The OfficeConnect Remote 840 provides an extensive set of data filtering capabilities. For instance, filters can accept packets only from specific addresses to provide added security, or filters can be added to reduce network traffic and improve overall performance.
This chapter contains information on the filtering capabilities for your OfficeConnect Remote 840. It is divided into the following sections:
Filters can provide added security by accepting packets only from specific addresses or they can be added to reduce network traffic and improve overall performance.
Packet filters control inter-network data transmission by accepting or rejecting the passage of specific packets through network interfaces based on packet header information. When data packets are received by a network interface such as an Ethernet LAN or WAN port, a packet filter analyzes packet header information against a set of rules you define. A filter then lets the packet pass through or discards it.
The OfficeConnect Remote 840 supports the following filtering capabilities:
The OfficeConnect Remote 840 supports three filter classes:
Each filter class can be identified further by the following types:
Filters can be classified by the following types:
Data filters control network access based on the protocol, source / destination address, and port designation (e.g., TCP and UDP port designations) of the packet. The following table describes the data filters supported.
Table 12-1 Data Filters
Advertisement filters operate on network protocol packets that contain varying information such as SAP or RIP. Filtering of these packets is performed by the specific protocol process. The following table describes the advertisement filters supported:
Table 12-1 Advertisement Filters
Generic filters are protocol-independent and are specified by byte and offset values in a packet. Packets are filtered by comparing each packet's offset value and byte information with the values that you define in the filter. The router will accept or reject the packet based on the result.
Creating generic filters can be a complex task. Only experienced users should employ generic filters, and strictly in cases where data and advertisement filters cannot provide the filtering capabilities that you require.
Filters can be set in one of two ways in the OfficeConnect Remote 840:
The more flexible way of setting filters is through the Command Line Interface (CLI). Both data and advertisement filters can be set using CLI.
For more information on accessing CLI, refer to the OfficeConnect Remote 840 SDSL Router CLI User's Guide.
If you want to set up filters using the OfficeConnect Remote 840 Manager, go to the "Step-by-Step Guide to Creating Filters Using the OfficeConnect Remote 840 Manager" section.
The OfficeConnect Remote 840 Manager supports data filters only (not advertisement filters). Data filters are used to remove packets from the normal flow of data traffic. They can be applied to IP, IPX, and/or Bridge traffic.
Filters affect only those protocols which are currently active in the OfficeConnect Remote 840.
Therefore, if the unit is set up to Bridge only, only bridge filters have an effect on the data traffic; IP and IPX filters have no effect even if IP or IPX traffic is being bridged. Internally (for greater efficiency), filters are examined when a data packet is being processed by the protocol, not as the packet enters or exits the unit (even though when filters are set up, it looks like they take effect at the interface level). For example, when IPX traffic is bridged, it is processed by the bridge protocol in the unit, not by the IPX protocol. Therefore, a filter on IPX traffic would have to be a bridge filter in this example.
There are two sets of criteria used in determining whether a filter affects a packet.
The first is the direction/location of the packet. There are four static direction/locations on which filters can be activated: incoming LAN traffic, outgoing LAN traffic, incoming WAN traffic and outgoing WAN traffic. Additionally, there are two for each Remote Site, traffic coming from and going to each one.
The second criterion is whether the packet contains data that matches the condition(s) in the filter. Conditions are defined based on protocol-specific information such as IP source address or IPX source socket number.
All filters are set up to discard packets (data filters). However, there are two ways of specifying these actions: a "negative" and a "positive" way. The negative action specifies that the packet or information is discarded if the filter criteria are met. The positive action specifies that the packet or information is kept if the criteria are met. The positive way implies that all packets or information not meeting the criteria are discarded. Either method can be used for most filters. However, one or the other is almost always more logical.
For example, imagine a small office with 20 workstations on the LAN. The LAN is connected to a remote corporate office using an OfficeConnect Remote 840. Two of the LAN workstations are used by contractors who are not given access to the corporate office. To prevent traffic from the two workstations from passing through the OfficeConnect Remote 840, a filter is set up on the incoming/LAN direction/location. The most logical filter is a "negative" filter that says "discard packet if IP source address is equal to xxx.xxx.xxx.xxx or IP source address is equal to xxx.xxx.xxx.yyy". Of course you could write a "positive" filter which would say "forward packet if IP source address is equal to <list of the 18 IP addresses that are allowed to send traffic>". However, you can see that the negative filter is shorter (more efficient to apply) and easier to write and therefore the better one to use.
Each direction/location can have up to fifteen filters. Each filter can have up to six conditions. As you create the filter, you can select whether to logically "and" or "or" conditions together. If you need a filter with more than six conditions, you can create multiple filters that will be looked at by the OfficeConnect Remote 840 as if they were one filter. The only requirement is that the basic filter information (i.e., the protocol and the action) must be the same in each of the filters. The filters will be "or"ed together when they are merged internally.
Example: To prevent seven individual PCs on the LAN from accessing a remote site, create the following two filters:
Filter for Packets: Going to Remote Site Vienna
Filter Name: Block PCs 1-6 Protocol: IP Enabled: Yes
Discard Packet if IP Source Address is Equal to 192.168.200.41
or if IP Source Address is Equal to 192.168.200.50
or if IP Source Address is Equal to 192.168.200.66
or if IP Source Address is Equal to 192.168.200.42
or if IP Source Address is Equal to 192.168.200.88
or if IP Source Address is Equal to 192.168.200.90
Filter Name: Block PC 7 Protocol: IP Enabled: Yes
Discard Packet if IP Source Address is Equal to 192.168.200.102
The filters BLOCK PCs 1-6 and BLOCK PC 7 both use the IP protocol and the same action, "Discard Packet if..."
Therefore, when they are applied, they are "or"ed together. The resultant filtering is the same as you would get if you were allowed to create a single filter that contained all seven conditions.
The OfficeConnect Remote 840 Manager (HTML) filter screens provide an easy-to-use menu system for specifying the direction/location of the traffic to be checked and for creating and editing filter conditions. The filter screens are set up to allow you to create sentences that describe the filter action. For example, a filter that prevents IPX packets from Jan and Bob's PCs from being sent to Remote Site Vienna would look something like this:
Filter for Packets: Going to Remote Site Vienna
Filter Name: Block Jan and Bob
Discard Packet if IPX Source Node is Equal to 00-20-69-00-23-99
or if IPX Source Node is Equal to 00-20-69-11-45-88
The sentence is built up over a number of screens. Most filters can be easily created by selecting from the provided condition sentences. Each sentence has pull-down boxes for selecting condition keywords (IP Destination Address / IP Source Address, etc.) and condition operations (is Equal to / is Not Equal to, etc.). Where appropriate, the additional flexibility of generic filters is available. With generic filters, you specify an offset into the packet and the hex value to compare the packet content to. This allows you to go beyond the bounds of the "canned" condition sentences.
An overview and description of each filter screen is provided below:
You can get out of any screen by using the HTML side bar links. If you are in the process of creating a new filter when you do this, and haven't yet pressed the Save Filter button on the Filter Condition Summary screen, the new filter information is lost.
Index screen that allows you to view either the Filter Status or the Filter Create/Modify screens.
Shows which direction/locations have filters.
Prompts you to select on which direction/location you are going to setup or change a filter. Pressing the "Next" button brings up the Filter Summary page.
Shows you a summary of previously defined filters for this direction/location and whether or not the filters are active.
Pressing the Create button brings up the Filter Action screen.
Selecting a filter name and pressing the Delete/Modify button brings up the Filter Delete/Modify screen.
Prompts you to:
These screens have a common structure but differ in content. The common features include the condition number (1-6) of the condition being created and, for condition numbers 2-6, the selection via radio buttons for "And"ing and "Or"ing the condition to the previous condition.
For condition number 1, the user is prompted to select the action of the filter: "Discard Packet" or "Forward Packet". Also common is the Next button, which takes you to the Condition Summary screen.
Basic IP Condition has the following condition sentences to select from:
Table 12-1 Basic IP Condition

  Keyword               Operation         Value
  Destination Address   Is Equal to       _____ IP address
  Source Address        Is Not Equal to

  Destination Network   Is Equal to       _____ IP address
  Source Network        Is Not Equal to   _____ (Mask)
Advanced IP Condition has the following condition sentences to select from:
Table 12-1 Advanced IP Condition
Basic IPX Condition has the following condition sentences to select from:
Table 12-1 Basic IPX Condition
Advanced IPX Condition has the following condition sentences to select from:
Table 12-1 Advanced IPX Condition
* whose length is 2x Length field (two mask numbers for each byte)
** whose length is not greater than 2x Length field
This screen shows the filter conditions that have been created so far. It allows you to select any undefined condition to add, or to select any defined condition to delete. (You cannot modify a condition; you must delete the condition and then add a new one to make changes.) You do not have to add conditions in consecutive order (that is, you can skip condition numbers), and you can delete conditions from the middle. The conditions are used in the filter in order from the smallest condition number to the greatest, and unused condition numbers are simply ignored.
When you have a filter that contains "And"ed and "Or"ed conditions together, the summary may display extra blank lines between conditions. This is to help you understand exactly what the filter means.
Look at this filter (without the extra separator):
Discard packet if IP Destination Address is Equal to 30.0.0.1
and IP Protocol is Equal to TCP
or IP Protocol is Equal to UDP.
This can be misinterpreted to mean:
- discard any TCP packet whose destination address is 30.0.0.1
- and
- discard any UDP packet whose destination address is 30.0.0.1.
Now look at the filter with the extra separator:
Discard packet if IP Destination Address is Equal to 30.0.0.1
and IP Protocol is Equal to TCP

or IP Protocol is Equal to UDP.
It clarifies the meaning as:
- discard any TCP packet whose destination address is 30.0.0.1
- and
- discard all UDP packets
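A small Python model of the filter semantics this chapter describes, covering both the merging of same-action filters from the "Block PCs" example and the and/or grouping just shown. It is an added illustration, not code from the OfficeConnect Remote 840 or 3Com, and it assumes that "and" binds tighter than "or" (the grouping the separator lines on the Condition Summary screen display); the address/mask form of a value is used here to stand in for the Source/Destination Network sentences.

```python
# Added model of the OfficeConnect Remote 840 filter semantics; illustration
# only, not 3Com code. Assumption: "A and B or C" means "(A and B) or C".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str    # IP source address
    dst: str    # IP destination address
    proto: str  # "TCP", "UDP", ...

def matches(cond, pkt):
    """cond = (keyword, op, value); keyword src/dst/proto, op eq/ne; addr/mask = network."""
    key, op, val = cond
    field = {"src": pkt.src, "dst": pkt.dst, "proto": pkt.proto}[key]
    if key != "proto" and "/" in val:
        hit = ip_address(field) in ip_network(val, strict=False)
    else:
        hit = field == val
    return hit if op == "eq" else not hit

def filter_matches(conds, pkt):
    """conds: (joiner, cond) pairs in condition-number order (first joiner is
    ignored). Evaluated as an OR of AND-groups, one group per blank separator."""
    groups = [[]]
    for joiner, cond in conds:
        if joiner == "or" and groups[-1]:
            groups.append([])
        groups[-1].append(cond)
    return any(all(matches(c, pkt) for c in g) for g in groups)

def decide(action, filters, pkt):
    """filters: condition lists of filters sharing one protocol and action on
    one direction/location; the unit "or"s them together. A discard filter
    drops on a hit; a forward filter drops everything that misses."""
    hit = any(filter_matches(c, pkt) for c in filters)
    if action == "discard":
        return "discard" if hit else "forward"
    return "forward" if hit else "discard"

# Constructed samples: the chapter's "Block PCs 1-6" / "Block PC 7" filters
# and the and/or filter discussed under the Condition Summary screen.
BLOCK_PCS = [
    [("or", ("src", "eq", a)) for a in ("192.168.200.41", "192.168.200.50",
     "192.168.200.66", "192.168.200.42", "192.168.200.88", "192.168.200.90")],
    [("or", ("src", "eq", "192.168.200.102"))],
]
AMBIGUOUS = [("", ("dst", "eq", "30.0.0.1")),
             ("and", ("proto", "eq", "TCP")),
             ("or", ("proto", "eq", "UDP"))]
```

Running `decide("discard", [AMBIGUOUS], ...)` on a UDP packet bound for any address returns "discard", which is the reading the separator lines are meant to make visible.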
You get to this screen after deleting the last condition in a filter. You have the choice of deleting the filter or of adding a condition. To delete it, press the Delete Filter button (which takes you to the Filter Summary screen.) To add condition number 1, press the Add Condition button to bring up the appropriate condition screen (i.e. Basic IP, Advanced IP, etc.).
You reach this screen from the Filter Summary screen if you wish to modify an existing filter. This screen allows you to change the filter name and its enabled/disabled status. From this screen, select Delete to delete the displayed filter and return to the Filter Summary screen. Select Modify to save any changes you made on this screen to the Filter Name or Enabled/Disabled status. Or select the Add/Delete Conditions button to go to the Condition Summary screen, where you can add or delete conditions as needed.
Filters can be tricky to define, so spend time thinking about what you want the filter to do before accessing the screens.
First determine which direction and location of the data path you want to apply the filter to: for example, do you want to filter packets as they enter from the Ethernet ports, or as they go to all of the Remote Sites, or as they exit to go to a specific Remote Site?
Next, think about the desired results of the filtering, that is, which data packets are to be removed from the traffic (ex: if bridging, perhaps all IPX packets, or if routing IP, maybe all packets from a specific machine or group of machines.)
For more information on designing filters, see "Filtering Overview".
1. Go to Configuration > Global > Filters. Select Create/Modify Filters. On the Create/Modify screen, select the direction/location of the data traffic where the filter will be activated. Press the Next button to bring up the Filter Summary screen for this direction/location.
2. On the Filter Summary screen, press the Create button to bring up the Filter Action screen.
3. On the Filter Action screen, enter a name for the filter and select the desired protocol. Then press the Next button to bring up the appropriate protocol condition screen.
4. On the protocol condition screen, select the action of the filter (discard or forward packet) and the first condition sentence for your filter.
5. Use the pull-down boxes as needed to create your filter by selecting keywords (such as IP Destination Address / IP Source Address) and operations (is Equal to / is Not Equal to).
6. Then enter the value to be filtered against, that is, the IP address, Port number, etc. that finishes the condition information needed for the filter. Then press the Next button to see the Condition Summary screen.
7. When you are satisfied that this filter is complete, press Save Filter on the Condition Summary screen. This causes the OfficeConnect Remote 840 to write the filter to file and activates the filter. You are returned to the Filter Summary screen. Now you can add another filter if you want.
1. Go to Configuration > Global > Filters.
2. Select Create/Modify Filters. On the Create/Modify screen, select the direction/location of the data traffic where the filter is active.
3. Press the Next button to bring up the Filter Summary screen for this direction/location.
4. To delete or modify the filter, select the filter from the pull-down box and press Delete/Modify. This brings up the Filter Delete/Modify screen. You can delete the filter, modify the name, the enable/disable status and/or edit the conditions from this screen.
1. Go to Configuration > Global > Filters.
2. Select Create/Modify Filters. On the Create/Modify screen, select the direction/location of the data traffic where the filter is active.
3. Press the Next button to bring up the Filter Summary screen for this direction/location.
4. To turn off an individual filter, select that filter in the pull-down box and press the Delete/Modify button. On the Filter Modify screen, disable the filter by unchecking the Enable Filter checkbox and pressing Modify. Return to the summary screen by pressing < Prev.