Hi Guys,
So I am filtering on the firewall. I have an internal IP, say 172.18.1.1, that I am dst-natting web traffic to from 202.20.1.1.
If I create a firewall rule blocking traffic to destination 202.20.1.1, nothing happens. When I change this to the NAT address of 172.18.1.1, it works. Does that mean that everything is getting dst-natted first? If so, how can I ensure it goes through the firewall first?
Have a look at this:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
The DST NAT occurs before the forwarding chain filters are applied.
Yep, saw that. Wouldn’t that do extra routing that’s possibly not needed though?
I don’t really follow the question. The diagram shows how the packets flow. If you are using NAT in IP firewall you are using layer 3 functions including routing. Yes - DST NAT occurs before the forward chain filters.
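As an added illustration of the ordering described above (example configuration, not from the posters or from MikroTik's documentation), the dst-nat rule for the scenario in the question beside a forward-chain filter rule that cannot match and two that can; the interface name ether1 and TCP port 80 are assumptions:

```routeros
# Constructed example: public 202.20.1.1:80 is dst-natted to internal 172.18.1.1:80
/ip firewall nat
add chain=dstnat dst-address=202.20.1.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=172.18.1.1 to-ports=80

/ip firewall filter
# Does NOT match: dst-nat runs before the forward chain, so by the time this
# rule is evaluated the packet's destination is already 172.18.1.1.
add chain=forward dst-address=202.20.1.1 protocol=tcp dst-port=80 action=drop \
    comment="never matches - post-NAT destination is 172.18.1.1"

# Matches: filter on the translated (internal) address in the forward chain.
add chain=forward dst-address=172.18.1.1 protocol=tcp dst-port=80 action=drop \
    comment="blocks dst-natted web traffic to 172.18.1.1"

# Alternative that does not hard-code the internal address: match connections
# whose destination was rewritten by a dstnat rule (assumed interface ether1).
add chain=forward connection-nat-state=dstnat in-interface=ether1 \
    protocol=tcp dst-port=80 action=drop \
    comment="blocks any dst-natted web traffic arriving on ether1"
```

The first filter rule is kept only to show the pitfall; in a real ruleset it would be removed.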
Which firewall chain are you using to block traffic to the NAT destination?