Forwarding and established connections

What is the expected behavior under the following conditions:

Port 1234 from wan is forwarded to first machine on the lan, same port.

Some second lan client sends some TCP or UDP to a WAN server,
WAN server responds to second client’s request with TCP or UDP, destination port 1234.

Does the ‘established’ state ensure that the return traffic gets to the second lan client, or
does the forwarding rule take precedence?

Whatever the behavior should be, is this ‘defined’ anywhere by, say, the IETF, or is it a crap shoot
depending on the router?

Thanks

For anything that has a state table (RouterOS does), the state table trumps anything else. I don’t think there’s an RFC on that, but it’s just the sensible thing to do.

That’s what I thought, agreed, it makes sense, just wondered about Mikrotik in particular, and if anyone had ‘defined’ the desired behavior. Thanks for the reply!

NAT works only with new connections. If the connection is already ‘established’, it won’t be affected by NAT rules. So if the router saw a packet from client2 to the server, packets returning from the server and having the same ports won’t be NATted.

Depends on the order of your firewall rules.

?.. (O_o)

If the drop is before accept established/related.

Or, if you were only allowing new connections on one port and related connections on another port from specific hosts, etc, etc.

So order does matter in complex situations.

c’mon, wake up! the topic is about NAT, not Filter =)

OIC!

:smiley:

The easiest way to remember it is to always think of a connection as 4 components: a src-ip, src-port, dst-ip, dst-port. No two separate connections will ever have the same components.

Besides this, in RouterOS (and other stateful router/firewalls), the router assumes that a packet with swapped src-*** and dst-*** is a return packet, and treats it as part of the original connection.
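The lookup order the thread describes (state table first, NAT rules only for packets that are not part of a tracked connection), as an added toy model that is not RouterOS code or code from anyone in this thread. The router, LAN and server addresses are constructed sample values, and the masquerade step is assumed to keep the client's source port unchanged; a real router may remap it on a conflict.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:                       # the 4 components (plus protocol) that identify a connection
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def reverse(p: Pkt) -> Pkt:
    """A packet with swapped src/dst is treated as the return packet of the original."""
    return Pkt(p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

class StatefulRouter:
    """Toy model: the state table is consulted first; NAT rules only see 'new' packets."""
    def __init__(self, wan_ip, lan_prefix, dst_nat):
        self.wan_ip, self.lan_prefix = wan_ip, lan_prefix
        self.dst_nat = dst_nat       # (proto, wan_port) -> (lan_ip, lan_port), the port forward
        self.conntrack = {}          # tuple as received -> tuple as sent, for the original direction

    def process(self, p: Pkt):
        """Return (connection state, packet as forwarded) or ('dropped', None)."""
        if p in self.conntrack:                        # more packets in the original direction
            return "established", self.conntrack[p]
        for orig, xlat in self.conntrack.items():      # reply direction: swap of the translated tuple
            if p == reverse(xlat):
                return "established", reverse(orig)    # un-NAT back to the real originator
        # Untracked: a 'new' connection, so NAT rules apply
        if p.src_ip.startswith(self.lan_prefix):       # outbound: masquerade behind the WAN IP
            out = replace(p, src_ip=self.wan_ip)
        else:                                          # inbound: only a matching dst-nat rule lets it in
            target = self.dst_nat.get((p.proto, p.dst_port))
            if target is None or p.dst_ip != self.wan_ip:
                return "dropped", None
            out = replace(p, dst_ip=target[0], dst_port=target[1])
        self.conntrack[p] = out
        return "new", out

def scenario():
    """The thread's case, with constructed sample addresses."""
    r = StatefulRouter("198.51.100.1", "192.168.1.", {("udp", 1234): ("192.168.1.10", 1234)})
    s1, _ = r.process(Pkt("udp", "192.168.1.20", 1234, "203.0.113.5", 53))     # client2 -> WAN server
    s2, reply = r.process(Pkt("udp", "203.0.113.5", 53, "198.51.100.1", 1234))  # server answers to :1234
    s3, fwd = r.process(Pkt("udp", "203.0.113.9", 53, "198.51.100.1", 1234))    # unsolicited, no state
    return s1, s2, reply.dst_ip, s3, fwd.dst_ip
```

`scenario()` shows the server's answer reaching client2 (192.168.1.20) through the established entry, while an unsolicited packet to the same WAN port has no state and is sent to the port-forward target (192.168.1.10).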