MikroTik Router OS V3.0 User Manual
/ip firewall nat add action=masquerade out-interface=Public chain=srcnat

Page 330 of 480. Copyright 1999-2007, MikroTik. All rights reserved. MikroTik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
[Figures: packet flow for Routed traffic and for Bridged traffic]
Connection Tracking

Home menu level: /ip firewall connection

Property Description

assured (read-only: true | false) - shows whether a reply was seen for the last packet matching this entry
connection-mark (read-only: text) - connection mark set in mangle
dst-address (read-only: IP address:port) - the destination address and port the connection is established to
icmp-id (read-only: integer) - contains the ICMP ID. Each ICMP packet gets an ID set to it when it is sent, and when the receiver gets the ICMP message, it sets the same ID within the new ICMP message so that the sender will recognize the reply and will be able to connect it with the appropriate ICMP request
icmp-option (read-only: integer) - the ICMP type and code fields
p2p (read-only: text) - peer-to-peer protocol
protocol (read-only: text) - IP protocol name or number
reply-dst-address (read-only: IP address:port) - the destination address and port the reply connection is established to
reply-icmp-id (read-only: integer) - contains the ICMP ID of the received packet
reply-icmp-option (read-only: integer) - the ICMP type and code fields of the received packet
reply-src-address (read-only: IP address:port) - the source address and port the reply connection is established from
src-address (read-only: IP address:port) - the source address and port the connection is established from
tcp-state (read-only: text) - the state of the TCP connection
timeout (read-only: time) - the amount of time until the connection will be timed out
unreplied (read-only: true | false) - shows whether the request was unreplied

Connection Timeouts

Home menu level: /ip firewall connection tracking

Property Description

enable (yes | no; default: yes) - whether to allow or disallow connection tracking
generic-timeout (time; default: 10m) - maximal amount of time a connection state table entry that keeps tracking of packets that are neither TCP nor UDP (for instance GRE) will survive after having seen the last packet matching this entry. When creating a PPTP connection this value will be increased automatically
icmp-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen an ICMP request
max-entries (read-only: integer) - the maximum number of connections the connection state table can contain; depends on the amount of total memory
tcp-close-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen a connection reset request (RST) or an acknowledgment (ACK) of the connection termination request from the connection release initiator
tcp-close-wait-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen a termination request (FIN) from the responder
tcp-established-timeout (time; default: 1d) - maximal amount of time a connection tracking entry will survive after having seen an acknowledgment (ACK) from the connection initiator
tcp-fin-wait-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen a connection termination request (FIN) from the connection release initiator
tcp-syn-received-timeout (time; default: 1m) - maximal amount of time a connection tracking entry will survive after having seen a matching connection request (SYN)
tcp-syn-sent-timeout (time; default: 1m) - maximal amount of time a connection tracking entry will survive after having seen a connection request (SYN) from the connection initiator
tcp-syncookie (yes | no; default: no) - enable TCP SYN cookies for connections destined to the router itself (this may be useful for HotSpot and tunnels)
tcp-time-wait-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen a connection termination request (FIN) just after a connection request (SYN), or having seen another termination request (FIN) from the connection release initiator
total-entries (read-only: integer) - number of connections currently recorded in the connection state table
udp-stream-timeout (time; default: 3m) - maximal amount of time a connection tracking entry will survive after a reply is seen for the last packet matching this entry (the connection tracking entry is assured). It is used to increase the timeout for such connections as H.323, VoIP, etc.
udp-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen the last packet matching this entry
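The timeout list above is easier to follow as a state machine. The following is an added example, not code from the MikroTik manual: a small Python model of a connection state table entry that applies the default TCP timeouts as tcp-state changes, so a practitioner can see why an unreplied SYN ages out after 1m while an established flow lives for 1d until a FIN or RST cuts that down to 10s. The packet tuples and the assumption that every tracked packet refreshes the current timeout are mine.

```python
# Added example (not from the MikroTik manual): a minimal model of how the connection
# tracking TCP timeouts above apply as an entry moves through tcp-state (defaults, in seconds).
TIMEOUTS = {
    "syn-sent": 60,          # tcp-syn-sent-timeout 1m
    "syn-received": 60,      # tcp-syn-received-timeout 1m
    "established": 86400,    # tcp-established-timeout 1d
    "fin-wait": 10,          # tcp-fin-wait-timeout 10s
    "close-wait": 10,        # tcp-close-wait-timeout 10s
    "time-wait": 10,         # tcp-time-wait-timeout 10s
    "close": 10,             # tcp-close-timeout 10s (RST, or ACK of the FIN)
}
# (current tcp-state, who sent the packet, TCP flag) -> next tcp-state
TRANSITIONS = {
    (None, "initiator", "SYN"): "syn-sent",
    ("syn-sent", "responder", "SYN"): "syn-received",
    ("syn-received", "initiator", "ACK"): "established",
    ("syn-received", "initiator", "FIN"): "time-wait",  # FIN right after SYN
    ("established", "initiator", "FIN"): "fin-wait",
    ("established", "responder", "FIN"): "close-wait",
    ("fin-wait", "responder", "FIN"): "time-wait",
    ("close-wait", "initiator", "FIN"): "time-wait",
    ("time-wait", "initiator", "ACK"): "close",
    ("time-wait", "responder", "ACK"): "close",
}
class Entry:
    """A connection state table entry (subset of the read-only fields)."""
    def __init__(self):
        self.tcp_state = None
        self.expires_at = None                      # when the entry times out
        self.assured, self.unreplied = False, True  # reply seen? / not yet

def track(packets):
    """packets: (seconds, 'initiator'|'responder', 'SYN'|'ACK'|'FIN'|'RST').
    Returns the entry after the last packet, or None if it aged out first.
    Modelling assumption: each tracked packet refreshes the current timeout."""
    entry = Entry()
    for t, sender, flag in packets:
        if entry.expires_at is not None and t > entry.expires_at:
            return None                       # timed out before this packet
        if flag == "RST":                     # reset closes from any state
            entry.tcp_state = "close"
        else:
            nxt = TRANSITIONS.get((entry.tcp_state, sender, flag))
            if nxt is None and entry.tcp_state is None:
                continue                      # not a new connection; ignore
            entry.tcp_state = nxt or entry.tcp_state
        if sender == "responder":
            entry.assured, entry.unreplied = True, False
        entry.expires_at = t + TIMEOUTS[entry.tcp_state]
    return entry
```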
Service Ports

Home menu level: /ip firewall service-port

Property Description

name - protocol name
ports (integer) - port range that is used by the protocol (only some helpers need this)

General Firewall Information

ICMP TYPE:CODE values

8:0 - echo request
0:0 - echo reply
11:0 - TTL exceeded
3:3 - Port unreachable
3:4 - Fragmentation-DF-Set
Peer-to-Peer protocol filtering
Services, Protocols, and Ports

Document revision 1.1 (February 11, 2008, 4:14 GMT)
This document applies to MikroTik RouterOS V3.0

Table of Contents
  Summary
  Modifying Service Settings
    Property Description
    Example
  List of Services
    Description

General Information

Summary

Home menu level: /ip service

Modifying Service Settings

Home menu level: /ip service

Property Description

address (IP address/netmask; default: 0.0.0.0/0) - IP address(-es) from which the service is accessible
certificate (name | none; default: none) - the name of the certificate used by the particular service (absent for the services that do not need certificates)
name - service name
port (integer: 1..65535) - the port the particular service listens on

Example

[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
 #   NAME       PORT   ADDRESS          CERTIFICATE
 0   telnet     23     0.0.0.0/0
 1   ftp        21     0.0.0.0/0
 2   www        80     0.0.0.0/0
 3   ssh        22     0.0.0.0/0
 4   www-ssl    443    0.0.0.0/0        none
[admin@MikroTik] ip service> set www port=8081 address=10.10.10.0/24
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
 #   NAME       PORT   ADDRESS          CERTIFICATE
 0   telnet     23     0.0.0.0/0
 1   ftp        21     0.0.0.0/0
 2   www        8081   10.10.10.0/24
 3   ssh        22     0.0.0.0/0
 4   www-ssl    443    0.0.0.0/0        none
[admin@MikroTik] ip service>

List of Services

Description

Port/Protocol   Description
20/tcp          File Transfer Protocol FTP [Data Connection]
21/tcp          File Transfer Protocol FTP [Control Connection]
22/tcp          Secure Shell SSH remote Login Protocol (Only with security package)
23/tcp          Telnet protocol
53/tcp          Domain Name Server DNS
53/udp          Domain Name Server DNS
67/udp          Bootstrap Protocol or DHCP Server (only with dhcp package)
68/udp          Bootstrap Protocol or DHCP Client (only with dhcp package)
80/tcp          World Wide Web HTTP
123/udp         Network Time Protocol NTP (Only with ntp package)
161/udp         Simple Network Management Protocol SNMP (Only with snmp package)
443/tcp         Secure Socket Layer SSL encrypted HTTP (Only with hotspot package)
500/udp         Internet Key Exchange IKE protocol (Only with ipsec package)
520/udp         Routing Information Protocol RIP (Only with routing package)
521/udp         Routing Information Protocol RIP (Only with routing package)
179/tcp         Border Gateway Protocol BGP (Only with routing package)
1080/tcp        SOCKS proxy protocol
1701/udp        Layer 2 Tunnel Protocol L2TP (Only with ppp package)
1718/udp        H.323 Gatekeeper Discovery (Only with telephony package)
1719/tcp        H.323 Gatekeeper RAS (Only with telephony package)
1720/tcp        H.323 Call Setup (Only with telephony package)
1723/tcp        Point-to-Point Tunneling Protocol PPTP (Only with ppp package)
1731/tcp        H.323 Audio Call Control (Only with telephony package)
1900/udp        Universal Plug and Play UPnP
2828/tcp        Universal Plug and Play UPnP
2000/tcp        Bandwidth-test server
3986/tcp        Proxy for winbox
3987/tcp        SSL proxy for secure winbox (Only with security package)
5678/udp        MikroTik Neighbor Discovery Protocol
8080/tcp        HTTP Web proxy (Only with web-proxy package)
8291/tcp        Winbox
20561/udp       MAC winbox
5000+/udp       H.323 RTP Audio Stream (Only with telephony package)
/1              ICMP - Internet Control Message Protocol
/4              IP - IP in IP (encapsulation)
/47             GRE - General Routing Encapsulation (Only for PPTP and EoIP)
/50             ESP - Encapsulating Security Payload for IPv4 (Only with security package)
/51             AH - Authentication Header for IPv4 (Only with security package)
/89             OSPFIGP - OSPF Interior Gateway Protocol
/112            VRRP - Virtual Router Redundancy Protocol
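The /ip service example above restricts www to one management network; the same review can be done mechanically. The following is an added example, not code from the MikroTik manual: a Python audit that parses the "/ip service print" listing format shown above and reports enabled services that are unencrypted, reachable from 0.0.0.0/0, or (for www-ssl) have no certificate. The sample listing is constructed, and the placement of the X/I flag column between index and name is an assumption about the print layout.

```python
# Added example (not from the MikroTik manual): audit "/ip service print" output
# as shown above and flag management services that deserve hardening.
import re

# Constructed sample in the manual's listing format, before the "set www" step.
SAMPLE_PRINT = """\
Flags: X - disabled, I - invalid
 #   NAME       PORT   ADDRESS          CERTIFICATE
 0   telnet     23     0.0.0.0/0
 1   ftp        21     0.0.0.0/0
 2   www        80     0.0.0.0/0
 3   ssh        22     0.0.0.0/0
 4   www-ssl    443    0.0.0.0/0        none
"""
PLAINTEXT = {"telnet", "ftp", "www"}   # credentials cross the wire unencrypted
# index, optional X/I flag (assumed to print between index and name), name,
# port, address and an optional certificate column
ROW = re.compile(r"^\s*(\d+)\s+(?:([XI])\s+)?(\S+)\s+(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_services(text):
    """Parse each service row of the print output into a dict."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"disabled": m.group(2) == "X", "name": m.group(3),
                         "port": int(m.group(4)), "address": m.group(5),
                         "certificate": m.group(6)})
    return rows

def audit(text):
    """Return one finding per enabled service that is exposed or unencrypted."""
    findings = []
    for s in parse_services(text):
        if s["disabled"]:
            continue
        tag = f"{s['name']}/{s['port']}"
        if s["name"] in PLAINTEXT:
            findings.append(f"{tag}: unencrypted management service; prefer ssh/www-ssl or disable")
        if s["address"] == "0.0.0.0/0":
            findings.append(f"{tag}: reachable from any address; set address= to the management network")
        if s["name"] == "www-ssl" and s["certificate"] in (None, "none"):
            findings.append(f"{tag}: no certificate assigned")
    return findings
```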