Allied Telesis AT-WR4500 manual ConnectionTracking, Submenu level /ip firewall connection

Routed traffic

The traffic received for the router's MAC address on the respective port, is passed to the routing procedures and can be of one of these four types:

•the traffic which is destined to the router itself. The IP packets has destination address equal to one of the router's IP addresses. A packet enters the router through the input interface, sequentially traverses prerouting and input chains and ends up in the local process. Consequently, a packet can be filtered in the input chain filter and mangled in two places: the input and the prerouting chain filters.

•the traffic is originated from the router. In this case the IP packets have their source addresses identical to one of the router's IP addresses. Such packets travel through the output chain, then they are passed to the routing facility where an appropriate routing path for each packet is determined and leave through the postrouting chain.

•routable traffic, which is received at the router's MAC address, has an IP address different from any of the router's own addresses, and its destination can be found in the routing tables. These packets go through the prerouting, forward and postrouting chains.

•unroutable traffic, which is received at the router's MAC address, has an IP address different from any of the router's own addresses, but its destination can not be found in the routing tables. These packets go through the prerouting and stop in the routing recision.

The actions imposed by various router facilities are sequentially applied to a packet in each of the default chains. The exact order they are applied is pictured in the bottom of the flow diagram. Exempli gratia, for a packet passing postrouting chain the mangle rules are applied first, two types of queuing come in second place and finally source NAT is performed on packets that need to be natted.

Note, that any given packet can come through only one of the input, forward or output chains.

Bridged Traffic

In case the incoming traffic needs to be bridged (do not confuse it with the traffic coming to the bridge interface at the router's own MAC address and, thus, classified as routed traffic) it is first determined whether it is an IP traffic or not. After that, IP traffic goes through the prerouting, forward and postrouting chains, while non-IP traffic bypasses all IP firewall rules and goes directly to the interface queue. Both types of traffic, however, undergo the full set of bridge firewall chains anyway, regardless of the protocol.

9.3.3 ConnectionTracking

Submenu level: /ip firewall connection

Description

Connection tracking refers to the ability to maintain the state information about connections, such as source and destination IP address and ports pairs, connection states, protocol types and timeouts. Firewalls that do connection tracking are known as "stateful" and are inherently more secure that those who do only simple "stateless" packet processing.

The state of a particular connection could be estabilished meaning that the packet is part of already known connection, new meaning that the packet starts a new connection or belongs to a connection that has not seen packets in both directions yet, related meaning that the packet starts a new connection, but is associated with an existing connection, such as FTP data transfer or ICMP error message and, finally, invalid meaning that the packet does not belong to any known connection and, at the same time, does not open a valid new connection.

Connection tracking is done in the prerouting chain, or the output chain for locally generated packets. Another function of connection tracking which cannot be overestimated is that it is needed for NAT. You should be aware that no NAT can be performed unless you have connection tracking enabled, the same applies for p2p protocols recognition. Connection tracking also assembles IP packets from fragments before further processing.

The maximum number of connections the /ip firewall connection state table can contain is determined by the amount of physical memory present in the router.

Please ensure that your router is equipped with sufficient amount of physical memory to properly handle all connections.