Ubiquiti Networks, Inc.
Chapter 3: AirOS™
AirRouter User Guide
Firewall entries can be specified by using the following
criteria:
Interface
The interface (WLAN or LAN) on which the
incoming/passing-through packets are filtered.
IP Type
Sets which particular L3 protocol type (IP, ICMP,
TCP, UDP) should be filtered.
Source IP/Mask
The source IP of the packet (specified
within the packet header); usually this is the IP of the host
system which sends the packets.
Src Port
The source port of the TCP/UDP packet (specified
within the packet header); usually this is the port of the host
system application which sends the packets.
Destination IP/Mask
The destination IP of the packet
(specified within the packet header); usually this is the IP of
the system which the packet is addressed to.
Dst Port
The destination port of the TCP/UDP packet
(specified within the packet header); usually this is the
port of the host system application which the packet is
addressed to.
Comment
Field used to enter a brief description of the
firewall entry.
On
Enables or disables the effect of the particular firewall
entry. All added firewall entries are saved in the system
configuration file; however, only the enabled firewall
entries will be active on the AirRouter.
Not
Can be used for inverting the Source IP/mask, Source
Port, Destination IP/mask and Destination Port filtering
criteria (e.g. if Not is enabled for the specified Destination
Port value 443, the filtering criteria will be applied to all
the packets sent to any Destination Port except 443,
which is commonly used by HTTPS).
Click Save to save your firewall entries or click Cancel to
discard your changes.
All active firewall entries are stored in the FIREWALL chain
of the ebtables filter table, while the device is operating
in Bridge mode. Please refer to the ebtables manual for a
detailed description of the firewall functionality in Bridge
mode.
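The entry fields above, rendered as an ebtables command for the FIREWALL chain. This is an added example, not taken from the guide or from AirOS. The field-to-option mapping, the interface names (ath0, eth0), the sample addresses and the DROP target are assumptions, and the script only prints the rule using the legacy ebtables negation syntax (the "!" follows the option name).

```shell
#!/bin/sh
# Added example (not AirOS code): render one firewall entry as an ebtables
# rule for the FIREWALL chain of the filter table. Assumptions: the mapping
# of entry fields to ebtables options, the interface names and the DROP
# default target. Nothing is applied; the rule is only printed.

# neg FLAG: print "! " when the Not box of a criterion is ticked (FLAG=1).
neg() { [ "$1" = "1" ] && printf '! '; return 0; }

# render_entry IFACE PROTO SRC SRC_NOT SPORT SPORT_NOT \
#              DST DST_NOT DPORT DPORT_NOT [TARGET]
# PROTO is ip, icmp, tcp or udp. An empty criterion means "any".
render_entry() {
    iface=$1; proto=$2; src=$3; src_not=$4; sport=$5; sport_not=$6
    dst=$7; dst_not=$8; dport=$9; dport_not=${10}; target=${11:-DROP}

    # ebtables accepts port matches only together with TCP or UDP,
    # so an entry with IP Type IP or ICMP must leave both ports empty.
    if [ -n "$sport$dport" ] && [ "$proto" != tcp ] && [ "$proto" != udp ]; then
        echo "port criteria need IP Type TCP or UDP" >&2
        return 1
    fi

    # "-p IPv4" selects the IPv4 match module used by the --ip-* options.
    rule="ebtables -t filter -A FIREWALL -i $iface -p IPv4"
    [ "$proto" != ip ] && rule="$rule --ip-protocol $proto"
    [ -n "$src" ]   && rule="$rule --ip-source $(neg "$src_not")$src"
    [ -n "$sport" ] && rule="$rule --ip-source-port $(neg "$sport_not")$sport"
    [ -n "$dst" ]   && rule="$rule --ip-destination $(neg "$dst_not")$dst"
    [ -n "$dport" ] && rule="$rule --ip-destination-port $(neg "$dport_not")$dport"
    echo "$rule -j $target"
}

# Constructed entry: WLAN side (ath0), TCP, source 192.168.1.0/24,
# Dst Port 443 with Not ticked, so every destination port except 443 matches.
render_entry ath0 tcp 192.168.1.0/24 0 "" 0 "" 0 443 1
```

On a device in Bridge mode, the printed rule can be compared with the output of `ebtables -t filter -L FIREWALL` to confirm which enabled entries are actually loaded.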
Click Change to save the changes made in the Network
tab.
Router
The roles of the LAN and WLAN interfaces will change
depending on the Wireless Mode selected while the
AirRouter is operating in Router mode:
• The wireless interface and all connected wireless clients
are considered as part of the internal LAN and the
Ethernet interface is dedicated for the connection to
the external network while the AirRouter is operating in
Access Point or Access Point WDS mode.
• The wireless interface and all of the connected wireless
clients are considered part of the external network
and all network devices on the LAN side as well as the
Ethernet interface itself are considered as part of the
internal network when the AirRouter is operating in
Station or Station WDS mode.
Wireless/wired clients are routed from the internal
network to the external one by default. Network Address
Translation (NAT) functionality works the same way.
WLAN Network settings
IP Address
This is the IP address of the WLAN interface,
which is connected to the internal
network according to the wireless operation mode
described above. This IP will be used for the routing of
the internal network (it will be the Gateway IP for all
the devices connected on the internal network). This IP
address can be used to access the management interface
of the AirRouter.
Netmask
This is used to define the device IP classification
for the chosen IP address range. 255.255.255.0 is a typical
netmask value for Class C networks, which support IP
address range 192.0.0.x to 223.255.255.x. A Class C network
netmask uses 24 bits to identify the network (alternative
notation “/24”) and 8 bits to identify the host.
Enable NAT
Network Address Translation (NAT) enables
packets to be sent from the wired network (LAN) to the
wireless interface IP address and then sub-routed to other
client devices residing on the local network while the
AirRouter is operating in Access Point or Access Point WDS
mode and in the reverse direction in Station and Station
WDS mode.
Enable NAT Protocol
While NAT is enabled, data packets
could be modified in order to allow pass-through to the
Router. To avoid modification of packets of some specific
protocols (SIP, PPTP, FTP, RTSP), uncheck the respective
checkbox.
NAT is implemented using masquerade-type firewall
rules. NAT firewall entries are stored in the iptables nat
table while the device is operating in Router mode. Please
refer to the iptables tutorial for a detailed description of the
NAT functionality in Router mode.