Workflow of dstnat

Hi,

I'm following those two documentation pages

to understand the workflow of a packet that has been "port forwarded" like

/ip firewall nat add \
chain=dstnat protocol=tcp port=3389 in-interface=ether1 \
action=dst-nat to-address=192.168.88.254

Based on the above diagram, this rule is processed in 10: nat (dstnat) prerouting, then the packet continues to

11 Routing lookup

12 dst addr=self ?

I guess the daddr has been changed thanks to action=dst-nat and the answer is now NO,
then it is redirected to

13 mangle forward

14 filter forward

and HERE what is the connection-state now ?
Because I don't have a specific rule here that allow this connection.

But I do have

chain=forward action=accept connection-state=established,related,untracked

so does that mean that 10: nat (dstnat) prerouting sets connection-state to established or related ???

Thanks.

The first packet of the connection (for example for TCP it would be the SYN packet) will have connection-state=new until it reaches #9 or #27. Which means at #14 connection-state=new still applies.

Subsequent packets, in both directions, including the packet sent in response to that first packet (for the TCP example it would be the packet with SYN ACK), and any further packets with the same pairs of addresses & ports (for UDP or TCP) as source/destination or destination/source will have connection-state=established.

@CGGXANNX’s explanation is correct. What’s missing but would also be helpful is that

connection-nat-state=dstnat

is set when the packet is processed by the dst-nat rule.
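Putting the two answers together, the forward chain needs a rule that accepts the first (connection-state=new) packet of a dst-nat'ed connection, which can be matched on connection-nat-state=dstnat. The following is an added example of such a rule set, not configuration posted in this thread; it assumes ether1 is the WAN interface and reuses the 192.168.88.254 target from the question.

```routeros
# dst-nat rule from the question (to-addresses is the full parameter name,
# dst-port narrows the match to the forwarded service only)
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.88.254 \
    comment="forward RDP to 192.168.88.254"

# forward chain: rule order matters, first match wins
/ip firewall filter
# 1. packets of already tracked connections (SYN-ACK and everything after)
add chain=forward action=accept \
    connection-state=established,related,untracked \
    comment="accept established/related/untracked"
# 2. drop packets conntrack cannot associate with a valid connection
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"
# 3. the SYN of a port-forwarded connection is still connection-state=new
#    at step 14, but dstnat prerouting has set connection-nat-state=dstnat
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1 \
    comment="accept new connections that were dst-nat'ed"
# 4. any other new connection arriving from the WAN is dropped
add chain=forward action=drop connection-state=new in-interface=ether1 \
    comment="drop all other new from WAN"
```

Without rule 3 the SYN is dropped by rule 4 and the forward never completes; rule 3 must sit above rule 4 because the filter chain stops at the first matching terminal action.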

Thanks @CGGXANNX & @lurker888

:folded_hands: