At Inveneo, we push technology hard. Our engineers work with the latest tools on the market and our deployments span some of the harshest environments on the planet. Connecting remote islands, rural communities and refugee camps can make quick work of most consumer-grade equipment, which makes identifying and configuring robust, cost-effective solutions an integral part of our services.
The latest additions to our vetted product list are the current array of Mikrotik routers. These routers are robust, affordable and low power – all things we look for in ICT4D deployments. Along with custom configuration files, these devices are used as part of most of our network deployments, and while small in size they can be configured to perform many of the same tasks as more expensive, enterprise-grade appliances.
And while they may not be able to handle extremely high bandwidth connections as well as a big Cisco router, the majority of the networks that Inveneo and our partners deploy are not . The Mikrotik devices fit our needs perfectly.
Product + Configuration = Solution
Products are important, but identifying a good device is only half of the game: setting up a device so it’s ready to work in the field is what turns a product into a solution. At Inveneo, our engineers develop custom configurations that take the guesswork out of deployment, reducing the time it takes to set up a network and streamlining our support cycle.
We use these custom configurations in our own projects, but we also make them available to the general public on our website. And with Mikrotik routers themselves available worldwide, you can put our engineering solutions to work in your network design today.
Building the Firewall
A large part of our configuration is the firewall. In its most basic form, a firewall is simply a gatekeeper that sits between your internal network and the Internet, making sure that the information going in and out is approved and secure. Firewalls create private networks and set up basic security protocols, protecting internal networks from external attacks.
At the core of a firewall is its set of rules. As packets of data come through a router they’re inspected and checked against a defined set of instructions. These rules can be quite complicated but have a few main parts:
- Source IP and port (where is the packet coming from)
- Destination IP and port (where is the packet going) and
- Action (what do we do with the packet once a rule has been matched).
If the packet matches the criteria of a firewall rule, then the action will be applied, usually resulting in the packet being “accepted” or “dropped.” Sometimes the packet will be marked or the Source IP added to an address list for reference in the future. Once the packet matches a rule, it is immediately accepted or dropped and does not pass through the rest of the firewall. With this in mind, it is important to put the rules that will be matched the most often at the beginning of the firewall, and the less commonly matched rules at the end. Most firewalls are very configurable, and can allow special access for services like VoIP or multiplayer gaming.
Firewalls are meant to protect not only the router itself, but also the devices on the network behind the router, and have to be written with this in mind. For Mikrotik devices, firewall rules in the “input” chain protect the router itself, and rules in the “forward” chain protect devices on the network, such as the users’ computers.
Every firewall needs to be customized to fit the needs of the network it is protecting, but our custom configuration is based on the best practices we use in our deployments and is a great place to get started!
What Can the Firewall Do, Exactly?
With our custom configuration files, these Mikrotik devices can perform some very specific firewall tasks including:
- Accept Valid Established or Related Traffic – Anytime a user opens a webpage, one or more TCP “streams” are opened to allow data to be uploaded or downloaded. Once a TCP stream is created, all of the packets for that stream are considered “established” or “related”. The large majority of the traffic on your Internet link is going to match this firewall rule.
- Drop FTP Brute Forcers – If you’ve ever considered opening a combination lock simply by trying every number, you’re familiar with brute force hacking. This firewall rule detects anyone who has had too many failed FTP login attempts within a certain period of time and blacklists the IP initiating the FTP session.
- Drop SSH Brute Forcers – This rule is similar to the FTP brute force rule, blocking anyone trying to establish an SSH session. The rule allows 10 failed attempts before it will block the IP initiating the session for 10 minutes.
- Drop Port Scanners – This rule prevents hackers from scanning for open ports to gain entry into a device or network. The rule detects and blocks the IP address of those attempting to connect to common port scanning ports.
- Accept Limited Pings – Many network administrators use ping as a tool to help troubleshoot network problems and determine if a device is responding. This rule allows 10 pings per second from any given IP.
- Drop Excess Pings – If an IP has initiated more than 10 pings per second, it will no longer be “accepted” and will hit this drop rule, blocking any DoS attacks. If you find that you can no longer ping your device but know that it is up, you may have to tweak this rule to be more lenient.
- Accept Management from Outside (SSH and WinBox) – This rule accepts SSH and WinBox traffic on the WAN interface to allow network administrators to access and manage the Mikrotik from the Internet.
- Accept Port 80 on LAN Interface – This rule accepts HTTP traffic from any of the LAN interfaces, allowing network admins to manage the device from the LAN. For security reasons, this is not enabled on the WAN interface.
- Drop DNS Requests on WAN Interface – This rule prevents the Mikrotik from responding to DNS requests on its WAN interface. This means that any DNS requests coming from the Internet will be ignored.
- Drop Invalid Traffic – This rule looks at the traffic and determines if it is invalid in any way. If the packet or connection is invalid, it will be dropped.
- Block Bogon IP Addresses – Bogon IP addresses are IP addresses that are not valid. Any traffic destined to or passing through the router with invalid IP addresses is dropped.
- Drop the Rest – Most firewalls contain a “drop all” or “drop the rest” statement for traffic that hasn’t matched any of the rules and been specifically accepted. It’s good practice to log this traffic rather than drop it for the first few days, analyzing your traffic to make sure that you won’t be dropping valid traffic.
As part of the configuration, we’ve made a few key assumptions. The Inveneo config file assumes that your Mikrotik router is set up like a “home router”, with ether1 as the Ethernet interface your Internet connection is plugged into. Ethernet interfaces 2-5 and wlan1 (if your router supports wireless) are bridged together on a bridge called “bridge1”. If you have a different configuration, you’ll have to search through the firewall configuration and change the interface names to match your setup.
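As an added example (not Inveneo’s published configuration file), here is an input-chain firewall in RouterOS command syntax that follows the first-match ordering and the rule list described above, assuming ether1 is the WAN interface and bridge1 the LAN bridge, and RouterOS v6 syntax. The staged SSH brute-force counters and their thresholds follow the Mikrotik wiki pattern and are illustrative, not the post’s exact 10-attempt setting; the forward chain and the bogon address list are left out.

```routeros
# Added example, not Inveneo's published config: an input-chain firewall in
# the order the post describes. Assumes ether1 = WAN and bridge1 = LAN bridge.
# Rules are evaluated top to bottom and the first match decides, so the
# high-volume rules go first. Syntax as used by RouterOS v6 "/export".
/ip firewall filter
# Most packets belong to an existing connection: accept them immediately.
add chain=input connection-state=established,related action=accept \
    comment="Accept established/related"
# Packets the connection tracker cannot classify are dropped early.
add chain=input connection-state=invalid action=drop comment="Drop invalid"
# Sources already on a blacklist are dropped before any accept rule.
add chain=input src-address-list=ssh_blacklist action=drop \
    comment="Drop SSH brute forcers"
add chain=input src-address-list=port_scanners action=drop \
    comment="Drop port scanners"
# Port-scan detection; psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=2w comment="Detect port scanners"
# SSH brute-force staging (illustrative thresholds): each new SSH connection
# from a source moves it one stage up; the fourth within the timeouts lands it
# on the blacklist for 10 minutes. New connections stand in for login attempts.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10m comment="SSH stage 3"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="SSH stage 2"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="SSH stage 1"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="SSH first connection"
# Ping: accept up to 10 per second (burst 5), then drop the excess.
add chain=input protocol=icmp limit=10,5:packet action=accept comment="Accept limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
# Management: SSH and WinBox from any interface, HTTP only from the LAN bridge.
add chain=input protocol=tcp dst-port=22,8291 action=accept comment="SSH/WinBox management"
add chain=input in-interface=bridge1 protocol=tcp dst-port=80 action=accept \
    comment="HTTP management from LAN only"
# The router is not a public resolver: ignore DNS arriving on the WAN side.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="Drop DNS on WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="Drop DNS on WAN"
# Catch-all: log while testing for a few days, then switch the log rule to drop.
add chain=input action=log log-prefix="input-drop:" comment="Log the rest (testing)"
add chain=input action=drop comment="Drop the rest"
```

Because add-src-to-address-list and log do not terminate rule processing, a fresh SSH connection still reaches the management accept rule; only sources that have climbed to ssh_blacklist are stopped by the drop near the top.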
Ready to Try it Yourself?
If you’re interested in using this solution in your own networks, please watch a short video for instructions on loading the firewall. We suggest applying the firewall to a test unit first to familiarize yourself with the configuration and do some testing before applying it on a device currently serving users. It is important to understand that applying or changing a firewall has the possibility of locking you out of your router so you need to be aware of both the interface you’re using to log into the router and the method you’re using to access the router! Our preferred method is to use WinBox, connected to one of the LAN ports. This helps avoid getting locked out when making firewall changes!
Developing this firewall solution has been no small task, and it’s important to note that the rules in this firewall configuration are not purely original Inveneo configurations. Learning from the community we’ve discovered and borrowed several rules from other users on the Mikrotik wiki and forums. Thanks to all the Mikrotik power users out there for sharing your configurations!