IP Firewall Stats

lz1dsb · July 22, 2016, 8:55am

I noticed recently that when I use the following command:

ip firewall filter print stats

it counts only the first packet (and bytes) in the session. Is that an expected behavior?
I’m running RouterOS 6.35.1

mrz · July 22, 2016, 9:03am

First packet of what? What rules you have exactly?

lz1dsb · July 22, 2016, 10:28am

/ip firewall filter
add chain=forward comment="!!!!ICMP Tests!!!!" dst-address=<dst-address> protocol=icmp src-address=<src-address>

This is the particular rule in question. I would like to count the ICMP packets through the Mikrotik router.
So I start an ICMP session with 10 pings, only 1 packet is counted and the amount of bytes are the amount of bytes of the packet.
I start another ICMP session with 10 more pings, another packet is counted and the byte counter also increases with the size of the single ICMP packet. And so on… I tested it several times.

Regards,
Boyan

pe1chl · July 22, 2016, 11:27am

It is probably not your only rule.
You likely have an “accept established/related” rule which accepts all traffic related to existing sessions (including this “ping session”).

lz1dsb · July 22, 2016, 1:19pm

Yes, that is correct.
So does that mean I have to disable all the other rules in the forward chain?
I read about IP Accounting feature in Router OS, but it seems to me it’s not very granular. I cannot set it to just count particular traffic…

ZeroByte · July 22, 2016, 1:35pm

If you want to add a rule specifically to count packets of a certain type, then you don’t need to delete other rules - just move your rule to the top of the chain (or at least before any other rule which matches the packets). If you only want to count packets without making policy decisions, use action=passthrough. Suppose you want to count dns packets, but have some rate limit rules later on, and don’t want to just accept all or drop all with your counting rule - using the passthrough action lets your rule count all packets, and passes through so that the rate limit rules still get to process the packets normally.

The key thing to remember is that technically, the firewall rules don’t count PACKETS… they count how many times the rules MATCH packets. (and how many bytes of data those packets total up to)