
Allied Telesis AT-WR4500 User Manual


AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers


RouterOS v3 Configuration and User Guide

Packet filter rules

The /ip firewall filter print dynamic command produces output like the following (a comment follows
each rule):

0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth


Any packet traversing the router from an unauthorized client is sent to the hs-unauth chain, which
implements the IP-based Walled Garden filter.

1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth


Everything that reaches the clients through the router is redirected to another chain, called
hs-unauth-to. This chain rejects traffic to clients that are not yet authorized.

2 D chain=input action=jump jump-target=hs-input hotspot=from-client


Everything that comes from clients to the router itself goes to another chain, called hs-input.

3 I chain=hs-input action=jump jump-target=pre-hs-input


Before the [predefined] dynamic rules are processed, the packet passes through the administratively
controlled pre-hs-input chain. This chain is empty by default, which is why the jump rule is flagged as
invalid (I).

4 D chain=hs-input action=accept dst-port=64872 protocol=udp
5 D chain=hs-input action=accept dst-port=64872-64875 protocol=tcp


Allow client access to the local authentication and proxy services (as described earlier)

6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth


All other traffic from unauthorized clients to the router itself is treated the same way as traffic
traversing the router.

7 D chain=hs-unauth protocol=icmp action=return
8 D ;;; www.alliedtelesis.com
chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80
action=return


Unlike the NAT table, where only the TCP-related Walled Garden entries were added, the packet filter
hs-unauth chain receives everything you have set in the /ip hotspot walled-garden ip menu. That is
why, although you saw only one entry in the NAT table, there are two rules here.

9 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
10 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited


Everything else that has not been whitelisted by the Walled Garden is rejected. Note the use of a TCP
reset for TCP connections, so the client's connection attempt fails immediately instead of timing out.

11 D chain=hs-unauth-to action=return protocol=icmp
12 D ;;; www.alliedtelesis.com
chain=hs-unauth-to src-address=159.148.147.196 protocol=tcp src-port=80
action=return


The same actions as in rules #7 and #8 are applied to packets destined to the clients (chain
hs-unauth-to): ICMP and replies from the Walled Garden host (source address and source port 80, the
mirror of rule #8) return to the forward chain.

13 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited


All other packets to the clients are rejected with an ICMP host-prohibited message.
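The chain walk described above, as an added example that is not part of the manual and is not RouterOS code: a small Python model of rules 0 to 13 that reproduces the jump/return semantics, so you can check offline which packets from or to an unauthenticated client the dynamic rules reject before touching a live router. The hotspot flag names, the "pass" verdict, the port and address matching and every address other than the Walled Garden host are assumptions of the model; rule 12 is taken as chain hs-unauth-to matching src-address and src-port 80, the mirror of rule 8.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    chain: str          # "forward" (through the router) or "input" (to the router)
    hotspot: set        # assumed flag names: "from-client", "to-client", "auth"
    protocol: str       # "tcp", "udp" or "icmp"
    src: str = ""
    dst: str = ""
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    chain: str
    action: str         # accept | reject | jump | return
    hotspot: str = ""   # matcher such as "from-client,!auth"
    protocol: str = ""
    src: str = ""
    dst: str = ""
    sport: tuple = ()   # (low, high) port range, inclusive
    dport: tuple = ()
    target: str = ""    # jump-target for jump, reject-with for reject

    def matches(self, p: Packet) -> bool:
        # hotspot=a,!b means flag a must be set and flag b must be absent
        for flag in filter(None, self.hotspot.split(",")):
            wanted = not flag.startswith("!")
            if (flag.lstrip("!") in p.hotspot) != wanted:
                return False
        if self.protocol and self.protocol != p.protocol:
            return False
        if (self.src and self.src != p.src) or (self.dst and self.dst != p.dst):
            return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        return True


WG = "159.148.147.196"  # the single Walled Garden host from the listing

RULES = [  # rules 0-13 from the listing, in order
    Rule("forward", "jump", hotspot="from-client,!auth", target="hs-unauth"),
    Rule("forward", "jump", hotspot="to-client,!auth", target="hs-unauth-to"),
    Rule("input", "jump", hotspot="from-client", target="hs-input"),
    Rule("hs-input", "jump", target="pre-hs-input"),  # empty chain by default
    Rule("hs-input", "accept", protocol="udp", dport=(64872, 64872)),
    Rule("hs-input", "accept", protocol="tcp", dport=(64872, 64875)),
    Rule("hs-input", "jump", hotspot="!auth", target="hs-unauth"),
    Rule("hs-unauth", "return", protocol="icmp"),
    Rule("hs-unauth", "return", protocol="tcp", dst=WG, dport=(80, 80)),
    Rule("hs-unauth", "reject", protocol="tcp", target="tcp-reset"),
    Rule("hs-unauth", "reject", target="icmp-net-prohibited"),
    Rule("hs-unauth-to", "return", protocol="icmp"),
    Rule("hs-unauth-to", "return", protocol="tcp", src=WG, sport=(80, 80)),
    Rule("hs-unauth-to", "reject", target="icmp-host-prohibited"),
]


def build_chains(rules):
    chains = {}
    for r in rules:
        chains.setdefault(r.chain, []).append(r)
    return chains


def walk(chain, p, chains):
    """Walk one chain. None means the chain fell through (explicit return, or
    no terminating rule matched), so evaluation resumes after the jump."""
    for r in chains.get(chain, []):   # an unknown/empty chain just returns
        if not r.matches(p):
            continue
        if r.action == "jump":
            v = walk(r.target, p, chains)
            if v is not None:
                return v
        elif r.action == "return":
            return None
        elif r.action == "accept":
            return "accept"
        elif r.action == "reject":
            return "reject:" + r.target
    return None


def verdict(p, rules=RULES):
    """'pass' (assumed name): the dynamic rules did not decide, so the packet
    goes on to the administrator's static rules in the same chain."""
    return walk(p.chain, p, build_chains(rules)) or "pass"


def demo():
    """Constructed packets; every address except the Walled Garden host is made up."""
    unauth, auth, to_client = {"from-client"}, {"from-client", "auth"}, {"to-client"}
    cases = {
        "unauth http to walled garden": Packet("forward", unauth, "tcp", dst=WG, sport=40000, dport=80),
        "unauth https to walled garden": Packet("forward", unauth, "tcp", dst=WG, dport=443),
        "unauth dns out": Packet("forward", unauth, "udp", dst="192.0.2.53", dport=53),
        "unauth ping out": Packet("forward", unauth, "icmp", dst="192.0.2.1"),
        "unauth to login service": Packet("input", unauth, "tcp", dport=64873),
        "unauth ssh to router": Packet("input", unauth, "tcp", dport=22),
        "walled garden reply": Packet("forward", to_client, "tcp", src=WG, sport=80, dport=40000),
        "unsolicited inbound to unauth": Packet("forward", to_client, "tcp", src="192.0.2.9", sport=443),
        "auth client anywhere": Packet("forward", auth, "tcp", dst="192.0.2.9", dport=443),
    }
    return {name: verdict(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:32} -> {v}")
```

The model covers only the filter table: the dst-nat redirection that sends an unauthenticated client's HTTP to the login service happens before the forward chain and is not represented, and a "pass" verdict still has to survive whatever static rules the administrator has placed after the dynamic ones (and anything added to pre-hs-input, which is the intended hook for such rules).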
