MTCNA Class 06: Security Management



Objectives

  • Firewall rules & port blocking

  • Site blocking

  • VPN/Tunnels overview

  • PPPoE system

  • Load balancing

1. Firewall Rules & Port Blocking (Baseline Security)

Step 1: Basic Firewall Protection

/ip firewall filter
# Allow established & related traffic
add chain=input connection-state=established,related action=accept comment="Allow established"
# Drop invalid packets
add chain=input connection-state=invalid action=drop comment="Drop invalid"
# Allow LAN access to router
add chain=input src-address=192.168.0.0/16 action=accept comment="Allow LAN"
# Drop all other access (WAN protection)
add chain=input in-interface=WAN action=drop comment="Block WAN access"

Rules are evaluated top to bottom and the first match decides, so the established/related rule must stay above the drops. WAN is the name of the upstream interface in these notes; rename it to match the router. The "Allow LAN" rule matches on source address only, so it would also accept a packet that arrives on WAN with a forged 192.168.x.x source; adding in-interface=!WAN (or the LAN bridge name) to that rule closes this.
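Worked example (added here; it is not part of the class notes and not RouterOS code): a small Python model of first-match evaluation that walks the four Step 1 rules with constructed packets. It shows two things the rule comments do not: the established/related rule must stay on top, and the "Allow LAN" rule as written also accepts a packet that arrives on WAN with a forged LAN source until an in-interface match is added. The interface name WAN and the 192.168.0.0/16 range come from the notes; the packet samples, the interface name ether2 and the handling of the `!` negation are assumptions made for this model.

```python
"""Added example (not part of the class notes, not RouterOS code): a first-match
model of the Step 1 input-chain rules, checked against constructed packets."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                                          # "accept" or "drop"
    comment: str
    connection_state: set = field(default_factory=set)   # subset of established/related/new/invalid
    src_address: Optional[str] = None                    # CIDR, e.g. "192.168.0.0/16"
    in_interface: Optional[str] = None                   # "WAN" or "!WAN" (RouterOS-style negation, modelled here)

    def matches(self, pkt: dict) -> bool:
        """Every matcher set on the rule must hold, as in RouterOS; unset matchers are wildcards."""
        if self.connection_state and pkt["state"] not in self.connection_state:
            return False
        if self.src_address and ip_address(pkt["src"]) not in ip_network(self.src_address):
            return False
        if self.in_interface:
            negate = self.in_interface.startswith("!")
            name = self.in_interface.lstrip("!")
            if (pkt["in_if"] == name) == negate:
                return False
        return True


def evaluate(rules, pkt):
    """Walk the chain top to bottom; the first matching rule decides. With no match RouterOS accepts."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "chain default (no rule matched)"


# The four rules from Step 1, in the order the notes add them.
INPUT_CHAIN = [
    Rule("accept", "Allow established", connection_state={"established", "related"}),
    Rule("drop", "Drop invalid", connection_state={"invalid"}),
    Rule("accept", "Allow LAN", src_address="192.168.0.0/16"),
    Rule("drop", "Block WAN access", in_interface="WAN"),
]

# Constructed packets addressed to the router itself (input chain); public addresses are documentation ranges.
SAMPLE_PACKETS = {
    "lan_admin_ssh":  {"src": "192.168.1.10", "in_if": "ether2", "state": "new"},
    "wan_scan":       {"src": "203.0.113.7",  "in_if": "WAN",    "state": "new"},
    "wan_reply":      {"src": "203.0.113.7",  "in_if": "WAN",    "state": "established"},
    "wan_invalid":    {"src": "203.0.113.7",  "in_if": "WAN",    "state": "invalid"},
    "wan_forged_lan": {"src": "192.168.1.10", "in_if": "WAN",    "state": "new"},   # spoofed LAN source on WAN
}


def verdicts(rules=INPUT_CHAIN):
    """Map each sample packet to accept/drop under the given rule order."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


def reordered_verdicts():
    """Same rules with the WAN drop moved to the top: replies to the router's own
    outbound connections (wan_reply) are now dropped, which is why the
    established/related rule must stay first."""
    return verdicts([INPUT_CHAIN[3]] + INPUT_CHAIN[:3])


def hardened_verdicts():
    """'Allow LAN' restricted to non-WAN interfaces, so a forged LAN source arriving on WAN is dropped."""
    hardened = list(INPUT_CHAIN)
    hardened[2] = Rule("accept", "Allow LAN", src_address="192.168.0.0/16", in_interface="!WAN")
    return verdicts(hardened)


if __name__ == "__main__":
    for label, result in (("as written", verdicts()),
                          ("WAN drop moved first", reordered_verdicts()),
                          ("Allow LAN with in-interface=!WAN", hardened_verdicts())):
        print(label, result)
```

Running the block prints the three verdict tables; the only packet whose fate changes between "as written" and the hardened chain is the forged one, and the only one that changes when the WAN drop is moved first is the legitimate reply.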


Step 2: Block Dangerous Ports (Example)

/ip firewall filter
# Block Telnet (23), FTP (21), SMB (445) from crossing the router
add chain=forward protocol=tcp dst-port=21,23,445 action=drop comment="Block risky ports"
# Block Torrent ports (common range; clients can use other ports, so this is a baseline rather than a guarantee)
add chain=forward protocol=tcp dst-port=6881-6999 action=drop comment="Block torrent"
# Block SMTP spam (port 25); to exempt the mail server add src-address=!<mail-server-ip> to this rule
add chain=forward protocol=tcp dst-port=25 action=drop comment="Block SMTP spam"


2. Site Blocking (Content Filtering)

Step 1: DNS-Based Blocking (Simple & Effective)

/ip dns static
add name=facebook.com address=0.0.0.0
add name=www.facebook.com address=0.0.0.0
add name=youtube.com address=0.0.0.0

These static answers only take effect for queries the router's own resolver answers (allow-remote-requests=yes and clients pointed at the router); a client that uses another resolver or DNS over HTTPS bypasses them. Each hostname needs its own entry, so subdomains must be listed too (newer RouterOS versions accept a regexp= matcher in static entries for this).


Step 2: Layer 7 Filtering (Advanced)

/ip firewall layer7-protocol
add name=block-sites regexp="^.+(facebook|youtube|tiktok).*\$"

/ip firewall filter
add chain=forward layer7-protocol=block-sites action=drop comment="Block social media"

The Layer7 matcher collects the first packets of every connection and runs the regexp over that data, so it costs CPU on all traffic, and with a pattern wrapped in .+ and .* it matches the keyword anywhere in the payload, not only in a hostname. The \$ is how a literal $ is written inside a RouterOS quoted string.


Step 3: Block via TLS Host (Modern HTTPS Method)

/ip firewall filter
add chain=forward tls-host=*.facebook.com action=drop
add chain=forward tls-host=*.youtube.com action=drop

tls-host matches the SNI hostname in the TLS ClientHello, so it is far cheaper and more precise than Layer7. The glob *.facebook.com does not match the bare name facebook.com; add a rule with tls-host=facebook.com if that must be blocked too. Connections over QUIC (UDP 443) or with Encrypted ClientHello present no readable SNI to this matcher.
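Added example (not from the class notes and not RouterOS code): Python's re and fnmatch are used to approximate what the Step 2 Layer7 regexp and the Step 3 tls-host globs would match, run against constructed connection samples. RouterOS's own regexp and GLOB engines are only approximated here, the sample hostnames and payloads are made up, and the apex-domain globs are an addition that the notes do not contain.

```python
"""Added example (not from the class notes, not RouterOS code): approximate what
the Step 2 Layer7 regexp and the Step 3 tls-host globs match, using Python's re
and fnmatch on constructed connection samples."""
import re
from fnmatch import fnmatchcase

# Step 2 pattern as written in the notes (Python re stands in for RouterOS's regexp engine).
L7_REGEX = re.compile(r"^.+(facebook|youtube|tiktok).*$")
# Step 3 patterns as written in the notes (fnmatch stands in for RouterOS GLOB matching).
TLS_HOST_GLOBS = ["*.facebook.com", "*.youtube.com"]
# Assumed addition: the apex names, so connections whose SNI has no subdomain are matched too.
TLS_HOST_GLOBS_WITH_APEX = TLS_HOST_GLOBS + ["facebook.com", "youtube.com"]

# Constructed samples: (label, SNI hostname, start of the payload Layer7 would inspect, flattened to one line).
SAMPLES = [
    ("fb_www",       "www.facebook.com", "TLS ClientHello ... sni=www.facebook.com ..."),
    ("fb_apex",      "facebook.com",     "TLS ClientHello ... sni=facebook.com ..."),
    ("news_article", "news.example.org", "GET /2024/why-i-left-facebook HTTP/1.1 Host: news.example.org"),
    ("tool_docs",    "docs.example.net", "GET /youtube-dl/README HTTP/1.1 Host: docs.example.net"),
    ("bank",         "bank.example.com", "TLS ClientHello ... sni=bank.example.com ..."),
]


def l7_hits(pattern=L7_REGEX):
    """Labels whose payload the Layer7 regexp matches. Wrapped in .+ and .*, the
    pattern is a substring search over the start of the connection, so an
    unrelated site that merely mentions the word is hit as well."""
    return [label for label, _sni, payload in SAMPLES if pattern.search(payload)]


def tls_host_hits(globs=TLS_HOST_GLOBS):
    """Labels whose SNI matches one of the tls-host globs; only the hostname field is consulted."""
    return [label for label, sni, _payload in SAMPLES if any(fnmatchcase(sni, g) for g in globs)]


def overblocked():
    """Samples the Layer7 rule drops that the SNI-based rule (with apex names) leaves alone."""
    return sorted(set(l7_hits()) - set(tls_host_hits(TLS_HOST_GLOBS_WITH_APEX)))


if __name__ == "__main__":
    print("layer7          :", l7_hits())
    print("tls-host        :", tls_host_hits())
    print("tls-host + apex :", tls_host_hits(TLS_HOST_GLOBS_WITH_APEX))
    print("overblocked by layer7:", overblocked())
```

The Layer7 pattern hits the news article and the documentation page as well as both Facebook connections, while the two globs from Step 3 hit only www.facebook.com and miss the apex name until it is added; that gap, and the two false positives, are the reasons to prefer tls-host with explicit apex entries over a keyword regexp.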


Assessment: MikroTik Block Website (Facebook, YouTube and Other Sites)


Work Process:

1. Add a Layer7 matcher for the two sites (quote the name and the regexp: an unquoted & or $ is interpreted by the RouterOS terminal rather than stored):

/ip firewall layer7-protocol add name=block_face_youtube regexp="^.+(facebook.com|youtube).*\$"

2. Add the allow list (hosts that may keep reaching the sites):

/ip firewall address-list add address=192.168.1.5 list=allow_face_youtube

3. Add the block list (hosts to be filtered):

/ip firewall address-list add address=192.168.1.112 list=block_face_youtube

4. Mark packets from the allow list in mangle (passthrough=no stops later mangle rules from re-marking them):

/ip firewall mangle add chain=forward src-address-list=allow_face_youtube action=mark-packet new-packet-mark=allow_fb_youtube_mark passthrough=no

5. Mark packets from the block list that also match the Layer7 matcher (without the layer7-protocol match every packet from the block list would be marked, and steps 6 and 7 would cut all web access for those hosts):

/ip firewall mangle add chain=forward src-address-list=block_face_youtube layer7-protocol=block_face_youtube action=mark-packet new-packet-mark=block_fb_youtube_mark passthrough=no

6. Drop the marked packets on port 80 (the filter rule matches the packet-mark set in mangle; new-packet-mark is a mangle parameter and does not belong here):

/ip firewall filter add chain=forward protocol=tcp dst-port=80 packet-mark=block_fb_youtube_mark action=drop

7. Drop the marked packets on port 443:

/ip firewall filter add chain=forward protocol=tcp dst-port=443 packet-mark=block_fb_youtube_mark action=drop


Example:

/ip firewall layer7-protocol
add name=YouTube regexp="^.+(youtube.com|googlevideo.com|akamaihd.net).*\$"

/ip firewall mangle
# prerouting sees the LAN clients' traffic; the output chain only sees connections the router itself opens
add action=mark-connection chain=prerouting comment="YouTube" layer7-protocol=YouTube new-connection-mark=YouTube passthrough=yes

/ip firewall filter
# drop UDP traffic (e.g. QUIC) on the connections the matcher flagged
add action=drop chain=forward connection-mark=YouTube protocol=udp

(Or, the same matcher in export form; the remainder of this snippet is incomplete in the source:)

/ip firewall layer7-protocol add comment="Selects for YouTube traffic" name="YouTube L7" regexp="^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
... protocol=tcp add action=drop chain=input comment="block everything else" add action=fasttrack-connection …


3. VPN/Tunnel Overview (Secure Remote Access)

Option 1: PPTP (Simple but less secure)

/interface pptp-server server set enabled=yes

/ppp secret
add name=user1 password=1234 service=pptp profile=default

/ip firewall filter
add chain=input protocol=tcp dst-port=1723 action=accept
add chain=input protocol=gre action=accept

The MS-CHAPv2 authentication and MPPE encryption that PPTP relies on are cryptographically broken, so keep it only for legacy clients that cannot do L2TP/IPsec. On a router with the section 1 baseline, these accept rules (and the L2TP ones below) must sit above the "Block WAN access" drop, or the VPN ports never reach the server.


Option 2: L2TP/IPsec (Recommended)

/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=StrongKey

/ppp secret
add name=vpnuser password=secure123 service=l2tp

/ip firewall filter
add chain=input protocol=udp dst-port=500,1701,4500 action=accept
add chain=input protocol=ipsec-esp action=accept

StrongKey stands for a long random pre-shared key that every client shares; the per-user password in /ppp secret is what tells users apart. UDP 1701 only needs to be reachable inside the IPsec tunnel; accepting it from anywhere lets unencrypted L2TP reach the server, so restrict that rule with ipsec-policy=in,ipsec where the RouterOS version supports the matcher.


Assessment-01: MikroTik Site to Site VPN Configuration with IPsec Tunnel

Work Process: 

  • Step-01: MikroTik RouterOS basic configuration

  • Step-02: IPsec Peer configuration

  • Step-03: IPsec Policy and Proposal Configuration

  • Step-04: NAT Bypass Configuration

Configuration with IPsec:

https://systemzone.net/mikrotik-site-to-site-vpn-configuration-with-ipsec/ 

Assessment-02: MikroTik Router GRE Tunnels

MikroTik Router GRE Tunnel Configuration:

https://ovroshyam.medium.com/mikrotik-to-mikrotik-gre-tunnel-configuration-1fbf657ce584 

PPPoE SYSTEM (SERVER & CLIENT)

Table-01: Network Architecture

Device               Role            Example IP
MikroTik R1          PPPoE Server    10.10.10.1
MikroTik R2 / User   PPPoE Client    Dynamic
IP Pool              Clients         10.10.10.10–10.10.10.100


Work Process for PPPoE Server Configuration


Step-01: Pool Creation in the PPPoE Server Router

/ip pool

add name=pppoe-pool ranges=10.10.10.10-10.10.10.100


Step-02: Create PPP Profile

/ppp profile
add name=pppoe-profile local-address=10.10.10.1 remote-address=pppoe-pool dns-server=8.8.8.8,8.8.4.4

Optional (bandwidth control), in the same /ppp profile menu:

set pppoe-profile rate-limit=2M/2M


Step-03: Enable PPPoE Server

/interface pppoe-server server

add interface=ether2 service-name=ISP-PPPoE default-profile=pppoe-profile one-session-per-host=yes disabled=no


Step-04: Create PPP Users (Authentication)

/ppp secret

add name=user1 password=1234 service=pppoe profile=pppoe-profile

add name=user2 password=abcd service=pppoe profile=pppoe-profile


Step-05: NAT Configuration (Internet Sharing)

/ip firewall nat

add chain=srcnat out-interface=WAN action=masquerade


Step 6: Firewall and PPPoE

PPPoE discovery and session frames are carried directly in Ethernet (EtherType 0x8863 and 0x8864), not in IP, so /ip firewall filter never sees the PPPoE handshake and needs no rule for it; TCP port 1723 belongs to PPTP, not PPPoE. What the IP firewall does see is the traffic of authenticated clients arriving on their dynamic pppoe interfaces, which the section 1 "Block WAN access" rule does not cover. Accept what clients legitimately need from the router (DNS, if the profile hands out 10.10.10.1 as dns-server) and drop the rest; the pool lives in 10.10.10.0/24:

/ip firewall filter
add chain=input src-address=10.10.10.0/24 protocol=udp dst-port=53 action=accept comment="DNS from PPPoE clients"
add chain=input src-address=10.10.10.0/24 action=drop comment="No other router access from PPPoE clients"


Work Process for PPPoE Client Configuration

Step 1: Create PPPoE Client

/interface pppoe-client

add name=pppoe-out1 interface=ether1 user=user1 password=1234 disabled=no


Step 2: Add Default Route

/ip route

add dst-address=0.0.0.0/0 gateway=pppoe-out1


Step 3: DNS Configuration

/ip dns
set servers=8.8.8.8 allow-remote-requests=yes

allow-remote-requests=yes makes the router a resolver for the LAN. The input chain must then drop DNS (UDP and TCP 53) arriving on pppoe-out1, as the section 1 "Block WAN access" rule does for the WAN interface (use in-interface=pppoe-out1 on this router), or the router becomes an open resolver that can be abused for amplification.


Step 4: NAT (Client Router)

/ip firewall nat

add chain=srcnat out-interface=pppoe-out1 action=masquerade


OPTIONAL: ADVANCED ISP FEATURES

 1. Per-User Bandwidth (Profile-Based)

/ppp profile

set pppoe-profile rate-limit=5M/5M


 2. Different Packages

/ppp profile

add name=1Mbps rate-limit=1M/1M

add name=5Mbps rate-limit=5M/5M

/ppp secret

add name=user3 password=pass profile=5Mbps


 3. Session Limit

/interface pppoe-server server

set 0 one-session-per-host=yes


4. Secure PPPoE

/ppp profile
set pppoe-profile use-encryption=yes only-one=yes

use-encryption=yes asks clients for MPPE encryption but still accepts sessions without it; use-encryption=required rejects clients that will not encrypt. only-one=yes allows a single active session per secret, so a leaked account cannot be used from several places at once.



LOAD BALANCING

Best Practices (Enterprise Level)

✔ Always disable unused services:

/ip service disable telnet,ftp,www

✔ Use strong passwords and SSH; create a new full-rights user and disable the default admin user

✔ Enable logging:

/system logging add topics=firewall action=memory

✔ Back up the configuration (the binary backup holds every credential on the router, so store it as carefully as the router's own password):

/system backup save name=backup-config

or, from the terminal, a text export:

/export file=name-cfg

or only the IP address and ARP lists:

/ip address export file=ip_config; /ip arp print file=arp.txt

✔ Use NAT properly:

/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade

