RouterOs L2 Filtering - MikroTik

Transcription

RouterOs L2 filtering
Massimo Nuvoli, TRAINER #TR0368
MUM Europe 2018, Berlin

Massimo Nuvoli (maxnuv)
Owner of Progetto Archivio SRL and DICOBIT
System Engineer
System Architect
MUM EUROPE 2018 - RouterOs L2 Filtering - (c) Massimo Nuvoli


Today's goals
- Know about L2 filtering in RouterOs
- Know where it is, and what to do with it
- Changes in the last year
- A lot of examples!

Before we start. Some L1 filtering



New L2 configuration
- From RouterOs 6.41: major changes
- No more "master" / "slave" interface
- Everything is a "bridge", but there is "hardware acceleration", so nothing changed
- New "H" label on a bridge port means "this port and the bridge are doing hardware acceleration"

New L2 configuration

/interface bridge port
add bridge=bridge hw=no interface=ether5
add bridge=bridge hw=no interface=ether4
add bridge=bridge hw=no interface=ether3

We can enable/disable hardware acceleration "by port".

New L2 configuration
- New VLAN management at bridge level: /interface bridge vlan
- STP (802.1D)
- RSTP (802.1w) (rapid)
- MSTP (802.1s) (multiple)

"Configuration driven"
- If you enable a bridge with ports, then you "may" have hardware acceleration
- If you use some feature that requires hardware acceleration to be disabled, then the "software bridge" is used instead
- Performance of the device depends on "configuration" and "active commands"

Hands on.

So why L2 filtering?
L2 filtering is done to achieve:
- Security
- Performance
- Both
- L2 filtering can go "inside" the packet (IP address, IP protocol) but only if this is a "normal" packet (no VPN, no IPsec, no MPLS, no ...); then in some cases the packet needs more steps in the chain to be processed!

Insecure MAC address!
- Sniffing and changing the MAC address of an interface is pretty easy on most operating systems
- Security based on MAC address is, what? There is no sense in putting "security" and "MAC address" in the same statement
- "When" you are connected to a network (wired or not), security is broken
- "Secure" is 802.1x authentication with certificate; no support in RouterOs at wired level.

Filtering L2 protocols
- More useful: filter protocols!
- E.g., allow PPPoE discovery and session and disable everything else
- E.g., check more inside the packet, block DHCP.

Filtering L2 headers
E.g., filter packets on the VLAN header:
- VLAN
- Priority
- Service VLAN
- QinQ

RouterOs Packet Flow 1 (diagram)

RouterOs Packet Flow 1 (diagram, continued)

L2 Filtering "where"
RouterOs can filter at L2 level in:
- Hardware switch chipset (low CPU cost)
- Bridge level (medium CPU cost)
- Firewall filter level (raw and normal) (high CPU cost)

Hardware Switch

Hardware Switch
- A basic switch can do only some VLAN checks and some redirects
- Also basic settings can act on priority
- An advanced switch (CRS125 or similar) can do more nasty things
- There is a limit on the number of rules, kinds of checks, etc. due to hardware limits!
- Check the wiki for limits!

Hands on.

And... SwOs
- Some RouterOs devices can run SwOs
- No routing (switch only)
- Simpler setup
- Also L2 filtering, but only hardware supported
- Same limits on number of rules, groups, etc.
- Check the wiki for details!

Hardware Switch
Please. Use only one filtering, so:
- Setup VLAN at switch hardware level
or
- Setup VLAN at bridge level

Bridge filtering sample 1

/interface bridge filter
add action=drop chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF dst-port=67 in-interface=ether5 \
    ip-protocol=udp log=yes mac-protocol=ip out-interface=!ether5

Bridge filtering sample (diagram: wall, eth3, Client)

No bad DHCP servers!
- One rule
- But: on all ports hardware offload must be disabled!! CPU load!!
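As an added example (not part of the presentation), the same "no bad DHCP servers" goal from the other direction: DHCP server-to-client traffic is UDP with source port 67, so server replies are accepted only from a trusted list and dropped from every other bridge port. The list name, the choice of ether5 as trusted port and the log prefix are assumptions.

```routeros
# Added example, not from the slides. Assumed: the legitimate DHCP server is
# reachable through ether5; everything else is an untrusted access port.
/interface list
add name=dhcp-trusted
/interface list member
add interface=ether5 list=dhcp-trusted

/interface bridge filter
# Server -> client DHCP (OFFER/ACK/NAK) has UDP source port 67.
# Accept it only when it enters the bridge from the trusted list...
add chain=forward in-interface-list=dhcp-trusted mac-protocol=ip ip-protocol=udp \
    src-port=67 action=accept comment="DHCP replies from trusted port"
# ...and drop (and log) it from every other port: rogue DHCP server.
add chain=forward mac-protocol=ip ip-protocol=udp src-port=67 \
    action=drop log=yes log-prefix="rogue-dhcp" comment="drop rogue DHCP replies"
# Same protection for frames addressed to the router itself (RouterOS as DHCP client on the bridge).
add chain=input in-interface-list=dhcp-trusted mac-protocol=ip ip-protocol=udp \
    src-port=67 action=accept
add chain=input mac-protocol=ip ip-protocol=udp src-port=67 \
    action=drop log=yes log-prefix="rogue-dhcp"

# Checks: rule counters show whether anything was dropped, and the log carries the prefix.
/interface bridge filter print stats
/log print where message~"rogue-dhcp"
# As the slide says, bridge filter rules on a port disable hardware offload:
# the "H" flag disappears from the ports in this output.
/interface bridge port print
```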

Bridge filtering sample 2

/interface bridge filter
add action=accept chain=input mac-protocol=pppoe-discovery
add action=accept chain=input mac-protocol=pppoe
add action=drop chain=input log=yes
add action=drop chain=forward in-interface-list=all out-interface-list=all

Bridge filtering sample (diagram: all, eth3, eth5)

No bad PPPoE servers!
- Enable PPPoE session and discovery
- No need to bridge bad clients
- No other protocol enabled
- ether5 is not on the bridge!
- Same as before: no hardware offload!

Bridge filtering sample 3

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether4 pvid=400
add bridge=bridge1 interface=ether3 pvid=300
add bridge=bridge1 interface=ether2 pvid=200

Bridge filtering sample 3

/interface bridge vlan
add bridge=bridge1 tagged=ether5 untagged=ether2 vlan-ids=200
add bridge=bridge1 tagged=ether5 untagged=ether3 vlan-ids=300
add bridge=bridge1 tagged=ether5 untagged=ether4 vlan-ids=400

Bridge filtering sample 3 (diagram: RouterOs Bridge)
- ether2: U 200
- ether3: U 300
- ether4: U 400
- ether5: T 200, T 300, T 400, U 1

Bridge filtering sample 3
Then:

/interface bridge
set bridge1 vlan-filtering=yes

- Now all VLAN management is done by the bridge
- On supported devices it is also hardware offloaded
- On unsupported devices hardware offload is disabled (let me show how)

Bridge filtering sample 3
If you want to "access" VLAN 200 packets on the bridge from RouterOs, you MUST add the bridge itself to the filtering:

/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether2 vlan-ids=200

This means "from the bridge you can see VLAN 200".
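Sample 3 put together as one configuration, as an added example that is not part of the presentation: it adds per-port ingress hardening (access ports refuse tagged frames, the trunk refuses untagged ones), makes bridge1 a tagged member of VLAN 200 for management before vlan-filtering is switched on, and ends with the commands used to check the result. The management interface name and the 192.0.2.1/24 address are assumptions.

```routeros
# Added example, not from the slides. Ports and VLAN ids follow sample 3;
# "mgmt-vlan200" and the documentation address 192.0.2.1/24 are assumed.
/interface bridge
add name=bridge1
/interface bridge port
# Trunk to the upstream switch: accept only VLAN-tagged frames, and only for
# VLANs present in the bridge vlan table (ingress-filtering).
add bridge=bridge1 interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: a host that sends its own 802.1Q tag is dropped at ingress,
# so it cannot move itself into another VLAN.
add bridge=bridge1 interface=ether2 pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=300 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=400 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
# bridge1 is a tagged member of VLAN 200 so RouterOS itself can be reached there.
add bridge=bridge1 tagged=ether5,bridge1 untagged=ether2 vlan-ids=200
add bridge=bridge1 tagged=ether5 untagged=ether3 vlan-ids=300
add bridge=bridge1 tagged=ether5 untagged=ether4 vlan-ids=400
# Management interface on top of the bridge, inside VLAN 200.
/interface vlan
add name=mgmt-vlan200 interface=bridge1 vlan-id=200
/ip address
add address=192.0.2.1/24 interface=mgmt-vlan200
# Enable filtering last (from a Safe Mode session, so a mistake that cuts
# management access is rolled back when the session drops).
/interface bridge
set bridge1 vlan-filtering=yes
# Checks: "H" on a port means hardware offload survived the change;
# the vlan table shows which ports carry each VLAN tagged/untagged.
/interface bridge port print
/interface bridge vlan print
```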

Bridge filtering sample 4
Assign and change priority:
- Only WMM packets and VLAN-tagged packets carry a priority inside
- For all others the priority is "0"

Bridge filtering sample 4
- First we define an interface list
- Then we define a filter rule based on the port of the bridge
- Then some mangle and queue trick to use the assigned priority

Bridge filtering sample 4

/interface list
add name=phones
/interface list member
add interface=ether1 list=phones
add interface=ether3 list=phones

Bridge filtering sample 4

/interface bridge filter
add chain=forward in-interface-list=phones ingress-priority=0 action=set-priority new-priority=7

Bridge filtering sample 4

/ip firewall mangle
add action=mark-packet chain=forward disabled=no priority=7 new-packet-mark="priority 7" passthrough=no
/queue simple
add name="Priority 7" target=0.0.0.0/0 priority=7/7 limit-at=xxx/xxx max-limit=xxx/xxx packet-mark="priority 7"

Questions?

Thank you!
massimo@dicobit.it
