Thanks MKX.
I tried all variants but the rule is not working. I have a task from my chief: block all connections on ports 5060-5080 from abroad. I tried to block one subnet, 37.0.0.0, but the rule is not working.
Here are my firewall settings.
Regards.
Screenshots don't show the complete story and it's hard to tell why the rules are not working for you.
It'd be much easier to comment if you posted the output of the command /ip firewall export … run it in a command window, copy the contents and post it here in a [ code ] environment (you may want to obfuscate your public IP address if it's used in any of the rules).
The rule actually seems to be working fine, as you can see one block in the raw filter; it's not showing in IP firewall because RAW already filtered it.
Thanks MKX. I made an export and attached the file.
export.txt (6.21 KB)
Thanks ivicask.
The rule worked once. Now users from IP addresses on the blacklist are trying to connect to SIP port 5060 and the rule is not working.
I think you should change all those blacklist entries,
for example from add address=37.0.0.0 → address=37.0.0.0/24
The one thing I noticed from the get-go is that you are blocking 5080 but you want incoming 5080 to be dst-natted, which may prove difficult to set up.
I think you have a big honking mess of rules and need to strip down and simplify after making it clear what you want to accomplish.
In addition to the remark by @ivicask about adding subnet masks to the addresses in the blacklist, I have another remark:
there are a number of dst-nat rules (a.k.a. forwarded ports) where dst-address is used. If you only have a single public address, you can use in-interface=pppoe-wan instead of dst-address=95.a.b.c, which eliminates having to set the public IP address there. You only have to use the IP address there if you want to perform hairpin NAT, but for that you'd have to masquerade connections towards the LAN servers as well (which you don't have currently).
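As an added illustration of the two remarks above (not configuration from this thread or from the original poster's export), the blacklist with prefix lengths, a RAW drop keyed on that source list, and a port forward keyed on the WAN interface; the interface name pppoe-wan, the list name and the LAN address 192.168.88.10 are assumed values:

```routeros
# Added example, not the poster's export. Assumes the WAN interface is named
# pppoe-wan and a LAN SIP server at 192.168.88.10 (constructed values).

# 1. Blacklist entries need a prefix length; a bare address matches one host only.
/ip firewall address-list
add list=sip-blacklist address=37.0.0.0/24 comment="was 37.0.0.0 (matched one host)"
# further networks go here, each with its own /xx

# 2. Drop blacklisted sources towards the SIP port range in RAW (before conntrack).
#    Matching on the source list means legitimate dst-nat of 5080 is not affected.
/ip firewall raw
add chain=prerouting in-interface=pppoe-wan src-address-list=sip-blacklist \
    protocol=udp dst-port=5060-5080 action=drop comment="SIP from blacklist"
add chain=prerouting in-interface=pppoe-wan src-address-list=sip-blacklist \
    protocol=tcp dst-port=5060-5080 action=drop comment="SIP from blacklist"

# 3. Port forward keyed on the WAN interface instead of the public address,
#    so the rule survives a changed public IP and needs no address in the export.
/ip firewall nat
add chain=dstnat in-interface=pppoe-wan protocol=udp dst-port=5080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=5060 comment="SIP to PBX"
```

Packets dropped in RAW never reach the filter chains, so check the counters with /ip firewall raw print stats rather than in /ip firewall filter.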
Thanks MKX, ivicask, anav.
I went to implement your recommendations.
Regards.
Sorry for resurrecting an old thread.
We use two CCR1036 in the core,
using a RAW filter to filter off some simple ports, then having fasttrack for everything else.
Can you share an example of no-track in raw to !local?
I tried but I am not able to get it working.
I guess it will be something like:
/ip firewall raw
add chain=prerouting dst-address-type=!local action=notrack
Hello, I did that. I switched from fasttracking the traffic that was passing through the router to no-track. The CPU went from 10 to 30. I am figuring out why.
I had a core router.
Before, it was doing some drops in the raw table (port 53 etc.).
Then everything was in fasttrack.
CPU load average 15% with 3 Gbps of traffic.
Yesterday I tried the following:
created a rule where dst !local is NOTRACK, because I didn't need it. On this core router I have one srcnat rule for the router itself (for DNS and NTP), and one rule for a subnet that is connecting to it from outside via L2TP.
Everything was untracked now except local traffic. OK!
CPU load rose to over 25/30% with the same amount of traffic.
What did I do wrong?
https://mum.mikrotik.com/presentations/TR18/presentation_5628_1539936230.pdf
According to this presentation, if I set them to NOTRACK they go through the slow path, so I get worse performance.
Since I am not able to achieve fastpath, I need to go with fasttrack, right?
When you disable connection tracking (with no-track), you disable fasttrack as well, and fasttrack is a highly effective way of using the firewall. Now with fasttrack disabled, all packets have to go through the firewall filter rules … and the constructs referring to connection-state (established, related, …) don't work for those packets … which might mean that now many packets have to pass multiple firewall filter evaluations to get accepted …
Hello. When I use no-track they don't enter conntrack. They are passed directly, but I assume via the slow path.
They don’t enter conntrack (and thus can only follow slow path), but they still enter firewall filter chains … with limitations I described earlier which mean a lot more work for each packet passing. So even if you have one single rule in firewall filter section, the whole firewall engine will start, making no-track config somehow non-productive. The only benefit of no-tracking packets in case where there’s still some firewall running is to save RAM which would otherwise be used by connection tracking table.