Packet flow, NAT, filter...confused !

I got one situation that makes me confused. I’m using RouterOS 5.24
According to the traffic flow diagram on the MikroTik Wiki, a packet destined to MT goes first into the INPUT chain (Mangle Input → Filter Input) and then into the Prerouting chain if the interface is not bridged. Here is a simplified example of the conflicting situation:

I got this rule in Filter Input chain:

chain=input action=drop protocol=tcp dst-address=1.1.1.1 dst-port=22

where 1.1.1.1 is “public” address on my interface.

If the input interface is not bridged, the packet goes to the Prerouting interface and then into the Destination NAT chain, where I have this rule:

chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=22 protocol=tcp dst-address=1.1.1.1 dst-port=22

The problem is that the filter rule should block every packet on port 22, because the Filter Input chain is before Destination NAT. After I disable the rule in the Dest. NAT chain, the filter rule “captures” the packet, that is, it blocks the packet on port 22.

Why is this happening?


mIRO

Packets destined for router itself go through chains in this order:

  1. Mangle, prerouting
  2. NAT, dstnat
  3. Mangle, input
  4. Filter, input

When in 2) you forward the port elsewhere, packets continue to the Forward chain instead of Input.
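To make the chain order in this answer concrete, here is an added Python model of the path a packet takes (example code, not from the thread and not RouterOS itself). It walks one TCP packet to 1.1.1.1:22 through dstnat, the routing decision, and then either the input or the forward filter chain. The rules are constructed to mirror the two from the first post; the third, a forward-chain drop on 192.168.1.2:22, is an assumption showing where the forwarded SSH traffic can actually be filtered. The matcher is simplified to exact matches on protocol, dst-address and dst-port, and the mangle chains are left out because they do not change the verdict here.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed: the router's own addresses. The routing decision sends packets
# for these to the input chain; everything else goes to forward.
LOCAL_ADDRESSES = {"1.1.1.1", "192.168.1.1"}


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str            # "dstnat", "input" or "forward"
    action: str           # "drop", "accept" or "dst-nat"
    proto: str
    dst: str
    dport: int
    to_addr: Optional[str] = None   # dst-nat only
    to_port: Optional[int] = None   # dst-nat only

    def matches(self, pkt: Packet) -> bool:
        # Simplified matcher: exact match on protocol, dst-address and dst-port.
        return (pkt.proto, pkt.dst, pkt.dport) == (self.proto, self.dst, self.dport)


def first_match(chain: str, rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are evaluated top to bottom; the first matching rule in a chain wins."""
    for r in rules:
        if r.chain == chain and r.matches(pkt):
            return r
    return None


def process(pkt: Packet, rules: List[Rule]) -> Tuple[List[str], str, Packet]:
    """Walk one packet through dstnat -> routing decision -> input/forward.

    Returns (chains visited, final verdict, packet as the filter chain sees it).
    """
    trace = ["dstnat"]
    nat = first_match("dstnat", rules, pkt)
    if nat is not None and nat.action == "dst-nat":
        # dst-nat rewrites the destination *before* the routing decision,
        # so the filter chains never see the original 1.1.1.1:22.
        pkt = replace(pkt, dst=nat.to_addr, dport=nat.to_port)

    # Routing decision: local destination -> input, anything else -> forward.
    chain = "input" if pkt.dst in LOCAL_ADDRESSES else "forward"
    trace.append(chain)
    hit = first_match(chain, rules, pkt)
    verdict = hit.action if hit is not None else "accept"   # default policy: accept
    return trace, verdict, pkt


# Constructed rules mirroring the two in the first post.
INPUT_DROP = Rule("input", "drop", "tcp", "1.1.1.1", 22)
DSTNAT_SSH = Rule("dstnat", "dst-nat", "tcp", "1.1.1.1", 22,
                  to_addr="192.168.1.2", to_port=22)
# Assumed: the chain where the forwarded SSH traffic can actually be dropped.
FORWARD_DROP = Rule("forward", "drop", "tcp", "192.168.1.2", 22)

SSH_TO_ROUTER = Packet("tcp", "1.1.1.1", 22)


def scenario(rules: List[Rule]) -> Tuple[List[str], str, str]:
    """Run the SSH packet against a rule set; returns (trace, verdict, final dst)."""
    trace, verdict, final = process(SSH_TO_ROUTER, rules)
    return trace, verdict, f"{final.dst}:{final.dport}"


if __name__ == "__main__":
    print("dst-nat enabled :", scenario([INPUT_DROP, DSTNAT_SSH]))
    print("dst-nat disabled:", scenario([INPUT_DROP]))
    print("forward drop    :", scenario([INPUT_DROP, DSTNAT_SSH, FORWARD_DROP]))
```

With the dst-nat rule present the packet reaches the forward chain as 192.168.1.2:22 and the input drop never fires; with it disabled the same packet lands in input and is dropped, which is exactly the behaviour the first post observed.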

You’re right.
On the traffic flow diagram I mixed up “INPUT INTERFACE” with the Input chain :frowning:

INPUT INTERFACE → no bridge → Prerouting (Mangle, Dst. NAT) → Routing Decision → Input (Mangle Input, Filter Input)


Thanks Sob :wink: