Allied Telesis AT-WR4500 Network Router User Manual

82 AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
There are three bridge filter tables:

  filter - bridge firewall with three predefined chains:
    input - filters packets whose destination is the bridge (including packets that will be routed, since they are in any case addressed to the bridge MAC address)
    output - filters packets that come from the bridge (including packets that have been routed normally)
    forward - filters packets that are to be bridged (note: this chain is not applied to packets that should be routed through the router, only to those traversing between ports of the same bridge)
  nat - bridge network address translation provides ways of changing the source/destination MAC addresses of packets traversing a bridge. Has two built-in chains:
    srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to packets leaving the router through a bridged interface
    dstnat - used for redirecting some packets to other destinations
  broute - makes the bridge a brouter, a router that performs routing on some packets and bridging on others. Has one predefined chain: brouting, which is traversed right after a packet enters an enslaved interface (before the "Bridging Decision")
The bridge destination NAT is executed before the bridging decision.
You can set packet marks in the bridge firewall (filter, broute and nat); these are the same packet marks that the IP firewall's mangle facility sets. Packet marks set by the bridge firewall can therefore be used in the IP firewall, and vice versa.
General bridge firewall properties are described in this section. Parameters that differ between nat, broute and filter rules are described in the following sections.
Property Description
802.3-sap (integer) - DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are two one-byte fields that identify the network protocol entities using the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match an SAP byte
802.3-type (integer) - Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by a SAP code of 0xAA followed by a SNAP type code of 0x809B
arp-dst-address (IP address; default: 0.0.0.0/0) - ARP destination address
arp-dst-mac-address (MAC address; default: 00:00:00:00:00:00) - ARP destination MAC address
arp-hardware-type (integer; default: 1) - ARP hardware type. This is normally Ethernet (type 1)
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-request | reply | reply-reverse | request | request-reverse) - ARP opcode (packet type)
  arp-nak - negative ARP reply (rarely used, mostly in ATM networks)
  drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address cannot be allocated
  drarp-reply - Dynamic RARP reply, with a temporary IP address assignment for a host
  drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC address
  inarp-request -
  reply - standard ARP reply with a MAC address
  reply-reverse - reverse ARP (RARP) reply with an IP address assigned
  request - standard ARP request to a known IP address to find out the unknown MAC address
  request-reverse - reverse ARP (RARP) request to a known MAC address to find out the unknown IP address (intended to be used by hosts to find out their own IP address, similarly to the DHCP service)
arp-packet-type (integer) -
arp-src-address (IP address; default: 0.0.0.0/0) - ARP source IP address
arp-src-mac-address (MAC address; default: 00:00:00:00:00:00) - ARP source MAC address
chain (text) - bridge firewall chain in which the rule operates (either a built-in one or a user-defined one)
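To show how the chain and arp-* matchers above combine into a decision, here is an added Python model of a forward-chain walk over constructed ARP frames; it is not code from the manual or from RouterOS. It assumes top-down first-match evaluation and accept/drop rule actions (which this section does not describe), and uses a constructed gateway IP/MAC to accept ARP replies for the gateway address only from the gateway's own MAC, a common defence against ARP spoofing across a bridge.

```python
import struct
from ipaddress import ip_address, ip_network
# IANA ARP opcode numbers behind the names the manual's arp-opcode matcher accepts.
ARP_OPCODES = {1: "request", 2: "reply", 3: "request-reverse", 4: "reply-reverse",
               5: "drarp-request", 6: "drarp-reply", 7: "drarp-error",
               8: "inarp-request", 10: "arp-nak"}

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw): return ":".join(f"{b:02X}" for b in raw)

def build_arp_frame(opcode, src_mac, src_ip, dst_mac, dst_ip):
    # Constructed Ethernet II + ARP frame (hardware type 1, IPv4) for testing.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(src_mac) + ip_address(src_ip).packed
    arp += mac_bytes(dst_mac) + ip_address(dst_ip).packed
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06" + arp

def parse_arp(frame):
    # Pull out the fields the bridge filter's arp-* matchers compare against.
    hw, proto, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"arp-hardware-type": hw, "arp-opcode": ARP_OPCODES.get(op, str(op)),
            "arp-src-mac-address": mac_str(sha), "arp-src-address": str(ip_address(spa)),
            "arp-dst-mac-address": mac_str(tha), "arp-dst-address": str(ip_address(tpa))}

def matcher_ok(key, want, have):
    # One arp-* matcher; the defaults 00:00:00:00:00:00 and 0.0.0.0/0 match anything.
    if key.endswith("-mac-address"):
        return want == "00:00:00:00:00:00" or want.upper() == have
    if key.endswith("-address"):
        return ip_address(have) in ip_network(want, strict=False)
    return want == have

def rule_matches(rule, fields):
    return all(matcher_ok(k, v, fields[k]) for k, v in rule.items()
               if k not in ("chain", "action"))

def filter_chain(rules, frame, chain="forward"):
    # Top-down walk; first match decides, no match passes (assumed chain semantics).
    fields = parse_arp(frame)
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, fields):
            return rule["action"]
    return "accept"

# Constructed gateway identity; accept ARP replies for its IP only from its MAC.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
RULES = [{"chain": "forward", "arp-opcode": "reply", "action": "accept",
          "arp-src-address": GATEWAY_IP + "/32", "arp-src-mac-address": GATEWAY_MAC},
         {"chain": "forward", "arp-opcode": "reply", "action": "drop",
          "arp-src-address": GATEWAY_IP + "/32"}]
```

Because the chain is walked top-down, the order of the two rules matters: swapping them would drop the genuine gateway reply as well.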