Home > MikroTik > Router > MikroTik Router OS V3.0 User Manual

MikroTik Router OS V3.0 User Manual

Add to Favourites
    Download as PDF

    Here you can view all the pages of manual MikroTik Router OS V3.0 User Manual. The MikroTik manuals for Router are available online for free. You can easily download all the documents as PDF.

    Overview View all the pages Comments

    Page 311

    Page 311 +           !&%!)(%+%+&1    /ip firewall mangle add chain=forward src-address=192.168.0.0/24 \action=mark-connection new-connection-mark=users-con/ip firewall mangle add connection-mark=users-con action=mark-packet \new-packet-mark=users chain=forward 9    -  $3@     :$           +     8     7          8     ... 
    +
 
 	 	 
	 
  	 

!&%!)(%+%+&1
 	 	
/ip firewall mangle add chain=forward src-address=192.168.0.0/24 \action=mark-connection new-connection-mark=users-con/ip firewall mangle add connection-mark=users-con action=mark-packet \new-packet-mark=users chain=forward
9   	 - 
 $3@ 
  
 	:$  	 
	  

	


	 +   	

	 
 8 
 
 
7

	 
  	
 	 
	 8  	...

    Page 312

    Page 312  6*   *!$               4    8                      /queue tree add parent=Local queue=pcq-download packet-mark=users/queue tree add parent=Public queue=pcq-upload packet-mark=users Page 301 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their... 
    
6*  *!$ 	


 		

  	  	

  
	  	
  4
 
 8  	
	
 
  
	 	

	 
 
 
 

	
/queue tree add parent=Local queue=pcq-download packet-mark=users/queue tree add parent=Public queue=pcq-upload packet-mark=users
Page 301 of 480Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.Other trademarks and registred trademarks mentioned herein are properties of their...

    Page 313

    Page 313 Filter Document revision 2.8 (February 11, 2008, 4:14 GMT) This document applies to MikroTik RouterOS V3.0 Table of Contents TableofContents Summary QuickSetupGuide Specifications FirewallFilter Description PropertyDescription Notes FilterApplications ProtectyourRouterOSrouter ProtectingtheCustomersNetwork General Information Summary             (                         +      9 ... 
    Filter
Document revision 2.8 (February 11, 2008, 4:14 GMT)
This document applies to MikroTik RouterOS V3.0
Table of Contents
TableofContents
Summary
QuickSetupGuide
Specifications
FirewallFilter
Description
PropertyDescription
Notes
FilterApplications
ProtectyourRouterOSrouter
ProtectingtheCustomersNetwork
General Information
Summary
 	 

 	
 

 	
 
 ( 
 


 
	
 	  
 	
	
	
	  
  	
 
 
 
 +
 
 
 9
...

    Page 314

    Page 314 Hardware usage:Increases with filtering rules count Firewall Filter Home menu level:/ip firewall filter Description 9              (  (         6 (     4                           A+9 !   7      (            (               (     # ... 
    Hardware usage:Increases with filtering rules count
Firewall Filter
Home menu level:/ip firewall filter
Description
9
 	  
 
	
 		  

( 	
	 	(		 
 
 

 6
(


 

 	 4
 

 
  		 	 
	
 
	
 
  
   


 	 

  A+9 ! 	7
 	 
 
 (	
 	
	 
 

 	
 

 (		
	
	 
 	
  
  

 	 ( 
 	 #	...

    Page 315

    Page 315                $                      (  9 7           !       (            =   ( =                  Filter Chains +                     *              ... 
     
 	
 	 
 	
 	


	$	



	
 	 
  
	

  
 	
 
 
 
 
( 9 7
 	
 	
  	 	 
	
!
 
 	
 	( 
 	
 
	 
 	
  

=	
 (	

=

  	 
 
    
 
 	
 	

Filter Chains
+ 


  
 	 

  	  

 
 	
 *
 	 	 	
 
 
	
 		

 
 
 ...

