Explaining firewall packet counters

Hi there

I’m trying to route some traffic via L2TP tunnel.

/ip firewall address-list
add address=ifconfig.me list=list_for_vpn
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=list_for_vpn new-routing-mark=mark_vpn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=l2tp-out
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=l2tp-out routing-mark=mark_vpn

It seems to work ok, but when I curl the host

curl https://ifconfig.me

Something unexpected happens with counters. Mangle rule increments by 10, and that is expected, Wireshark shows exactly 10 outgoing packets. But masquerade rule increments by 1 only. I expect it increments by 10. Why is that?

In short, masquerade rule works with connections, not packets.

From the manual, “Nat matches only the first packet of the connection, connection tracking remembers the action and performs on all other packets belonging to the same connection.”

As Sob wrote, it does only connections. If the connection stopped or changed, connection tracking has to catch up with the new situation.

https://help.mikrotik.com/docs/display/ROS/NAT
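The first-packet-only behaviour described in the two replies above, modelled in Python as an added illustration (this is not RouterOS code and not from the thread). A mangle prerouting rule is evaluated for every packet, while the srcnat chain is consulted once per connection and the verdict is replayed by connection tracking. The addresses are constructed: 203.0.113.10 stands in for whatever ifconfig.me resolves to, 192.168.88.10 for the LAN client.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the address ifconfig.me resolves to (TEST-NET-3, RFC 5737).
IFCONFIG_ME = "203.0.113.10"
LAN_CLIENT = "192.168.88.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def conn_key(self):
        # Connection tracking identifies a flow by its 5-tuple.
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Router:
    vpn_list: set               # the "list_for_vpn" address list
    mangle_hits: int = 0        # counter of the mark-routing rule (prerouting)
    nat_vpn_hits: int = 0       # counter of the masquerade rule for out-interface=l2tp-out
    conntrack: dict = field(default_factory=dict)   # conn_key -> remembered action

    def process(self, pkt: Packet):
        """Return the NAT action applied to this packet and update the counters."""
        # Mangle prerouting rules are evaluated for every packet, so this counter
        # advances once per outgoing packet of the flow.
        if pkt.dst in self.vpn_list:
            self.mangle_hits += 1

        key = pkt.conn_key()
        if key in self.conntrack:
            # Known connection: conntrack replays the stored verdict; the NAT
            # chain is not consulted and its rule counters do not move.
            return self.conntrack[key]

        # First packet of a new connection: walk the srcnat chain once.
        # The out-interface follows the routing mark set by the mangle rule.
        out_if = "l2tp-out" if pkt.dst in self.vpn_list else "ether1"
        if out_if == "l2tp-out":
            self.nat_vpn_hits += 1
        action = ("masquerade", out_if)
        self.conntrack[key] = action
        return action

    def expire(self, pkt: Packet):
        """Drop the tracked entry, as conntrack does when a connection times out."""
        self.conntrack.pop(pkt.conn_key(), None)


def curl_flow(sport: int, n_packets: int = 10):
    """Constructed trace: n outbound packets of one TCP connection to ifconfig.me."""
    return [Packet(LAN_CLIENT, sport, IFCONFIG_ME, 443) for _ in range(n_packets)]


def simulate_one_curl():
    """Ten packets on one connection: mangle counts 10, masquerade counts 1."""
    r = Router(vpn_list={IFCONFIG_ME})
    for pkt in curl_flow(sport=50000):
        r.process(pkt)
    return r.mangle_hits, r.nat_vpn_hits


def simulate_after_timeout():
    """Same flow, then the entry times out and one more packet arrives on the
    same 5-tuple: conntrack treats it as a new connection and the NAT rule
    is matched a second time."""
    r = Router(vpn_list={IFCONFIG_ME})
    flow = curl_flow(sport=50000)
    for pkt in flow:
        r.process(pkt)
    r.expire(flow[0])
    r.process(flow[0])
    return r.mangle_hits, r.nat_vpn_hits


if __name__ == "__main__":
    print("one curl (mangle, nat):", simulate_one_curl())            # (10, 1)
    print("after timeout (mangle, nat):", simulate_after_timeout())  # (11, 2)
```

On a real router the equivalent check is to compare the rule counters in the mangle and nat tables against the entries listed by `/ip firewall connection print` while the curl is running: one tracked connection, one masquerade hit, ten mangle hits.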

Now it’s perfectly clear, thanks! I wish the column was named “Connections”, not “Packets”, that would make more sense.

Packets is the right term here because it counts the first packet of a connection triggering that rule. If you would use Connections, then it will be interpreted as the number of concurrent connections.

The lower count than expected does make one puzzle, but then that happens also to rules that are only triggered by SYN, like when you mark connections in Mangle. You mark that connection once, and connection tracking will take care of all traffic marked and all following traffic till the connection times out.