Forum Thread: Mikrotik - Part Three [Breaking Chains for the Administrator] by: Mohamed Ahmed

In this last installment (for now) I will teach you how to use RB for network administrators.

The most interesting thing in a network is to guarantee the quality of service (QoS) as well as something implicit is to change the ports.

Let's move on with the settings:

It allows to change the default ports of the services, also to designate that IP are enabled to access the service most importantly, it is possible to install certificates for the services.

IP configurations allow you to configure parameters for redirects, types of routes to use, ARP times and ICMP limit among other FastTrack configurations.

This section allows you to configure which actions will be inserted in the LOG

The users section allows you to separate tasks, create user groups for management, read logs add SSH private keys.

A fairly extensive section.

This "option" allows to choose an action for the following chains:

INPUT: The packets that are addressed to the Router.
OUTPUT: The packets coming out of the Router.
FORWARD: The packets that pass through the router.

Due to the complexity of the different configurations that can be made, the alternatives will remain at the discretion of the reader depending on the scenario faced.

As an introduction, within this section it is possible to reject connections from a source or towards a destination (IP) to work with CIDR you must create lists to use them.

It also has a powerful layer 7 filter that allows you to handle regular expressions.
You can filter by content layer 7 and byte to perform a QoS with different download packages (10MB / 50MB / 100MB).

It allows to make marking of packages and connections to then choose if it should go out to the internet or it must stay in the internal network.

  • NAT

This "option" allows you to choose an action for the following strings:

SRCNAT: Packages that come from the internal network and are destined for the internet.
DSTNAT: Packages that go to the internal internet network.

Here it is possible to perform redirects (DMZ / IP-FORWARDING), the most common is to make a redirect to an RDP server, you find the code would be:


/ ip firewall nat add chain = dstnat dst-address = "IP address" action = dst-nat to-addresses = "Server IP address" protocol = TCP dst-port = 3389

Making the exception what, allows choosing a source IP address to establish the connection or any IP source (for better management question) it is desirable to indicate the IP from where the connection will be established.

This "option" allows you to choose an action for the following chains:

INPUT: Everything that enters the Router.
OUTPUT: Everything that comes out of the Router.
FORWARD: Everything that goes through the Router.
PRE-ROUTING: Data strings before being routed.
POST-ROUTING: Data routing after routing.

Mainly here is the work of Load-Balancing (Load Balancing) as connections and packages are marked, indicating what you enter through an interface comes out the same also the heart of Quee-Tree is Mangle because all brands of packages are used to guarantee a QoS (Quality of service by protocols and services)

The following image aims to show the rules for load balancing of 3 mixed lines (ADSL / WIFI CLIENT / IF FIXED)

Often it happens that the ISP provides a service of inferior quality to which it contracts from there it must resort to different alternatives so that the amount of MB that it offers is equal or balanced (in this case the concepts are not similar), being equal we are going to we must mention that each user is given an equal up / down speed.

Being balanced indicates that the total of the flag width will be a balanced load among the total users.

From here you must differentiate and establish policies according to the place dodne uses or will implement.

The different flaps describe:

  • Simple Queue: Simple queues allow you to intuitively define the download / upload speed, BURST time, work slots or lockout.
  • Interface Queue: Queues by interfaces, the RB defines this parameter.
  • Queue Tree: Queue Tree, used for QoS, a job that must be previously designed and diagrammed, since after being implemented it is complex to add new rules that are above or below the service to be prioritized.
  • Queue Types: Queue types, per connection, fifo, pfifo, network, sfq, allows to set the queue type to use, useful when working with QoS and Queue Tree.

Here you will see Queue-Simple, the image you see below, indicates the configuration to perform to see the operation on a certain IP, exemplifying with the load of On-Line videos.

You must comply with the following rule for Download and Upload.
Limit-At <Max-Limit <Burst-Limit
Time is expressed in seconds.

The following images show the operation of a Cola-Simple with a video in low quality and when the quality varies.
Once the speed limit is reached there are statistics indicating the number of packets that have been discarded queued.

As seen in the previous image, when reaching the established limit, the user can not use more Bandwith or bandwidth, guaranteeing each user an access speed.

The following image will show the statistics of the global interfaces and you will also see a tool included in the RB called TORCH which allows monitoring an interface, a particular IP to know what it does on the LAN and the Internet.

that's for now ....

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active