With the protocol filter you can influence the handling of certain protocols during transfer from the WLAN to the LAN. The use of appropriate rules allows the definition of which data packets should be inspected, interfaces for which the filter applies and which action should be performed on the data packets.
LANconfig: Wireless LAN / Security / Protocols
WEBconfig: LCOS menu tree / Setup / LAN bridge / Protocol table
Similar to a firewall rule, a protocol filter consists of two parts:
- The packet conditions defines the conditions that must be satisfied in order for the filter to be applied to a packet.
- The action defines what happens to the packet if the condition is met.
A packet filter is described by the following parameters:
- Name: A name of your choice for the filter entry
- Protocol: The protocol that this filter is valid for. If '0' is entered as the protocol, the filter applies to all packets.
- Subtype: The sub-protocol for which this filter is valid. If '0' is entered as the sub-protocol, the filter applies to all packets of the protocol entered.
- Start port and end port: The port range that this filter is to be valid for.
If '0' is entered as the start port, this filter will be applied to all ports of the
corresponding protocol/sub-protocol. If '0' is entered as the end port, the start port
becomes an end port.Note: Lists of the official protocol and port numbers are available in the Internet under www.iana.org.
- Destination MAC address: The MAC address of the client to which the packet is to be sent. If no destination MAC address is entered, the filter is applied to all packets.
- DHCP source MAC: Enabling of DHCP address tracking.
- Yes: The rule applies if the source MAC address of the packet is listed in the table under Status > LAN Bridge Statistics > DHCP Table as an address which obtained an IP address using DHCP.
- No: The rule applies if this is not the case.
- Irrelevant: The source MAC address is not considered.
Note: If DHCP address tracking is enabled, any IP addresses usually entered are disregarded. Please refer to for further information. - IP network and IP netmask: The IP address of the network mask to which this filter applies. Only those IP packets whose source and destination IP addresses lie within this network are captured by the rule. If no network is entered, the filter applies to all packets.
- Interface list: List of the interfaces to which the filter applies. All of the
LAN interfaces, DMZ interfaces, logical WLAN networks and point-to-point connections in
the WLAN may be entered as interfaces.
The following examples illustrate how
interfaces are specified: 'LAN-1' for the first LAN interface, 'WLAN-2-3' for the third
logical WLAN network on the second physical WLAN interface, 'P2P-1-2' for the second
point-to-point connection on the first physical WLAN interface.
Groups of interfaces
may be specified in the form 'WLAN-1~WLAN-1-6' (logical WLANs 1 to 6 on the first physical
WLAN interface) or with a wildcard as 'P2P-1-*' (all P2P connections on the first physical
interface).
Note: Only filter rules with valid entries in the interface list are active. A rule with no specification of the interfaces does not apply to all of them - it is ignored instead.
- Action: Action performed for the data packets captured using this rule:
- Redirect IP address: Destination IP address for the "Redirect" action On
redirection, the destination IP address of the packets is replaced by the Redirect IP
address entered here. Furthermore, the destination MAC address is replaced by the MAC
address determined using ARP for the Redirect IP address.
Note: If ARP was unable to determine the destination MAC address, the packet is dropped rather than redirected.
Example:
Name | DHCP source MAC: | Destination MAC address. | Prot. | IP address | IP network: | Subtype | Start port | End port | Interface list | Action | Redirect IP address |
---|---|---|---|---|---|---|---|---|---|---|---|
ARP | irrelevant | 000000000000 | 0806 | 0.0.0.0 | 0.0.0.0 | 0 | 0 | 0 | WLAN-1-2 | Pass | 0.0.0.0 |
DHCP | irrelevant | 000000000000 | 0800 | 0.0.0.0 | 0.0.0.0 | 17 | 67 | 68 | WLAN 1-2 | Pass | 0.0.0.0 |
TELNET | irrelevant | 000000000000 | 0800 | 0.0.0.0 | 0.0.0.0 | 6 | 23 | 23 | WLAN 1-2 | Redirect | 192.168.11.5 |
ICMP | irrelevant | 000000000000 | 0800 | 0.0.0.0 | 0.0.0.0 | 1 | 0 | 0 | WLAN 1-2 | Pass | 0.0.0.0 |
HTTP | irrelevant | 000000000000 | 0800 | 0.0.0.0 | 0.0.0.0 | 6 | 80 | 80 | WLAN 1-2 | Redirect | 192.168.11.5 |
ARP, DHCP, ICMP are allowed to pass, Telnet and HTTP are redirected to 192.168.11.5 and all other packets are rejected.
