PPPoE question: firewall and input chain

Hi Guys.

I’ve never really dealt with PPPoE and single IP addresses in MikroTiks. I’m normally setting them up with subnets and such.

So yesterday I configured a MikroTik connected to a Zyxel VDSL router in bridge mode using PPPoE. It all works fine.

However, the IP address obtained from the provider is put in the address list, as expected I guess. However, now all the traffic coming externally to the router is on the input chain. Normally I would be firewalling it on the forward chain.

Can someone tell me why this is, and if it’s expected?

Where is the traffic terminated? On the router? Or is it being forwarded to, say, LAN clients via NAT & connection tracking?

Should be NAT.

For example, I have a src nat for masquerade. If I block input chain port 80 dst, the LAN cannot access port 80. And vice versa when incoming traffic hits the router. I thought since there is masquerade, traffic flows through the router, so it would be a forward rule.

Are you using the proxy server?

Normal WAN<>LAN NATed traffic flows through the forward chain.
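
The input/forward split discussed in this thread, as an added RouterOS example that is not from any of the posts above: `input` rules cover packets addressed to the router itself (including the PPPoE-assigned address), while `forward` rules cover masqueraded LAN traffic passing through it. The interface names `pppoe-out1` and `bridge-lan` are assumptions; substitute the names on your router.

```routeros
/ip firewall filter
# --- input chain: packets whose destination is the router itself ---
# Replies to connections the router opened (DNS, NTP, updates).
add chain=input action=accept connection-state=established,related \
    comment="input: replies to router-originated traffic"
# Management and services offered to the LAN side.
add chain=input action=accept in-interface=bridge-lan \
    comment="input: LAN clients talking to the router"
# Unsolicited packets arriving on the PPPoE interface for the router's own
# address (WinBox, SSH, web UI, proxy, DNS resolver) are dropped here.
add chain=input action=drop in-interface=pppoe-out1 \
    comment="input: drop unsolicited WAN traffic to the router"

# --- forward chain: packets routed through the router ---
# Return traffic for masqueraded LAN connections is matched by connection
# tracking, so it is forwarded, not delivered to input.
add chain=forward action=accept connection-state=established,related \
    comment="forward: replies to LAN-originated traffic"
add chain=forward action=accept in-interface=bridge-lan out-interface=pppoe-out1 \
    comment="forward: LAN to internet"
# New WAN connections are forwarded only if a dst-nat (port forward) rule
# translated them; anything else from the WAN is dropped.
add chain=forward action=drop in-interface=pppoe-out1 connection-nat-state=!dstnat \
    comment="forward: drop WAN traffic that is not port-forwarded"

/ip firewall nat
# Source NAT for LAN clients leaving via the PPPoE session.
add chain=srcnat action=masquerade out-interface=pppoe-out1 \
    comment="masquerade LAN behind the PPPoE address"
```

Watching the per-rule packet counters in `/ip firewall filter print stats` while generating LAN web traffic shows which chain a given flow actually traverses.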