    Page 316

    Page 316 •return- passes control back to the chain from where the jump took place •tarpit- captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet) address-list(name) - specifies the name of the address list to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be later used for packet matching address-list-timeout(time; default:00:00:00) - time interval after which the address will be... 
    •return- passes control back to the chain from where the jump took place
•tarpit- captures and holds incoming TCP connections (replies with SYN/ACK to the inbound
TCP SYN packet)
address-list(name) - specifies the name of the address list to collect IP addresses from rules having
action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be
later used for packet matching
address-list-timeout(time; default:00:00:00) - time interval after which the address will be...

    Page 317

    Page 317 dst-address-type(unicast|local|broadcast|multicast) - matches destination address type of the IP packet, one of the: •unicast- IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case •local- matches addresses assigned to routers interfaces •broadcast- the IP packet is sent from one point to all other points in the IP subnetwork •multicast- this type of IP addressing is responsible for transmission from one or more points to a set of other... 
    dst-address-type(unicast|local|broadcast|multicast) - matches destination address type of the
IP packet, one of the:
•unicast- IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
•local- matches addresses assigned to routers interfaces
•broadcast- the IP packet is sent from one point to all other points in the IP subnetwork
•multicast- this type of IP addressing is responsible for transmission from one or more points to
a set of other...

    Page 318

    Page 318 •loose-source-routing- match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source •no-record-route- match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source •no-router-alert- match packets with no router alter option •no-source-routing- match packets with no source routing option •no-timestamp- match packets with no timestamp option... 
    •loose-source-routing- match packets with loose source routing option. This option is used to
route the internet datagram based on information supplied by the source
•no-record-route- match packets with no record route option. This option is used to route the
internet datagram based on information supplied by the source
•no-router-alert- match packets with no router alter option
•no-source-routing- match packets with no source routing option
•no-timestamp- match packets with no timestamp option...

    Page 319

    Page 319 •max- specifies upper boundary of the size range port(port) - matches if any (source or destination) port matches the specified list of ports or port ranges (note that the protocol must still be selected, just like for the regular src-port and dst-port matchers) protocol(ddp|egp|encap|ggp|gre|hmp|icmp|idrp-cmtp|igmp|ipencap|ipip|ipsec-ah| ipsec-esp|iso-tp4|ospf|pup|rdp|rspf|st|tcp|udp|vmtp|xns-idp|xtpinteger) - matches particular IP protocol specified by protocol name or number. You should specify this... 
    •max- specifies upper boundary of the size range
port(port) - matches if any (source or destination) port matches the specified list of ports or port
ranges (note that the protocol must still be selected, just like for the regular src-port and dst-port
matchers)
protocol(ddp|egp|encap|ggp|gre|hmp|icmp|idrp-cmtp|igmp|ipencap|ipip|ipsec-ah|
ipsec-esp|iso-tp4|ospf|pup|rdp|rspf|st|tcp|udp|vmtp|xns-idp|xtpinteger) - matches
particular IP protocol specified by protocol name or number. You should specify this...

    Page 320

    Page 320 •rst- drop connection •syn- new connection •urg- urgent data tcp-mss(integer: 0..65535) - matches TCP MSS value of an IP packet time(timetimesat|fri|thu|wed|tue|mon|sun) - allows to create filter based on the packets arrival time and date or, for locally generated packets, departure time and date Notes )   9+                                       9+ Filter Applications Protect your... 
    •rst- drop connection
•syn- new connection
•urg- urgent data
tcp-mss(integer: 0..65535) - matches TCP MSS value of an IP packet
time(timetimesat|fri|thu|wed|tue|mon|sun) - allows to create filter based on the packets
arrival time and date or, for locally generated packets, departure time and date
Notes
)	 
 9+  	 	 
 
  
	

 
  
 
 
 
 


  	 

 
 
	 	
 
  		   
 9+
Filter Applications
Protect your...
    Start reading MikroTik Router OS V3.0 User Manual
    All MikroTik manuals