WAN to bridge packet flow explanation

haj3s29a · July 20, 2020, 7:49pm

Hi,

I am trying to understand packet flow in my Chateau LTE12 router with RouterOS v7 beta8.

lte1 is WAN connection
bridge is (ether + wifi) but only one eth1 port is active…everything else is switched off.

Firewall for bridge is switched off.

From packet flow diagram, I am not sure how exactly works WAN <> bridge packet flow.

What I understand so far

Internet > PREROUTING (lte1) > INPUT (lte1) > FORWARD (lte1) > bridge DST-NAT > bridge FORWARD > bridge SRC-NAT > PREROUTING (eth1) > INPUT (eth1)

eth1 > FORWARD (eth1) > bridge OUTPUT > bridge SRC-NAT > PREROUTING (lte1) > INPUT (lte1) > OUTPUT (lte1) > Internet

Could someone confirm/explain for me whether I understood packet flow correctly or not, please?

Regards

Hajes

Sob · July 20, 2020, 8:25pm

You did find the right documentation, but that’s about it, the rest didn’t go well. If you’re interested in routing between interfaces, trick is to skip the big scary diagram at the beginning and go directly to much simpler diagram for routing:

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow#Routing_Diagram

Starting point for incoming traffic is (I).

And don’t worry about bridge, in this case it’s just another interface and doesn’t do anything special. For routing, it’s just bridge as interface, it “hides” its ports, so even though eth1 is used as physical port, routing doesn’t see it.

haj3s29a · July 20, 2020, 9:49pm

Thanks for reply.

Looking at routing diagram mentioned above by. Packets should flow as follows:

Internet > PREROUTING (lte1) > FORWARD (lte1)> POSTROUTING (lte1) > PREROUTING (eth1) > FORWARD (eth1) > my PC

my PC > PREROUTING (eth1) > FORWARD (eth1) > POSTROUTING (eth1) > PREROUTING (lte1) > FORWARD (lte1) > POSTROUTING (lte1) > Internet

did I get it finally, please?

Sob · July 20, 2020, 11:05pm

You’re getting closer, but prerouting->forward->postrouting happens only once. In more detail:

your PC sends packet to router
router receives packet on eth1 (but because it’s part of bridge, routing sees bridge as incoming interface)
packet is processed in prerouting (in-interface=bridge, out-interface=unknown)
if it’s first packet of connection, you can use dstnat to change destination address (you probably won’t be doing it for this direction)
router desides where to send the packet based on destination address
it it’s for router itself, it goes to input
if not, it goes to forward (in-interface=bridge, out-interface=lte1)
last is postrouting (in-interface=bridge, out-interface=lte1)
if it’s first packet of connection, you can use srcnat to change source address (for this direction you’ll use it for main NAT)
router sends packet out via lte1

The other directions is same, just swap interfaces.

haj3s29a · July 21, 2020, 4:37pm

thanks guys

I noticed in documentation about routing cache aka FIB/RIB.

Does that mean only first packet goes full route (as mentioned above by) and RELATED, ESTABLISHED packets go as following:

Internet > RIB/FIB cache > forward