Counters in firewall filter

Hello, my question is more conceptual about basics of counters in firewall filter rules. I searched through the forum and documentation, and unfortunately didn’t find an obvious answer.

In my set-up I use a “whitelist” flavour of filter rules from local net to WAN, i.e. explicitly setting permissible rules while unconditionally dropping everything else at the end.

As a sanity check, I expected whatever count is reported in ‘passthrough forward’ upon connections to WAN (e.g. streaming video) to be reflected in the aggregate count in the forward rules (accept, drop) in the above ‘closed’ setup. But I’m seeing much higher traffic reported in the former than is captured in the latter set.

Barring an erroneous rules setup, I was wondering: is there any reason traffic counted by ‘passthrough forward’ would not appear in the counts of the forward rules in the above setup? Intuitively, it suggests the firewall is implicitly allowing something through, bypassing the rule set. Is this an expected behaviour? If so, how would it be possible to inspect firewall state wrt such connections bypassing the filter rules?

Thank you

Is “passthrough forward” the dynamic rule for FastTrack? If it is, those packets are not seen by other firewall rules.

Yes, it is, thank you. I’ve also seen MikroTik’s talk on FastPath Overview since, which explained this special dummy rule for the counter. I suppose what’s a bit counterintuitive here is the overloading of terminology: although the dummy filter rule is marked with the ‘passthrough’ action, its behaviour is different from the standard ‘passthrough’ semantics of the firewall filter rules. The former is more of a ‘firewall bypass’ indicator. It might be worth noting that in the manual: RouterOS->Firewall and Quality of Service->Filter, which mentions only the standard ‘passthrough’ action.

They are just fake rules. They chose them to represent these counters, and passthrough was probably the best choice for the action, if they didn’t want to add another fake one for this. But yes, it can be slightly confusing when it shows among other firewall rules, but those packets don’t actually go there.
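
An added example, not part of any post in this thread: RouterOS commands for seeing where FastTracked traffic is counted when auditing a whitelist-style forward chain. The rule pair shown is the common FastTrack setup and is an assumption about the poster's configuration; the comments on the rules are placeholders.

```routeros
# Assumed setup: the usual FastTrack rule pair at the top of the forward chain.
# The first rule marks established/related connections for FastTrack.
# The second accepts the packets of those connections that still take the
# normal (slow) path, so they never reach the final drop rule.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related comment="example: fasttrack"
add chain=forward action=accept connection-state=established,related comment="example: established, related"

# Per-rule packet and byte counters for the filter table.
# Only packets that actually traversed the chain are counted here, so for a
# FastTracked flow this is mostly the first packets of each connection.
/ip firewall filter print stats

# Global FastTrack counters (ipv4-fasttrack-active, ipv4-fasttrack-packets,
# ipv4-fasttrack-bytes). This is the traffic the dummy "passthrough" rule
# reports and that the ordinary forward rules never see.
/ip settings print

# Connection tracking entries currently flagged as FastTracked.
# These are the flows whose packets bypass the filter rules.
/ip firewall connection print where fasttrack

# For a counter sanity check, disable the FastTrack rule temporarily so that
# new connections are processed by the forward chain packet by packet, then
# re-enable it afterwards.
/ip firewall filter disable [find action=fasttrack-connection]
/ip firewall filter enable [find action=fasttrack-connection]
```

A FastTracked connection was accepted by the forward chain before it was marked, so the whitelist decision still applies to it; only the per-packet accounting moves out of the filter rule counters.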