Then, I wonder what nat/mangle action=accept means?
I can understand the filter rule action=accept, but I can't understand the above action.
In the mangle wiki: accept - accept the packet. Packet is not passed to next firewall rule.
In the nat wiki: accept the packet. Packet is not passed to next NAT rule.
Could you tell me what it means, and when to use this action?
You use this to exclude some cases from NAT without having to use negated matches that are difficult to understand.
E.g. you want to NAT everything going to ether1 but not traffic to a certain network, e.g. because you use IPsec tunnels.
(unfortunately an IPsec tunnel does not create a virtual interface, so traffic sent on an IPsec tunnel over internet is classified as “to ether1”)
In this case you first put a NAT rule with the dst-address that you want to reach without NAT and action ACCEPT, then another
NAT rule like the default one (dst interface ether1 and MASQUERADE).
In this example, yes. The traffic for the IPsec tunnel matches the ACCEPT rule, so it does NOT pass to the
next line, where all the other traffic matches the MASQUERADE rule and gets NATted.
So you could obtain the same thing by adding a “not this destination network” option to the MASQUERADE rule.
However, people find that less intuitive and it is also not possible when there are multiple destination networks that
you do not want to NAT. In that case you can have multiple ACCEPT rules where each matches one destination.
I agree that ACCEPT is not an intuitive name for “do not NAT” but it really does the same thing as in a normal filter
rule (accept the packet and stop processing) so that is why it was chosen.
(not so much a MikroTik decision, it is the way it operates in the Linux system that is used inside these routers)
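The rule set described in the replies above (an ACCEPT rule per destination network you do not want to NAT, followed by the usual masquerade rule), written out as RouterOS commands. This is an added example, not taken from the original thread; the addresses, the interface name ether1 and the comments are assumptions chosen for illustration.

```routeros
# Added example (not from the original post): excluding traffic from NAT with action=accept.
# Assumed, constructed values:
#   192.168.10.0/24  LAN behind this router
#   192.168.20.0/24  remote LAN reached over an IPsec tunnel (no NAT wanted)
#   192.168.30.0/24  second remote LAN, also reached over IPsec (no NAT wanted)
#   ether1           WAN interface the IPsec packets also leave through
# NAT rules are evaluated top to bottom. accept is a terminating action, so a
# packet matching either accept rule never reaches the masquerade rule below it.
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    action=accept comment="no NAT towards IPsec site A"
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.30.0/24 \
    action=accept comment="no NAT towards IPsec site B"
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="default masquerade for everything else"

# Check: after sending traffic to both remote LANs and to the internet, the
# packet counters of the two accept rules should grow for tunnel traffic only,
# and the masquerade counter only for everything else.
/ip firewall nat print stats
```

Order matters: if a masquerade rule already exists, the accept rules must be added above it (use `place-before=` on `add`, or `move` them afterwards), otherwise the masquerade rule matches first and the exclusion never takes effect. Verifying with `print stats` is the quickest way to see which rule a given flow is hitting. This is the same first-match-wins behaviour the last reply refers to: in the Linux netfilter nat table that RouterOS builds on, a rule with target ACCEPT likewise ends traversal of that chain for the packet without translating it.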