Definitions

Drop vs Reject

For packets that come from outside the network it is recommended to use DROP; for packets within a local or private network REJECT can be used. The REJECT action sends back an ICMP message advising that the packet was rejected, but that reply can be exploited by people carrying out a DDoS (distributed denial of service) attack. Many of these attacks use forged (spoofed) source addresses, taking advantage of exactly this difference between REJECT and DROP.

Port knocking

Port knocking is a method that allows access to the router only after receiving a sequence of connection attempts on a previously specified set of closed ports. Once the correct sequence of connection attempts is received, RouterOS dynamically adds the source IP of that host to the list of allowed addresses and you can connect to your router.

It improves the security of the device and reduces the risk of intrusion attempts against management protocols such as SSH, Telnet, Winbox, etc.
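The mechanism described above, as an added example (not RouterOS code): a small port-knocking state machine that tracks each source address through the knock sequence, adds it to a dynamic allowed list with an expiry, and lets management ports through only for listed sources. The knock ports, timing limits and management ports are constructed values chosen for the illustration.

```python
# Added example: a minimal port-knocking state machine, not RouterOS code.
# The knock ports, timing limits and management ports below are constructed values.

KNOCK_SEQUENCE = (1234, 5678, 9012)   # closed ports that must be hit in this order
KNOCK_WINDOW = 10.0                   # max seconds between two consecutive knocks
ALLOW_TTL = 60.0                      # seconds the source stays on the allowed list
MANAGEMENT_PORTS = {22, 23, 8291}     # SSH, Telnet, Winbox


class KnockTracker:
    """Tracks how far each source address has progressed through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, ttl=ALLOW_TTL):
        self.sequence = tuple(sequence)
        self.window = window
        self.ttl = ttl
        self.progress = {}   # src_ip -> (index of next expected knock, time of last good knock)
        self.allowed = {}    # src_ip -> expiry time (the dynamic "allowed" address list)

    def observe(self, src_ip, dst_port, now):
        """Record one connection attempt to a closed port.

        Returns True when this attempt completes the sequence and the source
        is added to the allowed list; False otherwise.  Timestamps are passed
        in explicitly so the logic is deterministic and testable.
        """
        self._expire(now)
        idx, last = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - last > self.window:
            idx = 0                                  # too slow: start over
        if dst_port == self.sequence[idx]:
            idx += 1                                 # correct next knock
        elif dst_port == self.sequence[0]:
            idx = 1                                  # wrong knock, but it restarts the sequence
        else:
            idx = 0                                  # any other port resets progress
        if idx == len(self.sequence):
            self.allowed[src_ip] = now + self.ttl
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, now)
        return False

    def is_allowed(self, src_ip, now):
        """True while the source is on the allowed list (entries expire after ttl)."""
        self._expire(now)
        return src_ip in self.allowed

    def _expire(self, now):
        for ip in [ip for ip, exp in self.allowed.items() if exp <= now]:
            del self.allowed[ip]


def filter_decision(tracker, src_ip, dst_port, now):
    """Firewall decision for one inbound connection attempt: 'accept' or 'drop'.

    Management ports are reachable only from addresses on the allowed list;
    every other port is a potential knock and is always dropped.
    """
    if dst_port in MANAGEMENT_PORTS:
        return "accept" if tracker.is_allowed(src_ip, now) else "drop"
    tracker.observe(src_ip, dst_port, now)
    return "drop"
```

A wrong port, or a gap longer than the window between knocks, resets the sequence, so a scan that touches the same ports in the wrong order never opens the management ports; the allowed entry expires on its own, which is the behaviour to expect from the dynamic address list.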

Regular expression

Regular expressions are patterns used to find a certain combination of characters within a text string. They provide a very flexible way of searching for or recognizing text strings. For example, the set consisting of the strings Handel, Händel and Haendel is described by the pattern "H(a|ä|ae)ndel".

IPsec

Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to secure packet exchange over unprotected IP/IPv6 networks such as the Internet. The set of IPsec protocols can be divided into the following groups:

  • Internet Key Exchange (IKE) protocols. Dynamically generate and distribute cryptographic keys for AH and ESP.

It is a protocol that provides authenticated keying material for the Internet Security Association and Key Management Protocol (ISAKMP) framework. There are other key exchange schemes that work with ISAKMP, but IKE is the most widely used. Together they provide the means for host authentication and automatic security association (SA) management.

  • Authentication Header (AH), RFC 4302

It is a protocol that provides authentication of all or part of the content of a datagram by adding a header that is calculated based on the values in the datagram. The parts of the datagram that are used for the calculation and the location of the header depend on whether tunnel or transport mode is used.

The presence of the AH header allows the integrity of the message to be verified, but does not encrypt it. Therefore, AH provides authentication but not privacy. Another protocol, ESP, is considered superior: it provides data privacy as well as its own authentication method.

  • Encapsulating Security Payload (ESP), RFC 4303

It uses shared-key encryption to provide data privacy. ESP also supports its own authentication scheme, like the one used in AH.

ESP packages its fields in a very different way than AH. Instead of having just one header, it splits its fields into three components:

  • ESP header: comes before the encrypted data; its location depends on whether ESP is used in transport or tunnel mode.

  • ESP trailer: placed after the encrypted data. Contains the padding used to align the encrypted data.

  • ESP authentication data: contains an Integrity Check Value (ICV), calculated similarly to how the AH protocol works, used when the optional ESP authentication feature is enabled.

Datagrams

A simple packet routed across a network without acknowledgement.

A datagram is a fragment of a packet that is sent with enough information for the network to route that fragment to the receiving computer independently of the remaining fragments. This can result in a disordered or incomplete reassembly of the packet on the destination computer. Its structure consists of a header and data.

TZSP

TaZmen Sniffer Protocol (TZSP) is an encapsulation protocol used to wrap other protocols. It is commonly used to wrap 802.11 wireless packets to support intrusion detection systems (IDS), wireless tracking, or other wireless applications. It uses the UDP protocol and port 37008.
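An added example of parsing the TZSP wrapper, not MikroTik's code: it reads the 4-byte header (version, type, encapsulated protocol), walks the tagged fields up to the end tag, and returns the wrapped frame. The layout and the tag numbers follow the commonly published description of the protocol and are an assumption here; the sample datagram is constructed.

```python
# Added example: a parser for the TZSP encapsulation header and tag list, not
# MikroTik's code. The field layout (1-byte version, 1-byte type, 2-byte
# encapsulated protocol, then tagged fields terminated by tag 0x01) and the tag
# numbers follow the commonly published description of the protocol (assumption);
# the sample datagram is constructed.
import struct

TZSP_UDP_PORT = 37008
ENCAPSULATIONS = {0x01: "Ethernet", 0x12: "IEEE 802.11"}
TYPES = {0: "received-tag-list", 1: "packet-for-transmit", 4: "keepalive"}
TAG_PADDING = 0x00   # single byte, no length or value
TAG_END = 0x01       # single byte, marks the end of the tag list
TAG_NAMES = {0x0A: "raw_rssi", 0x0B: "snr", 0x0C: "data_rate", 0x12: "rx_channel"}


def parse_tzsp(datagram):
    """Split one TZSP UDP payload into header fields, tags and the wrapped frame."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError("unsupported TZSP version %d" % version)
    tags = {}
    i = 4
    while True:
        if i >= len(datagram):
            raise ValueError("tag list not terminated")   # never trust the sender to send END
        tag = datagram[i]
        i += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if i >= len(datagram):
            raise ValueError("truncated tag header")
        length = datagram[i]
        i += 1
        if i + length > len(datagram):
            raise ValueError("tag length runs past the datagram")   # bounds check before slicing
        tags[TAG_NAMES.get(tag, "tag_0x%02x" % tag)] = datagram[i:i + length]
        i += length
    return {
        "version": version,
        "type": TYPES.get(ptype, ptype),
        "encapsulation": ENCAPSULATIONS.get(encap, "0x%04x" % encap),
        "tags": tags,
        "frame": datagram[i:],   # the wrapped packet, e.g. an 802.11 frame
    }


def rssi_dbm(tags):
    """Decode the 1-byte signed RSSI tag, or None if absent."""
    raw = tags.get("raw_rssi")
    if raw is None or len(raw) != 1:
        return None
    return int.from_bytes(raw, "big", signed=True)


# Constructed sample: version 1, type 0, 802.11 encapsulation, RSSI -60 dBm, one
# padding byte, END, then a 4-byte stand-in for the wrapped 802.11 frame.
SAMPLE = bytes([0x01, 0x00, 0x00, 0x12, 0x0A, 0x01, 0xC4, 0x00, 0x01]) + b"\x80\x00\x00\x00"
```

Every length in the tag list is checked against the datagram before slicing, which matters for anything that listens on UDP 37008: a sniffer stream can be fed arbitrary datagrams, so a parser that trusts the tag lengths is the first thing to break.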

PCAP

It is an application programming interface (API) for packet capture. The implementation of pcap for Unix-based systems is known as libpcap; the Windows port of libpcap is called WinPcap.

Some programs that use pcap:

  • Snort

  • Suricata

  • Nmap

  • tcpdump

PCC Matcher method for load balancing

It allows traffic to be divided into equal flows, with the ability to keep packets that share a specific set of options in one particular flow (this set of options can be chosen from src-address, src-port, dst-address and dst-port).

PCC takes the selected fields from the IP header and, with the help of a hashing algorithm, converts them into a 32-bit value. This value is divided by the specified Denominator and the remainder is compared with the specified Remainder; if they are equal, the packet is matched.
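The classification arithmetic just described, as an added example that is not RouterOS's implementation: the selected fields are packed and hashed to a 32-bit value, divided by the denominator, and the remainder decides which rule matches. RouterOS does not publish its hash function, so SHA-256 truncated to 32 bits is used here as a stand-in (an assumption); the packets are constructed.

```python
# Added example: the PCC classification arithmetic, not RouterOS's implementation.
# RouterOS does not publish its hash function, so SHA-256 truncated to 32 bits is used
# here as a stand-in (an assumption); the packets are constructed.
import hashlib
import ipaddress

PCC_FIELDS = ("src-address", "dst-address", "src-port", "dst-port")


def pcc_value(packet, classifier):
    """Hash the selected header fields of one packet into a 32-bit value."""
    parts = []
    for field in classifier:
        if field not in PCC_FIELDS:
            raise ValueError("unknown PCC field %r" % field)
        value = packet[field]
        if field.endswith("address"):
            parts.append(ipaddress.ip_address(value).packed)   # 4 bytes (IPv4) or 16 (IPv6)
        else:
            parts.append(int(value).to_bytes(2, "big"))        # 16-bit port
    digest = hashlib.sha256(b"".join(parts)).digest()
    return int.from_bytes(digest[:4], "big")


def pcc_match(packet, classifier, denominator, remainder):
    """True if hash(selected fields) mod denominator equals remainder."""
    if denominator < 1 or not 0 <= remainder < denominator:
        raise ValueError("remainder must be in 0..denominator-1")
    return pcc_value(packet, classifier) % denominator == remainder


def classify(packets, classifier, denominator):
    """Assign every packet to the single remainder (link) its hash selects."""
    return [pcc_value(p, classifier) % denominator for p in packets]


# Constructed flows: two connections from the same client to the same server,
# plus one from a second client.
PACKETS = [
    {"src-address": "192.168.88.10", "dst-address": "203.0.113.5", "src-port": 40001, "dst-port": 443},
    {"src-address": "192.168.88.10", "dst-address": "203.0.113.5", "src-port": 40002, "dst-port": 443},
    {"src-address": "192.168.88.20", "dst-address": "203.0.113.5", "src-port": 40003, "dst-port": 80},
]
```

With a denominator of 2 and classifier "src-address, dst-address", every packet satisfies exactly one of the remainders 0 and 1, and the two connections between the same pair of addresses always land on the same link, because the ports are not part of the hashed fields; adding the ports to the classifier would spread those connections across links instead.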

VRRP

Virtual Router Redundancy Protocol (VRRP) is a non-proprietary communications protocol defined in RFC 3768, designed to increase the availability of the default gateway serving hosts on the same subnet. Increased reliability is achieved by advertising a virtual router as the default gateway instead of a physical router. Two or more physical routers are configured to represent the virtual router, with only one of them actually performing the routing. If the physical router that is currently routing fails, another physical router negotiates to replace it. The physical router that actually performs the routing is called the master router; the others are backup routers waiting for the master to fail.

Protocol Layer 7

The layer7 protocol is a method of searching for patterns in ICMP/TCP/UDP streams. It works by means of predefined patterns at the Application layer of the OSI model.

The L7 matcher collects the first 10 packets or the first 2 KB of a connection and looks for the pattern in the collected data. If the pattern is not found in the collected data, the matcher stops inspecting further: the allocated memory is freed and the protocol is considered unknown. Be aware that many connections will significantly increase memory and CPU usage.

An additional requirement is that the Layer 7 matcher must see both directions of the traffic (inbound and outbound). To meet this requirement, the rules must be placed in the forward chain. If the rule is in the input/prerouting chain, then the same rule must also be placed in the output/postrouting chain; otherwise the collected data may be incomplete, resulting in an incorrectly matched pattern.
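The collect-then-search behaviour of the previous two paragraphs, and the regular-expression idea from the "Regular expression" entry above, in one added example that is not RouterOS code: a per-connection matcher buffers payload until it either finds the pattern or hits the 10-packet / 2 KB limit, after which it frees the buffer and stops inspecting. It also shows why both directions matter: a pattern that describes the server's reply can never match if only the client's side is seen. The HTTP pattern is a cut-down illustration of the kind of pattern l7-filter uses (constructed); the Händel pattern is the page's own example.

```python
# Added example: a simplified model of the L7 matcher's collect-then-search behaviour,
# not RouterOS code. Patterns below are constructed illustrations: the HTTP one is a
# cut-down version of the kind of pattern l7-filter uses; the Händel one is the
# example from the page.
import re

L7_MAX_PACKETS = 10    # the matcher inspects at most the first 10 packets ...
L7_MAX_BYTES = 2048    # ... or the first 2 KB of a connection, whichever comes first


class L7Matcher:
    """Per-connection state: collect payload in both directions, search, then stop."""

    def __init__(self, name, pattern):
        self.name = name
        # L7 patterns are matched case-insensitively against raw bytes.
        self.pattern = re.compile(pattern, re.IGNORECASE | re.DOTALL)
        self.collected = bytearray()
        self.packets = 0
        self.state = "collecting"   # collecting -> matched | unknown

    def feed(self, payload):
        """Feed one packet payload (either direction) and return the new state."""
        if self.state != "collecting":
            return self.state            # decision already made; nothing more is inspected
        self.collected += payload
        self.packets += 1
        if self.pattern.search(bytes(self.collected)):
            self.state = "matched"
        elif self.packets >= L7_MAX_PACKETS or len(self.collected) >= L7_MAX_BYTES:
            self.state = "unknown"       # give up: pattern not found within the limits
        if self.state != "collecting":
            self.collected = bytearray()  # buffer released once the decision is made
        return self.state


# Cut-down HTTP pattern: matches the status line of a server response.
HTTP_PATTERN = rb"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]"
# The page's example pattern, as UTF-8 bytes so it can run over packet payloads.
HANDEL_PATTERN = "H(a|ä|ae)ndel".encode("utf-8")


def classify_connection(name, pattern, payloads):
    """Run a matcher over a list of packet payloads and return the final state."""
    matcher = L7Matcher(name, pattern)
    for payload in payloads:
        matcher.feed(payload)
    return matcher.state
```

Feeding the request and the response gives "matched"; feeding only requests (what a rule in the input chain alone would see) never matches and ends as "unknown" after the tenth packet, and a single oversized payload hits the 2 KB limit on its own. Each connection carries its own buffer, which is the memory cost the text warns about.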

To learn the true purpose for which this protocol was designed, which was not blocking web pages or any kind of censorship, I recommend visiting the official page via this link.

ISP

The Internet Service Provider (ISP) is the company that provides an Internet connection to its customers. An ISP connects its users to the Internet through different technologies such as ADSL, cable modem, GSM, dial-up, etc.

CGNAT (Carrier-Grade NAT or NAT444)

The idea is to use the 100.64.0.0/10 shared address space inside the carrier's network and perform NAT on the carrier's edge router to map it to a public IP or a public IP range. In other words, instead of doing NAT once, NAT is done twice.

Gateway

A gateway is the device that acts as a connection interface between devices, and also makes it possible to share resources between two or more computers.

Its purpose is to translate the information from the protocol used in an initial network, to the protocol used in the destination network.

The gateway is normally a computer configured to give the machines of a local area network (LAN) connected to it access to an external network, generally by carrying out network address translation (NAT). This address translation capability allows a technique called IP masquerading to be applied, very often used to give Internet access to the computers on a LAN by sharing a single Internet connection and, therefore, a single external IP address.

RoMON (Router Manager Overlay Network)

A proprietary MikroTik protocol, not active by default, which allows RouterOS devices (version 6.28 or higher) to be linked and accessed via Winbox v3.x whether they sit at layer 2 (data link level) or layer 3 (network level) of the network. You only need to enable this protocol on the routers you want to access.

Load balancing

It splits traffic between network interfaces at Layer 4 (transport layer). It is extremely useful where there are redundant communication links, since all links can be used at the same time. By using multiple links simultaneously, bandwidth availability is increased, and congestion or saturation of a single link is avoided.
