www.glcnetworks.com
Mikrotik IP settings for performance and security
GLC Webinar, 3 Feb 2022
Achmad Mardiansyah
achmad@glcnetworks.com
GLC Networks, Indonesia
www.glcnetworks.com
Agenda
● Introduction
● Review prerequisite knowledge
● Mikrotik IP settings
● Live practice
● Q & A
Introduction
What is GLC?
● Garda Lintas Cakrawala (www.glcnetworks.com)
● Based in Bandung, Indonesia
● Areas: Training, IT Consulting
● Certified partner for: Mikrotik, Ubiquiti, Linux Foundation
● Product: GLC radius manager
● Regular event
Trainer Introduction
● Name: Achmad Mardiansyah
● Base: Bandung, Indonesia
● Linux user since 1999, Mikrotik user since 2007, UBNT user since 2011
● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6)
● Mikrotik/Linux Certified Consultant
● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips
● More info: http://au.linkedin.com/in/achmadmardiansyah
Past experience
● 2020-2022 (Congo DRC, PNG, Malaysia): network support, radius/billing integration
● 2019, Congo (DRC): built a wireless ISP from the ground up
● 2018, Malaysia: network revamp, developed a billing solution and its integration, set up dynamic routing
● 2017, Libya (North Africa): remote wireless migration for a new wireless ISP
● 2016, United Kingdom: workshop for a wireless ISP, migrating a bridged network to a routed one
● 2015, Kalimantan: wireless support
● See our website for more details
About the GLC webinar
● First webinar: January 1, 2010 (title: "tahun baru bersama solaris" - new year with the Solaris OS)
● A sharing event with various topics: Linux, networking, wireless, database, programming, etc.
● Regular schedule
● Irregular schedule: as needed
● Checking the schedule: http://www.glcnetworks.com/schedule
● You are invited to be a presenter
○ No need to be an expert
○ This is a forum for sharing knowledge, experiences and information
Please introduce yourself
● Your name
● Your company/university?
● Your networking experience?
● Your mikrotik experience?
● Your expectation from this course?
Prerequisite
● This presentation requires some prerequisite knowledge
● We assume you already know:
○ Computer network
○ Mikrotik RouterOS
Review prerequisite knowledge
7 OSI layers & protocols
● The OSI layer model is a conceptual model from ISO (International Organization for Standardization) for the OSI (Open Systems Interconnection) project
● When you send a message with a courier, you need to add more information to get your message to the destination (this process is called encapsulation)
● What is a protocol?
○ A set of rules for communication
○ Available on each layer
● Communication consists of a series of encapsulations
○ SDU: service data unit (before the header is added)
○ PDU: protocol data unit (after the header is added)
Layered model (TCP/IP vs ISO) and encapsulation
Layer 4 header
Layer 3 header
Layer 2 header, ethernet
Layer 2 header, 802.11
Did you notice?
● There is a big overhead in the encapsulation process
● More encapsulation means less payload?
Layer 2 vs Layer 3 addressing
Layer 2
● Burned-in address
● Adjacent communication
● Consists of 48 binary bits, written in HEX format (1 HEX digit = 4 bits)
● Unique for every physical port
● The first 6 HEX digits represent the manufacturer

Layer 3
● Logical address
● End-to-end communication
● IPv4 is 32 bits long
● 2 versions: IPv4 (our focus) and IPv6
● Consists of a network part and a host part
● Could be class-based IP addressing (without a subnet mask)
● Now it is classless IP addressing -> VLSM (variable-length subnet mask)
● CIDR (classless inter-domain routing)
IP spec (RFC 791)
● Defined a long time ago (1981)
● Defines what the IP header looks like
● Still in use today
● New version -> IPv6
What does a layer 3 address look like?
● An IPv4 address is 32 bits long
● Written in binary -> always think in binary
● Displayed to humans in decimal, one number per 8 bits (octet)
● Has 2 parts: the network part and the host part
● Like a phone number 0812 XXXXXXXX -> hierarchical
● All devices in the network have the same network part
● The first and last addresses cannot be used (they are the network ID and the broadcast ID)
Variable-Length Subnet Masking (VLSM)
● Divides an IP address block into subnets of different sizes using / (slash) notation
● A solution to the inefficiency of classful IP addressing (fixed length). No more class A, B, C
● RFC: 1878 (1995)
● Basis for CIDR
● Example: 23.45.0.0/17
○ 23.45.0.0/25
○ 23.45.0.128/25
Classless Inter-Domain Routing (CIDR)
● Provides a new and more flexible way to specify network addresses in routers (using slash notation)
● Allows flexible allocation of Internet Protocol (IP) addresses
● Lets a routing table entry represent an aggregation of networks that exist in the forward path
● Each IP address has a network prefix that identifies its network
● RFC: 1519
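The addressing rules of the last few slides (network and host part, the reserved first and last address, splitting 23.45.0.0/17 into /25 subnets with VLSM, and merging prefixes back with CIDR) carried out as bit operations. This is an added example written for this deck, not code from the slides or from GLC Networks; the function names are the example's own, and it deliberately avoids Python's ipaddress module so that the binary arithmetic the slides ask you to "think in" stays visible. It goes beyond the slide's two subnets: any split of a block into equal subnets and any merge of aligned, adjacent prefixes is handled.

```python
"""IPv4 prefixes in binary: network/host split, reserved addresses, VLSM and CIDR.

Added example for this deck (not the slides' own code). It works on 32-bit
integers directly so the network ID, broadcast ID, subnet splitting (VLSM)
and prefix aggregation (CIDR) are visible as bit operations.
"""
from typing import List, Tuple


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 -> 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def to_str(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bin(value: int) -> str:
    """Binary with a space between octets, as the routing-table slides print it."""
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def mask(prefix_len: int) -> int:
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_prefix(cidr: str) -> Tuple[int, int]:
    """'a.b.c.d/n' -> (network as int, n); host bits are cleared."""
    addr, _, plen = cidr.partition("/")
    n = int(plen)
    return to_int(addr) & mask(n), n


def describe(cidr: str) -> dict:
    """Network ID, broadcast ID, mask and usable host range of one prefix."""
    net, n = parse_prefix(cidr)
    m = mask(n)
    broadcast = net | (~m & 0xFFFFFFFF)
    usable = max(0, 2 ** (32 - n) - 2)  # first and last addresses are reserved
    return {
        "network_id": to_str(net),
        "broadcast_id": to_str(broadcast),
        "mask": to_str(m),
        "usable_hosts": usable,
        "first_host": to_str(net + 1) if usable else None,
        "last_host": to_str(broadcast - 1) if usable else None,
    }


def subnets(cidr: str, new_len: int) -> List[str]:
    """VLSM: split one block into equal subnets of prefix length new_len."""
    net, n = parse_prefix(cidr)
    if new_len < n:
        raise ValueError("new prefix must be longer than the block's prefix")
    step = 2 ** (32 - new_len)
    return [f"{to_str(net + i * step)}/{new_len}" for i in range(2 ** (new_len - n))]


def aggregate(prefixes: List[str]) -> List[str]:
    """CIDR aggregation: merge adjacent, aligned, equal-length prefixes into shorter ones."""
    nets = sorted(set(parse_prefix(p) for p in prefixes))
    changed = True
    while changed:
        changed = False
        merged: List[Tuple[int, int]] = []
        i = 0
        while i < len(nets):
            if i + 1 < len(nets):
                (a, la), (b, lb) = nets[i], nets[i + 1]
                # Two /n blocks merge into one /(n-1) when the first is aligned to
                # the /(n-1) boundary and the second is exactly one block above it.
                if la == lb and la > 0 and a & mask(la - 1) == a and b == a + 2 ** (32 - la):
                    merged.append((a, la - 1))
                    i += 2
                    changed = True
                    continue
            merged.append(nets[i])
            i += 1
        nets = sorted(merged)
    return [f"{to_str(a)}/{length}" for a, length in nets]


if __name__ == "__main__":
    print(describe("192.168.1.0/24"))
    print(subnets("23.45.0.0/17", 25)[:4], "...", len(subnets("23.45.0.0/17", 25)), "subnets")
    print(aggregate(["23.45.0.0/25", "23.45.0.128/25", "23.45.1.0/25", "23.45.1.128/25"]))
    print(to_bin(to_int("192.168.2.6")))
```

Splitting 23.45.0.0/17 into /25 subnets yields 2^(25-17) = 256 of them, the first two being the slide's 23.45.0.0/25 and 23.45.0.128/25; feeding those two back into `aggregate` gives 23.45.0.0/24, which is the CIDR idea of one routing entry standing for several networks.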
Router vs Routing
● A router is a network device that is used to forward packets based on layer 3 information (the layer 3 header)
● Routing is the process of selecting a path for traffic in a network, or between or across multiple networks
Network design: physical connection (physical topology)
● A router connects layer 2 segments
● A router works on layer 3
● Meaning each layer 2 segment has its own network ID
(Figure: physical topology with routers R1, R2, R3 and R4, ISP1, ISP2 and the internet)
Network design: logical connection (logical topology)
(Figure: logical topology. R1 (192.168.0.1/26, 192.168.1.1/24), R2 (192.168.0.2/26, 192.168.2.2/24) and R3 (192.168.0.3/26, 192.168.3.3/24) share the segment 192.168.0.0/26; hosts 192.168.1.9, 192.168.2.9 and 192.168.3.9 sit on the LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24)

Routing table (of R1 in this topology):
destination             gateway
192.168.0.0/26          direct
192.168.1.0/24          direct
192.168.2.0/24          192.168.0.2
192.168.3.0/24          192.168.0.3
192.168.16.3/32         192.168.0.2
0.0.0.0/0 (default gw)  192.168.0.3

Routing table:
● A table on the router that is used to forward packets
● Available on every device (router and host)
● Entries are evaluated sequentially
Forwarding packets using routing table
● It works like a firewall: match and action
● When a packet arrives, the routing table is used to decide where to forward it
● You should think in binary to understand how it works

destination       binary prefix                          gateway
192.168.16.3/32   11000000 10101000 00010000 00000011    192.168.0.2
192.168.0.0/26    11000000 10101000 00000000 00          direct
192.168.1.0/24    11000000 10101000 00000001             direct
192.168.2.0/24    11000000 10101000 00000010             192.168.0.2
192.168.3.0/24    11000000 10101000 00000011             192.168.0.3
0.0.0.0/0         (no prefix bits, matches anything)     192.168.0.3
A packet arrives at R1… (example)
The destination IP address of the packet is 192.168.2.6. Which gateway do we use?
A: 192.168.2.6 = 11000000 10101000 00000010 00000110
The first 24 bits match 192.168.2.0/24 (11000000 10101000 00000010), which is the longest matching prefix, so the gateway is 192.168.0.2.
(Routing table as on the previous slide.)
Where does the routing table lookup happen?
Administrative distance (analogy)
Analogy: the same city can be reached by roads of different lengths, and the shortest road wins.
CITY 1   100 km
CITY 2   120 km
CITY 2    90 km
CITY 3   500 km
CITY 4   250 km

destination      gateway        distance
10.10.10.0/24    192.168.0.1    10
10.10.20.0/24    192.168.0.2    12
10.10.20.0/24    192.168.0.3     9
10.10.30.0/24    192.168.0.3    50
10.10.40.0/24    192.168.0.4    25
Administrative distance
● Distance is considered only when the prefix length is the same
● The lowest distance wins
● The administrative distance policy depends on the vendor
● The table on the right shows an example of administrative distances on a Cisco router
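The lookup from the "Forwarding packets using routing table" slides and the tie-break from the administrative distance slide, as one added example (not code from the deck or from GLC Networks). The first table is R1's routing table as printed on the slides; the second is the distance table from the administrative distance slide; the Route type, the function names and the sample destinations other than 192.168.2.6 are this example's own.

```python
"""Routing-table lookup in binary: longest prefix match, then lowest distance.

Added example for this deck (not code from the slides). Both tables are
constructed here as plain Python lists from the values printed on the slides.
"""
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str        # "a.b.c.d/n"
    gateway: str       # next hop, or "direct" for a connected network
    distance: int = 1  # administrative distance, used only to break ties


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    for o in (a, b, c, d):
        if not 0 <= o <= 255:
            raise ValueError(f"bad octet in {addr!r}")
    return (a << 24) | (b << 16) | (c << 8) | d


def as_bits(addr: str, prefix_len: int = 32) -> str:
    """The first prefix_len bits of an address, grouped per octet as the slides print them."""
    bits = f"{ip_to_int(addr):032b}"[:prefix_len]
    return " ".join(bits[i:i + 8] for i in range(0, len(bits), 8))


def matches(dst: str, prefix: str) -> bool:
    """True when dst agrees with prefix in its first n bits (n = 0 matches everything)."""
    net, n = prefix.split("/")
    n = int(n)
    if n == 0:
        return True
    shift = 32 - n
    return (ip_to_int(dst) >> shift) == (ip_to_int(net) >> shift)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Select the route for dst.

    Longest prefix wins; among equal prefix lengths the lowest distance wins;
    on a full tie the entry listed first wins (the table is read sequentially).
    Returns None when no entry matches.
    """
    best: Optional[Route] = None
    best_key = None
    for route in table:
        if not matches(dst, route.prefix):
            continue
        plen = int(route.prefix.split("/")[1])
        key = (-plen, route.distance)  # smaller key is better
        if best is None or key < best_key:
            best, best_key = route, key
    return best


def gateway_for(table: List[Route], dst: str) -> str:
    route = lookup(table, dst)
    return route.gateway if route else "(no route)"


# Constructed from the slide: R1's routing table, in the order printed there
R1_TABLE = [
    Route("192.168.16.3/32", "192.168.0.2"),
    Route("192.168.0.0/26", "direct"),
    Route("192.168.1.0/24", "direct"),
    Route("192.168.2.0/24", "192.168.0.2"),
    Route("192.168.3.0/24", "192.168.0.3"),
    Route("0.0.0.0/0", "192.168.0.3"),  # default gateway
]

# Constructed from the administrative-distance slide: two candidates for 10.10.20.0/24
DISTANCE_TABLE = [
    Route("10.10.10.0/24", "192.168.0.1", 10),
    Route("10.10.20.0/24", "192.168.0.2", 12),
    Route("10.10.20.0/24", "192.168.0.3", 9),
    Route("10.10.30.0/24", "192.168.0.3", 50),
    Route("10.10.40.0/24", "192.168.0.4", 25),
]

if __name__ == "__main__":
    for dst in ("192.168.2.6", "192.168.16.3", "192.168.0.9", "8.8.8.8"):
        r = lookup(R1_TABLE, dst)
        print(f"{dst:15} {as_bits(dst)}  -> {r.prefix:16} via {r.gateway}")
    print("10.10.20.7 ->", gateway_for(DISTANCE_TABLE, "10.10.20.7"))
```

For the slide's question, 192.168.2.6 matches both 192.168.2.0/24 and 0.0.0.0/0; the /24 is longer, so the gateway is 192.168.0.2. For 10.10.20.7 both /24 entries match with the same length and the distance 9 entry wins, exactly the tie-break the slide describes.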
Static routing
(Figure: the same logical topology and routing table as on the "Network design: logical connection" slide)
● Entries in the routing table are created manually
● The admin must manage the routing table on all routers
● The admin has full control over the routing table
Dynamic routing
(Figure: the same logical topology and routing table as on the "Network design: logical connection" slide)
● Routers talk to each other using a routing protocol (RIP, OSPF, BGP)
● Entries in the routing table are created automatically
● The admin must have good knowledge of the routing protocol
Autonomous system (AS)
● A collection of routers and networks under one administration that applies a single routing policy
● An AS is identified by a number (Autonomous System Number, ASN) given by an RIR (Regional Internet Registry: APNIC, ARIN, RIPE, etc.)
(Figure: AS1, AS2, AS3, AS4)
Addressing, IANA, RIR
● The internet is based on the IP (Internet Protocol) addressing scheme -> RFC 791
● Addressing has to be unique
● IANA (Internet Assigned Numbers Authority) regulates IP address allocation
● IANA delegates (some of its authority) to the RIRs (Regional Internet Registries)
● RIRs delegate further to country-level registries
● Every organisation must have an IP address block to join the internet and build a routing scheme among its equipment
Asymmetric routing
● Currently, routing is done one way only (outbound)
● The forwarding process on a router is based on the destination IP address
● There is no guarantee that the incoming path is the same as the outgoing path
● We can only control outbound traffic
(Figure: the same logical topology as on the "Network design: logical connection" slide)
Private IP, public IP and NAT
Public IP
● Used globally (on the internet)
● Must be unique
● Usually borrowed from an ISP (via ADSL, GPON, GSM, 4G, etc.)

Private IP (RFC 1918)
● Used privately (inside an organisation)
● Duplicated across many organisations
Mikrotik IP settings
IP forward
● A feature that lets the router forward packets between its interfaces
ICMP Redirect
● Send-redirects - whether to send ICMP redirects. Recommended to be enabled on routers
● Accept-redirects - whether to accept ICMP redirect messages. Typically enabled on hosts and disabled on routers
● Secure-redirects - accept ICMP redirect messages only from gateways listed in the default gateway list
(Figure: R1 at .1 and R2 at .2 on 192.168.1.0/24, a host at .10, and a link to the internet)
Accept-source-route
● Source routing
● Whether to accept packets carrying the Source-and-Record-Route (SRR) IP option
Allow fastpath
● Enables the fast-path feature
● Enable this!
Route cache
● Disables or enables the Linux route cache. Note that disabling the route cache also disables fast path.
● Enable this!
Reverse-path filtering (RFC3704)
● Disables/enables source validation.
○ no - no source validation.
○ strict - applies Strict Reverse Path. Each incoming packet is tested against the FIB, and if the arrival interface is not the best reverse path to the source, the packet check fails. By default, failed packets are discarded.
○ loose - applies Loose Reverse Path. Each incoming packet's source address is also tested against the FIB, and if the source address is not reachable via any interface, the packet check fails.
● Recommendation: use strict mode to prevent the IP spoofing used in DDoS attacks.
● For asymmetric routing, complex routing and VRRP cases, loose mode is recommended.
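Reverse-path filtering in the three modes the slide lists, as an added example (not RouterOS code and not from the deck). The FIB follows the slide's picture: 12.1.1.0/24 on a LAN interface and a default route towards the internet. The interface names, the second uplink for 198.51.100.0/24 used to show the asymmetric-routing caveat, the blackhole entry for 10.0.0.0/8 and all test packets are constructed for this example.

```python
"""Reverse-path filtering (RFC 3704) in strict and loose mode.

Added example for this deck (not RouterOS code). A router's FIB is modelled
as (prefix, interface) pairs; for a packet's source address and arrival
interface the function decides whether the rp-filter check passes.
"""
import ipaddress
from typing import List, Optional, Tuple

FIB = List[Tuple[str, Optional[str]]]  # (prefix, outgoing interface or None for blackhole)


def best_interface(fib: FIB, address: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach address.

    Returns None when there is no route or the best route is a blackhole.
    """
    ip = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter(fib: FIB, src: str, in_iface: str, mode: str) -> bool:
    """True when the packet passes the reverse-path check.

    no     - no source validation, everything passes
    strict - the source must be reachable via the interface the packet arrived on
    loose  - the source must be reachable via some interface (any route at all)
    """
    if mode == "no":
        return True
    reverse = best_interface(fib, src)
    if mode == "strict":
        return reverse == in_iface
    if mode == "loose":
        return reverse is not None
    raise ValueError(f"unknown rp-filter mode {mode!r}")


# Constructed FIB for R1 (interface names are the example's own)
R1_FIB: FIB = [
    ("12.1.1.0/24", "ether2-lan"),       # the LAN from the slide
    ("198.51.100.0/24", "ether3-wan2"),  # constructed second uplink (asymmetric case)
    ("10.0.0.0/8", None),                # constructed blackhole: never a valid source here
    ("0.0.0.0/0", "ether1-wan"),         # default route to the internet
]

# Constructed packets: (description, source address, arrival interface)
PACKETS = [
    ("LAN host 12.1.1.10 sending out", "12.1.1.10", "ether2-lan"),
    ("from the internet with a LAN source 12.1.1.99", "12.1.1.99", "ether1-wan"),
    ("ordinary internet source", "203.0.113.5", "ether1-wan"),
    ("blackholed private source", "10.1.2.3", "ether1-wan"),
    ("asymmetric: route via wan2, arrives on wan1", "198.51.100.7", "ether1-wan"),
]


def evaluate(fib: FIB, packets) -> List[Tuple[str, bool, bool]]:
    """(description, passes strict, passes loose) for each packet."""
    return [(d, rp_filter(fib, s, i, "strict"), rp_filter(fib, s, i, "loose"))
            for d, s, i in packets]


if __name__ == "__main__":
    print(f"{'packet':48} strict  loose")
    for d, strict_ok, loose_ok in evaluate(R1_FIB, PACKETS):
        print(f"{d:48} {'pass' if strict_ok else 'DROP':7} {'pass' if loose_ok else 'DROP'}")
```

Two things stand out in the output. Strict mode drops the packet that arrives on the uplink with a LAN source, which is the spoofing case the slide's recommendation targets, but it also drops the legitimate 198.51.100.7 packet that took the other uplink in; that is why the slide sends asymmetric-routing setups to loose mode. Loose mode only fails a source that has no route at all, so with a default route present it catches nothing unless a prefix is explicitly blackholed.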
(Figure: R1 at .1 on 12.1.1.0/24 with hosts .10 and .99 and a link to the internet. Packets shown: src 12.1.1.99 -> dst y.y.y.y; src x.x.x.x -> dst 12.1.1.10; src 12.1.1.10 -> dst x.x.x.x)
TCP syncookies
● Sends out syncookies when the SYN backlog queue of a socket overflows.
● This protects against the common 'SYN flood attack'.
ARP
● Max-neighbor-entries: maximum number of allowed neighbors in the ARP table
● Arp-timeout: sets the Linux base_reachable_time_ms. Once a neighbor has been found, the entry is considered valid for at least a random value between base_reachable_time/2 and 3*base_reachable_time/2. An entry's validity is extended if it receives positive feedback from higher-level protocols. Default is 30 seconds.
ICMP rate
● Icmp-rate-mask: mask made of ICMP types for which rates are being limited. Default: 0x1818
● Icmp-rate-limit: limits the maximum rate for sending ICMP packets whose type matches icmp-rate-mask to specific targets. 0 disables any limiting; otherwise it is the minimum spacing between responses in milliseconds
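A small audit script for the settings covered on the preceding slides (ICMP redirects, source routing, fast path, route cache, rp-filter, syncookies, ARP and ICMP rate), added here as an example and not part of the deck or of RouterOS. It reads a `/ip settings print` listing (the sample below is constructed for the example, not captured from a router), compares it with the values the slides recommend for a router, and decodes the default icmp-rate-mask 0x1818 into the ICMP types it covers. The recommendation for accept-source-route is not stated on the slides and is marked as an assumption in the code.

```python
"""Audit a RouterOS "/ip settings print" listing against this deck's recommendations.

Added example (not RouterOS or GLC code). Parameter names are the RouterOS
/ip settings names the slides describe; the listing below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample laid out like "/ip settings print" (name: value, one per line)
SAMPLE_LISTING = """\
                  ip-forward: yes
              send-redirects: yes
         accept-source-route: yes
            accept-redirects: yes
            secure-redirects: yes
                   rp-filter: no
              tcp-syncookies: no
        max-neighbor-entries: 8192
                 arp-timeout: 30s
             icmp-rate-limit: 10
              icmp-rate-mask: 0x1818
                 route-cache: yes
             allow-fast-path: yes
"""

# Accepted values for a router, taken from the slides. accept-source-route is the
# exception: the slide only describes the option, and "no" is this example's
# assumption (the usual hardening choice), not the deck's advice.
RECOMMENDED: Dict[str, Tuple[List[str], str]] = {
    "rp-filter": (["strict", "loose"], "strict against spoofing; loose for asymmetric routing/VRRP"),
    "send-redirects": (["yes"], "recommended enabled on routers"),
    "accept-redirects": (["no"], "disabled on routers, enabled on hosts"),
    "accept-source-route": (["no"], "assumption: do not honour the SRR option"),
    "allow-fast-path": (["yes"], "enable this"),
    "route-cache": (["yes"], "enable this; disabling it also disables fast path"),
    "tcp-syncookies": (["yes"], "protects the SYN backlog against SYN floods"),
}

ICMP_TYPE_NAMES = {3: "destination-unreachable", 4: "source-quench",
                   11: "time-exceeded", 12: "parameter-problem"}


def parse_settings(listing: str) -> Dict[str, str]:
    """'name: value' lines -> dict; lines of any other shape are ignored."""
    settings: Dict[str, str] = {}
    for line in listing.splitlines():
        m = re.match(r"^\s*([a-z0-9-]+):\s*(\S+)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def icmp_types_from_mask(mask: str) -> List[int]:
    """Bit n set in icmp-rate-mask means ICMP type n is rate limited."""
    value = int(mask, 0)  # accepts "0x1818" as well as decimal "6168"
    return [t for t in range(32) if (value >> t) & 1]


def audit(listing: str) -> List[Tuple[str, str, str]]:
    """(parameter, current value, advice) for every setting off the recommendation."""
    settings = parse_settings(listing)
    findings = []
    for name, (good, why) in RECOMMENDED.items():
        current = settings.get(name, "<missing>")
        if current not in good:
            findings.append((name, current, f"set to {'/'.join(good)}: {why}"))
    return findings


if __name__ == "__main__":
    for name, current, advice in audit(SAMPLE_LISTING):
        print(f"{name:22} {current:10} -> {advice}")
    types = icmp_types_from_mask(parse_settings(SAMPLE_LISTING)["icmp-rate-mask"])
    print("icmp-rate-mask limits:", [ICMP_TYPE_NAMES.get(t, str(t)) for t in types])
```

On the constructed listing the audit flags rp-filter, accept-redirects, accept-source-route and tcp-syncookies; the default mask 0x1818 decodes to types 3, 4, 11 and 12, so the rate limit applies to destination-unreachable, source-quench, time-exceeded and parameter-problem messages, the error replies a router generates itself.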
Live practice
● SSH client
● SSH parameters
○ SSH address
○ SSH port
○ SSH username
○ SSH password
QnA
Any questions?
Interested? Just come to our training...
● Topics are arranged in a systematic and logical way
● You will learn from an experienced teacher
● Not only learn the materials, but also share experiences, best practices and networking
End of slides
● Thank you for your attention
● Please submit your feedback: http://bit.ly/glcfeedback
● Find our further events on our website: https://www.glcnetworks.com
● Like our Facebook page: https://www.facebook.com/glcnetworks
● Slides: https://www.slideshare.net/glcnetworks/
● Discord (Bahasa Indonesia): https://discord.gg/6MZ3KUHHBX
● Recording (YouTube): https://www.youtube.com/c/GLCNetworks
● Stay tuned with our schedule
50

More Related Content

What's hot (20)

PDF
BGP vs OSPF on Mikrotik
GLC Networks
 
PDF
Mikrotik Hotspot
GLC Networks
 
PDF
BGP on mikrotik
Achmad Mardiansyah
 
PDF
Detecting network virus using mikrotik
Achmad Mardiansyah
 
PDF
Layer 7 Firewall on Mikrotik
GLC Networks
 
PDF
OSPF On Router OS7
GLC Networks
 
PDF
Mikrotik fastpath
Achmad Mardiansyah
 
PDF
Mikrotik Load Balancing with PCC
GLC Networks
 
PDF
Mikrotik Fastpath vs Fasttrack
GLC Networks
 
PDF
ISP load balancing with mikrotik nth
Achmad Mardiansyah
 
PDF
GLC webinar: limiting bandwidth using mikrotik
Achmad Mardiansyah
 
PDF
Mikrotik router os qos best practice
Bassel Kablawi
 
PDF
Connection load balancing with mikrotik [workshop]
Achmad Mardiansyah
 
PDF
ISP Load Balancing with Mikrotik ECMP
GLC Networks
 
PDF
BGP on RouterOS7 -Part 1
GLC Networks
 
PDF
Mikrotik fasttrack
Achmad Mardiansyah
 
PDF
Stable OSPF: choosing network type.pdf
GLC Networks
 
PDF
MikroTik & RouterOS
Faelix Ltd
 
PDF
MikroTik Security
Rofiq Fauzi
 
PDF
VLAN on mikrotik
Achmad Mardiansyah
 
BGP vs OSPF on Mikrotik
GLC Networks
 
Mikrotik Hotspot
GLC Networks
 
BGP on mikrotik
Achmad Mardiansyah
 
Detecting network virus using mikrotik
Achmad Mardiansyah
 
Layer 7 Firewall on Mikrotik
GLC Networks
 
OSPF On Router OS7
GLC Networks
 
Mikrotik fastpath
Achmad Mardiansyah
 
Mikrotik Load Balancing with PCC
GLC Networks
 
Mikrotik Fastpath vs Fasttrack
GLC Networks
 
ISP load balancing with mikrotik nth
Achmad Mardiansyah
 
GLC webinar: limiting bandwidth using mikrotik
Achmad Mardiansyah
 
Mikrotik router os qos best practice
Bassel Kablawi
 
Connection load balancing with mikrotik [workshop]
Achmad Mardiansyah
 
ISP Load Balancing with Mikrotik ECMP
GLC Networks
 
BGP on RouterOS7 -Part 1
GLC Networks
 
Mikrotik fasttrack
Achmad Mardiansyah
 
Stable OSPF: choosing network type.pdf
GLC Networks
 
MikroTik & RouterOS
Faelix Ltd
 
MikroTik Security
Rofiq Fauzi
 
VLAN on mikrotik
Achmad Mardiansyah
 

Similar to Mikrotik IP Settings For Performance and Security (20)

PDF
Best Current Practice (BCP) 38 Ingress Filtering for Security
GLC Networks
 
PDF
Internet Protocol Deep-Dive
GLC Networks
 
PDF
Routing fundamentals with mikrotik
Achmad Mardiansyah
 
PDF
MPLS on Router OS V7 - Part 1
GLC Networks
 
PDF
CCNA : Intro to Cisco IOS - Part 1
GLC Networks
 
PDF
Controlling Access Between Devices in the same Layer 2 Segment
GLC Networks
 
PDF
Firewall mangle PBR: steering outbound path similar to inbound
GLC Networks
 
PDF
RouterOS Migration From v6 to v7
GLC Networks
 
PDF
Steering traffic in OSPF: Interface cost
GLC Networks
 
PDF
BGP Services IP Transit vs IP Peering
GLC Networks
 
PDF
Tuning OSPF: Prefix Aggregate
GLC Networks
 
PDF
Internal BGP tuning: Mesh peering to avoid loop
GLC Networks
 
PDF
Mikrotik User Meeting Manila: bgp vs ospf
Achmad Mardiansyah
 
PDF
Tuning OSPF: Bidirectional Forwarding Detection (BFD)
GLC Networks
 
PDF
Tuning OSPF: area hierarchy, LSA, and area type
GLC Networks
 
PDF
MTCNA Intro to routerOS
GLC Networks
 
PDF
MTCNA : Intro to RouterOS - Part 1
GLC Networks
 
PDF
BGP troubleshooting: route origin
GLC Networks
 
PDF
Policy Based Routing with Indirect BGP - Part 1
GLC Networks
 
PDF
BGP tuning: Peer with loopback
GLC Networks
 
Best Current Practice (BCP) 38 Ingress Filtering for Security
GLC Networks
 
Internet Protocol Deep-Dive
GLC Networks
 
Routing fundamentals with mikrotik
Achmad Mardiansyah
 
MPLS on Router OS V7 - Part 1
GLC Networks
 
CCNA : Intro to Cisco IOS - Part 1
GLC Networks
 
Controlling Access Between Devices in the same Layer 2 Segment
GLC Networks
 
Firewall mangle PBR: steering outbound path similar to inbound
GLC Networks
 
RouterOS Migration From v6 to v7
GLC Networks
 
Steering traffic in OSPF: Interface cost
GLC Networks
 
BGP Services IP Transit vs IP Peering
GLC Networks
 
Tuning OSPF: Prefix Aggregate
GLC Networks
 
Internal BGP tuning: Mesh peering to avoid loop
GLC Networks
 
Mikrotik User Meeting Manila: bgp vs ospf
Achmad Mardiansyah
 
Tuning OSPF: Bidirectional Forwarding Detection (BFD)
GLC Networks
 
Tuning OSPF: area hierarchy, LSA, and area type
GLC Networks
 
MTCNA Intro to routerOS
GLC Networks
 
MTCNA : Intro to RouterOS - Part 1
GLC Networks
 
BGP troubleshooting: route origin
GLC Networks
 
Policy Based Routing with Indirect BGP - Part 1
GLC Networks
 
BGP tuning: Peer with loopback
GLC Networks
 
Ad

More from GLC Networks (12)

PDF
BGP security tuning: pull-up route
GLC Networks
 
PDF
GIT as Mikrotik Configuration Management
GLC Networks
 
PDF
Building a Web Server with NGINX
GLC Networks
 
PDF
EOIP Deep Dive
GLC Networks
 
PDF
Policy Based Routing with Indirect BGP - Part 2
GLC Networks
 
PPTX
Automatic Backup via FTP - Part 2
GLC Networks
 
PDF
Automatic Backup via FTP - Part 1
GLC Networks
 
PDF
Voice Services, From Circuit Switch to VoIP
GLC Networks
 
PDF
MPLS on Router OS V7 - Part 2
GLC Networks
 
PDF
BGP on RouterOS7 - Part 2
GLC Networks
 
PDF
OSPF On Router OS7 - Part 2
GLC Networks
 
PDF
Using Zettabyte Filesystem (ZFS)
GLC Networks
 
BGP security tuning: pull-up route
GLC Networks
 
GIT as Mikrotik Configuration Management
GLC Networks
 
Building a Web Server with NGINX
GLC Networks
 
EOIP Deep Dive
GLC Networks
 
Policy Based Routing with Indirect BGP - Part 2
GLC Networks
 
Automatic Backup via FTP - Part 2
GLC Networks
 
Automatic Backup via FTP - Part 1
GLC Networks
 
Voice Services, From Circuit Switch to VoIP
GLC Networks
 
MPLS on Router OS V7 - Part 2
GLC Networks
 
BGP on RouterOS7 - Part 2
GLC Networks
 
OSPF On Router OS7 - Part 2
GLC Networks
 
Using Zettabyte Filesystem (ZFS)
GLC Networks
 
Ad

Recently uploaded (20)

PDF
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
PDF
Python basic programing language for automation
DanialHabibi2
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PDF
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
PDF
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
PDF
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
PPTX
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
PDF
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
PDF
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
PDF
CIFDAQ Weekly Market Wrap for 11th July 2025
CIFDAQ
 
PPTX
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
PDF
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
PDF
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PPTX
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
PPTX
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
PPTX
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
Python basic programing language for automation
DanialHabibi2
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
CIFDAQ Weekly Market Wrap for 11th July 2025
CIFDAQ
 
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 

Mikrotik IP Settings For Performance and Security

  • 1. www.glcnetworks.com Mikrotik IP settings for performance and security GLC Webinar, 3 Feb 2022 Achmad Mardiansyah [email protected] GLC Networks, Indonesia
  • 2. www.glcnetworks.com Agenda ● Introduction ● Review prerequisite knowledge ● Mikrotik IP settings ● Live practice ● Q & A 2
  • 4. www.glcnetworks.com What is GLC? ● Garda Lintas Cakrawala (www.glcnetworks.com) ● Based in Bandung, Indonesia ● Areas: Training, IT Consulting ● Certified partner for: Mikrotik, Ubiquity, Linux foundation ● Product: GLC radius manager ● Regular event 4
  • 5. www.glcnetworks.com Trainer Introduction ● Name: Achmad Mardiansyah ● Base: bandung, Indonesia ● Linux user since 1999, mikrotik user since 2007, UBNT 2011 ● Mikrotik Certified Trainer (MTCNA/RE/WE/UME/INE/TCE/IPv6) ● Mikrotik/Linux Certified Consultant ● Website contributor: achmadjournal.com, mikrotik.tips, asysadmin.tips ● More info: http://au.linkedin.com/in/achmadmardiansyah 5
  • 6. www.glcnetworks.com Past experience ● 2020-2022 (Congo DRC, PNG, Malaysia): network support, radius/billing integration ● 2019, Congo (DRC): build a wireless ISP from ground-up ● 2018, Malaysia: network revamp, develop billing solution and integration, setup dynamic routing ● 2017, Libya (north africa): remote wireless migration for a new Wireless ISP ● 2016, United Kingdom: workshop for wireless ISP, migrating a bridged to routed network ● 2015, Kalimantan, wireless support ● See our website for more details 6
  • 7. www.glcnetworks.com About GLC webinar? ● First webinar: january 1, 2010 (title: tahun baru bersama solaris - new year with solaris OS) ● As a sharing event with various topics: linux, networking, wireless, database, programming, etc ● Regular schedule ● Irregular schedule: as needed ● Checking schedule: http://www.glcnetworks.com/schedule ● You are invited to be a presenter ○ No need to be an expert ○ This is a forum for sharing: knowledge, experiences, information 7
  • 8. www.glcnetworks.com Please introduce yourself ● Your name ● Your company/university? ● Your networking experience? ● Your mikrotik experience? ● Your expectation from this course? 8
  • 9. www.glcnetworks.com Prerequisite ● This presentation requires some prerequisite knowledge ● We assume you already know: ○ Computer network ○ Mikrotik RouterOS 9
  • 11. www.glcnetworks.com 7 OSI layer & protocol ● OSI layer Is a conceptual model from ISO (International Standard Organization) for project OSI (Open System Interconnection) ● When you send a message with a courier, you need to add more info to get your message arrived at the destination (This process is called encapsulation) ● What is protocol ○ Is a set of rules for communication ○ Available on each layer ● Communication consist of series encapsulation ○ SDU: service data unit (before PDU) ○ PDU: protocol data unit (after header is added) 11
  • 12. www.glcnetworks.com Layered model (TCP/IP vs ISO) and encapsulation 12 / datagram
  • 17. www.glcnetworks.com Did you notice? ● There is a big overhead on encapsulation process ● More encapsulation means less payload? 17
  • 18. www.glcnetworks.com Layer 2 vs Layer 3 addressing 18 Layer 2 Layer 3 ● Burned-in address ● Adjacent communication ● Consist of 48 bit binary, written in HEX format. 1 HEX = 4 bit ● Unique for every physical port ● 6 first HEX digit -> represent the manufacturer ● Logical address ● End-to-end communication ● IPv4 32 bit long ● 2 versions: IPv4 (our focus) and IPv6 ● Consist of network part & host part ● Can be class based IP address (without subnet) ● Now it is classless IP address -> VLSM (variable length subnet mask) ● CIDR (classless inter domain routing)
  • 19. www.glcnetworks.com IP spec (RFC 791) ● Defined long time ago (what 1981?) ● Defines how the IP header looks like ● Still used up to know ● New version -> IPv6 19
  • 20. www.glcnetworks.com How the layer 3 address look like? ● IPv4 address is 32 bit long ● Written in binary -> always think in binary ● Displayed to human in decimal every 8 bit (octet). ● Has 2 parts: network part and host part ● Like a phone number 0812 XXXXXXXX -> hierarchical ● All devices in the network will have same network part ● First and last address cannot be used (for network id and broadcast id) 20 Network part host part
  • 21. www.glcnetworks.com Variable-Length Subnet Masking (VLSM) ● Variable-Length Subnet Masking (VLSM) ● Can divide an IP address block into subnets of different sizes using / (slash) notation ● Solution the in efficient of classful IP address (fixed length). No more class A, B, C ● RFC: 1878 (1895) ● Basis for CIDR ● Example: 23.45.0.0/17 ○ 23.45.0.0/25 ○ 23.45.0.128/25 21
  • 22. www.glcnetworks.com Classless Inter-Domain Routing (CIDR) ● Provides a new and more flexible way to specify network addresses in routers (using slash as notation) ● allow flexible allocation of Internet Protocol (IP) addresses. ● CIDR lets a routing table entry represent an aggregation of networks that exist in the forward path ● Each IP address has a network prefix that identifies their network ● RFC: 1519 22
  • 23. www.glcnetworks.com Router vs Routing ● Router is a network device that is used to forward packets, based on layer 3 information (layer 3 header) ● Routing is the process of selecting a path for traffic in a network, or between or across multiple networks 23 Physical router Router icon
  • 24. www.glcnetworks.com Network design: physical connection (physical topology) ● Router connects layer 2 segments ● Router works on layer 3 ● Meaning, each layer 2 segment has network ID 24 R1 R2 R3 R4 ISP2 ISP1 internet
  • 25. www.glcnetworks.com Network design: logical connection (logical topology) 25 192.168.0.0/26 R1 192.168.0.1/26 192.168.0.3/26 192.168.0.2/26 R3 R2 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.3.3/24 192.168.3.9/24 192.168.2.9/24 192.168.2.2/24 192.168.1.1/24 192.168.1.9/24 destination gateway 192.168.0.0/26 direct 192.168.1.0/24 direct 192.168.2.0/24 192.168.0.2 192.168.3.0/24 192.168.0.3 192.168.16.3/32 192.168.0.2 0.0.0.0/0 (default gw) 192.168.0.3 Routing table: ● A table at router that is used to forward packet ● Available on every devices (router and host) ● Entry is executed sequentially
  • 26. www.glcnetworks.com Forwarding packets using routing table ● It works like a firewall: match and action ● When a packet arrived, routing table is used to forward packets ● You should think in binary to understand how it works 26 destination gateway 192.168.16.3/32 11000000 10101000 00001000 00000011 192.168.0.2 192.168.0.0/26 11000000 10101000 00000000 00 direct 192.168.1.0/24 11000000 10101000 00000001 direct 192.168.2.0/24 11000000 10101000 00000010 192.168.0.2 192.168.3.0/24 11000000 10101000 00000011 192.168.0.3 0.0.0.0/0 (no match) 192.168.0.3
  • 27. www.glcnetworks.com A packet arrived at R1… (example) Destination IP address of the packet is 192.168.2.6, which gateway do we use? A: 192.168.2.6 = (11000000 10101000 00000010 00000110 27 destination gateway 192.168.16.3/32 11000000 10101000 00001000 00000011 192.168.0.2 192.168.0.0/26 11000000 10101000 00000000 00 direct 192.168.1.0/24 11000000 10101000 00000001 direct 192.168.2.0/24 11000000 10101000 00000010 192.168.0.2 192.168.3.0/24 11000000 10101000 00000011 192.168.0.3 0.0.0.0/0 (no match) 192.168.0.3
  • 29. www.glcnetworks.com Administrative distance (analogy) 29 CITY 1 100 km CITY 2 120 km CITY 2 90 km CITY 3 500 km CITY 4 250 km 10.10.10.0/24 192.168.0.1 10 10.10.20.0/24 192.168.0.2 12 10.10.20.0/24 192.168.0.3 9 10.10.30.0/24 192.168.0.3 50 10.10.40.0/24 192.168.0.4 25
  • 30. www.glcnetworks.com Administrative distance ● Distance is considered when prefix length is same ● Lowest distance wins ● Administrative distance policy is depends on vendor ● Table on the right shows an example of administrative distance on cisco router 30
  • 31. www.glcnetworks.com Static routing 31 192.168.0.0/26 R1 192.168.0.1/26 192.168.0.3/26 192.168.0.2/26 R3 R2 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.3.3/24 192.168.3.9/24 192.168.2.9/24 192.168.2.2/24 192.168.1.1/24 192.168.1.9/24 destination gateway 192.168.0.0/26 direct 192.168.1.0/24 direct 192.168.2.0/24 192.168.0.2 192.168.3.0/24 192.168.0.3 192.168.16.3/32 192.168.0.2 0.0.0.0/0 (default gw) 192.168.0.3 ● Entries on routing table is created manually ● Admin must manage routing table in all routers ● Admin have full control on routing table
  • 32. www.glcnetworks.com Dynamic routing 32 192.168.0.0/26 R1 192.168.0.1/26 192.168.0.3/26 192.168.0.2/26 R3 R2 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.3.3/24 192.168.3.9/24 192.168.2.9/24 192.168.2.2/24 192.168.1.1/24 192.168.1.9/24 destination gateway 192.168.0.0/26 direct 192.168.1.0/24 direct 192.168.2.0/24 192.168.0.2 192.168.3.0/24 192.168.0.3 192.168.16.3/32 192.168.0.2 0.0.0.0/0 (default gw) 192.168.0.3 ● Router will talk to each other with routing protocol (RIP, OSPF, BGP) ● Entries on routing table is created automatically ● Admin must have a good knowledge about routing protocol
  • 33. Autonomous system (AS)
    ● A collection of routers and networks under one administration that applies a single routing policy
    ● An AS is identified by a number (Autonomous System Number, ASN) assigned by an RIR (Regional Internet Registry: APNIC, ARIN, RIPE, etc)
    (Diagram: AS1, AS2, AS3, AS4)
  • 34. Addressing, IANA, RIR
    ● The internet is based on the IP (Internet Protocol) addressing scheme -> RFC791
    ● Addresses have to be unique
    ● IANA (Internet Assigned Numbers Authority) regulates IP address allocation
    ● IANA delegates (some of its authority) to the RIRs (Regional Internet Registries)
    ● RIRs delegate further to country-level registries
    ● Every organisation must have an IP address block to join the internet and build a routing scheme among its equipment
  • 35. Asymmetric routing
    ● Routing, as discussed so far, is decided one-way only (outbound)
    ● The forwarding decision on a router is based on the destination IP address
    ● There is no guarantee that the incoming path is the same as the outgoing path
    ● We can only control outbound traffic
    (Diagram: the R1/R2/R3 topology of slide 31)
  • 36. Private IP, public IP and NAT
    Public IP:
    ● Used globally (on the internet)
    ● Must be unique
    ● Usually borrowed from the ISP (via ADSL, GPON, GSM, 4G, etc)
    Private IP (RFC1918):
    ● Used privately (inside an organisation)
    ● The same ranges are duplicated in many organisations
  • 38. IP forward
    ● ip-forward: the feature that lets the router forward packets between its interfaces
  • 39. ICMP Redirect
    ● send-redirects: whether to send ICMP redirects. Recommended to be enabled on routers
    ● accept-redirects: whether to accept ICMP redirect messages. Typically should be enabled on hosts and disabled on routers
    ● secure-redirects: accept ICMP redirect messages only from gateways listed in the default gateway list
    (Diagram: 192.168.1.0/24 with R1 at .1, R2 at .2, a host at .10, and an internet uplink)
  • 40. Accept-source-route
    ● Source routing: the sender specifies the path inside the packet
    ● accept-source-route: whether to accept packets with the Source-and-Record-Route (SRR) option
  • 41. Allow fastpath
    ● allow-fast-path: enables the fast-path feature
    ● Enable this!
  • 42. Route cache
    ● route-cache: disables or enables the Linux route cache. Note that disabling the route cache also disables fast path.
    ● Enable this!
  • 43. Reverse-path filtering (RFC3704)
    ● rp-filter: disables/enables source validation.
      ○ no - no source validation.
      ○ strict - applies Strict Reverse Path. Each incoming packet is tested against the FIB and if the incoming interface is not the best reverse path, the packet check fails. By default, failed packets are discarded.
      ○ loose - applies Loose Reverse Path. Each incoming packet's source address is tested against the FIB and if the source address is not reachable via any interface, the packet check fails.
    ● Recommendation: use strict mode to prevent the source-IP spoofing used in DDoS attacks.
    ● For asymmetric routing, complex routing, and VRRP cases, loose mode is recommended.
    (Diagram: R1 at 12.1.1.1/24 in front of 12.1.1.0/24 with hosts .10 and .99 and an internet uplink. Packets shown: dst y.y.y.y src 12.1.1.99; dst 12.1.1.10 src x.x.x.x; dst x.x.x.x src 12.1.1.10)
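    The strict and loose checks of slide 43, simulated against a small FIB, as an added example that is not part of the GLC slides or of RouterOS. The interface names (`lan`, `wan`, `wan2`), the FIB and the packets are constructed for this example; the LAN prefix 12.1.1.0/24 and the .10/.99 hosts follow the slide's diagram, and the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 prefixes are documentation ranges standing in for internet prefixes. The FIB deliberately has no default route: with a default route, every source is "reachable", and loose mode rejects nothing.

```python
"""Reverse-path filtering (strict / loose / no) against a constructed FIB.
Added example, not code from the GLC slides or from RouterOS."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed FIB: (prefix, egress interface).  No default route on purpose,
# so that loose mode has an unreachable source to reject.
FIB = [
    (IPv4Network("12.1.1.0/24"), "lan"),       # the LAN behind R1 (slide 43 diagram)
    (IPv4Network("198.51.100.0/24"), "wan"),   # upstream prefix reached via wan
    (IPv4Network("203.0.113.0/24"), "wan2"),   # upstream prefix reached via a second uplink
]


def reverse_path(fib, src: str) -> Optional[str]:
    """Longest-prefix lookup of the *source* address: the interface we would use to reach it."""
    addr = IPv4Address(src)
    hits = [(net, iface) for net, iface in fib if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def rp_filter(mode: str, src: str, in_iface: str, fib=FIB) -> bool:
    """True if a packet from src arriving on in_iface passes source validation."""
    if mode == "no":
        return True                      # no source validation at all
    rev = reverse_path(fib, src)
    if mode == "loose":
        return rev is not None           # source reachable via *any* interface
    if mode == "strict":
        return rev == in_iface           # best path back must be the arrival interface
    raise ValueError(f"unknown rp-filter mode: {mode}")


# Constructed packets: (source, arrival interface, description)
PACKETS: List[Tuple[str, str, str]] = [
    ("12.1.1.10", "lan", "LAN host, normal"),
    ("12.1.1.99", "wan", "claims a LAN source but arrives from the uplink (spoofed)"),
    ("203.0.113.5", "wan", "legitimate, but the return path is wan2 (asymmetric routing)"),
    ("192.0.2.1", "wan", "source with no route at all"),
]


def check_packets(mode: str) -> List[bool]:
    """Verdict per packet in PACKETS for the given rp-filter mode."""
    return [rp_filter(mode, src, iface) for src, iface, _ in PACKETS]


if __name__ == "__main__":
    for mode in ("no", "loose", "strict"):
        print(f"rp-filter={mode}")
        for (src, iface, desc), ok in zip(PACKETS, check_packets(mode)):
            print(f"  {'PASS' if ok else 'DROP'}  src={src:<12} in={iface:<5} {desc}")
```

    The second packet is the one strict mode is for: loose mode still accepts it, because 12.1.1.99 is reachable via `lan`. The third packet shows why the slide recommends loose mode for asymmetric routing: strict mode drops legitimate traffic whose best return path is a different interface.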
  • 44. TCP syncookies
    ● tcp-syncookies: send out syncookies when the SYN backlog queue of a socket overflows.
    ● This protects against the common 'SYN flood attack'.
  • 45. ARP
    ● max-neighbor-entries: maximum number of allowed neighbors in the ARP table
    ● arp-timeout: sets the Linux base_reachable_time_ms. Once a neighbor has been found, the entry is considered valid for at least a random value between base_reachable_time/2 and 3*base_reachable_time/2. An entry's validity is extended if it receives positive feedback from higher-level protocols. Default is 30 seconds.
  • 46. ICMP rate
    ● icmp-rate-mask: mask made of the ICMP types whose rates are limited. Default: 0x1818
    ● icmp-rate-limit: limits the maximum rate of sending ICMP packets whose type matches icmp-rate-mask to specific targets. 0 disables any limiting; otherwise it is the minimum spacing between responses in milliseconds
  • 47. Live practice
    ● SSH client
    ● SSH parameters
      ○ SSH address
      ○ SSH port
      ○ SSH username
      ○ SSH password
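    A check of the settings from slides 38 to 46 against what those slides recommend, as an added example that is neither GLC's nor MikroTik's code. It parses the text of a RouterOS `/ip settings print` dump; the parameter names are the ones the slides discuss, while the sample dump itself is constructed and only assumed to follow RouterOS's "key: value" print layout. Collecting the real dump is left to the SSH session from the live practice (for instance `ssh user@router "/ip settings print"`). Two policy choices are this example's own, not the slides': `accept-source-route=no` (slide 40 only explains the option) and `ip-forward=yes` (a router has to forward).

```python
"""Audit a RouterOS `/ip settings print` dump against the recommendations of
slides 38-46.  Added example, not code from GLC or MikroTik."""
from typing import Dict, List

# Constructed sample of `/ip settings print` output (not captured from a real device).
SAMPLE_OUTPUT = """\
               ip-forward: yes
           send-redirects: yes
      accept-source-route: yes
         accept-redirects: yes
         secure-redirects: yes
                rp-filter: no
           tcp-syncookies: no
     max-neighbor-entries: 8192
              arp-timeout: 30s
          icmp-rate-limit: 10
           icmp-rate-mask: 0x1818
          allow-fast-path: yes
              route-cache: yes
"""

# Expected values on a router.  send-redirects / accept-redirects: slide 39;
# allow-fast-path: slide 41; route-cache: slide 42; rp-filter: slide 43;
# tcp-syncookies: slide 44.  ip-forward and accept-source-route are this audit's
# own assumptions (the slides only describe those two options).
ROUTER_POLICY = {
    "ip-forward": "yes",
    "send-redirects": "yes",
    "accept-redirects": "no",
    "accept-source-route": "no",
    "allow-fast-path": "yes",
    "route-cache": "yes",
    "rp-filter": "strict",
    "tcp-syncookies": "yes",
}


def parse_settings(text: str) -> Dict[str, str]:
    """Turn the right-aligned 'key: value' lines of the print output into a dict."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: Dict[str, str], asymmetric: bool = False,
          policy: Dict[str, str] = ROUTER_POLICY) -> List[str]:
    """Return one finding per setting that deviates from the policy (empty list = clean)."""
    expected = dict(policy)
    if asymmetric:
        expected["rp-filter"] = "loose"   # slide 43: asymmetric / complex routing / VRRP
    findings = []
    for key, want in expected.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key}: not present in output")
        elif have != want:
            findings.append(f"{key}={have} (expected {want})")
    # Slide 42: disabling the route cache also disables fast path, whatever allow-fast-path says.
    if settings.get("route-cache") == "no" and settings.get("allow-fast-path") == "yes":
        findings.append("allow-fast-path=yes has no effect while route-cache=no")
    return findings


if __name__ == "__main__":
    current = parse_settings(SAMPLE_OUTPUT)
    for finding in audit(current) or ["no deviations from policy"]:
        print(finding)
```

    Run against the constructed sample, the audit reports four deviations: accept-redirects and accept-source-route enabled, rp-filter off, and syncookies off. Pass `asymmetric=True` for the multi-uplink and VRRP cases, where the slide's recommendation switches to loose mode.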
  • 49. Interested? Just come to our training...
    ● Topics are arranged in a systematic and logical way
    ● You will learn from experienced teachers
    ● Not only learn the materials, but also share experiences, best practices, and networking
  • 50. End of slides
    ● Thank you for your attention
    ● Please submit your feedback: http://bit.ly/glcfeedback
    ● Find our further events on our website: https://www.glcnetworks.com
    ● Like our facebook page: https://www.facebook.com/glcnetworks
    ● Slides: https://www.slideshare.net/glcnetworks/
    ● Discord (bahasa indonesia): https://discord.gg/6MZ3KUHHBX
    ● Recording (youtube): https://www.youtube.com/c/GLCNetworks
    ● Stay tuned with our schedule