MikroTik Certified Traffic Control Engineer (MTCTCE)
8.3 Traffic Filtering and Blocking Explained

Key Concepts

Traffic Filtering and Blocking in MikroTik RouterOS are essential for managing network security and performance. These techniques allow administrators to control and restrict network traffic based on various criteria, such as source and destination IP addresses, protocols, and port numbers.

1. Firewall Rules

Firewall Rules are the primary mechanism for filtering and blocking traffic in MikroTik RouterOS. These rules define the conditions under which traffic is allowed or denied. Common firewall rules include:

For example, you can create an input rule to block all incoming traffic from a specific IP address. The command might look like this: /ip firewall filter add chain=input src-address=192.168.1.10 action=drop.

An analogy for firewall rules is a security guard at a building entrance. The guard checks each person's credentials and decides whether to allow them in or not.

2. NAT (Network Address Translation)

NAT is used to rewrite the source or destination IP addresses (and ports) of packets as they pass through the router. This can be used to filter and steer traffic by redirecting connections or altering packet headers.

For instance, you can use NAT to send all incoming HTTP traffic to a specific internal server. The command might look like this: /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.20. Note that action=redirect delivers the traffic to the router itself (optionally on another port with to-ports), so dst-nat is the action to use when the target is another host.

An analogy for NAT is a mail forwarding service. The service changes the address on the envelope before sending it to the correct recipient.

3. Mangle Rules

Mangle Rules are used to alter packet headers, such as changing the DSCP (Differentiated Services Code Point) value, or to attach marks to packets and connections for QoS (Quality of Service). Mangle rules do not drop traffic themselves; the marks they set are matched later by queues or filter rules, which is how they contribute to filtering and blocking.

For example, you can create a mangle rule to mark all SIP signalling traffic so that it can be given high priority. The command might look like this: /ip firewall mangle add chain=prerouting protocol=udp dst-port=5060 action=mark-packet new-packet-mark=VoIP. Port 5060 carries only the SIP signalling; the RTP media streams use separate UDP ports and need their own match.

An analogy for mangle rules is a customs officer who inspects and modifies the contents of a package before it is delivered.

4. IP Accounting

IP Accounting counts the bytes and packets exchanged between each source and destination IP address pair that passes through the router. This information can be used to identify, and then block, sources that are consuming excessive bandwidth.

For instance, you can enable IP Accounting and then inspect the counters for a specific IP address. The commands might look like this: /ip accounting set enabled=yes, followed by /ip accounting snapshot take and /ip accounting snapshot print where src-address=192.168.1.10. A snapshot must be taken before the collected counters can be printed.

An analogy for IP Accounting is a utility meter that records the amount of water or electricity used. This meter helps in tracking consumption and identifying any unusual usage patterns.

5. Hotspot User Filtering

Hotspot User Filtering allows you to control internet access for users connected to a Hotspot network. This can be used to block specific users or restrict access to certain websites.

For example, you can add a walled-garden entry that denies access to a social media site. The command might look like this: /ip hotspot walled-garden add dst-host=facebook.com action=deny. Walled-garden entries govern what clients can reach before they log in; for users who are already authenticated, blocking is done with firewall filter rules.

An analogy for Hotspot User Filtering is a library that restricts access to certain sections of the internet for its patrons.

6. Traffic Shaping with Policing

Traffic Shaping with Policing involves limiting the rate of traffic from specific sources to prevent congestion and ensure fair usage. Traffic that exceeds the predefined limits is delayed or dropped rather than the source being blocked outright.

For example, you can create a simple queue to limit the bandwidth for a specific user. The command might look like this: /queue simple add name=User-Policer target=192.168.1.10 max-limit=2M/2M, where the two values are the upload and download limits.

An analogy for traffic shaping with policing is a traffic officer who monitors the flow of cars on a highway. If a car is speeding, the officer might issue a ticket.
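An added example (not from the course text) that carries the mangle mark from section 3 through to a queue as in section 6: SIP signalling on UDP 5060 and an assumed RTP port range are marked, then prioritised in a queue tree on the WAN interface. The interface name ether1, the RTP range and the rates are assumptions for this example.

```routeros
# Added example, not from the MTCTCE course text. Interface, RTP range and rates are assumed.
/ip firewall mangle
# Mark the connection once, then mark every packet that belongs to it;
# this is cheaper than matching ports on every packet.
add chain=prerouting protocol=udp dst-port=5060 action=mark-connection \
    new-connection-mark=voip-conn passthrough=yes comment="SIP signalling"
add chain=prerouting protocol=udp dst-port=10000-20000 action=mark-connection \
    new-connection-mark=voip-conn passthrough=yes comment="RTP media (assumed PBX range)"
add chain=prerouting connection-mark=voip-conn action=mark-packet \
    new-packet-mark=VoIP passthrough=no
# Everything else gets a default mark so the queue tree can shape it too
add chain=prerouting connection-mark=no-mark action=mark-packet \
    new-packet-mark=other passthrough=no

# A short FIFO for voice: low latency, excess is dropped instead of buffered
/queue type
add name=voip-fifo kind=pfifo pfifo-limit=10

/queue tree
# Parent caps the upload on ether1; children share it by priority (1 = highest)
add name=wan-up parent=ether1 max-limit=10M
add name=voip-up parent=wan-up packet-mark=VoIP priority=1 limit-at=1M max-limit=10M queue=voip-fifo
add name=other-up parent=wan-up packet-mark=other priority=8 limit-at=1M max-limit=10M queue=default
```

A queue tree attached to an interface shapes only traffic leaving that interface, so a second tree (for example on the LAN interface) is needed for the download direction.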

7. Blacklisting and Whitelisting

Blacklisting involves blocking traffic from specific IP addresses or ranges, while whitelisting allows traffic only from specific IP addresses or ranges. These techniques are used to enhance network security and control access.

For example, you can create a blacklist to block all traffic from a specific IP range. The command might look like this: /ip firewall filter add chain=input src-address=192.168.1.0/24 action=drop.

An analogy for blacklisting and whitelisting is a guest list at a party. Only those on the list (whitelist) are allowed in, while those not on the list (blacklist) are denied entry.
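As an added example that is not part of the course text, here is how address lists tie the firewall rules of section 1 and the blacklist/whitelist idea of section 7 into one input and forward ruleset. All addresses are private or RFC 5737 placeholders chosen for this example, and the management ports (22, 8291) are assumptions.

```routeros
# Added example, not from the MTCTCE course text. Addresses and ports are placeholders.
/ip firewall address-list
add list=mgmt-whitelist address=192.168.1.0/24 comment="LAN management subnet (example)"
add list=blacklist address=203.0.113.0/24 comment="known-bad range (RFC 5737 example)"
add list=blacklist address=198.51.100.7 comment="single host (example)"

/ip firewall filter
# Input chain: traffic addressed to the router itself. Order matters: rules
# are evaluated top to bottom and the first match wins.
add chain=input connection-state=established,related action=accept comment="stateful accept"
add chain=input connection-state=invalid action=drop comment="drop invalid state"
add chain=input src-address-list=blacklist action=drop log=yes log-prefix="BLACKLIST" \
    comment="blacklisted sources, logged so hits are visible"
add chain=input protocol=icmp action=accept comment="allow ping/diagnostics"
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt-whitelist action=accept \
    comment="management (SSH, WinBox) only from the whitelist"
# Anyone outside the whitelist probing SSH joins the blacklist for a day (dynamic entry)
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=!mgmt-whitelist \
    action=add-src-to-address-list address-list=blacklist address-list-timeout=1d \
    comment="auto-blacklist off-whitelist SSH attempts"
add chain=input action=drop comment="default deny"

# Forward chain: the same blacklist applied to traffic transiting the router
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=blacklist action=drop comment="blacklisted sources (transit)"
add chain=forward dst-address-list=blacklist action=drop comment="blacklisted destinations (transit)"
```

Each add appends to the end of the existing chain, so on a router that already has rules, use place-before to keep the default-deny rule last.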

By mastering these traffic filtering and blocking techniques, you can enhance the security and performance of your network. These skills are essential for any MikroTik Certified Traffic Control Engineer (MTCTCE).