MikroTik Router OS V3.0 User Manual

\... max-limit=100000000 priority=1
[admin@MikroTik] > /queue tree add parent=Local packet-mark=other limit-at=1000000 \
\... max-limit=100000000 priority=1
Mark by MAC address

[admin@MikroTik] > / ip firewall mangle add chain=prerouting \
\... src-mac-address=00:01:29:60:36:E7 action=mark-connection new-connection-mark=known_mac_conn
[admin@MikroTik] > / ip firewall mangle add chain=prerouting \
\... connection-mark=known_mac_conn action=mark-packet new-packet-mark=known_mac
Change MSS

[admin@MikroTik] > /ip firewall mangle add out-interface=pppoe-out \
\... protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward out-interface=pppoe-out protocol=tcp tcp-flags=syn
     action=change-mss new-mss=1300
[admin@MikroTik] >
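What action=change-mss does to the segment on the wire, as an added Python example that is not part of the MikroTik manual and not RouterOS code: it builds a sample IPv4/TCP SYN (constructed input; the addresses and ports are arbitrary), rewrites the MSS option only when the segment is a SYN and only downwards, and recomputes the TCP checksum, which the router must do as well. mss_for_mtu gives the value a practitioner would normally pick instead of the manual's 1300: for a PPPoE link with MTU 1492 it is 1452.

```python
"""Clamp the TCP MSS option of a SYN, as RouterOS action=change-mss does.
Added illustration in Python; not MikroTik code. Sample packets are constructed."""
import struct

IP_PROTO_TCP = 6
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10


def mss_for_mtu(mtu: int) -> int:
    """Largest MSS that fits an MTU with plain 20-byte IPv4 and TCP headers:
    PPPoE (MTU 1492) -> 1452, Ethernet (MTU 1500) -> 1460."""
    return mtu - 40


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum of a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment, checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    return checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def clamp_mss(packet: bytes, new_mss: int) -> bytes:
    """Return the packet with its MSS option lowered to new_mss. Non-TCP, non-SYN
    and already-small MSS values pass through unchanged, mirroring a mangle rule
    with protocol=tcp tcp-flags=syn action=change-mss new-mss=<new_mss>."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_TCP:
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_FLAG_SYN:
        return packet
    data_off = (tcp[12] >> 4) * 4
    i, changed = 20, False
    while i < data_off:                      # walk the TCP option list
        kind = tcp[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                       # malformed option list: leave the segment alone
            break
        if kind == TCP_OPT_MSS and length == 4:
            (mss,) = struct.unpack_from("!H", tcp, i + 2)
            if mss > new_mss:
                struct.pack_into("!H", tcp, i + 2, new_mss)
                changed = True
        i += length
    if not changed:
        return packet
    # The header changed, so the TCP checksum must be recomputed over the pseudo-header.
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def read_mss(packet: bytes):
    """MSS option value of an IPv4/TCP packet, or None if there is none."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    data_off, i = (tcp[12] >> 4) * 4, 20
    while i < data_off:
        kind = tcp[i]
        if kind == TCP_OPT_END:
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if kind == TCP_OPT_MSS and tcp[i + 1] == 4:
            return struct.unpack_from("!H", tcp, i + 2)[0]
        i += tcp[i + 1]
    return None


def tcp_checksum_ok(packet: bytes) -> bool:
    """True if the segment checksum verifies (sum over pseudo-header and segment folds to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    return checksum(pseudo + tcp) == 0


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int, flags: int = TCP_FLAG_SYN) -> bytes:
    """Constructed sample: IPv4 header + 20-byte TCP header + one 4-byte MSS option."""
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 6 << 4, flags, 65535, 0, 0))
    tcp += struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    struct.pack_into("!H", tcp, 16, tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                               IP_PROTO_TCP, 0, src, dst))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("192.168.0.10", "10.5.8.1", 40000, 80, 1460)
    clamped = clamp_mss(syn, mss_for_mtu(1492))
    print(read_mss(syn), "->", read_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

Only the SYN carries the MSS option, which is why the manual's rule matches tcp-flags=syn; clamping anything else would be wasted work. The rule is also placed in the forward chain with out-interface=pppoe-out so that it touches only connections that will actually traverse the smaller-MTU link.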
Page 320 of 480. Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

NAT
    Document revision 2.9 (February 11, 2008, 4:14 GMT)
    This document applies to MikroTik RouterOS V3.0
Table of Contents
    Summary
    Specifications
    NAT
        Description
        Property Description
    NAT Applications
        Description
        Example of Source NAT (Masquerading)
        Example of Destination NAT
        Example of 1:1 mapping
    General Information
    Summary
Specifications
Packages required: system
License required: level1 (number of rules limited to 1), level3
Home menu level: /ip firewall nat
Standards and Technologies: IP, RFC 1631, RFC 2663
Hardware usage: Increases with the count of rules
    NAT
    Description
    NAT Drawbacks
    Redirect and Masquerade
    
     	
    Property Description
    action(accept|add-dst-to-address-list|add-src-to-address-list|dst-nat|jump|log|masquerade|
    netmap|passthrough|redirect|return|same|src-nat; default:accept) - action to undertake if the
    packet matches the rule
    							•accept- accepts the packet. No action is taken, i.e. the packet is passed through and no more
    rules are applied to it
    •add-dst-to-address-list- adds destination address of an IP packet to the address list specified
    by address-list parameter
    •add-src-to-address-list- adds source address of an IP packet to the address list specified by
    address-list parameter
•dst-nat- replaces the destination address (and optionally port) of an IP packet with the values
specified by the to-addresses and to-ports parameters
    •jump- jump to the chain specified by the value of the jump-target parameter
    •log- each match with this action will add a message to the system log
•masquerade- replaces the source address of an IP packet with the address of the interface the
packet leaves through, as determined automatically by the routing facility
    •netmap- creates a static 1:1 mapping of one set of IP addresses to another one. Often used to
    distribute public IP addresses to hosts on private networks
•passthrough- ignores this rule and goes on to the next one
•redirect- replaces the destination address of an IP packet with one of the router's local addresses
    •return- passes control back to the chain from where the jump took place
    •same- gives a particular client the same source/destination IP address from supplied range for
    each connection. This is most frequently used for services that expect the same client address
    for multiple connections from the same client
•src-nat- replaces the source address (and optionally port) of an IP packet with the values
specified by the to-addresses and to-ports parameters
    address-list(name) - specifies the name of the address list to collect IP addresses from rules having
    action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be
    later used for packet matching
    address-list-timeout(time; default:00:00:00) - time interval after which the address will be
    removed from the address list specified by address-list parameter. Used in conjunction with
    add-dst-to-address-list or add-src-to-address-list actions
    •00:00:00- leave the address in the address list forever
chain(dstnat|srcnat|name) - specifies the chain to put a particular rule into. As the different traffic
    is passed through different chains, always be careful in choosing the right chain for a new rule. If
    the input does not match the name of an already defined chain, a new chain will be created
    •dstnat- a rule placed in this chain is applied before routing. The rules that replace destination
    addresses of IP packets should be placed there
    •srcnat- a rule placed in this chain is applied after routing. The rules that replace the source
    addresses of IP packets should be placed there
comment(text) - a descriptive comment for the rule. A comment can be used to identify rules from
scripts
connection-bytes(integer-integer) - matches packets only if a given amount of bytes has already
been transferred through the particular connection
•0- means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if
more than 2MB has been transferred through the relevant connection
connection-limit(integer,netmask) - restrict connection number per address or address block
(matches if the specified number of connections has already been established)
    connection-mark(name) - matches packets marked via mangle facility with particular connection
    mark
    connection-type(ftp|gre|h323|irc|mms|pptp|quake3|tftp) - matches packets from related
    connections based on information from their connection tracking helpers. A relevant connection
    helper must be enabled under /ip firewall service-port
    content(text) - the text packets should contain in order to match the rule
    dscp(integer: 0..63) - DSCP (ex-ToS) IP header field value
dst-address(IP address/netmask | IP address-IP address) - specifies the address range an IP packet is
destined to. Note that the console converts an entered address/netmask value to a valid network address,
i.e.: 1.1.1.1/24 is converted to 1.1.1.0/24
    dst-address-list(name) - matches destination address of a packet against user-defined address list
    dst-address-type(unicast|local|broadcast|multicast) - matches destination address type of the
    IP packet, one of the:
    •unicast- IP addresses used for one point to another point transmission. There is only one
    sender and one receiver in this case
    •local- matches addresses assigned to routers interfaces
    •broadcast- the IP packet is sent from one point to all other points in the IP subnetwork
    •multicast- this type of IP addressing is responsible for transmission from one or more points to
    a set of other points
dst-limit(count/time,burst,mode,expire) - limits the packet per second
(pps) rate on a per destination IP or per destination port basis. As opposed to the limit match, every
destination IP address / destination port has its own limit. The options are as follows (in order of
appearance):
    •count- maximum average packet rate, measured in packets per second (pps), unless followed
    by time option
    •time- specifies the time interval over which the packet rate is measured
    •burst- number of packets to match in a burst
    •mode- the classifier(-s) for packet rate limiting
    •expire- specifies interval after which recorded IP addresses / ports will be deleted
dst-port(integer: 0..65535[-integer: 0..65535]) - destination port number or range
fragment(yes | no) - whether the packet is a fragment of an IP packet. The starting packet (i.e., first
fragment) does not count. Note that if connection tracking is enabled there will be no fragments,
as the system automatically reassembles every packet
    hotspot(multiple choice: auth|from-client|http|local-dst|to-client) - matches packets received
    from clients against various HotSpot conditions. All values can be negated
•auth- true, if a packet comes from an authenticated HotSpot client
    •from-client- true, if a packet comes from any HotSpot client
    •http- true, if a HotSpot client sends a packet to the address and port previously detected as his
    proxy server (Universal Proxy technique) or if the destination port is 80 and transparent
    proxying is enabled for that particular client
    •local-dst- true, if a packet has local destination IP address
    							•to-client- true, if a packet is sent to a client
icmp-options(integer:integer) - matches ICMP Type:Code fields
    in-bridge-port(name) - actual interface the packet has entered the router through (if bridged, this
    property matches the actual bridge port, while in-interface - the bridge itself)
    in-interface(name) - interface the packet has entered the router through (if the interface is bridged,
    then the packet will appear to come from the bridge interface itself)
    ingress-priority(integer: 0..63) - INGRESS (received) priority of the packet, if set (0 otherwise).
    The priority may be derived from either VLAN or WMM priority
    ipv4-options(any|loose-source-routing|no-record-route|no-router-alert|no-source-routing|
    no-timestamp|none|record-route|router-alert|strict-source-routing|timestamp) - match ipv4
    header options
    •any- match packet with at least one of the ipv4 options
    •loose-source-routing- match packets with loose source routing option. This option is used to
    route the internet datagram based on information supplied by the source
•no-record-route- match packets without the record route option. The record route option makes
each router along the path record its address in the datagram
•no-router-alert- match packets with no router alert option
    •no-source-routing- match packets with no source routing option
    •no-timestamp- match packets with no timestamp option
    •record-route- match packets with record route option
•router-alert- match packets with router alert option
    •strict-source-routing- match packets with strict source routing option
    •timestamp- match packets with timestamp
jump-target(dstnat|srcnat|name) - name of the target chain to jump to, if the action=jump is used
    layer7-protocol(name) - Layer 7 filter name as set in the /ip firewall layer7-protocol menu.
    Caution: this matcher needs high computational power
limit(count/time,burst) - restricts packet match rate to a given limit. Useful to reduce the amount
of log messages
    •count- maximum average packet rate, measured in packets per second (pps), unless followed
    by time option
    •time- specifies the time interval over which the packet rate is measured
    •burst- number of packets to match in a burst
    log-prefix(text) - all messages written to logs will contain the prefix specified herein. Used in
    conjunction with action=log
nth(every,counter: 0..15,packet) - match a particular Nth packet received by the rule. One of 16
available counters can be used to count packets
    •every- match every every+1th packet. For example, if every=1 then the rule matches every 2nd
    packet
    •counter- specifies which counter to use. A counter increments each time the rule containing
    nth match matches
    •packet- match on the given packet number. The value by obvious reasons must be between 0
    and every. If this option is used for a given counter, then there must be at least every+1 rules
    							with this option, covering all values between 0 and every inclusively.
    out-bridge-port(name) - actual interface the packet is leaving the router through (if bridged, this
    property matches the actual bridge port, while out-interface - the bridge itself)
    out-interface(name) - interface the packet is leaving the router through (if the interface is bridged,
    then the packet will appear to leave through the bridge interface itself)
    packet-mark(text) - matches packets marked via mangle facility with particular packet mark
packet-size(integer: 0..65535[-integer: 0..65535]) - matches packets of the specified size or size range
in bytes
    •min- specifies lower boundary of the size range or a standalone value
    •max- specifies upper boundary of the size range
    port(port) - matches if any (source or destination) port matches the specified list of ports or port
    ranges (note that the protocol must still be selected, just like for the regular src-port and dst-port
    matchers)
protocol(ddp|egp|encap|ggp|gre|hmp|icmp|idrp-cmtp|igmp|ipencap|ipip|ipsec-ah|
ipsec-esp|iso-tp4|ospf|pup|rdp|rspf|st|tcp|udp|vmtp|xns-idp|xtp|integer) - matches a
particular IP protocol specified by protocol name or number. You should specify this setting if you
want to specify ports
psd(integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is advised to assign
    lower weight to ports with high numbers to reduce the frequency of false positives, such as from
    passive mode FTP transfers
    •WeightThreshold- total weight of the latest TCP/UDP packets with different destination ports
    coming from the same host to be treated as port scan sequence
    •DelayThreshold- delay for the packets with different destination ports coming from the same
    host to be treated as possible port scan subsequence
    •LowPortWeight- weight of the packets with privileged (
    						
    							src-mac-address(MAC address) - source MAC address
src-port(integer: 0..65535[-integer: 0..65535]) - source port number or range
    tcp-mss(integer: 0..65535) - matches TCP MSS value of an IP packet
time(time-time,sat|fri|thu|wed|tue|mon|sun) - allows creating a filter based on the packet's
arrival time and date or, for locally generated packets, departure time and date
to-addresses(IP address[-IP address]; default:0.0.0.0) - address or address range to replace the original
address of an IP packet with
to-ports(integer: 0..65535[-integer: 0..65535]) - port or port range to replace the original port of an IP
packet with
    NAT Applications
    Description
    Basic NAT configuration
    Example of Source NAT (Masquerading)
Example of Destination NAT
    /ip address add address=10.5.8.200/32 interface=Public
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
    to-addresses=192.168.0.109
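How the two NAT chains sit around the routing decision, and how connection tracking reverses the translation for reply packets, as an added Python model that is not part of the MikroTik manual and not RouterOS code. It reuses the manual's dst-nat example (10.5.8.200 to 192.168.0.109) and adds a masquerade rule on the Public interface; the router's own Public address 10.5.8.1, the interface names and the 11.11.11.0/24 range used to show netmap are assumptions. Only the matchers needed here (src-address, dst-address, dst-port, out-interface) are modelled, and evaluation stops at the first matching rule.

```python
"""Toy model of RouterOS NAT processing: the dstnat chain runs before the routing
decision, the srcnat chain after it, and a connection table reverses the
translation for replies. Added illustration in Python; not MikroTik code.
Addresses, interface names and the 11.11.11.0/24 "public" range are constructed."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_range(addr: str, spec) -> bool:
    """spec is None (match anything), a host address, or a network in CIDR form."""
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """action=netmap: 1:1 mapping that keeps the host part of the address,
    e.g. 192.168.0.7 in 192.168.0.0/24 -> 11.11.11.7 in 11.11.11.0/24."""
    a = ipaddress.ip_network(from_net, strict=False)
    b = ipaddress.ip_network(to_net, strict=False)
    return str(b.network_address + (int(ipaddress.ip_address(addr)) - int(a.network_address)))


class Router:
    def __init__(self, routes, iface_addrs):
        # routes: [(network, out-interface)], longest prefix wins; iface_addrs: interface -> address
        self.routes = sorted(((ipaddress.ip_network(n), i) for n, i in routes),
                             key=lambda r: -r[0].prefixlen)
        self.iface_addrs = iface_addrs
        self.chains = {"dstnat": [], "srcnat": []}
        self.conntrack = {}   # translated (src, sport, dst, dport) -> original Packet

    def add(self, chain, action, **match):
        """Mirror of '/ip firewall nat add chain=... action=... <matchers>'."""
        self.chains[chain].append(dict(action=action, **match))

    def route(self, dst: str) -> str:
        for net, iface in self.routes:
            if ipaddress.ip_address(dst) in net:
                return iface
        raise LookupError("no route to %s" % dst)

    def _matches(self, rule, pkt, out_iface):
        return (in_range(pkt.src, rule.get("src_address")) and
                in_range(pkt.dst, rule.get("dst_address")) and
                rule.get("dst_port") in (None, pkt.dport) and
                rule.get("out_interface") in (None, out_iface))

    def forward(self, pkt: Packet):
        """First packet of a connection: dstnat, route, srcnat. Returns (translated packet, out interface)."""
        orig = pkt
        for rule in self.chains["dstnat"]:              # before routing: destination may change
            if not self._matches(rule, pkt, None):
                continue
            if rule["action"] == "dst-nat":
                pkt = replace(pkt, dst=rule["to_addresses"], dport=rule.get("to_ports", pkt.dport))
            elif rule["action"] == "netmap":
                pkt = replace(pkt, dst=netmap(pkt.dst, rule["dst_address"], rule["to_addresses"]))
            break                                       # first matching rule decides
        out_iface = self.route(pkt.dst)                 # routing sees the translated destination
        for rule in self.chains["srcnat"]:              # after routing: source may change
            if not self._matches(rule, pkt, out_iface):
                continue
            if rule["action"] == "masquerade":          # source becomes the out-interface address
                pkt = replace(pkt, src=self.iface_addrs[out_iface])
            elif rule["action"] == "src-nat":
                pkt = replace(pkt, src=rule["to_addresses"], sport=rule.get("to_ports", pkt.sport))
            elif rule["action"] == "netmap":
                pkt = replace(pkt, src=netmap(pkt.src, rule["src_address"], rule["to_addresses"]))
            break
        # Connection tracking remembers the translation; replies are reversed from this
        # table and never consult the NAT chains again.
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt, out_iface

    def reply(self, pkt: Packet):
        """Reply packet of a tracked connection, un-translated back toward the original sender."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def demo():
    """Masquerade for the LAN plus the manual's dst-nat to 192.168.0.109 (Public address 10.5.8.1 assumed)."""
    r = Router([("192.168.0.0/24", "Local"), ("0.0.0.0/0", "Public")],
               {"Local": "192.168.0.1", "Public": "10.5.8.1"})
    r.add("srcnat", "masquerade", out_interface="Public")
    r.add("dstnat", "dst-nat", dst_address="10.5.8.200", to_addresses="192.168.0.109")
    out, _ = r.forward(Packet("192.168.0.7", 40000, "8.8.8.8", 53))
    back = r.reply(Packet("8.8.8.8", 53, out.src, out.sport))
    return out, back, r


if __name__ == "__main__":
    print(demo()[:2])
```

The ordering is what dictates how rules are written: a dstnat rule sees the packet as it arrived and must match the public address (10.5.8.200 above), while a srcnat rule runs after routing and can match out-interface. Masquerade is src-nat whose to-addresses is whatever address the chosen out-interface carries at that moment, which is why it keeps working when the public address changes and a static src-nat rule would not.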
Packet Flow
    Document revision 2.8 (February 11, 2008, 4:14 GMT)
    This document applies to MikroTik RouterOS V3.0
Table of Contents
    General Information
        Summary
        Specifications
    Packet Flow
        Description
    Connection Tracking
        Description
        Property Description
    Connection Timeouts
        Description
        Property Description
        Notes
    Service Ports
        Description
        Property Description
    General Firewall Information
        Description
    General Information
    Summary
     	
    	  
      
      	
Specifications
Packages required: system
License required: level3
Home menu level: /ip firewall
Standards and Technologies: IP
Hardware usage: Increases with NAT, mangle and filter rules count
    Packet Flow
    Description
     