Xtra Xtra Read All About it........

RouterOS Beginner Basics
1

Well the EXTRA Tab anyway

In true beginner fashion I am exploring where I should not go…
Specifically I am trying to fathom the settings on the EXTRA tab for FILTER RULES.
To illustrate answers lets look at a simple case of filtering ALL ports on the input side…
Where, if the rule is triggered, the offending IP address is captured to an address list!

  1. Do the Extra parameters interact or have dependencies or are they all independently acting?

  2. Connections: The physical number is easy, but what is netmask doing there as an option??

  3. Limit: What is the difference between a setting of ONE “1” per second, versus ZERO “0” per second.

  4. Is there a relationship between the number of connections parameter and the Limit?
    For example if I have 100 connections and a limit of 1 per second, does the rule trigger if there are 100 connections or greater in 100 seconds?
    If so, then if I have 100 connections and a limit of 2 per second, does the rule trigger if there are 100 connections or greater in 30 seconds?

  5. How does burst figure in the LImit Rule (default is 5).
    For example does it mean that bursts are allowed but if its greater than 5 per second then trigger the rule???

  6. PSD, this is a strange one, looks like another type of connections plus limit but applied via a relative weighting scheme that really looks at short bits of time…
    From my understanding the default settings of 21, 3sec, 3, 1 means the following:
    Set an arbitrary threshold value of 21 (means nothing as its all relative).
    Set a time period for which this parameter would be assessed (measure contiguous time periods) in this case every 3 seconds.
    Set an arbitrary value to any low port that is included in the rule and in this case 3 (assumes low ports are scanned more than high ports).
    Set an arbitrary value to any high port that is included in the rule and in this case 1
    Thus if within a 3 second block the value of all ports hit by this rule exceeds 21, then capture the IP.

  7. What is the relationship between the Limit parameters and the PSD parameters. In other words, does the rule trigger for an either OR case or a both AND case???

Thanks in advance!!

2

Hmm how I am hopping mad at mikrotik designers, this TAB should be labelled DANGER DANGER and not EXTRA!

Non-standard notation or INCONSISTENT notation/methods for activating parts of a rule is burning my goat.
Apparently the mere fact of clicking on those hash arrows to see what is set as default for a parameter IS NOT A VIEWING FUNCTION
Its an effing ACTIVATE FUNCTION

What clown thought this up??
If anything then, the entries should be BLANK or greyed out until selections are put or made.
Put in an accept button or something… but to have the function TURNED ON just by looking at is as(s)inine!!

However I did figure out some stuff.
a. NONE of the rules have DEPENDENCIES on each other but I suppose you could combine them for some funky reason.
b. Connection is cool in that you can define it to one host or more by the netmask
c. Connection limit is more designed for the number of hits on specific ports by many IPs…
d. PSD is more designed for ALL ports in a really short time frame.

3

That’s what you get for going too advance. :wink: I don’t think that I myself ever used any of those options you asked about. And behaviour of those arrows is standard, I think. If you expand the section, its options become active. It’s just that these expanding sections are not very common in WinBox, so it’s possible that you lived happily until now, without ever encountering them.

4

Its not consistent and tis foolish behaviour that needs to be changed LOL. I do mean the EXTRA tab, not my using advanced features. :slight_smile:

I passed it on as a feature request… I cannot imagine a line of text will cost anything…

"NOTE: Clicking on the down arrows will enable the admin to view the parameters and automatically ACTIVATES the parameter (up arrow).