Justin Wilson - MikroTik: Why you should care…sorta

Page 1: MikroTik everyday
Justin Wilson
www.mtin.net www.j2sw.com
www.midwest-ix.com

Page 2: Why you should care…sorta
- Justin Wilson CCNP – Comtrain – MTCNA – MTCRE – MTCWE
- Active in the ISP industry since 1993
- COO MidWest-IX / CEO MTIN.NET
- Active member of Brothers WISP
- Owned and operated several ISPs
- Huge G.I. Joe collector
www.mtin.net • j2sw.com • www.thebrotherswisp.com • www.midwest-ix.com

Page 3: Topics
- 1:1 NAT, 1:Many NAT, DMZ trick
- Carrier Grade NAT
- BGP notes
- Questions

Page 4: Who do we NAT?
- NAT isn't all bad, but it needs to be managed
- IPv4 is scarce or expensive
- IPv6 is slowly being adopted
- "Security" by obscurity

Page 5: NAT
- The triple threat
  - NATted at the edge
  - NATted at the CPE
  - NATted at the customer router

Page 6: NAT
- Most ISPs hate this guy (image slide)

Page 7: Why? (image slide)

Page 8: (image slide)

Page 9: DMZ NAT
- Forwards all ports to a single IP
- Set up DHCP to hand out that one IP
- Very hands-off approach
- Can be used on a CPE in router mode or on a wired router.

Page 10: 1:Many NAT
- Useful for mitigating some of the port issues
- Do it on a per-tower or per-sector basis
- Can be dropped in at any time
- Splits up "NAT domains"
- A balance between handing out publics and NATting

Page 11: 1:Many NAT (image slide)

Page 12: 1:Many NAT
- Use src-nat and dst-nat
- Do it on a per-tower or per-sector basis
- Netmap can also be used
- /ip firewall nat add chain=srcnat src-address=10.1.2.0/24 action=src-nat to-addresses=2.2.2.3

Page 13: 1:Many NAT scheme
- Route a /29 or an appropriate block
  - 1.2.3.0/24 is our example
  - 6 usable IP addresses: 1.2.3.1-1.2.3.6
- IP breakdown
  - 1.2.3.1 – customer gateway
  - 1.2.3.2-1.2.3.5 – static/business customers
  - 1.2.3.6 – 1:Many NAT IP
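The scheme above, plus the DMZ trick from page 9, written out as RouterOS rules. This is an added example, not config from the deck; it assumes ether1 faces upstream, the tower's customer pool is 10.1.2.0/24, a business customer CPE at 10.1.2.10 gets 1.2.3.2 as its 1:1 address, and the CPE's LAN is 192.168.88.0/24. All addresses and the MAC range are constructed.

```routeros
# Tower router: 1:1 and 1:Many NAT for the 1.2.3.0 scheme (constructed example).
# Rules are matched top-down, so the 1:1 rules for the static customer come
# before the catch-all 1:Many rule or they would never be hit.
/ip firewall nat
# 1:1 for the business customer: netmap translates the same pair both ways
add chain=dstnat dst-address=1.2.3.2 action=netmap to-addresses=10.1.2.10 \
    comment="1:1 in - business customer"
add chain=srcnat src-address=10.1.2.10 action=netmap to-addresses=1.2.3.2 \
    comment="1:1 out - business customer"
# 1:Many for the rest of the sector: a fixed public address (src-nat, not
# masquerade) keeps the mapping stable and easy to correlate in logs
add chain=srcnat src-address=10.1.2.0/24 out-interface=ether1 \
    action=src-nat to-addresses=1.2.3.6 comment="1:many - tower A"

# CPE (separate device) in router mode, the "DMZ trick": the DHCP pool holds
# exactly one address, so whatever the customer plugs in gets 192.168.88.10,
# and every port arriving on the WAN side is forwarded to it.
/ip pool
add name=dmz-pool ranges=192.168.88.10-192.168.88.10
/ip dhcp-server
add name=dhcp1 interface=bridge-lan address-pool=dmz-pool disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall nat
# in-interface keeps the DMZ rule from catching LAN-to-LAN traffic
add chain=dstnat in-interface=ether1 action=dst-nat to-addresses=192.168.88.10 \
    comment="DMZ - forward all ports"
add chain=srcnat out-interface=ether1 action=masquerade
```

The DMZ host is fully exposed by design, so a forward-chain filter on the CPE that drops new connections from ether1 to anything other than 192.168.88.10 is the one thing worth adding before handing it to a customer.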

Page 14: Carrier Grade NAT
- How is it different?
- NAT444 vs NAT44
- Know your RFCs
  - RFC 6598
  - RFC 7422
  - RFC 6888
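An added NAT444 example (not from the deck) tying the three RFCs together: subscribers sit in the RFC 6598 shared space 100.64.0.0/10 behind their own CPE NAT, the CGN box does the second translation onto a public address, and each subscriber gets a fixed port block in the spirit of RFC 7422 so an abuse report of (public IP, port, time) maps to one subscriber without per-connection logging, which is what RFC 6888 asks of a CGN. Assumed: ether1 faces upstream, 1.2.3.6 is the public NAT address from the scheme, and 100.64.0.10 / 100.64.0.11 are two constructed subscribers.

```routeros
# CGN (NAT444) with deterministic per-subscriber port blocks (constructed example).
# RouterOS has no native deterministic-NAT mode, so the block is expressed as
# one src-nat rule per subscriber and protocol; generate these from your
# subscriber database rather than by hand once you have more than a handful.
/ip firewall nat
# subscriber 100.64.0.10 -> ports 10240-11263
# (tcp and udp need separate rules because to-ports only applies to those)
add chain=srcnat src-address=100.64.0.10 out-interface=ether1 protocol=tcp \
    action=src-nat to-addresses=1.2.3.6 to-ports=10240-11263 comment="sub 0.10 tcp"
add chain=srcnat src-address=100.64.0.10 out-interface=ether1 protocol=udp \
    action=src-nat to-addresses=1.2.3.6 to-ports=10240-11263 comment="sub 0.10 udp"
# subscriber 100.64.0.11 -> ports 11264-12287
add chain=srcnat src-address=100.64.0.11 out-interface=ether1 protocol=tcp \
    action=src-nat to-addresses=1.2.3.6 to-ports=11264-12287 comment="sub 0.11 tcp"
add chain=srcnat src-address=100.64.0.11 out-interface=ether1 protocol=udp \
    action=src-nat to-addresses=1.2.3.6 to-ports=11264-12287 comment="sub 0.11 udp"
# Anything else from the shared space (ICMP, a subscriber with no block yet)
# still gets translated, just without a fixed block. Non-zero counters on this
# rule mean someone is missing a per-subscriber entry and will be hard to
# trace, which is exactly the accounting problem the next slide lists.
add chain=srcnat src-address=100.64.0.0/10 out-interface=ether1 \
    action=src-nat to-addresses=1.2.3.6 comment="cgn catch-all"

# Shared space is not routable on the Internet; anything arriving from the
# upstream with such a source is spoofed or a leak from another CGN.
/ip firewall filter
add chain=forward in-interface=ether1 src-address=100.64.0.0/10 action=drop \
    comment="shared space never comes from upstream"
```

The 1024-port block size caps how many simultaneous flows a subscriber can have, so size it from your connection-tracking numbers before rolling it out.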

Page 15: Disadvantages
- CPU and memory intensive
- Port forwarding is no longer an option
- You end up deploying IPv6 anyway
- It's still NAT
- Multiple people behind a single address cause issues for accounting and tracking
- Still have issues with services "seeing" too many IPs

Page 16: Advantages
- Ummmm…
- Seriously, not many. Better usage of NATting
- "Easier" than IPv6
- If you know NAT you can configure CGN

Page 17: Better things than CGN
- Dual-stack
- NAT64
- DS-Lite
- 6RD
- Kittens… 'cause it's the Internet

Page 18: UPnP can be your friend
- Universal Plug and Play gets a bad rep
- MikroTik addresses the biggest issue with UPnP: allow-disable-external-interface
- Many UPnP vulnerabilities are a direct result of router code vulnerabilities (not MikroTik)
- Most articles are more than 2 years old.
- If you provide managed MikroTiks you can be a hero
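The setting the slide is pointing at, shown as an added example (not the deck's config): the default UPnP configuration beside a hardened one for a managed customer router. Assumed: ether1 is the WAN side and bridge-lan is the customer LAN.

```routeros
# UPnP on a managed customer MikroTik (constructed example).

# Weak: just switching UPnP on. allow-disable-external-interface defaults to
# yes, which lets any LAN device ask the router to shut its WAN interface
# down with no authentication at all.
/ip upnp
set enabled=yes

# Hardened: keep the port-mapping part customers want, refuse the
# disable-external-interface request, and declare which interface is which so
# no LAN segment is treated as external and no mapping request is honoured
# from the WAN side.
/ip upnp
set enabled=yes allow-disable-external-interface=no
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge-lan type=internal

# Mappings created over UPnP appear as dynamic (D) dst-nat rules; list them
# when a customer reports odd inbound traffic instead of guessing.
/ip firewall nat print where dynamic=yes
```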

Page 19: UPnP can be your friend (image slide)

Page 20: Let's talk about BGP baby…just you and me

Page 21: BGP considerations
- Design and engineering
- Peer setup
- Filters & security
- Types of peering

Page 22: Design and Engineering
- Everything starts with a good foundation
- Modular approach
- Redundancy and serviceability
- 3-tier design
  - Edge
  - Core
  - Access

Page 23: Design and Engineering (image slide)

Page 24: Design and Engineering
- Don't make your routers do everything – modularize
- Sales will love you
- Redundancy
  - Greg Sowell's upcoming presentation
- Easier to upgrade
- Better performance

Page 25: BGP Tips
- Deny-all in and out filters for testing
- The global routing table is above 600,000 non-aggregated routes
- New methods of thinking
  - Some folks are filtering out the large netblocks
  - 38.0.0.0/8 is a good example (Cogent, ASN 174)

Page 26: 38.0.0.0/8 example (image slide)

Page 27: BGP Filters
- Tom Smyth's presentation
- In-bound filter
  - Lots of denies
  - Deny your own IP space
  - Deny non-routable (i.e. 192.168.0.0/16)
  - Don't accept anything smaller than a /24
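The in-bound denies from this slide, the deny-all testing posture and the large-netblock trick from page 25, as an added RouterOS example (not the deck's filters). Assumed: our space is the 1.2.3.0/24 from the NAT scheme, the upstream peer is 203.0.113.1 in AS 64496 (documentation values), and we take a default route from that upstream, which is the only reason dropping an aggregate like 38.0.0.0/8 is safe.

```routeros
# BGP in/out filters for a single-upstream edge (constructed example).
/routing filter
# in: our own space must never be learned from outside, any length
add chain=bgp-in prefix=1.2.3.0/24 prefix-length=24-32 action=discard \
    comment="own space"
# in: non-routable and special-use space, any length inside each block
add chain=bgp-in prefix=10.0.0.0/8 prefix-length=8-32 action=discard
add chain=bgp-in prefix=172.16.0.0/12 prefix-length=12-32 action=discard
add chain=bgp-in prefix=192.168.0.0/16 prefix-length=16-32 action=discard
add chain=bgp-in prefix=100.64.0.0/10 prefix-length=10-32 action=discard
add chain=bgp-in prefix=127.0.0.0/8 prefix-length=8-32 action=discard
add chain=bgp-in prefix=169.254.0.0/16 prefix-length=16-32 action=discard
# in: nothing longer than a /24 (the default route is length 0, so it passes)
add chain=bgp-in prefix=0.0.0.0/0 prefix-length=25-32 action=discard \
    comment="longer than /24"
# in, optional: the big-aggregate trick; enable only while a default route
# from the same upstream covers it
add chain=bgp-in prefix=38.0.0.0/8 prefix-length=8 action=discard disabled=yes \
    comment="Cogent /8 - reached via default"
add chain=bgp-in action=accept
# out: announce only our /24 and discard everything else, so routes learned
# from one peer are never re-advertised to another as transit
add chain=bgp-out prefix=1.2.3.0/24 prefix-length=24 action=accept
add chain=bgp-out action=discard

/routing bgp peer
add name=upstream remote-address=203.0.113.1 remote-as=64496 \
    in-filter=bgp-in out-filter=bgp-out
```

For the deny-all testing step from page 25, bring the peer up with both chains holding only the discard rule, confirm the session and what the peer offers with `/routing bgp advertisements print` and `/ip route print where bgp`, then add the accept rules.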

Page 28: Types of peering
- Public peering
  - Usually at an Internet Exchange (IX)
  - 50-80% of your traffic can be offloaded
  - Usually much cheaper (.27 per meg for Netflix?)
- Private peering
  - Usually between two individual parties
  - Settlement-free and paid peering

Page 29: Resources
- www.mtin.net/blog
- www.thebrotherswisp.com
- j2sw.com
- Ask questions.
- Facebook has very active groups

Page 30: Questions? Callouts