Allied Telesis AT-WR4500 Network Router User Manual


 
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers 219
RouterOS v3 Configuration and User Guide
dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limits the packet
rate, in packets per second (pps), on a per destination IP or per destination port basis. As opposed to the
limit match, every destination IP address / destination port has its own limit. The options are as follows
(in order of appearance):
count - maximum average packet rate, measured in packets per second (pps), unless followed by time
option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range
fragment (yes | no) - whether the packet is a fragment of an IP packet. Starting packet (i.e., first
fragment) does not count. Note that if connection tracking is enabled, there will be no fragments, as
the system automatically assembles every packet
hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets received from
clients against various HotSpot conditions. All values can be negated
auth - true, if a packet comes from an authenticated HotSpot client
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy
server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for
that particular client
local-dst - true, if a packet has local destination IP address
to-client - true, if a packet is sent to a client
icmp-options (integer:integer) - matches ICMP Type:Code fields
in-bridge-port (name) - actual interface the packet has entered the router through (if bridged, this
property matches the actual bridge port, while in-interface - the bridge itself)
in-interface (name) - interface the packet has entered the router through (if the interface is bridged,
then the packet will appear to come from the bridge interface itself)
ingress-priority (integer: 0..63) - INGRESS (received) priority of the packet, if set (0 otherwise). The
priority may be derived from either VLAN or WMM priority
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing |
no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4 header
options
any - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to route
the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the
internet datagram based on information supplied by the source
no-router-alert - match packets with no router alert option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alert option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp
jump-target (dstnat | srcnat | name) - name of the target chain to jump to, if the action=jump is used
layer7-protocol (name) - Layer 7 filter name as set in the /ip firewall layer7-protocol menu. Caution:
this matcher needs high computational power
limit (integer/time{0,1},integer) - restricts packet match rate to a given limit. Useful to reduce the amount
of log messages
count - maximum average packet rate, measured in packets per second (pps), unless followed by time
option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in
conjunction with action=log
nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received by the rule. One of 16
available counters can be used to count packets
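
The difference between the limit and dst-limit matchers described above, as an added example that is not part of the original manual and is not RouterOS code. It assumes a simple token-bucket model (burst packets of credit, refilled at count per time); the Bucket and RateMatcher names and the traffic are constructed for illustration.

```python
# Added illustration, not RouterOS code. Assumption: both matchers behave
# like an integer token bucket holding `burst` packets of credit that
# refills at count/time. All packets and addresses below are constructed.

class Bucket:
    def __init__(self, count, time_ms, burst, now):
        self.count, self.cost, self.cap = count, time_ms, burst * time_ms
        self.credit, self.last = self.cap, now

    def match(self, now):
        # Refill for the elapsed time, then spend one packet's worth of credit.
        self.credit = min(self.cap, self.credit + (now - self.last) * self.count)
        self.last = now
        if self.credit < self.cost:
            return False
        self.credit -= self.cost
        return True

class RateMatcher:
    """mode=() models limit (one shared bucket); a non-empty mode such as
    ("dst-address",) models dst-limit (one bucket per classifier value)."""
    def __init__(self, count, time_ms, burst, mode=(), expire_ms=None):
        self.args, self.mode, self.expire = (count, time_ms, burst), mode, expire_ms
        self.table = {}

    def match(self, now, pkt):
        if self.expire is not None:  # forget entries idle longer than expire
            self.table = {k: b for k, b in self.table.items()
                          if now - b.last <= self.expire}
        key = tuple(pkt[f] for f in self.mode)
        if key not in self.table:
            self.table[key] = Bucket(*self.args, now)
        return self.table[key].match(now)

def matched_per_destination(matcher, packets):
    """Count matched packets per destination address, in time order."""
    hits = {}
    for now, pkt in sorted(packets, key=lambda p: p[0]):
        dst = pkt["dst-address"]
        hits[dst] = hits.get(dst, 0) + matcher.match(now, pkt)
    return hits

# Constructed traffic over one second (times in ms): a flood to one host
# and five packets to another.
FLOOD = [(t, {"dst-address": "192.0.2.10"}) for t in range(0, 1000, 10)]
QUIET = [(t, {"dst-address": "192.0.2.20"}) for t in range(105, 1000, 200)]

if __name__ == "__main__":
    print(matched_per_destination(RateMatcher(10, 1000, 5), FLOOD + QUIET))
    print(matched_per_destination(
        RateMatcher(10, 1000, 5, ("dst-address",), 60000), FLOOD + QUIET))
```

With one shared bucket the flood consumes the whole budget and the quiet destination never matches; with one bucket per destination address each destination is measured against its own limit.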