monitoring incoming packets

Hi

I’m currently monitoring the responses received by my CCR1009 (v6.32.2) router from a remote device.

I set up two rules, one filter to simply log incoming packets and a second to dstNAT the incoming packet toward a local server.

/ip firewall filter
add chain=forward dst-port=50013 log=yes log-prefix=QoS-2 protocol=udp \
    src-address=213.XXX.XXX.XXX
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=50013 log=yes protocol=udp \
    src-address=213.XXX.XXX.XXX to-addresses=192.168.XXX.13 to-ports=50013

The first rule is currently at 11000 packets and the second at 23!

I don’t understand the origin of this discrepancy; shouldn’t the two rules handle an equal amount of packets?

I even created a prerouting mangle rule to log these incoming packets:

/ip firewall mangle
add action=log chain=prerouting dst-port=50013 log=yes log-prefix=QoS-2.1 \
    protocol=udp src-address=213.XXX.XXX.XXX

Again, this shows numerous incoming packets from the remote host.

When I look at the logged packets I see the following:

Jan 21 11:57:20 ROUTER QoS-2.1 prerouting: in:ether1 out:(none), src-mac 00:XX:XX:XX:XX:2b, proto UDP, 213.XXX.XXX.XXX:3586->94.XXX.XXX.XXX:50013, NAT 213.XXX.XXX.XXX:3586->(94.XXX.XXX.XXX:50013->192.168.XXX.13:50013), len 200

If I disable the dstNAT rule I obtain the following:

Jan 21 12:01:46 ROUTER QoS-2.1 prerouting: in:ether1 out:(none), src-mac 00:XX:XX:XX:XX:2b, proto UDP, 213.XXX.XXX.XXX:3615->94.XXX.XXX.XXX:50013, len 200

Any ideas?
Thanks
yann

NAT uses the connection state tracking table before it checks the srcnat/dstnat chains. If a packet comes along which matches an existing entry in the table, then it simply grinds the addresses per the table entry, and doesn’t parse the chains anymore.

So in practice, this means that your packet match counter is a count of how many connections have been made via this rule. (Like - how many trains passed through the station, not how many train cars)
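To make the "trains vs. train cars" point concrete, here is a small added model (not code from the thread or from RouterOS) of a packet path where the connection-tracking table is consulted before the dstnat chain. It assumes a single dst-nat rule keyed on protocol, source address and destination port, and uses constructed documentation-range addresses in place of the masked ones above.

```python
# Added example: model of conntrack-first NAT. Only the first packet of each new
# UDP "connection" (distinct 5-tuple) walks the dstnat chain and bumps the NAT
# rule counter; every packet is still seen by the forward-chain filter rule.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatSimulator:
    rule_src: str      # src-address= on both rules
    rule_dport: int    # dst-port= on both rules
    to_address: str    # to-addresses= on the dst-nat rule
    conntrack: dict = field(default_factory=dict)  # 5-tuple -> translated dst
    filter_hits: int = 0   # counter of the /ip firewall filter forward rule
    nat_hits: int = 0      # counter of the /ip firewall nat dstnat rule

    def _matches(self, pkt: Packet) -> bool:
        return pkt.proto == "udp" and pkt.src == self.rule_src and pkt.dport == self.rule_dport

    def process(self, pkt: Packet) -> str:
        """Return the destination address the packet is delivered to."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Existing entry: rewrite from the table, dstnat chain is skipped.
            new_dst = self.conntrack[key]
        else:
            # New connection: this is the only packet that traverses dstnat.
            new_dst = pkt.dst
            if self._matches(pkt):
                self.nat_hits += 1
                new_dst = self.to_address
            self.conntrack[key] = new_dst
        # The forward filter rule sees every packet (dst-port is unchanged by dst-nat).
        if self._matches(pkt):
            self.filter_hits += 1
        return new_dst

def simulate(flows: int, packets_per_flow: int) -> tuple:
    """Constructed traffic: `flows` distinct source ports, each sending several packets."""
    sim = NatSimulator("203.0.113.10", 50013, "192.168.1.13")  # constructed placeholders
    for i in range(flows):
        for _ in range(packets_per_flow):
            sim.process(Packet("udp", "203.0.113.10", 3586 + i, "198.51.100.5", 50013))
    return sim.filter_hits, sim.nat_hits
```

With 23 source ports sending 500 datagrams each, the filter counter reaches 11500 while the NAT counter stays at 23, which is the shape of the discrepancy in the original post.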

thanks