Traffic flow: why packet does not traverse SRC-NAT

Hello to all,

Recently I had an application that I needed to source NAT time server packets in order to solve a ‘server-ip-missmatch’ issue, but found that those packets do not traverse the SRC-NAT chain. I’ve investigated a little bit and found that packets are traversing mangle/postrouting and after that the packet seems to disappear from the router. So I did a simple test:

/ip firewall mangle
add action=mark-packet chain=prerouting disabled=no new-packet-mark=ntp passthrough=yes protocol=udp src-port=123
/ip firewall nat
add action=passthrough chain=srcnat disabled=no packet-mark=ntp

0 packets traverse the SRC-NAT chain. Then I did even this:

/ip firewall mangle
add action=mark-packet chain=prerouting disabled=no new-packet-mark=ntp passthrough=yes
/ip firewall nat
add action=passthrough chain=srcnat disabled=no packet-mark=ntp

Only a few packets pass the SRC-NAT chain, and after doing logging I’ve found that only packets with a broadcast destination address traverse SRC-NAT.
The out interface is bridged, but I’ve tried with ‘use-ip-firewall’ and without this option and it is still the same case. Most of all I can’t understand why packets traverse mangle/postrouting, but not nat/src-nat? According to the packet flow diagram, src-nat is right after mangle/postrouting in the same postrouting chain.
Could someone please give me a small explanation of what’s happening?

P.S. Everything seems to be ok when the time server is external. I have this problem only when the time server is the Mikrotik itself.

You have passthrough=yes on the mark-routing rule. Are there any other mark-routing rules below it? If there are they could be overwriting the mark.

Hi,

Thanks for replying. No. I’ve created this rule just for testing, so it’s the only rule for packet marking. I’m experiencing the same issue even if the mangle/postrouting rule action is just passthrough.

After some more tests I see that packets traverse like this (I’ve used action ‘log’, no packet marking):

Mangle Out (bridge interface) → Filter Out (bridge interface) → Mangle Postrouting (bridge interface) → Bridge Out (eth3) → Bridge Snat (eth3)

This is completely different from what you can see in the packet flow diagram. Obviously I do not get the main idea :frowning:

At last I took a clean RouterOS machine, set up the NTP time server there and made some tests with packet logging on every possible chain without using any bridges. The situation is the same. Packets do not traverse the snat chain if I query the NTP server from a local computer. The same situation is with ping packets to the router. The snat chain is not traversed. When the router forwards NTP or ping packets then everything’s ok. Could anyone please explain this? Maybe Mikrotik guys can answer this? This is a little bit confusing when you look at the packet flow diagram and see that a packet can’t escape the postrouting chain once it has entered it, but in this case mangle postrouting is traversed, but not nat snat :frowning:

Ok, I’ve found an answer. The funny thing is that the answer was in the iptables manual :slight_smile:

alphalt, I’m having the exact same problem. Could you explain your finding from the iptables manual?

Thanks.

Hi,

Read this: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES
Remember that ESTABLISHED packets bypass the SNAT and DNAT chains. From chapter 7:
All connection tracking is handled in the PREROUTING chain, except locally generated packets which are handled in the OUTPUT chain. What this means is that iptables will do all recalculation of states and so on within the PREROUTING chain. If we send the initial packet in a stream, the state gets set to NEW within the OUTPUT chain, and when we receive a return packet, the state gets changed in the PREROUTING chain to ESTABLISHED, and so on. If the first packet is not originated by ourself, the NEW state is set within the PREROUTING chain of course. So, all state changes and calculations are done within the PREROUTING and OUTPUT chains of the nat table.
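To make the quoted rule concrete, here is a small added simulation (not from the thread, not RouterOS or iptables code) of how connection tracking gates the nat table. It models the two cases from the thread: a LAN client querying NTP on the router itself, and a LAN client querying an external NTP server through the router. Addresses, port numbers and the chain names are constructed for the example; srcnat address rewriting is not modelled, which matches the thread's action=passthrough rule that only counts packets.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 1918 / RFC 5737 ranges), not from the thread.
ROUTER_IP = "192.168.88.1"
LAN_CLIENT = "192.168.88.10"
EXTERNAL_NTP = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_key(self):
        # The same flow seen from the other side.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class Conntrack:
    """Minimal connection tracker: remembers the 5-tuple of the first packet
    of every connection. A packet matching a stored tuple in either direction
    is ESTABLISHED; anything else is NEW and creates an entry."""

    def __init__(self):
        self.entries = set()

    def state(self, pkt):
        if pkt.key() in self.entries or pkt.reply_key() in self.entries:
            return "ESTABLISHED"
        self.entries.add(pkt.key())
        return "NEW"


def traverse(pkt, conntrack, locally_generated=False, local_ip=ROUTER_IP):
    """Return (state, chains seen). mangle and filter chains see every packet;
    the nat chains (dstnat, output, srcnat) are consulted only when conntrack
    classified this packet as NEW, i.e. the first packet of a connection."""
    chains = []
    if locally_generated:
        # Locally generated packets get their state decided in OUTPUT.
        state = conntrack.state(pkt)
        chains.append("mangle/output")
        if state == "NEW":
            chains.append("nat/output")
        chains.append("filter/output")
    else:
        # Incoming packets get their state decided in PREROUTING.
        state = conntrack.state(pkt)
        chains.append("mangle/prerouting")
        if state == "NEW":
            chains.append("nat/dstnat")
        if pkt.dst == local_ip:  # routing decision: destined to the router itself
            chains += ["mangle/input", "filter/input"]
            return state, chains  # delivered locally; no postrouting at all
        chains += ["mangle/forward", "filter/forward"]
    chains.append("mangle/postrouting")
    if state == "NEW":
        chains.append("nat/srcnat")
    return state, chains


def ntp_to_router():
    """LAN client queries the router's own NTP server; the router answers."""
    ct = Conntrack()
    request = Packet("udp", LAN_CLIENT, 50123, ROUTER_IP, 123)
    reply = Packet("udp", ROUTER_IP, 123, LAN_CLIENT, 50123)
    return {
        "request": traverse(request, ct),
        "reply": traverse(reply, ct, locally_generated=True),
    }


def ntp_through_router():
    """LAN client queries an external NTP server; the router forwards both ways."""
    ct = Conntrack()
    request = Packet("udp", LAN_CLIENT, 50123, EXTERNAL_NTP, 123)
    reply = Packet("udp", EXTERNAL_NTP, 123, LAN_CLIENT, 50123)
    return {
        "request": traverse(request, ct),
        "reply": traverse(reply, ct),
    }


if __name__ == "__main__":
    for name, run in (("NTP on router", ntp_to_router), ("NTP forwarded", ntp_through_router)):
        for direction, (state, chains) in run().items():
            print(f"{name:14} {direction:8} {state:12} {' -> '.join(chains)}")
```

The router's NTP reply is classified ESTABLISHED in OUTPUT because the client's request already created the conntrack entry in PREROUTING, so it walks mangle/postrouting but never nat/srcnat, exactly what the thread observed. Only the forwarded request, the first packet of a NEW connection, reaches nat/srcnat; the external server's reply is ESTABLISHED and skips it too. Broadcast packets are the exception the original poster saw because conntrack does not track them, so every one counts as NEW.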

alphalt, I’m still not understanding this. Any chance you could post the code you used to make it work?