Recently I had an application where I needed to source-NAT time server packets in order to solve a 'server-ip-missmatch' issue, but found that those packets do not traverse the SRC-NAT chain. I investigated a little and found that the packets traverse mangle/postrouting, and after that the packet seems to disappear from the router. So I did a simple test:
Code:
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=no new-packet-mark=ntp passthrough=yes protocol=udp src-port=123
/ip firewall nat
add action=passthrough chain=srcnat disabled=no packet-mark=ntp
Code:
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=no new-packet-mark=ntp passthrough=yes
/ip firewall nat
add action=passthrough chain=srcnat disabled=no packet-mark=ntp
The out interface is bridged, but I've tried with 'use-ip-firewall' and without this option, and it's still the same case. Most of all I can't understand why packets traverse mangle/postrouting, but not nat/src-nat. According to the packet flow diagram, src-nat is right after mangle/postrouting in the same postrouting chain.
Could someone please give me a small explanation of what's happening?
P.S. Everything seems to be OK when the time server is external. I have this problem only when the time server is the MikroTik itself.