Manual:IP/Settings: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
No edit summary
 
(12 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Versions| v6+}}
{{Versions| v6+}}
{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/IP+Settings}}


__TOC__
__TOC__
Line 49: Line 51:
|type=time interval
|type=time interval
|default=30s
|default=30s
|desc=ARP timeout on all interfaces that use ARP. Can use postfix ms, s, m, h, d for milliseconds, seconds, minutes, hours or days. if no postfix is set then seconds (s) is used.
|desc=Sets Linux <b>base_reachable_time</b> (base_reachable_time_ms) on all interfaces that use ARP. Initial validity of ARP entry is picked from interval [timeout/2..3*timeout/2] (default from 15s to 45s) after neighbor was found. Can use postfix ms, s, m, h, d for milliseconds, seconds, minutes, hours or days. if no postfix is set then seconds (s) is used. Parameter <b>DOES NOT</b> represent a time when ARP entry is removed from ARP cache, ARP cache entries can be stored in the cache for up to 10minutes if reference in route cache is created.
}}
}}


Line 56: Line 58:
|type=integer [0..4294967295]
|type=integer [0..4294967295]
|default=10
|default=10
|desc=
|desc=Limit the maximum rates for sending ICMP packets whose type matches <var>icmp-rate-mask</var> to specific targets. 0 to disable any limiting, otherwise the minimum space between responses in milliseconds.
}}
}}


Line 63: Line 65:
|type=[0..FFFFFFFF]
|type=[0..FFFFFFFF]
|default=0x1818
|default=0x1818
|desc=
|desc=Mask made of ICMP types for which rates are being limited. [http://man7.org/linux/man-pages/man7/icmp.7.html More info in linux man pages]
}}
}}


Line 82: Line 84:
* loose - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
* loose - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.


Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing or VRRP, then loose mode is recommended.
Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing or other complicated routing or VRRP, then loose mode is recommended.{{Warning | strict mode does not work with routing tables}}
}}
}}


Line 110: Line 112:
{{Mr-arg-table
{{Mr-arg-table
|arg=max-neighbor-entries
|arg=max-neighbor-entries
|type=
|type=integer [0..2147483647]
|default=no
|default=
|desc=  
|desc= Maximum number of allowed neighbors in ARP table.
}}
}}


{{Mr-arg-table-end
{{Mr-arg-table-end
|arg=oute-cache
|arg=route-cache
|type=yes {{!}} no
|default=yes
|desc= Disable or enable Linux route cache. Note that by disabling route cache, it will also disable fast path.
}}
 
==Read-Only Properties==
 
 
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}
 
{{Mr-arg-ro-table
|arg=ipv4-fast-path-active
|type=yes {{!}} no
|type=yes {{!}} no
|default=no
|desc=Indicates whether fast-path is active
|desc=  
}}
 
{{Mr-arg-ro-table
|arg=ipv4-fast-path-bytes
|type=integer
|desc=Amount of fast-pathed bytes
}}
 
{{Mr-arg-ro-table
|arg=ipv4-fast-path-packets
|type=integer
|desc=Amount of fast-pathed packets
}}
 
{{Mr-arg-ro-table
|arg=ipv4-fasttrack-active
|type=yes {{!}} no
|desc= Indicates whether fasttrack is active
}}
 
{{Mr-arg-ro-table
|arg=ipv4-fasttrack-bytes
|type=integer
|desc= Amount of fasttracked bytes
}}
 
{{Mr-arg-ro-table-end
|arg=ipv4-fasttrack-packets
|type=integer
|desc= Amount of fasttracked packet.
}}
}}


{{cont}}
{{cont}}

Latest revision as of 10:05, 17 January 2022

Applies to RouterOS: v6+


Summary

Sub-menu: /ip settings


IP Settings allows to configure several IP related kernel parameters.



Properties

Property Description
accept-redirects (yes | no; Default: no) Whether to accept ICMP redirect messages. Typically should be enabled on host and disabled on routers.
accept-source-route (yes | no; Default: no) Whether to accept packets with SRR option. Typically should be enabled on router.
allow-fast-path (yes | no; Default: yes) Allows fast path
arp-timeout (time interval; Default: 30s) Sets Linux base_reachable_time (base_reachable_time_ms) on all interfaces that use ARP. Initial validity of ARP entry is picked from interval [timeout/2..3*timeout/2] (default from 15s to 45s) after neighbor was found. Can use postfix ms, s, m, h, d for milliseconds, seconds, minutes, hours or days. if no postfix is set then seconds (s) is used. Parameter DOES NOT represent a time when ARP entry is removed from ARP cache, ARP cache entries can be stored in the cache for up to 10minutes if reference in route cache is created.
icmp-rate-limit (integer [0..4294967295]; Default: 10) Limit the maximum rates for sending ICMP packets whose type matches icmp-rate-mask to specific targets. 0 to disable any limiting, otherwise the minimum space between responses in milliseconds.
icmp-rate-mask ([0..FFFFFFFF]; Default: 0x1818) Mask made of ICMP types for which rates are being limited. More info in linux man pages
ip-forward (yes | no; Default: yes) Enable/disable packet forwarding between interfaces. Resets all configuration parameters to defaults according to RFC1812 for routers.
rp-filter (loose | no | strict; Default: no) Disables enables source validation.
  • no - No source validation.
  • strict - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
  • loose - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing or other complicated routing or VRRP, then loose mode is recommended.

Warning: strict mode does not work with routing tables


secure-redirects (yes | no; Default: yes) Accept ICMP redirect messages only for gateways, listed in default gateway list.
send-redirects (yes | no; Default: yes) Whether to send ICMP redirects. Recommended to be enabled on routers.
tcp-syncookies (yes | no; Default: no) Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack'. syncookies seriously violate TCP protocol, do not allow o use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you.
max-neighbor-entries (integer [0..2147483647]; Default: ) Maximum number of allowed neighbors in ARP table.
route-cache (yes | no; Default: yes) Disable or enable Linux route cache. Note that by disabling route cache, it will also disable fast path.

Read-Only Properties

Property Description
ipv4-fast-path-active (yes | no) Indicates whether fast-path is active
ipv4-fast-path-bytes (integer) Amount of fast-pathed bytes
ipv4-fast-path-packets (integer) Amount of fast-pathed packets
ipv4-fasttrack-active (yes | no) Indicates whether fasttrack is active
ipv4-fasttrack-bytes (integer) Amount of fasttracked bytes
ipv4-fasttrack-packets (integer) Amount of fasttracked packet.


[ Top | Back to Content ]