What firewall means in ISP context

Not just "block port 22 from the world." In ISPs, the firewall protects infrastructure (management, RADIUS, monitoring, database), segments traffic (residential customers can't reach corporate network, IoT can't reach cameras), applies per-VLAN/VRF policies, and absorbs edge attacks before they hit the core.

What RASYS does with firewall

  • Edge hardening — infrastructure ACLs (management only from authorized IPs, deny default on control plane), strict uRPF to prevent spoofing, control-plane rate limits (CoPP).
  • VLAN/VRF isolation — segmenting management network, RADIUS/database, residential customers, corporate customers, IoT, cameras. L3 firewall between segments.
  • NAT and port forwarding — for internal services needing exposure (web, email, VPN), with clear policy.
  • Edge anti-DDoS — rate-limit per flow, drop abusive protocols (NTP amplification, open DNS recursors), integration with scrubbing services when the ISP has a contract.
  • Site-to-site VPN — IPsec or WireGuard between PoPs or to corporate customers. L2TP/SSTP for remote access.
  • RADIUS, DB, management hardening — fail2ban, IP whitelist, MFA where applicable.
  • Logging and alerts — centralized Syslog, alert on blocked-traffic spike, SIEM integration if the ISP has one.
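As an added illustration of the edge-hardening and logging bullets above, here is example RouterOS v7 configuration written for this page (not RASYS's own templates) that turns the infrastructure-ACL, uRPF, rate-limit and logging items into concrete rules. Every address, VLAN id, interface name and list name in it is a placeholder.

```routeros
# Added example, not RASYS's configuration: control-plane hardening on a
# RouterOS v7 edge router. Every address, VLAN id and interface name below
# is a placeholder.

# Customer-facing VLAN and the interface list the raw rule refers to
/interface vlan
add name=vlan200-residential vlan-id=200 interface=ether2
/interface list
add name=customers
/interface list member
add list=customers interface=vlan200-residential

# Who is allowed to talk to the router itself
/ip firewall address-list
add list=mgmt-allowed address=192.0.2.10 comment="jump host (placeholder)"
add list=mgmt-allowed address=10.255.0.0/24 comment="VPN client pool (placeholder)"
add list=monitoring address=10.10.20.5 comment="SNMP poller / NMS (placeholder)"
add list=bgp-peers address=198.51.100.1 comment="upstream BGP neighbour (placeholder)"
add list=customer-prefixes address=100.64.0.0/10 comment="prefixes customers may source (placeholder)"

# uRPF. rp-filter is global on RouterOS: strict suits a single-homed
# customer-facing box; on a multi-homed edge with asymmetric return paths use
# loose, otherwise strict mode drops legitimate traffic.
/ip settings
set rp-filter=strict

# Per-VLAN anti-spoofing in the raw table, before connection tracking runs:
# a customer port may only source addresses from the customer pool.
/ip firewall raw
add chain=prerouting in-interface-list=customers src-address-list=!customer-prefixes \
    action=drop comment="spoofed source address on customer VLAN"

# Infrastructure ACL: the input chain is traffic addressed TO the router.
# Rules are evaluated top to bottom; the last rule is the default deny.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to sessions the router opened (RADIUS, DNS, NTP ...)"
add chain=input connection-state=invalid action=drop
# RouterOS has no CoPP; per-rule limits on the input chain approximate it.
add chain=input protocol=icmp limit=50,5:packet action=accept comment="ICMP, 50 pps with burst 5"
add chain=input protocol=icmp action=drop comment="ICMP above the limit"
add chain=input protocol=tcp dst-port=179 src-address-list=bgp-peers action=accept \
    comment="BGP only from known peers"
add chain=input protocol=udp dst-port=161 src-address-list=monitoring action=accept \
    comment="SNMP only from the NMS"
add chain=input protocol=tcp dst-port=22,8291,443 src-address-list=mgmt-allowed action=accept \
    comment="SSH / Winbox / HTTPS only from jump host or VPN pool"
add chain=input protocol=tcp dst-port=22,8291,443 action=log log-prefix="MGMT-PROBE " \
    comment="anyone else knocking on management ports is logged, then dropped below"
add chain=input action=drop comment="default deny on the control plane"
```

Apply this from a console session in Safe Mode (or paste it rule by rule with the default-deny last and a jump-host session already open), because a typo in the `mgmt-allowed` list combined with the final drop locks you out of the box. The `MGMT-PROBE` log prefix is what the centralized Syslog alert on blocked-traffic spikes can key on.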

Equipment we work with

MikroTik RouterOS, FortiGate, pfSense, OPNsense, iptables/nftables on Linux, IPsec/WireGuard. On large edges, integration with Huawei/Juniper router service modules.

When it makes sense to talk to us

  • Firewall rules have piled up for years with nobody reviewing them.
  • OLT management is reachable from the public internet.
  • You suffered a recent DDoS with no mitigation in place.
  • You want to separate the corporate network from the residential one but don't know how.
  • You need site-to-site VPN for customers.

Talk to us. See also: BGP, Monitoring.

FREQUENTLY ASKED QUESTIONS

Can a firewall degrade ISP edge performance?

Yes. Stateful tracking of millions of connections on a general-purpose CPU degrades under load. For a high-throughput ISP edge, we recommend purpose-built hardware (MikroTik CCR, Juniper SRX, Fortinet) or stateless rules where full state tracking is unnecessary. Generic x86 with iptables handles up to a few Gbps; beyond that, purpose-built silicon or DPDK is needed.

Do you configure L7 (application layer) anti-DDoS?

Pure L7 mitigation requires specialized equipment or service (FastNetMon + scrubbing center, Cloudflare Magic Transit, Voxility). What we do: NetFlow-based detection, edge rate-limiting per source, drop of abusive protocols, and integration with scrubbing services when the ISP already has a contract. L3/L4 and L7 mitigation at dedicated scale is a separate project with a scrubbing provider.

Can a MikroTik firewall handle mid-size ISP traffic (5–20 Gbps)?

Yes, with care. CCR2004/2216 with fastpath enabled handles 10–20 Gbps on forwarding rules. Heavy stateful tracking (connection tracking enabled) degrades throughput significantly. Above 20 Gbps, we recommend dedicated hardware: Juniper SRX, CCR2216 with tuning, or x86 with DPDK-based software.
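To make the fastpath point concrete, here is an added RouterOS example (written for this page, not RASYS's configuration) showing the two ways of keeping a CCR out of the slow path: fasttrack for flows that do need a conntrack entry, and raw-table notrack for transit that does not. VLAN names, ids and interfaces are placeholders.

```routeros
# Added example, not RASYS's configuration: keeping a RouterOS edge in
# fastpath. VLAN names, ids and interface names are placeholders.

/interface vlan
add name=vlan200-residential vlan-id=200 interface=ether2
add name=vlan300-transit vlan-id=300 interface=sfp-sfpplus1 comment="PoP-to-PoP transit, routed only"

/ip firewall filter
# 1. Flows that still need state (customer NAT, stateful policy) are
#    fasttracked: once a connection is marked, its later packets bypass the
#    filter, mangle and queue code paths. The rule must sit before anything
#    else that wants to see those packets, because after it nothing will.
add chain=forward connection-state=established,related action=fasttrack-connection \
    comment="fastpath for known flows"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# 2. Packets exempted from tracking in the raw table below arrive here as
#    "untracked"; they must be accepted explicitly or the default deny at the
#    end of the chain drops them.
add chain=forward connection-state=untracked in-interface=vlan300-transit action=accept \
    comment="stateless PoP transit"
add chain=forward in-interface=vlan200-residential action=accept comment="customers outbound"
add chain=forward action=drop comment="forward default deny"

# Transit that needs no stateful inspection is excluded from connection
# tracking before it starts, so it never occupies a conntrack entry.
/ip firewall raw
add chain=prerouting in-interface=vlan300-transit action=notrack comment="no state for PoP transit"

# With "auto", conntrack stays off entirely on a box whose rules never
# reference connection state (a pure transit router), the cheapest mode.
/ip firewall connection tracking
set enabled=auto

# Verification: the fasttrack rule's counters should grow with traffic and
# the connection table should stay small relative to forwarded flows.
/ip firewall filter print stats
/ip firewall connection print count-only
```

The trade-off is visibility: fasttracked and untracked packets are invisible to mangle marks, simple queues and any later filter rule, so per-customer shaping or L7 matching on those flows has to happen before the fasttrack rule or not at all.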

How do you segregate the management network from client traffic?

Dedicated VLAN for management, private subnet (RFC 1918, or a public /29 without an announced route), inbound ACL allowing only the authorized jump host or VPN gateway, and no direct route from the internet. Management access only via VPN with MFA. This isolates RADIUS, OLT management, monitoring, and databases from any path reachable by customers or the public internet.
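The segmentation described in this answer and in the VLAN/VRF isolation bullet earlier, as an added RouterOS example written for this page (not RASYS's own configuration): management, residential, corporate, IoT and camera VLANs behind a forward-chain policy that lets only the VPN client pool reach management, keeps IoT away from cameras, and denies everything not listed. Interface names, VLAN ids, subnets and the assumption that MFA is enforced on the VPN concentrator are all placeholders.

```routeros
# Added example, not RASYS's configuration: L3 segmentation between the
# segments the page names. VLAN ids, interfaces and subnets are placeholders.

/interface vlan
add name=vlan100-mgmt vlan-id=100 interface=ether1 comment="OLT mgmt, RADIUS, NMS, DB"
add name=vlan200-residential vlan-id=200 interface=ether2
add name=vlan210-corporate vlan-id=210 interface=ether2
add name=vlan300-iot vlan-id=300 interface=ether3
add name=vlan310-cameras vlan-id=310 interface=ether3

# RFC 1918 management subnet, never announced and never NATed: with the
# forward default deny below there is no path to it from the internet.
/ip address
add address=10.10.0.1/24 interface=vlan100-mgmt comment="management, RFC 1918"

/interface list
add name=mgmt
add name=customers
add name=iot
add name=cameras
add name=wan
/interface list member
add list=mgmt interface=vlan100-mgmt
add list=customers interface=vlan200-residential
add list=customers interface=vlan210-corporate
add list=iot interface=vlan300-iot
add list=cameras interface=vlan310-cameras
add list=wan interface=sfp-sfpplus1

# The only source allowed into management: the VPN client pool. MFA is
# assumed to be enforced by the VPN concentrator, not by this router.
/ip firewall address-list
add list=mgmt-allowed address=10.255.0.0/24 comment="VPN client pool (placeholder)"

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Management segment: reachable from the VPN pool, from nowhere else.
add chain=forward out-interface-list=mgmt src-address-list=mgmt-allowed action=accept \
    comment="VPN users -> management"
add chain=forward out-interface-list=mgmt action=drop log=yes log-prefix="MGMT-DENY " \
    comment="customers, IoT, cameras and WAN never reach management"
# Residential and corporate customers are separate tenants: no east-west.
add chain=forward in-interface-list=customers out-interface-list=customers action=drop \
    comment="customer VLAN isolation"
# IoT may only talk to the internet, never to cameras or anything internal.
add chain=forward in-interface-list=iot out-interface-list=wan action=accept
add chain=forward in-interface-list=iot action=drop comment="IoT -> anything internal"
# Cameras are reached only from the NVR/monitoring in the management VLAN
# and never initiate connections themselves.
add chain=forward in-interface-list=mgmt out-interface-list=cameras action=accept \
    comment="NVR / monitoring -> cameras"
add chain=forward in-interface-list=cameras action=drop comment="cameras never initiate"
add chain=forward out-interface-list=cameras action=drop comment="nobody else reaches cameras"
# Customers to the internet; everything not matched above is denied.
add chain=forward in-interface-list=customers out-interface-list=wan action=accept
add chain=forward action=drop comment="forward default deny"
```

Two checks worth running after applying it: from a residential VLAN, confirm that `10.10.0.0/24` is unreachable and that the attempt shows up in the log under `MGMT-DENY` (the blocked-traffic alert from the logging bullet keys on exactly that prefix); and from the VPN pool, confirm that only the management ports you intend are open, since this policy limits who reaches the segment, not which services inside it listen.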