Firewall and NAT counter

Hello,
I want to understand something -
I need to NAT port 9998.
This is what I did -

So I did this:

/ip firewall filter
add action=add-src-to-address-list address-list="FilterForward(UDP)" \
    address-list-timeout=0s chain=forward disabled=yes dst-port=9998 \
    in-interface=ppp-out1 log-prefix="" protocol=udp
add action=accept chain=forward dst-port=9998 in-interface=ppp-out1 \
    log-prefix="" protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat log-prefix=""
add action=dst-nat chain=dstnat dst-port=9998 in-interface=ppp-out1 \
    log-prefix="" protocol=udp to-addresses=10.0.0.120 to-ports=9998

This is working,

but if I look at the counters:
The filter counter is increasing every 1 sec (which is according to the data being sent).
The NAT counter is not increasing at all.

How could it be? And the rule is working, because the computer 10.0.0.120 is getting the data …

Thanks,

In the last rule, try to add the dst-address as your global.

Sorry?
I didn’t understand you.
What do you mean, add as global?

I mean, in this rule:

add action=dst-nat chain=dstnat dst-port=9998 in-interface=ppp-out1 \
    log-prefix="" protocol=udp to-addresses=10.0.0.120 to-ports=9998

add this:

dst-address="your globally routable address"

NAT rules counters only fire on a new connection. Once a new connection is established it’s part of the connection table and it doesn’t need to look up the NAT rule anymore.

If that’s all you have in your firewall filter table, that means each packet needs to be processed individually against those rules. If it’s a small install that is generally OK, as long as you have a default drop all, but the more efficient method is to use a stateful firewall setup with accept established and related at the top of the rule chain so packets get processed as fast as possible.
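The counter behaviour discussed in this thread, as an added example that is not part of any post and is not RouterOS code: a simplified Python model of connection tracking in which the dst-nat rule is consulted only for the packet that opens a flow, while filter rules are evaluated for every packet. The `Router` class, the rule names and the source address 198.51.100.7 are assumptions made for illustration; "related" traffic and entry timeouts are not modelled.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    hits: int = 0

def is_port_9998(p):      # mirrors the thread's matcher: UDP/9998 arriving on ppp-out1
    return p["proto"] == "udp" and p["dport"] == 9998 and p["in"] == "ppp-out1"

def is_established(p):
    return p["state"] == "established"

class Router:
    def __init__(self, filter_rules):
        self.filter_rules = filter_rules           # accept rules, then default drop
        self.dstnat = Rule("dst-nat 9998", is_port_9998)
        self.conntrack = {}                        # flow -> translated destination

    def forward(self, pkt):
        flow = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"])
        pkt["state"] = "established" if flow in self.conntrack else "new"
        if pkt["state"] == "new":
            # NAT is consulted only for the packet that opens the connection
            target = None
            if self.dstnat.match(pkt):
                self.dstnat.hits += 1
                target = ("10.0.0.120", 9998)
        else:
            target = self.conntrack[flow]          # reuse the cached translation
        for rule in self.filter_rules:             # first match wins, every packet
            if rule.match(pkt):
                rule.hits += 1
                self.conntrack[flow] = target      # confirm the entry on accept
                return target
        return None                                # default drop

def run(filter_rules, packets=10):
    router = Router(filter_rules)
    for _ in range(packets):                       # constructed flow: one datagram per second
        router.forward({"proto": "udp", "src": "198.51.100.7", "sport": 40000,
                        "dport": 9998, "in": "ppp-out1"})
    return router.dstnat.hits, {r.name: r.hits for r in filter_rules}

def page_ruleset():       # only the port rule, as in the first post
    return [Rule("accept udp/9998", is_port_9998)]

def stateful_ruleset():   # established accept placed first, as the last reply suggests
    return [Rule("accept established", is_established), Rule("accept udp/9998", is_port_9998)]
```

With ten packets of one flow, `run(page_ruleset())` counts one NAT hit and ten hits on the port rule; `run(stateful_ruleset())` still counts one NAT hit, but the port rule is hit once and the established rule nine times.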