AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
max-entries (read-only: integer) - the maximum number of connections the connection state table can contain; depends on the amount of total memory
tcp-close-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen a connection reset (RST) or an acknowledgment (ACK) of the connection termination request from the connection release initiator
tcp-close-wait-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen a termination request (FIN) from the responder
tcp-established-timeout (time; default: 1d) - maximal amount of time a connection tracking entry will survive after having seen an acknowledgment (ACK) from the connection initiator
tcp-fin-wait-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen a connection termination request (FIN) from the connection release initiator
tcp-syn-received-timeout (time; default: 1m) - maximal amount of time a connection tracking entry will survive after having seen a matching connection request (SYN)
tcp-syn-sent-timeout (time; default: 1m) - maximal amount of time a connection tracking entry will survive after having seen a connection request (SYN) from the connection initiator
tcp-syncookie (yes | no; default: no) - enable TCP SYN cookies for connections destined to the router itself (this may be useful for HotSpot and tunnels, since the router's own services then accept connections during a SYN flood without holding state for every half-open connection)
tcp-time-wait-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen a connection termination request (FIN) just after a connection request (SYN), or having seen another termination request (FIN) from the connection release initiator
total-entries (read-only: integer) - number of connections currently recorded in the connection state table
udp-stream-timeout (time; default: 3m) - maximal amount of time a connection tracking entry will survive after a reply is seen for the last packet matching this entry (the connection tracking entry is assured). It is used to increase the timeout for such connections as H323, VoIP, etc.
udp-timeout (time; default: 10s) - maximal amount of time a connection tracking entry will survive after having seen the last packet matching this entry
The maximum timeout value depends on the number of entries in the connection state table. If the number of entries in the table is more than:
• 1/16 of the maximum number of entries, the maximum timeout value will be 1 day
• 3/16 of the maximum number of entries, the maximum timeout value will be 1 hour
• 1/2 of the maximum number of entries, the maximum timeout value will be 10 minutes
• 13/16 of the maximum number of entries, the maximum timeout value will be 1 minute
The shorter of the configured timeout and the value listed above is always chosen.
If the connection tracking timeout is less than the normal interval between data packets (the timeout expires before the next packet arrives), NAT and stateful firewalling stop working for that connection, because the router no longer has an entry to match the next packet against.
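The occupancy rule above is easy to misjudge on a busy router, since the cap is applied on top of whatever you configured. The following script is an added example (not code from RouterOS or from this manual): it parses RouterOS time literals, applies the four occupancy tiers to a configured timeout, and flags the situation described in the paragraph above where the effective timeout is shorter than the expected gap between packets. The max-entries and total-entries figures in the script are constructed; on a real router read them from /ip firewall connection tracking print.

```python
import re

# Seconds per unit letter in a RouterOS time literal ("1d", "10s", "1h30m").
_UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TIME_PART = re.compile(r"(\d+)([wdhms])")

# Occupancy tiers from the manual, checked from the fullest tier down:
# (fraction of max-entries the table must exceed, cap in seconds).
OCCUPANCY_CAPS = (
    (13 / 16, 60),          # more than 13/16 full -> 1 minute
    (1 / 2, 10 * 60),       # more than 1/2 full   -> 10 minutes
    (3 / 16, 60 * 60),      # more than 3/16 full  -> 1 hour
    (1 / 16, 24 * 3600),    # more than 1/16 full  -> 1 day
)


def parse_time(literal: str) -> int:
    """Convert a RouterOS time literal ('10s', '1m', '1d', '1h30m', '00:10:00') to seconds."""
    literal = literal.strip()
    if ":" in literal:                          # hh:mm:ss form
        hours, minutes, seconds = (int(part) for part in literal.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    total, pos = 0, 0
    for part in _TIME_PART.finditer(literal):
        if part.start() != pos:                 # reject junk between the parts
            raise ValueError(f"bad time literal: {literal!r}")
        total += int(part.group(1)) * _UNIT_SECONDS[part.group(2)]
        pos = part.end()
    if pos == 0 or pos != len(literal):         # nothing parsed, or trailing junk
        raise ValueError(f"bad time literal: {literal!r}")
    return total


def occupancy_cap(total_entries: int, max_entries: int):
    """Upper bound (seconds) the router imposes at this fill level, or None if no tier applies."""
    fill = total_entries / max_entries
    for fraction, cap in OCCUPANCY_CAPS:
        if fill > fraction:                     # the manual says "more than", so strictly greater
            return cap
    return None


def effective_timeout(configured: str, total_entries: int, max_entries: int) -> int:
    """The shorter of the configured timeout and the occupancy cap, as the manual describes."""
    wanted = parse_time(configured)
    cap = occupancy_cap(total_entries, max_entries)
    return wanted if cap is None else min(wanted, cap)


def will_drop_idle_flows(configured: str, total_entries: int, max_entries: int,
                         packet_interval: str) -> bool:
    """True when the entry expires before the next expected packet, i.e. NAT and
    stateful filtering will break for flows that are idle that long."""
    return effective_timeout(configured, total_entries, max_entries) < parse_time(packet_interval)


if __name__ == "__main__":
    # Constructed figures: max-entries is read-only and depends on the router's RAM.
    max_entries = 65536
    for total in (1000, 5000, 15000, 40000, 60000):
        secs = effective_timeout("1d", total, max_entries)
        print(f"total-entries={total:>5}  tcp-established-timeout in effect={secs:>6}s  "
              f"breaks flows idle 5m: {will_drop_idle_flows('1d', total, max_entries, '5m')}")
```

Note that the same cap applies to every timeout property, so a long udp-stream-timeout for VoIP is just as exposed as tcp-established-timeout: once the table passes 13/16 of max-entries, nothing survives more than a minute of silence, which is the usual reason stateful rules "randomly" stop matching on a saturated router.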
9.3.5 Service Ports
Submenu level:
/ip firewall service-port
Description
Some network protocols are not compatible with network address translation, for example because additional information about the actual addresses or ports is carried in the packet payload, which NAT does not see, as it only looks at the IP, UDP and TCP headers, not inside the packets. For these protocols to work correctly, a connection tracking helper is needed to work around such design issues. You may enable and disable helpers here (you may want to disable some of them to increase performance, or if you are experiencing problems with some protocols being detected incorrectly). Because a helper inspects packet payloads and opens the related connections it finds there, a helper for a protocol you do not pass through the router is best left disabled. Note that you cannot add or remove helpers, only enable or disable the existing ones.
Property Description
name - protocol name
ports (integer) - port range that is used by the protocol (only some helpers need this)