MikroTik Firewall Concept

Hi everybody !

Today I write about firewall conecept in MikroTik. If you have background in linux firewall, I think it's not difficult for you to study firewall on MikroTik. It has the same concept. In this post maybe not include any example. I just write about the concept. I will do firewall example and lab for you in the next post. So let's start 🙂

There are three difference table in MikroTik firewall and all of them have diffence function. All firewall rule run from top to bottom follow the rule number. If the first rule match, it will not process to the next rule but except if passthrough option has been selected. Now we start from firewall filter.

Firewall Filter: Most of the time we use it for filter traffic simply say to protect our network from unauthorize user or bad guy. There are three default chain in firewall filter. It's input, output and forward.

  • Input: used to process packets entering the router. For example If we want to filter packet that telnet or ssh to router we need to use input chain in firewall filter.
  • Output: used to process packets that originated from the router. Normally we rarely use this chain. Example we ping from router to Internet that's output traffic.
  • Forward: Used to process packets passing through the router. Example we want to block users to open facebook. We will use firewall forward chain to do it.

But we can create our own chain that we called user define chain. User define chain used to group filter policy. Using user define chain make user friendly and easy to understand the rule in firewall. To use user define you need to jump from default chain to your chain that you defined.
Let's see the picture above. To easy understanding I categorize the tab menu in firewall filter function to three group.

  • Matching:  To match packet to firewall filter condition. It's operate by General, Advanced and Extra tab.
  • Action: What we do if the packet match. It's perform by action tab.
  • Status: How many packet/bytes has been match. It's use to monitor whether our rule have any affect or not. You can see the status in Statistics tab.

To see what each parameter in each group mean please see in the MikroTik documentation http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Firewall NAT: This table used to modify IP header of source/destination IP to another IP or simply say it's translate IP. In firewall NAT there are two default chain.

  • dstnat or destination NAT: This type of NAT is performed on packets that are destined to the natted network. We usually use to allow user from Internet to access device in our local network.. For example we have camera security but IP of camera security has been set with private IP and netted by router. So we may not able to access from the Internet. To solve this problem we can do dstnet(Some vender called port forwarding) to translate traffic that go to public IP with specific port to our camera security IP. But sometime we also use to redirect traffic like we do transparent web proxy or transparent dns
  • srcnat or source NAT: This type of NAT is performed on packets that are originated from a natted network. It's commonly used in real world networking because the lack of public IPV4 address. Example our ISP provide point to point IP to our organization. You already know, normally point to point IP is /30 mean we have 4 IPs but we can use only 1 IP to setup on our side. So how can we share Internet to 100 users in our organization? The solution is we nat our private IP by using srcnat option in Firewall NAT table.

The same as firewall filter, firewall nat also categorize into three group. You can see this link http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT to understand the meaning of paremeters in firewall nat.

Firewall Mangle: Firewall mangle use to mark IP packet. These marks are used by other router facilities like routing, firewall filter and bandwidth management to identified the packets. Moreover it also used modify some fields in the IP header, like TOS (DSCP) and TTL fields. There are 5 default chain in firewall mangle.

  • Prerouting: It's happen before input chain. The packet that forword passthrough the router will match prerouting first.
  • Input: Packet that come into router will check with input chain.
  • Forward: Afer prerouting, packet that passthrough router will process by forward chain.
  • Postrouting: It's happen after forward.
  • Output: used to process packets that originated from the router

See the diagram below to understand packet flow of MikroTik feature.


Thanks for reading my post 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *