JUMP TO DNAT FROM PREROUTING

Dear sirs,

I am trying to convert firewall rules from a working CentOS hotspot server (not related to
Mikrotik’s hotspots). I have many years of experience with firewall rules, linux and sys administration
but clearly I am not as bright as I think I am.

I am running a small RB750 in default setup, version 5.6

As an example only, I have one chain under NAT called DNAT with one rule that says to dnat anything that comes
to that rule destined for port 80 to be redirected to 64.57.176.23 port 80.

Then under mangle I have one rule in chain prerouting that says to jump to chain DNAT for any packet with src:0.0.0.0/0 and dst:0.0.0.0/0 with proto tcp and dst port 80.

This second rule remains in red, telling me there is an error. It would be useful if error
messages were available that were explicit. The DNAT rule was created first, and the prerouting
rule created second.

Anyhow, any help would be appreciated.

Homer W. Smith
CEO Lightlink.com

Filter, NAT and Mangle are three distinct facilities of /ip firewall.
You cannot jump from a chain in Mangle to a chain outside of Mangle.

As andriys writes - you cannot jump from one facility's chain to another facility.

You can check the packet flow diagram to see where packets have to go to reach your intended destination. Meanwhile you have to process them where they are (add a mark or something) so that you know these are special packets when they reach the NAT facility.

http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

OK, the above packet flow diagram shows that mangle exists under both prerouting and postrouting.

How then do I create a rule under prerouting (where I wanted it in the first place) without using
mangle to get to prerouting?

I need a rule in prerouting to target a unique DNAT rule, linux iptables can do this, so
I presume that Mikrotik can also.

For example:

"If src=10.0.0.0/0:80 then jump to DNAT 64.57.176.23:80"

How do I do this?
Thanks for your time.

Homer W. Smith
CEO Lightlink Internet

This might be a bit outdated. You wrote that you use 5.6 at the moment, so please refer to the following diagram: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow. And if you decide to upgrade to 6.x, use the following diagram as a reference: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6.

“Destination NAT” is a part of Prerouting. It is the next functional block that packets enter after the “Mangle Prerouting”. I think what you need is to create your JUMP rule in “/ip firewall nat”.
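As an added example (not configuration posted by anyone in this thread), this is what the two rules look like when both live in /ip firewall nat, so the jump stays inside one facility. The portal address 64.57.176.23:80 is the one from the question; the client interface ether2 and the client range 10.0.0.0/8 are assumptions.

```routeros
# Added example, not from the thread. Both the custom chain and the jump to it
# sit in /ip firewall nat; a jump from mangle into nat is rejected by RouterOS.
# Assumptions: hotspot clients arrive on ether2 from 10.0.0.0/8.
/ip firewall nat

# The custom chain "DNAT" is created implicitly by the first rule that uses it.
# It rewrites any TCP/80 packet that reaches it to the portal at 64.57.176.23:80.
add chain=DNAT protocol=tcp dst-port=80 action=dst-nat to-addresses=64.57.176.23 to-ports=80 comment="redirect HTTP to the portal"

# The jump goes in the built-in dstnat chain, which is the "Destination NAT"
# block of prerouting that follows mangle prerouting in the packet flow.
# Match only client traffic so nothing arriving on other interfaces is diverted.
add chain=dstnat in-interface=ether2 src-address=10.0.0.0/8 protocol=tcp dst-port=80 action=jump jump-target=DNAT comment="client HTTP -> DNAT chain"

# Check: neither rule should show as invalid, and the counters of both
# should increase when a client opens a plain HTTP page.
/ip firewall nat print stats
```

Remove the old jump rule from /ip firewall mangle afterwards, otherwise it stays listed as invalid even though the NAT rules now do the work.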