Hello all
Please help me to understand the packet flow scenario in case of NAT.
local host 192.168.0.10/24
router LAN is 192.168.0.1/24
router WAN 100.100.100.100/30
router has the NAT rule “chain=srcnat in-interface-list=LAN src-action=src-nat to-addresses=100.100.100.100 out-interface=WAN”
host attempting to access remote host 200.200.200.200
As I see it by the packet flow diagram (https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6):
- First packet from the host goes to the I point, then in the prerouting chain this new connection obtains some internal connection ID at the conntrack facility. Packet src-address = 192.168.0.10 and dst-address = 200.200.200.200;
- The dst-nat facility of prerouting changes the src-address to 100.100.100.100 and puts the connection ID into some internal NAT table (to determine that it needs SNAT on the way back). The packet becomes src-address=100.100.100.100 and dst-address=200.200.200.200;
- The packet comes to the routing decision and passes to the FORWARD chain, because it has no src- or dst-address of this router. After that, postrouting, and it leaves the router;
- The reply packet comes to the router from WAN. src-address is 200.200.200.200 and dst-address is 100.100.100.100. In the same way it goes to the I point, then prerouting;
- The conntrack facility finds that it is the same connection as the first packet and puts it into the same connection ID;
- The dst-nat facility finds this conntrack ID and now this packet should be src-nated.
Does it happen at the dst-nat facility, and then the packet goes to the OUTPUT chain, or somehow (how?) does it go to the FORWARD chain and get SNAT in the src-nat chain of postrouting? Or some other order?
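As an added illustration (not part of the original post, and not RouterOS code), here is a small Python model of connection-tracked source NAT for the topology above. It follows the generic netfilter-style order that the MikroTik packet flow diagram also shows: conntrack classifies the packet in prerouting, the srcnat rule is consulted in postrouting for the first packet of a connection only, and the reply is matched to the entry's reply tuple and un-translated on the destination side in prerouting, before the routing decision. Addresses, ports and the `LAN`/`WAN` interface names are constructed sample values; ports are kept unchanged (no port remapping on collision), which is the simplest case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample topology taken from the post.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
ROUTER_LAN_IP = "192.168.0.1"
ROUTER_WAN_IP = "100.100.100.100"

Tuple4 = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str  # "LAN" or "WAN" (constructed interface-list names)

    def tuple4(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class ConnEntry:
    conn_id: int
    original: Tuple4          # as first seen in prerouting, before any NAT
    reply: Tuple4             # what a reply must look like to hit this entry
    nat_src: Optional[str] = None  # translated source once srcnat was applied


class NatRouter:
    """Minimal model: prerouting (conntrack + reverse NAT) -> routing -> postrouting (srcnat)."""

    def __init__(self) -> None:
        # Both the original and the reply tuple index the same entry.
        self.conntrack: Dict[Tuple4, ConnEntry] = {}
        self.next_id = 1
        self.trace: List[str] = []

    def _prerouting(self, pkt: Packet) -> Tuple[ConnEntry, bool]:
        key = pkt.tuple4()
        entry = self.conntrack.get(key)
        if entry is None:
            # New connection: reply tuple is the mirror of the original tuple.
            entry = ConnEntry(self.next_id, key, (pkt.dst, pkt.dport, pkt.src, pkt.sport))
            self.next_id += 1
            self.conntrack[entry.original] = entry
            self.conntrack[entry.reply] = entry
            self.trace.append(f"prerouting: new connection {entry.conn_id}")
            return entry, True
        is_original = key == entry.original
        if not is_original and entry.nat_src is not None:
            # Reply to a src-nated connection: the destination is rewritten back to the
            # LAN host here, so the routing decision already sees 192.168.0.10 and the
            # packet ends up in FORWARD rather than INPUT.
            pkt.dst, pkt.dport = entry.original[0], entry.original[1]
            self.trace.append(f"prerouting: reply on conn {entry.conn_id}, dst -> {pkt.dst}")
        return entry, is_original

    def _routing_decision(self, pkt: Packet) -> str:
        if pkt.dst in (ROUTER_LAN_IP, ROUTER_WAN_IP):
            return "INPUT"
        return "LAN" if ipaddress.ip_address(pkt.dst) in LAN_NET else "WAN"

    def _postrouting(self, pkt: Packet, entry: ConnEntry, is_original: bool, out_iface: str) -> None:
        if not is_original:
            return  # nothing to do for the reply direction
        if entry.nat_src is None:
            # srcnat chain: evaluated only for the first packet of the connection.
            if pkt.in_iface == "LAN" and out_iface == "WAN":
                entry.nat_src = ROUTER_WAN_IP
                # Re-key the reply tuple so replies addressed to the WAN IP match.
                del self.conntrack[entry.reply]
                entry.reply = (entry.original[2], entry.original[3], ROUTER_WAN_IP, entry.original[1])
                self.conntrack[entry.reply] = entry
                self.trace.append(f"postrouting: srcnat conn {entry.conn_id} src -> {ROUTER_WAN_IP}")
        if entry.nat_src is not None:
            pkt.src = entry.nat_src  # later packets reuse the stored mapping

    def process(self, pkt: Packet) -> Tuple[str, Packet]:
        """Returns (INPUT | LAN | WAN, translated packet)."""
        entry, is_original = self._prerouting(pkt)
        out = self._routing_decision(pkt)
        if out == "INPUT":
            self.trace.append("input: addressed to the router itself")
            return out, pkt
        self.trace.append(f"forward: {pkt.in_iface} -> {out}")
        self._postrouting(pkt, entry, is_original, out)
        return out, pkt


if __name__ == "__main__":
    r = NatRouter()
    print(r.process(Packet("192.168.0.10", 40000, "200.200.200.200", 80, "LAN")))
    print(r.process(Packet("200.200.200.200", 80, "100.100.100.100", 40000, "WAN")))
    print("\n".join(r.trace))
```

Running it shows the first packet leaving via WAN with src 100.100.100.100 (translated in postrouting), and the reply arriving with dst 100.100.100.100, being rewritten to 192.168.0.10 in prerouting, and therefore taking the FORWARD path to LAN. A packet to 100.100.100.100 with no matching conntrack entry is not rewritten and goes to INPUT instead.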