Allied Telesis AT-WR4500 User Manual
206
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
chain (forward | input | output | postrouting | prerouting) - specify the chain to put a particular rule into.
As the different traffic is passed through different chains, always be careful in choosing the right chain for
a new rule. If the input does not match the name of an already defined chain, a new chain will be created
comment (text) - free form textual comment for the rule. A comment can be used to refer the
particular rule from scripts
connection-bytes (integer-integer) - match packets only if a given amount of bytes has been transfered
through the particular connection
0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more
than 2MB has been transfered through the relevant connection
connection-limit (integer,netmask) - restrict connection limit per address or address block
connection-mark (name) - match packets marked via mangle facility with particular connection mark
connection-state (estabilished | invalid | new | related) - interprets the connection tracking analysis data
for a particular packet
estabilished - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet
which belongs to already replied connection
invalid - a packet which could not be identified for some reason. This includes out of memory condition
and ICMP errors which do not correspond to any known connection. It is generally advised to drop these
packets
new - a packet which begins a new TCP connection
related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a
packet which begins FTP data connection (the later requires enabled FTP connection tracking helper
under /ip firewall service-port)
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - match packets from related
connections based on information from their connection tracking helpers. A relevant connection helper
must be enabled under /ip firewall service-port
content (text) - the text packets should contain in order to match the rule
dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value
dst-address (IP address/netmask | IP address-IP address) - specify the address range an IP packet is
destined to. Note that console converts entered address/netmask value to a valid network address,
i.e.:1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list (name) - match destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast) - match destination address type of the IP
packet, one of the:
unicast - IP addresses used for one point to another point transmission. There is only one sender and
one receiver in this case
local - match addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of
other points
dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limit the packet per
second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match,
every destination IP address / destination port has it's own limit. The options are as follows (in order of
appearance):
count - maximum average packet rate, measured in packets per second (pps), unless followed by time
option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range
fragment (yes | no) - whether the packet is a fragment of an IP packet. Starting packet (i.e., first
fragment) does not count. Note that is the connection tracking is enabled, there will be no fragments as
the system automatically assembles every packet
hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets received from
clients against various HotSpot conditions. All values can be negated
auth - true, if a packet comes from an authenticted HotSpotclient
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy
server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for
As the different traffic is passed through different chains, always be careful in choosing the right chain for
a new rule. If the input does not match the name of an already defined chain, a new chain will be created
comment (text) - free form textual comment for the rule. A comment can be used to refer the
particular rule from scripts
connection-bytes (integer-integer) - match packets only if a given amount of bytes has been transfered
through the particular connection
0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more
than 2MB has been transfered through the relevant connection
connection-limit (integer,netmask) - restrict connection limit per address or address block
connection-mark (name) - match packets marked via mangle facility with particular connection mark
connection-state (estabilished | invalid | new | related) - interprets the connection tracking analysis data
for a particular packet
estabilished - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet
which belongs to already replied connection
invalid - a packet which could not be identified for some reason. This includes out of memory condition
and ICMP errors which do not correspond to any known connection. It is generally advised to drop these
packets
new - a packet which begins a new TCP connection
related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a
packet which begins FTP data connection (the later requires enabled FTP connection tracking helper
under /ip firewall service-port)
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - match packets from related
connections based on information from their connection tracking helpers. A relevant connection helper
must be enabled under /ip firewall service-port
content (text) - the text packets should contain in order to match the rule
dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value
dst-address (IP address/netmask | IP address-IP address) - specify the address range an IP packet is
destined to. Note that console converts entered address/netmask value to a valid network address,
i.e.:1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list (name) - match destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast) - match destination address type of the IP
packet, one of the:
unicast - IP addresses used for one point to another point transmission. There is only one sender and
one receiver in this case
local - match addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of
other points
dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limit the packet per
second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match,
every destination IP address / destination port has it's own limit. The options are as follows (in order of
appearance):
count - maximum average packet rate, measured in packets per second (pps), unless followed by time
option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range
fragment (yes | no) - whether the packet is a fragment of an IP packet. Starting packet (i.e., first
fragment) does not count. Note that is the connection tracking is enabled, there will be no fragments as
the system automatically assembles every packet
hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets received from
clients against various HotSpot conditions. All values can be negated
auth - true, if a packet comes from an authenticted HotSpotclient
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy
server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for