Learning MANGLE on a MikroTik Router
What is Mangle?
The mangle facility allows IP packets to be marked with special marks.
These marks are used by other router facilities (queues, policy routing, filters) to identify the packets.
Additionally, the mangle facility is used to modify some fields in the IP header, such as the TOS (DSCP) and TTL fields.
Firewall Mangle
The firewall mangle facility is a tool for packet marking.
Mangle rules, like firewall filters, consist of a sequence of IF-THEN rules that are evaluated in order:
0) IF <condition(s)> THEN <action>
1) IF <condition(s)> THEN <action>
2) IF <condition(s)> THEN <action>
Mangle Structure
Mangle rules are organized in chains.
There are five built-in chains:
Prerouting - making a mark before the Global-In queue
Postrouting - making a mark before the Global-Out queue
Input - making a mark before the Input filter
Output - making a mark before the Output filter
Forward - making a mark before the Forward filter
Mangle actions
There are 7 more actions in the mangle facility:
mark-connection - mark a connection (from a single packet)
mark-packet - mark a flow (all packets)
mark-routing - mark packets for policy routing
change MSS - change the maximum segment size of the packet
change TOS - change the type of service
change TTL - change the time to live
strip IPv4 options
Marking Connections
Use mark-connection to identify one connection, or a group of connections, with a specific connection mark.
Connection marks are stored in the connection tracking table.
There can be only one connection mark for one connection.
Connection tracking helps to associate each packet with a specific connection (connection mark).
Marking Packets
Packets can be marked in two ways:
Indirectly. Using the connection tracking facility, based on previously created connection marks (faster).
Directly. Without connection tracking - no connection marks are necessary; the router compares each packet against the given conditions (this process imitates some of the connection tracking features).
Mangle Lab
Mark all HTTP connections
Mark all packets from HTTP connections
Mark all ICMP packets
Mark all other connections
Mark all packets from other connections
Check the configuration
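One way to complete the Mangle Lab steps above, as an added example that is not part of the original slides. The mark names (http_conn, http_pkt, icmp_pkt, other_conn, other_pkt) are chosen here; the rules go in the prerouting chain so they mark both transit and router-bound traffic before the Global-In queue.

```routeros
# Mangle Lab, one possible solution (added example, not from the original slides).
# Mark names below (http_conn, http_pkt, icmp_pkt, other_conn, other_pkt) are chosen here.
/ip firewall mangle
# 1. Mark all HTTP connections. Only the first packet of each new TCP/80 connection has to
#    hit this rule; the mark is then stored in the connection tracking table.
add chain=prerouting protocol=tcp dst-port=80 connection-state=new action=mark-connection new-connection-mark=http_conn passthrough=yes comment="Lab: HTTP connections"
# 2. Mark all packets from HTTP connections indirectly, via the connection mark (the faster way).
#    passthrough=no ends mangle processing for the packet, so later rules cannot overwrite its mark.
add chain=prerouting connection-mark=http_conn action=mark-packet new-packet-mark=http_pkt passthrough=no comment="Lab: packets of HTTP connections"
# 3. Mark all ICMP packets directly, with no connection mark involved.
add chain=prerouting protocol=icmp action=mark-packet new-packet-mark=icmp_pkt passthrough=no comment="Lab: ICMP packets"
# 4. Mark all other connections: anything that has not received a connection mark yet.
add chain=prerouting connection-mark=no-mark action=mark-connection new-connection-mark=other_conn passthrough=yes comment="Lab: other connections"
# 5. Mark all packets from those other connections.
add chain=prerouting connection-mark=other_conn action=mark-packet new-packet-mark=other_pkt passthrough=no comment="Lab: packets of other connections"
# 6. Check the configuration: the packet/byte counters of each rule should grow for the
#    expected traffic, and tracked connections should carry the connection marks.
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=http_conn
```

Rule order matters: because step 3 uses passthrough=no, ICMP packets never reach step 4, so ICMP connections stay without a connection mark while their packets still carry icmp_pkt.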