups based on source and destination addresses:
Then we need to mark all packets from those connections with the proper mark. As policy routing is required only for traffic going to the Internet, do not forget to specify the in-interface option:
As the routing decision is already made, we just need rules that fix the src-address of all outgoing packets. If a packet leaves via wlan1 it is NATed to 10.112.0.2; if via wlan2, it is NATed to 10.111.0.2:
Routes
Create a route for each routing-mark
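The steps of this section assembled into one configuration, added here as an example rather than the wiki's own listing. It uses the addresses from the IP address section (ether1 10.111.0.2, ether2 10.112.0.2, ether3 LAN); the gateways 10.111.0.1/10.112.0.1, the marks and the RouterOS v7 routing-table syntax are assumptions.

```routeros
# Added example, not the wiki's listing. Assumed: gateways 10.111.0.1 and
# 10.112.0.1, marks ISP1_conn/ISP2_conn, tables to_ISP1/to_ISP2 (RouterOS v7).

/ip address
add address=10.111.0.2/24 interface=ether1
add address=10.112.0.2/24 interface=ether2
add address=192.168.1.1/24 interface=ether3

/routing table
add name=to_ISP1 fib
add name=to_ISP2 fib

/ip firewall mangle
# Connected networks stay on the main table: accept ends mangle processing,
# so no routing mark is set and no routing loop is created.
add chain=prerouting in-interface=ether3 dst-address=10.111.0.0/24 action=accept
add chain=prerouting in-interface=ether3 dst-address=10.112.0.0/24 action=accept

# Remember which WAN a connection arrived on so replies leave the same way.
add chain=prerouting in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn

# Split new LAN connections into two groups by a hash of (src,dst) address.
# dst-address-type=!local keeps traffic for the router itself out of it.
add chain=prerouting in-interface=ether3 connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ether3 connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# Turn the connection mark into a routing mark. in-interface limits this to
# traffic entering from the LAN, as the text requires.
add chain=prerouting in-interface=ether3 connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting in-interface=ether3 connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2
# Router-generated packets of marked connections (output chain).
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ip firewall nat
# Source address follows the egress interface.
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=10.111.0.2
add chain=srcnat out-interface=ether2 action=src-nat to-addresses=10.112.0.2

/ip route
# One default route per routing table, plus a main-table fallback pair.
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-table=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-table=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
```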
Load Balancing With Per Connection Classifier
The PCC matcher allows you to divide traffic into equal streams while keeping packets with a specific set of options in one particular stream (that set of options can be chosen from src-address, src-port, dst-address, dst-port, etc.).
Basic examples
Load Balancing Multiple Same Subnet Links
This example demonstrates how to set up load balancing if the provider is giving IP addresses from the same subnet for all links.
Router protection
Let's say our private network is 192.168.0.0/24 and the public (WAN) interface is ether1. We will set up the firewall to allow connections to the router itself only from our local network and drop the rest. We will also allow the ICMP protocol on any interface, so that anyone can ping the router from the Internet.
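The input chain described above, added here as an example (not the wiki's own listing). It goes slightly beyond the text by adding the usual stateful accept/drop pair in front, so that replies to the router's own sessions are not evaluated against the rest of the chain.

```routeros
# Added example, not the wiki's listing. LAN 192.168.0.0/24, WAN ether1.
/ip firewall filter
# Stateful shortcut: packets of already-accepted sessions and replies to the
# router's own sessions are accepted without further checks.
add chain=input connection-state=established,related action=accept \
    comment="established/related"
add chain=input connection-state=invalid action=drop comment="invalid"
# ICMP from any interface: the router stays pingable and PMTUD keeps working.
add chain=input protocol=icmp action=accept comment="icmp"
# Management only from the local network, and never via the WAN port.
add chain=input src-address=192.168.0.0/24 in-interface=!ether1 \
    action=accept comment="LAN access to the router"
# Everything else addressed to the router is dropped.
add chain=input action=drop comment="drop all other input"
```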
Overview
Every rule has its own counter. When the rule receives a packet, the counter for that rule is increased by one. If the counter matches the value of 'every', the packet is matched and the counter is reset to zero.
To match 50% of all traffic with only one rule:
To split traffic into more than two parts we can use the following configuration. The first rule sees all packets and matches 1/3 of them, the second rule sees the remaining 2/3 of the packets and matches half of them, and the third rule sees and matches all packets that passed through the first two rules (1/3 of all packets):
This example is a different version of the round-robin load balancing example. It adds persistent user sessions, i.e. a particular user would use the same source IP address for all outgoing connections. Consider the following network layout:
Marking packets
Marking each packet is quite resource expensive, especially if the rule has to match against many parameters from the IP header or an address list containing hundreds of entries.
Let's say we want to
- mark all TCP packets except tcp/80 and match these packets against the first address list
- mark all UDP packets and match them against the second address list.
The setup looks quite simple and will probably work without problems in small networks. Now multiply the number of rules by 10, add a few hundred entries to the address list, run 100 Mbit of traffic over this router and you will see how rapidly CPU usage increases. The reason for this behavior is that each rule reads the IP header of every packet and tries to match the collected data against the parameters specified in the firewall rule.
Fortunately, if connection tracking is enabled, we can use connection marks to optimize our setup.
Now the first rule tries to match data from the IP header only for the first packet of a new connection and adds a connection mark. The next rule no longer checks the IP header of each packet; it just compares connection marks, resulting in lower CPU consumption. Additionally, passthrough=no was added, which reduces CPU consumption even further.
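The two setups compared above, side by side, added as an example and not the wiki's own listing. Address-list names, mark names, the sample list entries and the choice of dst-address-list (the text does not say which direction) are assumptions; only one of the two rule sets would be loaded on a real router.

```routeros
# Added example, not the wiki's listing. Assumed: lists "list1"/"list2",
# marks "tcp-mark"/"udp-mark", constructed sample addresses.
/ip firewall address-list
add list=list1 address=203.0.113.0/24 comment="constructed sample entry"
add list=list2 address=198.51.100.0/24 comment="constructed sample entry"

# --- Costly version: every packet is parsed and looked up in the lists.
/ip firewall mangle
add chain=forward protocol=tcp dst-port=!80 dst-address-list=list1 \
    action=mark-packet new-packet-mark=tcp-mark passthrough=yes \
    comment="per-packet header parse + list lookup"
add chain=forward protocol=udp dst-address-list=list2 \
    action=mark-packet new-packet-mark=udp-mark passthrough=yes

# --- Optimized version: classify once per connection (first packet only),
#     then every packet just compares its connection mark and stops
#     (passthrough=no), so the expensive matchers never see it again.
/ip firewall mangle
add chain=forward connection-state=new protocol=tcp dst-port=!80 \
    dst-address-list=list1 action=mark-connection \
    new-connection-mark=tcp-conn passthrough=yes comment="first packet only"
add chain=forward connection-mark=tcp-conn action=mark-packet \
    new-packet-mark=tcp-mark passthrough=no comment="cheap mark compare"
add chain=forward connection-state=new protocol=udp dst-address-list=list2 \
    action=mark-connection new-connection-mark=udp-conn passthrough=yes
add chain=forward connection-mark=udp-conn action=mark-packet \
    new-packet-mark=udp-mark passthrough=no
```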
Firewall mangle rules consist of five predefined chains that cannot be deleted:
- The PREROUTING chain: Rules in this chain apply to packets as they just arrive on the network interface;
- The INPUT chain: Rules in this chain apply to packets just before they’re given to a local process;
- The OUTPUT chain: The rules here apply to packets just after they’ve been produced by a process;
- The FORWARD chain: The rules here apply to any packets that are routed through the current host;
- The POSTROUTING chain: The rules in this chain apply to packets as they just leave the network interface;
For example, if a router receives an IPsec encapsulated Gre packet, then rule ipsec-policy=in,ipsec will match Gre packet, but a rule ipsec-policy=in,none will match the ESP packet.
Values of the ipv4-options matcher:
- any - match packets with at least one of the IPv4 options
- loose-source-routing - match packets with the loose source routing option. This option is used to route the internet datagram based on information supplied by the source
- no-record-route - match packets with no record route option
- no-router-alert - match packets with no router alert option
- no-source-routing - match packets with no source routing option
- no-timestamp - match packets with no timestamp option
- record-route - match packets with the record route option
- router-alert - match packets with the router alert option
- strict-source-routing - match packets with the strict source routing option
- timestamp - match packets with a timestamp
- count - maximum average packet rate measured in packets per time interval
- time - specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified)
- burst - number of packets that are not counted by packet rate
Sets a new MSS for a packet.
Parameters of the psd (port scan detection) matcher:
- WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as a port scan sequence
- DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as a possible port scan subsequence
- LowPortWeight - the weight of packets with a privileged (<1024) destination port
- HighPortWeight - the weight of packets with a non-privileged destination port
Matches source address type:
- unicast - IP address used for point to point transmission
- local - if an address is assigned to one of the router's interfaces
- broadcast - packet is sent to all devices in a subnet
- multicast - packet is forwarded to a defined group of devices
Values of the tcp-flags matcher:
- ack - acknowledging data
- cwr - congestion window reduced
- ece - ECN-echo flag (explicit congestion notification)
- fin - close connection
- psh - push function
- rst - drop connection
- syn - new connection
- urg - urgent data
Stats
To show additional read-only properties:
Property | Description |
---|---|
bytes (integer) | The total amount of bytes matched by the rule |
packets (integer) | The total amount of packets matched by the rule |
To print out stats:
Stats
/ip firewall filter print stats shows additional read-only properties:
Property | Description |
---|---|
bytes (integer) | Total amount of bytes matched by the rule |
packets (integer) | Total amount of packets matched by the rule |
By default, print is equivalent to print static and shows only static rules.
To print dynamic rules as well, use print all.
To print only dynamic rules, use print dynamic.
Change MSS
In the case of a link with broken PMTUD, decreasing the MSS of the packets coming through the VPN link solves the problem. The following example demonstrates how to decrease the MSS value via mangle:
Menu specific commands
Property | Description |
---|---|
reset-counters (id) | Reset statistics counters for specified firewall rules. |
reset-counters-all ( ) | Reset statistics counters for all firewall rules. |
Bandwidth management
This simple firewall filter rule will limit ether1 outgoing traffic to 100Mbps.
This is the second and final article in the series on setting up parental control on MikroTik equipment. Earlier we looked in detail at DNS setup, Firewall Filter and IP Kid-control. In this part we discuss the practical use of traffic marking with Firewall Mangle, and draw general conclusions from the series about the capabilities of RouterOS for parental control.
Detailed Section Overview
IP Addresses
The router has two upstream (WAN) interfaces with the addresses 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name "Local" and an IP address of 192.168.1.1/24.
Mangle
All traffic from customers having their IP address previously placed in the address list "odd" is instantly marked with connection and routing marks "odd". Afterward, the traffic is excluded from processing against successive mangle rules in the prerouting chain:
The same configuration as above, only for customers having their IP address previously placed in the address list "even":
First, we take every second packet that establishes a new session (note connection-state=new), and mark it with the connection mark "odd". Consequently, all successive packets belonging to the same session will carry the connection mark "odd". Note that we are passing these packets to the second and third rules (passthrough=yes). The second rule adds the IP address of the client to the address list to enable all successive sessions to go through the same gateway. The third rule places the routing mark "odd" on all packets that belong to the "odd" connection and stops processing all other mangle rules for these packets in the prerouting chain:
These rules do the same for the remaining half of the traffic as the first three rules for the first half of the traffic.
The following code effectively means that each new connection initiated through the router from the local network will be marked as either "odd" or "even" with both routing and connection marks.
The above works fine. However, there are situations where you may find the same IP address listed in both the ODD and EVEN src-address-lists. This causes issues with apps that require persistent connections. A simple remedy is to add the following statement to your mangle rules, which ensures that a new connection is not already part of the ODD src-address-list. You will have to do the same for the ODD mangle rule, excluding IPs already in the EVEN src-address-list:
Fix the source address according to the outgoing interface:
Routes
For all traffic marked "odd" (consequently having 10.111.0.2 translated source address) we use 10.111.0.1 gateway. In the same manner, all traffic marked "even" is routed through the 10.112.0.1 gateway.
Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) should go to the 10.111.0.2 gateway:
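The nth-based scheme with persistent sessions from this section, including the src-address-list exclusion fix and the plain 50% split (nth=2,1) from the Overview, assembled as one configuration. This is an added example, not the wiki's own listing; the LAN interface "Local" and the addresses and gateways come from the text, while the WAN interface names, the use of connection marks in NAT and the RouterOS v7 routing-table syntax are assumptions.

```routeros
# Added example, not the wiki's listing. LAN "Local"; WAN 10.111.0.2 and
# 10.112.0.2 with gateways 10.111.0.1 / 10.112.0.1 (RouterOS v7 syntax).

/routing table
add name=odd fib
add name=even fib

/ip firewall mangle
# Clients already assigned to a group keep it: mark and stop (passthrough=no).
add chain=prerouting in-interface=Local src-address-list=odd \
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd \
    action=mark-routing new-routing-mark=odd passthrough=no
add chain=prerouting in-interface=Local src-address-list=even \
    action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even \
    action=mark-routing new-routing-mark=even passthrough=no

# Every second new session from a still-unassigned client becomes "odd".
# src-address-list=!even is the fix from the text: one IP never ends up
# in both lists. The rule only sees packets the rules above did not settle.
add chain=prerouting in-interface=Local connection-state=new nth=2,1 \
    src-address-list=!even \
    action=mark-connection new-connection-mark=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd \
    action=add-src-to-address-list address-list=odd passthrough=yes
add chain=prerouting in-interface=Local connection-mark=odd \
    action=mark-routing new-routing-mark=odd passthrough=no

# Whatever is left (the other half of new sessions) becomes "even";
# no nth needed, this rule matches all that reach it.
add chain=prerouting in-interface=Local connection-state=new \
    src-address-list=!odd \
    action=mark-connection new-connection-mark=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even \
    action=add-src-to-address-list address-list=even passthrough=yes
add chain=prerouting in-interface=Local connection-mark=even \
    action=mark-routing new-routing-mark=even passthrough=no

/ip firewall nat
# "odd" connections leave as 10.111.0.2, "even" ones as 10.112.0.2.
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2

/ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-table=odd check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-table=even check-gateway=ping
# Traffic from the router itself carries no routing mark: main table, ISP1.
add dst-address=0.0.0.0/0 gateway=10.111.0.1
```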
The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with the Network Address Translation it serves as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.
Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. A properly configured firewall plays a key role in an efficient and secure network infrastructure deployment.
MikroTik RouterOS has a very powerful firewall implementation with features including:
- stateful packet inspection
- Layer-7 protocol detection
- peer-to-peer protocols filtering
- traffic classification by:
  - source MAC address
  - IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
  - port or port range
  - IP protocols
  - protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
  - interface the packet arrived from or left through
  - internal flow and connection marks
  - DSCP byte
  - packet content
  - rate at which packets arrive and sequence numbers
  - packet size
  - packet arrival time
  - and much more!
CLI Distinctive
A similar-looking configuration is interpreted a bit differently in each section.
For example, with the following configuration line you match packets whose tcp-flags do not include SYN but do include ACK:
But with this configuration you match all connections whose state is neither NEW nor RELATED.
Both are written in a similar way.
Failover With Firewall Marking
This example demonstrates how to set up failover with a firewall mangle, filter and NAT rules.
This section consists of setup examples with firewall-based load balancing methods.
Chains
The firewall operates by means of firewall rules. Each rule consists of two parts - the matcher which matches traffic flow against given conditions and the action which defines what to do with the matched packet.
Firewall filtering rules are grouped together in chains. This allows a packet to be matched against one common criterion in one chain and then passed over for processing against other common criteria in another chain. For example, a packet should be matched against an IP address:port pair. Of course, this could be achieved by adding as many rules with IP address:port matches as required to the forward chain, but a better way is to add one rule that matches traffic from a particular IP address, e.g. /ip firewall filter add src-address=1.1.1.2/32 action=jump jump-target="mychain", and in the case of a successful match passes control over the IP packet to some other chain, i.e. mychain in this example. Then rules that perform matching against separate ports can be added to the mychain chain without specifying the IP addresses.
There are three predefined chains, which cannot be deleted:
- input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
- forward - used to process packets passing through the router
- output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
Packet flow diagrams illustrate how packets are processed in RouterOS.
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted.
Detailed Section Overview
IP address
In this example, our provider assigned two upstream links, one connected to ether1 and the other to ether2. Our local network has two subnets, 192.168.1.0/24 and 192.168.2.0/24.
Mangle
Connections coming in through the ether1 interface are marked "first" and those coming in through ether2 are marked "other":
Firewall Filter
When the primary link fails, we reject all established connections so that new connections pass through the secondary link. The same happens when the primary link comes back. Here we also prevent local IP addresses from leaking to the public network, which is one of masquerade's disadvantages:
Instead of masquerade we use src-nat for our local networks, because we do not want connections to be purged when the primary link fails, which is one of masquerade's main features. We restrict them with firewall rules instead (later in this example):
Routes
We add two default routes. With the distance parameter we set the route preference:
Customer protection
To protect the customer's network, we check all traffic that goes through the router and block unwanted traffic. For ICMP, TCP and UDP traffic we create chains in which all unwanted packets are dropped:
Block "bogon" IP addresses
Make jumps to the new chains:
Create tcp chain and deny some tcp ports in it:
Deny udp ports in udp chain:
Allow only needed icmp codes in icmp chain:
Other ICMP codes can be found here.
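The steps of this section as one configuration, added here as an example and not the wiki's own listing. The page does not say which ports and ICMP types it blocks, so the bogon ranges, the port list (legacy LAN-only services) and the ICMP selection below are illustrative choices; the WAN interface ether1 is also assumed.

```routeros
# Added example, not the wiki's listing. WAN ether1; ports, ICMP types and
# bogon ranges are illustrative choices to adapt locally.

/ip firewall address-list
# Source ranges that should never arrive from the Internet.
add list=bogons address=0.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=192.0.2.0/24
add list=bogons address=192.168.0.0/16
add list=bogons address=224.0.0.0/3

/ip firewall filter
add chain=forward in-interface=ether1 src-address-list=bogons action=drop \
    comment="bogon source address from WAN"
# Hand each protocol to its own chain (a jump creates the chain if needed);
# packets that match nothing in the chain return here and continue.
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

# tcp chain: services that should not cross the router.
add chain=tcp protocol=tcp dst-port=69 action=drop comment="TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="RPC endpoint mapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="NetBIOS"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="SMB"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="NFS"

# udp chain: the UDP counterparts.
add chain=udp protocol=udp dst-port=69 action=drop comment="TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="RPC endpoint mapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="NetBIOS"
add chain=udp protocol=udp dst-port=2049 action=drop comment="NFS"

# icmp chain: accept only the types a working network needs, drop the rest.
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:3 action=accept comment="port unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed (PMTUD)"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="TTL exceeded"
add chain=icmp protocol=icmp action=drop comment="all other ICMP"
```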
▍ 2. Conclusion
RouterOS offers various means of organizing parental control. The articles presented several approaches: working with the DNS protocol, Firewall Filter, Firewall Mangle and Kid-Control. The last of these is an automation tool from MikroTik and contains no engineering solutions of its own. So which is better to use: DNS, Firewall Filter or Firewall Mangle?
The operation of the DNS protocol is inevitably tied to caching, on intermediate servers, on your router and even inside the operating system. This cannot be called an outright disadvantage, but it has to be taken into account. Whatever you, as a parent, substitute into the DNS reply, things may never get that far: the child's device will take the IP address of the requested resource from its own cache. And it should be understood right now that sooner or later encrypted DNS will become a firm part of our lives. Therefore, in my opinion, running your own DNS servers or commercial equivalents will remain relevant in the future. This approach requires additional technical resources and, most importantly, keeping all that infrastructure working and up to date, which will most likely fall on your sysadmin shoulders.
Dropping packets by IP address in Firewall Filter is a rather crude solution. Automatic resolution of domain names works well. However, the TLS Hosts field in Firewall Mangle has a strong advantage over it, since it also allows subdomains to be filtered; nobody wants to enter all of them into an address-list. And if several sites turn out to share one IP address, which was quite a common problem during the well-known Roskomnadzor blockings, nothing good will come of such an approach. Marking traffic properly in Firewall Mangle is a good skill that helps solve many engineering tasks, including traffic prioritization and load balancing. That is why I like it more than the others.
The Content parameter may seem an exceptionally good solution, but pushing heavy traffic through an underpowered MikroTik across many filters can overload the router's CPU. So it remains the measure of last resort for fine-grained traffic filtering.
The article does not cover approaches to blocking the various VPNs that would let one jump over all the filters described, because I consider that outside the scope of parental control.
It turns out that all the technical options described are good with certain reservations. Pick what you like best and use it, or better yet use all of them at once, and the more the better, if you really want to set up parental control over your child's traffic. But that is no longer the topic of this article.
Detailed Section Overview
IP address
In this example, our provider assigned two upstream links, one connected to ether1 and the other to ether2. Both links have IP addresses from the same subnet. Our local network has two subnets, 192.168.1.0/24 and 192.168.2.0/24:
After the IP address is set up, the connected route will be installed as an ECMP route:
Mangle
In our example, very simple policy routing is used. Let's start by adding a routing table for each mangle mark:
Clients from the 192.168.1.0/24 subnet are marked to use the "first" routing table and those from 192.168.2.0/24 to use the "other" routing table:
And masquerade our local network:
The same can be achieved by setting up route rules instead of mangle.
Routes
We are adding two gateways, one to resolve in the "first" routing table and another to the "other" routing table: