How are the firewall chains traversed?

This started as a discussion in another thread that got very off-topic, so I am starting a new topic about it instead.

That’s interesting. I thought RouterOS was using netfilter/iptables internally to do packet filtering and thus should be traversing chains the same way. So that is not true then? Has Mikrotik written their own packet filtering engine?

On Linux all DNATing is done in the PREROUTING chain BEFORE the routing decision is made, and SNATing is done AFTER the routing decision has been made, and therefore it never makes any difference whether you add SNAT or DNAT rules first.

When and how are SNAT and DNAT being done on ROS then, if you are saying that it actually DOES matter on ROS?

Can you give me an example of a config that gives different results depending on whether you have the SNAT or the DNAT rules at the top of the NAT rules list?

Anyone else that can confirm this?

Each chain is traversed independently from top to bottom. DNAT is done in the prerouting chain, which is processed before any routing decision is made, while SNAT is done in the postrouting chain. So the order you add rules in is only significant within a specific chain. Whether you add the SNAT rules first and then the DNAT rules, or first add all DNAT rules and then the SNAT rules, really shouldn’t matter.

The DNAT rules will always be processed first anyway as they are processed by the prerouting chain.

Ref: > http://www.faqs.org/docs/iptables/trave > … ables.html
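To make the traversal described above concrete, here is an added example (not from this thread or from RouterOS/netfilter itself) that models the nat table as two separately walked, first-match chains with a routing decision in between. The addresses, interface names and rules are constructed for illustration only.

```python
# Toy model of nat-table traversal: prerouting (DNAT) -> routing -> postrouting (SNAT).
# Constructed example; addresses and interface names are made up.
from dataclasses import dataclass, replace
from typing import Callable, List

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    out_if: str = ""        # filled in by the routing decision

@dataclass
class Rule:
    chain: str               # "prerouting" (DNAT) or "postrouting" (SNAT)
    match: Callable[[Packet], bool]
    action: Callable[[Packet], Packet]

def walk_chain(rules: List[Rule], chain: str, pkt: Packet) -> Packet:
    """Walk one chain top to bottom; the first matching rule ends the walk."""
    for r in rules:
        if r.chain == chain and r.match(pkt):
            return r.action(pkt)
    return pkt

def route(pkt: Packet) -> Packet:
    """Toy routing decision made between the two chains (uses the DNATed dst)."""
    return replace(pkt, out_if="lan" if pkt.dst.startswith("192.168.") else "wan")

def traverse(rules: List[Rule], pkt: Packet) -> Packet:
    pkt = walk_chain(rules, "prerouting", pkt)    # DNAT happens before routing
    pkt = route(pkt)
    return walk_chain(rules, "postrouting", pkt)  # SNAT happens after routing

# Constructed rules: a port-80 DNAT, a catch-all DNAT, and a masquerade-style SNAT.
dnat_web = Rule("prerouting", lambda p: p.dst == "203.0.113.10" and p.dport == 80,
                lambda p: replace(p, dst="192.168.1.10"))
dnat_all = Rule("prerouting", lambda p: p.dst == "203.0.113.10",
                lambda p: replace(p, dst="192.168.1.20"))
snat_wan = Rule("postrouting", lambda p: p.out_if == "wan",
                lambda p: replace(p, src="203.0.113.10"))

def cross_chain_order_irrelevant() -> bool:
    """SNAT-before-DNAT vs DNAT-before-SNAT in the rule list gives the same result."""
    inbound = Packet(src="198.51.100.5", dst="203.0.113.10", dport=80)
    a = traverse([snat_wan, dnat_web], inbound)
    b = traverse([dnat_web, snat_wan], inbound)
    return a == b and a.dst == "192.168.1.10"

def within_chain_order_matters() -> tuple:
    """Swapping two DNAT rules inside prerouting changes which one wins."""
    inbound = Packet(src="198.51.100.5", dst="203.0.113.10", dport=80)
    return (traverse([dnat_web, dnat_all, snat_wan], inbound).dst,
            traverse([dnat_all, dnat_web, snat_wan], inbound).dst)

def outbound_is_snatted() -> Packet:
    """Outbound traffic is only SNATed once routing has chosen the wan interface."""
    return traverse([dnat_web, snat_wan], Packet(src="192.168.1.10", dst="198.51.100.5", dport=443))
```

Running the three functions shows the point of the thread: the first returns True, the second returns two different internal addresses, and the third packet leaves with the public source address only because routing picked the wan side first.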

The above IS correct. It does not matter which order you put DNAT / SNAT rules into MT; what matters is the order of the rules WITHIN each chain.

I suspect that mudasir put rules in his MT in a specific order (the DNAT / SNAT) and experienced the lag between when the rules were put in and when the MT box actually implemented them… I have a few thousand MT RBs, and the order of putting in DNAT / SNAT does not matter, only the order within the chain (DNAT / SNAT).

R/

Thom

Thanks for confirming what I thought.

Do you also know whether ROS is actually using the Linux kernel’s built-in netfilter code to do the packet filtering/NATing, or whether they have implemented their own engine?