Is it possible to provide dst-nat action in prerouting chain?

Hello,

by Packet flow document https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS, there is information that DST-NAT is included in PREROUTING chain and that prerouting chain is available in nat tables.

What I tried was based on layer7 protocol: mark the connection, based on this mark all packets, and process a specific dst-nat rule with the marked packets, since I found information that I can’t process dst-nat with layer7 filtering because only part of the packet takes place.

However, dst-nat rules in the dstnat chain are processed before prerouting rules. I don’t see any possibility to set the prerouting chain in winbox for dst-nat.
What I tried:

/ip firewall mangle add action=mark-connection chain=prerouting dst-port=80 layer7-protocol=MY_FILTER new-connection-mark=my_conn_mark passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-packet chain=prerouting connection-mark=my_conn_mark dst-port=80 new-packet-mark=my_packet_mark passthrough=no protocol=tcp
/ip firewall nat add action=dst-nat chain=prerouting dst-port=80 packet-mark=my_packet_mark protocol=tcp to-addresses=<some_internal_ip> to-ports=80

but without success.
Note: counters for connection and packet marking were increasing, so I suppose they worked.

Any help is appreciated.
Thanks.

Assuming you are matching on a domain/url, I would use connection marking instead of packet marking.

This because not every packet contains that domain/url.

That is impossible!
Layer 7 protocol matching takes place on transported data, which is only available after the connection has been established.
But dst-nat has to be done BEFORE the connection is established, as it changes the destination of the connection.
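As an added illustration of this ordering problem (a constructed model, not RouterOS code and not from any poster in this thread): the toy packet flow below keeps per-connection state the way connection tracking does, fixes the dst-nat decision on the first packet of a connection, and only lets the layer7 matcher see payload bytes. The addresses, the `Host:` pattern standing in for MY_FILTER, and the function names are all assumptions made for the example.

```python
"""Toy model of the RouterOS-style packet flow from the thread: mangle
prerouting (layer7 -> connection mark -> packet mark) followed by a dst-nat
decision that is taken once per connection.  Constructed illustration only."""
import re
from dataclasses import dataclass, field

# Constructed addresses; the original post used <some_internal_ip>.
PUBLIC_DST = "203.0.113.10"
INTERNAL_DST = "10.0.0.80"
# Stands in for the MY_FILTER layer7 protocol: only matches on payload bytes.
L7_PATTERN = re.compile(rb"Host: my-filter\.example")


@dataclass
class Packet:
    conn_id: int
    dst: str
    payload: bytes = b""  # an empty payload models a bare TCP SYN


@dataclass
class ConnTrack:
    """Per-connection state: the connection mark and the recorded NAT target."""
    conn_mark: dict = field(default_factory=dict)
    nat_dst: dict = field(default_factory=dict)


def mangle_prerouting(pkt, ct):
    """Rules 1 and 2 from the post: mark the connection when layer7 matches,
    then give every packet of a marked connection the packet mark."""
    if L7_PATTERN.search(pkt.payload):
        ct.conn_mark[pkt.conn_id] = "my_conn_mark"
    if ct.conn_mark.get(pkt.conn_id) == "my_conn_mark":
        return "my_packet_mark"
    return None


def nat_dstnat(pkt, packet_mark, ct, match_on_mark):
    """dst-nat is evaluated on the first packet of a connection only; later
    packets reuse whatever connection tracking recorded for that connection."""
    if pkt.conn_id in ct.nat_dst:
        return ct.nat_dst[pkt.conn_id]
    if match_on_mark:
        hit = packet_mark == "my_packet_mark"   # rule 3 from the post
    else:
        hit = pkt.dst == PUBLIC_DST              # a plain address/port match
    ct.nat_dst[pkt.conn_id] = INTERNAL_DST if hit else pkt.dst
    return ct.nat_dst[pkt.conn_id]


def run_flow(packets, match_on_mark):
    """Push packets through mangle then nat; return (packet_mark, final dst)
    per packet so the marking counters and the NAT outcome can be compared."""
    ct = ConnTrack()
    result = []
    for pkt in packets:
        mark = mangle_prerouting(pkt, ct)
        dst = nat_dstnat(pkt, mark, ct, match_on_mark)
        result.append((mark, dst))
    return result


def sample_connection():
    """Constructed connection: a SYN with no payload, then the HTTP request
    that carries the Host header the layer7 matcher is looking for."""
    return [
        Packet(1, PUBLIC_DST),
        Packet(1, PUBLIC_DST, b"GET / HTTP/1.1\r\nHost: my-filter.example\r\n"),
    ]


if __name__ == "__main__":
    print("dst-nat keyed on layer7 mark:", run_flow(sample_connection(), True))
    print("dst-nat keyed on address:   ", run_flow(sample_connection(), False))
```

With the mark-driven rule the second packet does get `my_packet_mark` (which is why the mangle counters in the post kept increasing), but the destination stays the public address because the NAT decision was already fixed on the SYN, which carried nothing for layer7 to match. With a plain address match the SYN itself hits the rule and every later packet follows it.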

hello ipavlik

What I tried was based on layer7 protocol: mark the connection, based on this mark all packets, and process a specific dst-nat rule with the marked packets, since I found information that I can’t process dst-nat with layer7 filtering because only part of the packet takes place.

I think you are abusing the nat function with layer 7 filters. That won’t do.

Yes, you can make some packet or connection classifiers on prerouting/dst-nat, but layer 7 content matchers need the packet or connection flow to pass through them to do their job.

You can make some classifiers on prerouting,
but for layer 7 or content matchers you should put the rules at least on the input chain. The forward chain can be considered too late for packet inspection.

Hope this helps.