A few odd things in routeros compared to an asa

So I recently got an ASA firewall and I noticed that RouterOS does some odd things. Maybe some of you can give me some input.

So on the ASA I can’t ping my external IP or access my web server with it, but with my RB I can. This is odd behaviour; I should not be able to ping my external IP or access my web server with my external IP from the inside. Why does RouterOS allow this?

Second thing is, on the ASA I don’t need any of these rules, only a masquerade rule.

/ip firewall filter
add chain=input connection-state=invalid action=drop \
	comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
	comment="Allow Established connections"
add chain=input protocol=icmp action=accept

Third, on the ASA I don’t need a rule for the VPN to work, but on the RB I need to specify a rule on the input chain for my VPN to be allowed.

Fourth is speed. My RB has gigabit ports. Now, when I do PPPoE with my ASA to my ISP I get 300 Mbit download, but with my RB it caps out at 100 Mbit. This is not normal at all since the RB is gigabit.

Now, I know that the ASA and RB are two very different platforms, but why do the firewalls act differently? Shouldn’t it all be similar? Anyone have any input about this?

Thanks

RouterOS firewall default policy is accept.

RouterOS motto is “use your mind”. Nothing is already “cooked”, or should be taken as “granted”, everything should be specified by the administrator and it will do only and exclusively what you program it for.

The pro: you can achieve crazy setups. The con: if you already know how.

RBs aren’t firewalls but an all-purpose router platform; firewalling is just one of the possible uses.

That is actually the ASA being weird.

So this is an ASA thing? What about the funky speed issue I mentioned? The RouterBoard should be able to get the same speed as the ASA.

Speed - make sure the interface hasn’t somehow negotiated a 100Mbps connection with the modem.
However, depending on your platform, you may be running out of CPU horsepower (watch the CPU utilization while doing speed testing) if your firewall/nat rules are intricate. Many models can’t come near filling up a 300Mbps connection with actual live IP data - let alone a gigabit. (the 2011 line gets around 100 - 130Mbps in my bench testing, for instance - this was long before fast track was available, and I haven’t stress tested any platforms with fast track, so I’m not sure how much this can help)

– as far as the different behaviors, Mikrotik’s configuration is essentially identical to Linux/Netfilter because that’s what the underlying technology is, vis-à-vis the firewall/nat functionality. It’s a different paradigm, but definitely worth learning.

I started my career in Cisco IOS (IOS 10 was the current version) and learned ACLs and such from the beginning, but prefer the tables/chains method in RoS (Linux netfilter) 10 times out of 10. Connection tracking in ROS is braindead simple compared to IOS - ASA is much better than IOS for this, so the two platforms are pretty much equivalent in that regard (in my opinion).

As far as client GUI applications go, Winbox > ASM… this statement is like saying the sun is larger than an amoeba… I --loathe-- the java-based H.P. Lovecraft elder abomination that is ASM.

As for learning the ropes in firewall/nat design for Mikrotik, a good starting point would be to reference the packet flow diagram for ROSv6. This shows in complete detail exactly which chains are used for any packet you can imagine.

http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

In general, the most useful chains when getting started are filter:input, filter:forward, nat:srcnat, and nat:dstnat.

filter:output is useful if you want to limit packets from the Mikrotik itself - perhaps putting a rate-limit on icmp packets it sends to a particular IP address, or the addresses where it may send DNS replies if it’s running as a DNS proxy… but these are more specialized rules. The MANGLE table is for all of the packet marking and dark evil voodoo things you can do with packets (changing TTLs, TCP-MSS, IP-TOS, and other quantum properties of packets) You can get a lot of mileage from a Mikrotik router without ever touching those special-purpose areas, though.

FILTER TABLE:
INPUT = towards the control plane of the router (in other words, any traffic that is talking to the Mikrotik itself; even if the packet is entering on the LAN interface with a destination IP of the WAN interface, that’s still an INPUT packet).

FORWARD = packets going through the Mikrotik, but not talking to any IP of the Mikrotik itself.

NAT TABLE:
DSTNAT = this chain is called before routing decisions are made - and is able to make changes in the destination IP / port number
SRCNAT = this chain is called after routing decisions, and can perform actions that modify the src address/port.

Since these two chains are separate flows, this allows you to do something that ASA can’t even dream of doing - hairpin NAT. Many platforms let you do src nat OR dst nat, but not both on the same packet. This is easily doable on Mikrotik.

It’s definitely a different paradigm than Cisco IOS / ASA use, but it’s very much worth the learning curve. I find the packet flow logic in netfilter (and thus Mikrotik) to be far superior to Cisco. Cisco beats Linux routers in several other ways (sorry fanboys) but Mikrotik is a very very attractive SOHO or access router alternative to Cisco. There are still a few things about ROS that keep it far from the core in my opinion (some buggy behaviors in BGP / OSPF behavior, for instance), but as a highly versatile swiss army knife of a platform, Mikrotik is an EXCELLENT device and well worth learning to use.

Remote troubleshooting capabilities are fantastic - you can packet capture directly to flash, and download them for analysis in Wireshark, for instance, and you can also use realtime analysis tools like torch to identify bandwidth hogs on the fly, or IPs that are performing port scans, or P2P, etc.

All in all, a Mikrotik can be configured to do many things that an ASA can do as a firewall / VPN concentrator, but as a router, Mikrotik smokes ASA. In the end, they’re two power tools in your shop, each with their own strengths and weaknesses.
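As an added illustration (not from any post in this thread) of the chain layout described above, and of the earlier point that the RouterOS default policy is accept, here is a RouterOS v6 firewall fragment that closes the input and forward chains explicitly and does the hairpin NAT for a LAN web server. Assumed names and addresses: pppoe-out1 is the ISP interface, bridge-lan is the LAN at 192.168.88.0/24 with the router at 192.168.88.1, and the web server is 192.168.88.10; the VPN rule assumes IPsec (UDP 500/4500), which the original poster did not specify.

```routeros
# Added example, not from the thread. Assumed names: pppoe-out1 (ISP/PPPoE),
# bridge-lan (LAN 192.168.88.0/24, router 192.168.88.1), web server 192.168.88.10.
/ip firewall filter
# INPUT = traffic to the router itself (this is where "ping my external IP
# from the LAN" is decided). Default policy is accept, so end with a drop.
add chain=input connection-state=established,related action=accept \
    comment="Replies to connections the router opened or already accepted"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="Allow ping to the router"
add chain=input in-interface=bridge-lan action=accept comment="Management only from LAN"
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=500,4500 action=accept \
    comment="VPN: assumed IPsec IKE/NAT-T; adjust for the VPN type in use"
add chain=input action=drop comment="Explicit default for the input chain"

# FORWARD = traffic through the router. New inbound connections from the ISP
# side are only allowed if a dst-nat rule already claimed them (published server).
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-lan action=accept comment="LAN may go anywhere"
add chain=forward in-interface=pppoe-out1 connection-nat-state=dstnat action=accept \
    comment="Inbound only to dst-natted services"
add chain=forward action=drop comment="Explicit default for the forward chain"

/ip firewall nat
# dstnat runs before routing and rewrites the destination; srcnat runs after
# routing and rewrites the source. A hairpin packet passes through both.
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="LAN to ISP"
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 comment="Publish web server"
add chain=dstnat in-interface=bridge-lan dst-address-type=local dst-address=!192.168.88.1 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 \
    comment="Hairpin: LAN client uses the public (PPPoE) address"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=80 action=masquerade \
    comment="Hairpin: replies must come back through the router"
```

Without the final hairpin srcnat rule the server would answer the LAN client directly from 192.168.88.10, and the client would discard the reply because it expected it from the public address.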

So I have both a MikroTik RB2011UiAS-2HnD-IN and an ASA 5510. Which should I use as my main router? I love both equally and can’t decide.

The security level design of the ASA is really bad. It’s much too simplistic to do anything useful with and then just stands in the way.

I think the security level doesn’t even do anything once you start putting actual input/output rules onto interfaces. I was experimenting with an older version of ASA (8.1 I think) and as soon as I put any rule on one interface, the whole “allow secure->insecure / block insecure->secure” model just stopped working.

I’m much less experienced with ASA than I am with Mikrotik, but I think ASA has some IDS functionality that can be leveraged. You can “roll your own” IDS behaviors into Mikrotik, but in general, when it comes to security, it’s better to use tools developed by people more expert than yourself if possible. (I’d probably choose snort for IDS, for instance)

My company uses ASA, but we still have dedicated IDS/IPS appliances as well.

ASA has better redundancy features than Mikrotik IMHO. If Mikrotik could produce a stateful chassis failover mechanism, that would be fantastic, but ASA has this and also has redundant interface configurations that don’t need spanning tree, PAgP, or dynamic routing.

So - if you’re going to need redundancy or performance, the ASA is going to win, (CCR model Mikrotik would keep up with the 5510), but if your bandwidth needs are modest (less than 100Mbps) and you want more flexibility and freedom from Cisco’s totally insane licensing, then Mikrotik is going to work well for you.

I set all interfaces to the same security level and enabled same-level forwarding. Still, I think the firewall interface of the ASA is rather clunky.

You can do redundancy on Mikrotik with HSRP, but it is of course stateless and doesn’t replicate configuration. A real firewall can do all that, but Mikrotik is a router at heart, not a firewall.
Mikrotik is much cheaper or faster for the same money though.