The ‘input’ chain is for packets destined for the router itself. http://wiki.mikrotik.com/wiki/Firewall_filter#Chains
Since the packets are flowing through the router and not terminated on the router itself, the ‘input’ rules do not count packets. You should be seeing packet counts increase in the ‘forward’ chain.
The NAT rule counts up when a new flow is established, afterward state is kept and the translation is performed for each packet in the flow. Since VPN tunnels use the same flow for all encapsulated packets, you’d see the rule count increase by one when a tunnel is established but not while the tunnel is up.
input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router’s addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
Packets between networks the router connects will not be in the ‘input’ chain, they will be in the ‘forward’ chain.
Another quick question regarding IPSEC behind the router: As I said, it works fine, but it takes longer than normal for the tunnel to start working. Connected directly to the Internet connection, the VPN server starts working after a couple seconds. Going through the router, it takes about 10 seconds to start working.
Not a big deal, but I would like to find out why this happens…
Protocol 50 is being dst-nat, and it is actually being used as indicated by torch, but it always shows 0 packets in NAT. Shouldn’t it at least increment at the initial connection like udp 500 does?