In the Firewall/NAT tab I saw two chains. Input and Output. I read up on Mikrotik’s website to see what it was all about, but their explanation is vague to me. So I decided to ask here. Please someone to explain with an example for both Input and Output. Where are these two chains used? Thanks, and sorry if this topic has been covered before, but I couldn’t find anything.
The common three chains are:
Input: Packets that are destined to the router itself. For example your packets to a Winbox or terminal session; or someone pinging you.
Output: Packets that originate from the router itself. For example the packets that Winbox generates back to you; or responses to the pings mentioned above.
Forward: Packets that pass through the router, but are going to some other device. For example, packets to and from your PC while surfing the Internet.
Note that in many configurations, there are no Output chain rules (usually not needed). Also note that there may be other chains that are added for use with Jump commands.
[quote=wfburton post_id=1044419 time=1703609268 user_id=215408]
If you don’t need anything specific you can just use action, input, accept to allow everything.
[/quote]
Actually, at the end of any chain in the router, there is an implied accept. In other words, if there are no rules in a chain, that chain will accept every packet.
One general rule of thumb is to specify what you want to accept and then add a drop everything rule at the end of every chain. For example:
[code]
add action=drop chain=input comment="Drop all Input chain packets that make it this far"
and
add action=drop chain=forward comment="Drop any forward packets that get this far"
[/code]
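A fuller version of that pattern, added here as an example (it is not k6ccc's own config): accept what is needed in each chain, then let the drop rule at the end catch everything else. The interface lists LAN and WAN are assumed to exist, as in the MikroTik default configuration.

```routeros
/ip firewall filter
# input chain: packets addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked comment="replies to connections the router already knows about"
add chain=input action=drop connection-state=invalid comment="drop packets with a broken connection state"
add chain=input action=accept protocol=icmp comment="ping and other ICMP"
add chain=input action=accept in-interface-list=LAN comment="management (Winbox, SSH, DNS) only from the LAN side"
add chain=input action=drop comment="Drop all Input chain packets that make it this far"
# forward chain: packets passing through the router to some other device
add chain=forward action=accept connection-state=established,related,untracked comment="replies to known connections"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN clients out to the Internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="only traffic explicitly port-forwarded with dst-nat may come in from WAN"
add chain=forward action=drop comment="Drop any forward packets that get this far"
# no output chain rules: as noted above, they are usually not needed
```

Check the counters with /ip firewall filter print stats: the two drop rules should be the ones catching unsolicited WAN traffic, while the LAN accept rules carry your own sessions.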
I am not talking about Filter Rules. Please see attachment.
[quote=wfburton post_id=1044419 time=1703609268 user_id=215408]
If you don’t need anything specific you can just use action, input, accept to allow everything.
[/quote]
Very bad advice… just saying shut it…
To be specific, allowing all connections from the internet to your device is reckless.
Mikrotik provides a safe default setup that is basically plug into ether1 for your WAN Connection and any devices into ports 3-5 etc… and you will have internet access and be all on the same internal LAN.
Once, as the useful post above by k6cccc stated, you start making changes to the config, it's better to go from a concept of allow everything and block a few things (minimal security) to drop everything at the end and, prior to that, only allow the traffic required (keeping most of the default rules in place).
Output chain is rarely used and typically it would be for a case where you need traffic to the router on a particular WAN to go out the same WAN (a multi-WAN scenario where that specific WAN is not the primary WAN for outgoing internet traffic and mangling is involved).
I don't assume anything and took what you said at face value.
If you don’t need anything specific you can just use action, input, accept to allow everything.
As for services, you won't find anyone on this forum that leaves all those services open and running, at least the insecure ones anyway.
It's nice to add that you are actually behind another router (not the MT) after the fact, but that is being disingenuous in terms of giving bad advice so freely and still a piss poor security practice.
Good thing, but sometimes people then make the mistake of putting their own router in DMZ which is then wide open, hopefully not the case here.
We know the theory behind input/output; give us an e.g. for that, so we can see it.
Read post #2. I gave examples of each.
I guess the question is about NAT chains in particular; the new NAT manual says the following about them:
Since RouterOS v7 the firewall NAT has two new INPUT and OUTPUT chains which are traversed for packets delivered to and sent from applications running on the local machine:
input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router’s addresses. Packets passing through the router are not processed against the rules of the input chain.
output - used to process packets that originated from the router and leave it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.
Without further explanation we can only guess what they are good for. My guess is that they are useful if the router can't determine the correct WAN IP for its own traffic (e.g. because upstream routes a whole subnet towards the router using the router's address as gateway … and the routed subnet is then used for NAT purposes (for downstream clients)). These two NAT chains allow the router itself to use some configured address for its own use without actually setting that address on some (loopback?) interface.
Thanks for the very clear distinction/clarification of the topic, I had no idea! Yes, some practical uses of these new non chain flows would be quite interesting.
It’s for doing src/dstnat with the router’s own traffic. It wasn’t available in old versions. When it’s forwarded traffic, you have:
prerouting/dstnat → forward → postrouting/srcnat
But for the router’s own traffic (to/from router) you have:
prerouting/dstnat → input
output → postrouting/srcnat
So you couldn’t do dstnat for outgoing connections (send it somewhere else) or srcnat for incoming connections (set different source). With these two chains you can.
Some examples: http://forum.mikrotik.com/t/dstnat-in-output-chain/104694/16
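As an added illustration of that point (not Sob's config, and not taken from the linked thread): a dst-nat rule for the router's own outgoing connections has to sit in the output chain, because that is the only NAT chain such packets pass through before postrouting/srcnat. The resolver address 192.0.2.53 and the WAN interface list are assumed values.

```routeros
/ip firewall nat
# Forwarded traffic (LAN clients) uses the classic pair of chains:
#   prerouting/dstnat -> forward -> postrouting/srcnat
add chain=srcnat action=masquerade out-interface-list=WAN comment="src-nat for LAN clients going out"
# The router's own connections go output -> postrouting/srcnat, so they never
# see the dstnat chain. Since v7 the output chain can rewrite their destination:
# here every DNS query the router itself sends is steered to one trusted resolver,
# whatever server a script, DHCP or /ip dns may have configured.
add chain=output action=dst-nat protocol=udp dst-port=53 dst-address=!192.0.2.53 to-addresses=192.0.2.53 comment="router's own DNS lookups -> 192.0.2.53"
add chain=output action=dst-nat protocol=tcp dst-port=53 dst-address=!192.0.2.53 to-addresses=192.0.2.53 comment="same for DNS over TCP"
# To see the rule working, trigger a lookup from the router and watch the counters:
#   :resolve example.com
#   /ip firewall nat print stats
```

Incoming connections to the router take prerouting/dstnat -> input, so the mirror case Sob mentions (giving them a different source) belongs in the input chain, not in the srcnat chain.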
Thanks @Sob
Beautiful example, much more clear.