- Procedure for filter test
If no filter rules are defined for an interface, all packets from and destined to it are transmitted without alteration. As soon as a filter rule has been defined for an interface, all packets to be transferred via this interface are checked prior to being processed.
- As a first step, the information required for checking is read out of the packets:
- DHCP source MAC:
- Destination MAC address of the packet:
- Protocol, e.g. IPv4, IPX, ARP
- Sub-protocol, e.g. TCP, UDP or ICMP for IPv4 packets, ARP Request or ARP Response for ARP packets
- IP address and network mask (source and destination) for IPv4 packets
- Source and destination port for IPv4 TCP or IPv4 UDP packets
- As a second step, this information is checked against the information from the filter
rules. All those rules in which the source or destination interface is included in
the interface list are considered. Checking of the rules for the individual values is as
follows:
- For DHCP source MAC, protocol and sub-protocol, the values read out of the packets are checked for consistency with the values defined in the rule.
- With IP addresses, the source and destination address of the packet are checked to see whether they lie within the range formed by the IP address and the network mask of the rule.
- Source and destination ports are checked to see whether they lie in the range between start port and end port.
Note: If rules are defined for an interface, but there is no match with one of the rules for a packet from/for this interface, the default rule for this interface is used for the packet. The default rule is pre-configured for each interface with the 'drop' action but this is not visible in the protocol table. To modify a default rule for an interface, a rule with the name 'default-drop' is defined. Besides the interface naming, this rule can only contain wildcats and the required action.Checking of MAC addresses in packets sent over the respective interface takes on a different form to that with in-coming packets.- With out-going packets, the source MAC address read out of the packet is checked against the destination MAC address entered in the rule.
- The destination MAC addresses read out of the packet are then checked to see whether they are listed as currently active DHCP clients.
- Rules with the 'Redirect' action are ignored if they apply for an interface over which the packet is to be sent.
- In the third step, the action associated with the applicable rule is carried out.
- Redirect function
- DHCP address tracking
Note: The number of clients which may be connected to an interface via DHCP can be configured in the Port table under Setup > LAN Bridge > Port Data. Setting the entry to '0' means that any number of clients can register at this interface via DHCP. If the maximum number of DHCP clients is exceeded by a further attempt to register, the oldest entry in the list is deleted.When checking data packets, IP addresses and the IP network mask defined in the rule are not used. Consequently no check is made as to whether the destination IP address of the packet lies within the range specified. Instead, a check is made as to whether the source IP address of the packet matches the IP address assigned to the client via DHCP. The connection of the two IP addresses is made based on the source MAC address. This check can be used to block clients which have received an IP address via DHCP, but which actually use a different IP address (either intentionally or inadvertently). A rule in which the DHCP Source MAC parameter is set to 'Yes' would not apply since the two addresses do not match. The packet would instead be processed either by other rules or the default rule. In order for DHCP tracking to work, at least two more rules must be set up for this interface, rules which are not dependent on DHCP tracking. This is necessary since the required DHCP information is not exchanged until the end of DHCP handshake. This is why packets due to be sent beforehand must be allowed by rules which do not use DHCP tracking. These usually included TCP/UDP packets on port 67 and 68 and ARP packets.Note: If DHCP tracking is enabled on an interface, packets received on this interface from DHCP servers are automatically dropped.