Monday, 27 March 2017

Mikrotik - Configuration example

I've compiled a list of basic firewall rules for home use. It implements an automatic blacklist. Feel free to ask for more firewall configs or suggest improvements. I've also tried to keep the config lean for performance. Within a chain, rule order matters: the first matching terminating rule (accept, drop, reject) decides the packet's fate. I will add other configs on request. The same structure can be carried over to other platforms such as Ubiquiti EdgeOS or plain iptables, but it is not a copy-and-paste for them.

To use this you will first need to define a few things.
Address lists:
- DNS (IP addresses you use for DNS and NTP, such as
- Networked (LAN IP addresses you whitelist, such as
- LAN interface (just the name of the LAN interface in /interface)
- WAN interface (name of the WAN interface in /interface)
- assuming the router's IP is
For /ip firewall filter,

Note: rules flagged X are disabled (RouterOS print flags: X = disabled, I = invalid, D = dynamic). The disabled rules are an alternative for when you want even more security, but they can cause problems. Since new rules were added, you may need output-chain exceptions for other services too; alternatively, instead of IP-based filtering you can match on the interface and port instead. Some of these rules can be applied in mangle instead.
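The listing below is an added example of the filter layout described above (address lists, state checks first, an automatic blacklist fed by a port-scan detector and by any unsolicited connection to the router, and the stricter output chain left disabled like the X-flagged rules). It is not the post's own listing. The interface names ether1 (WAN) and bridge1 (LAN), the subnet 192.168.88.0/24, the router address 192.168.88.1 and the upstream servers 203.0.113.53 and 203.0.113.123 are assumptions; replace them with your own.

```routeros
# Added example, not the post's own listing. Assumptions: WAN=ether1,
# LAN=bridge1, LAN subnet 192.168.88.0/24, router LAN IP 192.168.88.1;
# 203.0.113.53 / 203.0.113.123 are placeholder upstream DNS / NTP servers.
/ip firewall address-list
add list=DNS address=192.168.88.1 comment="router itself serves DNS/NTP to the LAN"
add list=DNS address=203.0.113.53 comment="upstream DNS (placeholder)"
add list=DNS address=203.0.113.123 comment="upstream NTP (placeholder)"
add list=Networked address=192.168.88.0/24 comment="whitelisted LAN"

/ip firewall filter
# ---- input: traffic addressed to the router itself ----
# Cheap state checks first; the blacklist lookup then only runs for new flows.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=blacklist action=drop comment="already blacklisted"
# Port-scan detector: a weight of 21 reached within 3 s (3 per low port, 1 per
# high port) adds the source to "blacklist" as a dynamic entry expiring in 1 day.
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d comment="TCP port scan -> blacklist"
# Rate-limited ping; the excess is dropped here so a ping flood cannot trip
# the blacklist rule further down.
add chain=input protocol=icmp limit=10,5:packet action=accept comment="rate-limited ping"
add chain=input protocol=icmp action=drop comment="excess ICMP"
add chain=input in-interface=bridge1 src-address-list=Networked action=accept \
    comment="LAN hosts may use router services (DNS, NTP, Winbox...)"
# VPN server access from the WAN. PPTP needs TCP/1723 plus GRE. Disable both
# when no VPN is running, or change the port to whatever your VPN uses.
add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input in-interface=ether1 protocol=gre action=accept comment="PPTP data"
# Nothing else is ever legitimate on the WAN side of the router, so anyone who
# still gets here is probing: blacklist them before the default drop.
# add-src-to-address-list is non-terminating, so the drop below still applies.
add chain=input in-interface=ether1 connection-state=new \
    action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d comment="unsolicited WAN connection -> blacklist"
add chain=input action=drop comment="default deny for input"

# ---- forward: traffic through the router ----
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=blacklist action=drop
add chain=forward dst-address-list=blacklist action=drop \
    comment="LAN may not talk to blacklisted hosts either"
add chain=forward in-interface=bridge1 src-address-list=Networked \
    out-interface=ether1 action=accept comment="whitelisted LAN -> Internet"
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept \
    comment="only explicitly port-forwarded services"
add chain=forward action=drop comment="default deny for forward"

# ---- output (the stricter, optional variant; left disabled like the X rules) ----
# Restricts the router itself to known DNS/NTP servers and the LAN. Enable the
# drop only after adding exceptions for every other service the router uses
# (package updates, cloud DDNS, mail notifications, ...).
add chain=output connection-state=established,related action=accept
add chain=output dst-address-list=DNS protocol=udp dst-port=53,123 action=accept
add chain=output out-interface=bridge1 action=accept
add chain=output action=drop disabled=yes comment="enable once all exceptions are in place"
```

Two caveats for any automatic blacklist: a dynamic entry is created from the source address of a single packet, so an attacker who can spoof packets with the address of your VPN client can lock that client out for the whole timeout, which is why the timeout is kept at a day rather than permanent; and the psd matcher only scores TCP, so UDP scans are caught only by the generic unsolicited-connection rule.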

Mangle rules (used by the filter)
If you want to use mangle for QoS, mark packets or connections in mangle; the same marks can then be matched in filter rules (connection-mark, packet-mark), so one classification serves both queues and filtering. I cannot give QoS examples because of my network.

NAT (requires connection tracking)
Note: add out-interface=<WAN> to the masquerade rule if the router has more than one outgoing interface (a second uplink or a VPN tunnel), otherwise traffic leaving through those interfaces is masqueraded as well.

Hijacking rules, for proxy and other services.
If your proxy/DNS/NTP server isn't the router itself, use action=dst-nat instead of redirect to point the hijack at that server, but you then need an exception for the server's own traffic placed before the hijacking rules, otherwise its upstream queries are hijacked straight back to itself.
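As an added example (not the post's own listing), here is the NAT section with the masquerade rule pinned to the WAN interface and the DNS/NTP hijacking, plus the dst-nat variant with its exception placed first. The names ether1 (WAN), bridge1 (LAN), the subnet 192.168.88.0/24 and the internal resolver 192.168.88.10 are assumptions.

```routeros
# Added example, not the post's own listing. Assumptions: WAN=ether1,
# LAN=bridge1, LAN subnet 192.168.88.0/24; 192.168.88.10 is a hypothetical
# internal DNS server used only by the dst-nat variant at the end.
/ip firewall nat
# Source NAT. Pinning out-interface keeps traffic that leaves through a VPN
# tunnel or a second uplink from being masqueraded as well.
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 action=masquerade

# Hijacking: clients that hard-code another resolver or time server (smart TVs,
# IoT gear, malware) are silently served by the router instead. redirect
# rewrites the destination to the router's own address on to-ports.
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="hijack DNS/UDP to the router"
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="hijack DNS/TCP to the router"
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=123 \
    action=redirect to-ports=123 comment="hijack NTP to the router"

# Variant when the DNS server is a LAN host rather than the router (rules are
# disabled here; enable them and disable the two DNS redirect rules above).
# 1. The exception for the server's own upstream queries must sit BEFORE the
#    hijack, or its queries would be dst-nat'ed straight back to itself.
add chain=dstnat in-interface=bridge1 src-address=192.168.88.10 protocol=udp \
    dst-port=53 action=accept disabled=yes comment="resolver may query upstream"
# 2. Everyone else's DNS goes to the internal resolver.
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=53 disabled=yes \
    comment="hijack DNS to internal resolver"
# 3. Hairpin: client and resolver share a subnet, so without this the resolver
#    answers the client directly from 192.168.88.10, which is not the address
#    the client sent to, and the client discards the reply.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=udp dst-port=53 action=masquerade disabled=yes \
    comment="hairpin NAT for hijacked DNS"
```

Check the resulting order with /ip firewall nat print and fix it with move if needed; the exception is only effective while it is listed above the dst-nat rule. Note also that hijacking only catches plain port 53 and 123: clients speaking DNS over TLS (853) or over HTTPS (443) bypass it, and the only way to force them through your resolver is to block those ports outbound.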
On multicore systems, under /system resource irq you can pin some functionality to a specific core; the first core is 0. Other settings live under /ip settings, which also shows TCP-related options and whether FastPath/FastTrack is active.

If you need to reach internal services from outside, do it through a VPN with the router as the VPN server (hence the accept rule for PPTP; disable it if you aren't running a VPN, or change it to the port your VPN uses) so that access requires configuration and authentication. Directly exposed services often lack that: the Nissan car vulnerability and CCTV servers whose authentication can be bypassed are examples. Bear in mind that PPTP itself is cryptographically weak (its MS-CHAPv2 authentication can be cracked and MPPE uses RC4), so prefer one of the IPsec-based VPNs RouterOS also offers where your clients support it. If you do want to host a public server (such as a web or game server), the MikroTik wiki has clear enough port forwarding rules.
Mikrotik hardware acceleration guide
RouterOS has three kinds of acceleration: FastPath, FastTrack and hardware encryption. Strictly speaking, FastPath and FastTrack are software fast paths that skip most of the Linux network stack rather than hardware offload; only the encryption part uses dedicated hardware. Whether FastPath and FastTrack are enabled and active is shown in /ip settings (the ipv4-fast-path-active and ipv4-fasttrack-active fields, with packet and byte counters next to them).

FastPath accelerates plain bridging and routing. It cannot be used together with NAT, firewall rules or queues, so if you are using your RouterBOARD only for routing and bridging with no need for QoS, filters or other rules (say you are building a point-to-point Wi-Fi bridge), you can definitely use it and get away with a low-cost RouterBOARD. FastPath for bridging is enabled under /interface bridge settings (allow-fast-path) and for routing under /ip settings; a bridge with use-ip-firewall=yes cannot use it, and firewall rules, NAT, queues and connection tracking all take the affected traffic off the fast path. It is much like the acceleration tick box on a consumer router: enable it, but use no other features. Every RouterBOARD should support this.

FastTrack is FastPath with connection tracking (that is how the wiki describes it), which is what lets it coexist with NAT. It is applied with the fasttrack-connection action, which is available both in firewall filter and in mangle. RouterOS is unusual in that you choose which connections to accelerate (TCP and UDP only): if one packet of a connection matches a fasttrack-connection rule, the whole connection is fasttracked from then on. Only established connections can be fasttracked, so the best way to do selective acceleration is to decide in the rules for new connections which flows are allowed to become established at all. What isn't mentioned in the wiki is that fasttrack can be applied in mangle for even more performance and more selective choices. It also seems that mangle is used during acceleration, whereas filters and QoS are simply ignored. You could also use fasttrack to lower CPU load in the input and output chains for services running on the RouterBOARD itself, such as DNS and NTP (also not mentioned in the wiki). Supported routerboards are . FastTrack is applied to the connection, not to individual packets. MikroTik says they plan to extend FastTrack to non-TCP/UDP traffic so your firewall rules can be generic, but you will still need rules after the fasttrack rule to catch the non-accelerated packets.

The basic rule for fasttrack shown in the wiki is

You can apply the fasttrack rule in mangle instead. Either way, it belongs below all of your filtering for new connections and above the final drop in the chain you are accelerating, and it must be followed by an ordinary accept for established,related traffic, because the packets that are not fasttracked (the first packets of each flow, and anything that is not TCP/UDP) still have to pass the chain.
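The listing below is an added example of that placement, not the wiki's rule listing. It combines the two points made above: the mangle section marks web connections on their first (never fasttracked) packet, and the filter section fasttracks only the unmarked established flows, so web traffic stays visible to queues and later filter rules while bulk traffic bypasses the firewall. ether1 (WAN) and bridge1 (LAN) are assumed names, and the choice of ports 80 and 443 as the "keep in slow path" set is arbitrary.

```routeros
# Added example, not the wiki's listing. Assumptions: WAN=ether1, LAN=bridge1.
# Demonstrates rule placement for selective fasttrack: web traffic is kept out
# of fasttrack (via a connection mark set in mangle) so queues and filter rules
# still see it, while everything else bypasses the firewall once established.
/ip firewall mangle
# The first packet of a connection is never fasttracked, so this mark is set
# before fasttrack can kick in and stays on the connection for its lifetime.
add chain=prerouting connection-state=new protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=web passthrough=no \
    comment="tag web flows so they are excluded from fasttrack"

/ip firewall filter
# 1. Policy for NEW connections comes first: only LAN-initiated flows may start.
#    (Add an accept for connection-nat-state=dstnat here if you port-forward.)
add chain=forward connection-state=new in-interface=bridge1 out-interface=ether1 \
    action=accept
add chain=forward connection-state=new action=drop comment="no new flows from the WAN"
# 2. Selective fasttrack, below the policy above and above the final drop.
#    Only established/related TCP and UDP can be fasttracked; unmarked flows
#    are the bulk traffic we want off the CPU.
add chain=forward connection-state=established,related protocol=tcp \
    connection-mark=no-mark action=fasttrack-connection comment="fasttrack TCP (non-web)"
add chain=forward connection-state=established,related protocol=udp \
    connection-mark=no-mark action=fasttrack-connection comment="fasttrack UDP (non-web)"
# 3. Everything that was not fasttracked (the "web" flows, the first packets of
#    each flow, ICMP, GRE) still needs an ordinary accept, then the default drop.
add chain=forward connection-state=established,related action=accept
add chain=forward action=drop

# Checking that it works (terminal):
#   /ip settings print                -> ipv4-fasttrack-active and ipv4-fasttrack-packets
#   /ip firewall filter print stats   -> counters on the fasttrack-connection rules
#   /ip firewall connection print     -> fasttracked connections carry the F flag
```

The reason for excluding flows by connection mark rather than by port is that a fasttrack rule matches on whichever packet of the connection it sees first; a reply packet from a web server has src-port 80, not dst-port 80, so a dst-port=!80 matcher would fasttrack the very connections you meant to exclude. Fasttracked packets also bypass simple queues and queue trees with a global parent, so anything you intend to shape must be kept out of fasttrack the same way.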
Using fasttrack in mangle prerouting, if it works, may yield better results if you don't have any restrictions to apply to it. It may be possible to apply QoS to it by limiting the data rate (not packet rate) of the connection in the mangle rule, and it may be possible to apply priority-style QoS by using mangle for selective fasttrack and relying on rule order. None of this is verified yet; upon trying different combinations of rules on my CCR it says enabled, but I haven't yet seen any packets accelerated in the statistics (though this could be a bug, or I simply am not in a setup where acceleration can be applied).

If any of you have a RouterBOARD, please test this and let me know by PM whether the things not on the wiki work. If they do, you should see lower CPU usage or better throughput than without.

According to the wiki, only AES hardware acceleration is supported in RouterOS, so it won't matter whether the hardware supports other kinds of acceleration; only AES (as used by IPsec) will be accelerated. The wiki lists some optimisations that improve performance, but nowhere does it say where to enable or disable them.

PM me for any mistakes, corrections or requests regarding mikrotik routerOS configuration.
