azurtem
Trainer
Topic Author
Posts: 217
Joined: Mon May 16, 2011 5:35 pm
Location: Nice, France

monitoring incoming packets

Thu Jan 21, 2016 12:42 pm

Hi

I'm currently monitoring the responses received by my CCR1009 (v6.32.2) router from a remote device.

I set up two rules, one filter to simply log incoming packets and a second to dstNAT the incoming packet toward a local server.
/ip firewall filter
add chain=forward dst-port=50013 log=yes log-prefix=QoS-2 protocol=udp \
    src-address=213.XXX.XXX.XXX
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=50013 log=yes protocol=udp \
    src-address=213.XXX.XXX.XXX to-addresses=192.168.XXX.13 to-ports=50013
The first rule is currently at 11000 packets and the second at 23!

I don't understand the origin of this discrepancy; shouldn't the two rules handle an equal number of packets?

I even created a prerouting mangle rule to log these incoming packets:
/ip firewall mangle
add action=log chain=prerouting dst-port=50013 log=yes log-prefix=QoS-2.1 \
    protocol=udp src-address=213.XXX.XXX.XXX
Again, this shows numerous incoming packets from the remote host.

When I look at the logged packets I see the following:
Jan 21 11:57:20 ROUTER QoS-2.1 prerouting: in:ether1 out:(none), src-mac 00:XX:XX:XX:XX:2b, proto UDP, 213.XXX.XXX.XXX:3586->94.XXX.XXX.XXX:50013, NAT 213.XXX.XXX.XXX:3586->(94.XXX.XXX.XXX:50013->192.168.XXX.13:50013), len 200
If I disable the dstNAT rule I obtain the following:
Jan 21 12:01:46 ROUTER QoS-2.1 prerouting: in:ether1 out:(none), src-mac 00:XX:XX:XX:XX:2b, proto UDP, 213.XXX.XXX.XXX:3615->94.XXX.XXX.XXX:50013, len 200
Any ideas?
thanks
yann
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: monitoring incoming packets

Thu Jan 21, 2016 8:02 pm

NAT uses the connection state tracking table before it checks the srcnat/dstnat chains. If a packet comes along which matches an existing entry in the table, then it simply grinds the addresses per the table entry, and doesn't parse the chains anymore.

So in practice, this means that your packet match counter is a count of how many connections have been made via this rule. (Like - how many trains passed through the station, not how many train cars)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
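
Added example, not part of any post in this thread: a small Python model of the behaviour described in the reply above, which reads log lines in the format quoted in the question and counts packets (what the filter and mangle counters show) against new connection-tracking entries (what the dstnat counter shows). The sample log, the addresses in it, the year and the 180-second idle timeout are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the RouterOS firewall log format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ \w+: .*?proto (?P<proto>\w+), "
    r"(?P<src>[^\s,]+?):(?P<sport>\d+)->(?P<dst>[^\s,]+?):(?P<dport>\d+),"
)

def count_packets_and_connections(lines, idle_timeout=timedelta(seconds=180)):
    """Return (packets, new_connections) for the logged lines.

    packets         ~ what a filter/mangle rule counter shows
    new_connections ~ what the dstnat rule counter shows
    idle_timeout is an assumed value; use the router's conntrack UDP timeout.
    """
    last_seen = {}  # flow 5-tuple -> time of its last packet (toy conntrack table)
    packets = new_connections = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Log lines carry no year; 2016 is assumed so the timestamps parse.
        ts = datetime.strptime("2016 " + m["ts"], "%Y %b %d %H:%M:%S")
        flow = (m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        packets += 1
        prev = last_seen.get(flow)
        if prev is None or ts - prev > idle_timeout:
            new_connections += 1  # no live entry: this packet walks the dstnat chain
        last_seen[flow] = ts
    return packets, new_connections

# Constructed sample log (documentation addresses, not the poster's data).
_FMT = ("Jan 21 {t} ROUTER QoS-2.1 prerouting: in:ether1 out:(none), "
        "src-mac 00:00:5e:00:53:2b, proto UDP, "
        "203.0.113.7:{p}->198.51.100.1:50013, {nat}len 200")
_NAT = "NAT 203.0.113.7:{p}->(198.51.100.1:50013->192.168.88.13:50013), "
SAMPLE_LOG = [
    _FMT.format(t=t, p=p, nat=_NAT.format(p=p) if nat else "")
    for t, p, nat in [
        ("11:57:20", 3586, True), ("11:57:21", 3586, True), ("11:57:22", 3586, True),
        ("12:01:46", 3615, False), ("12:01:47", 3615, False),
        ("12:10:00", 3615, False),  # idle > 180 s: entry expired, counts again
    ]
]

if __name__ == "__main__":
    print(count_packets_and_connections(SAMPLE_LOG))  # (6, 3)
```

A new source port or an expired entry is what increments the second number, which is why a steady UDP stream from one host can produce thousands of filter hits and only a handful of NAT hits.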
 
azurtem
Trainer
Topic Author
Posts: 217
Joined: Mon May 16, 2011 5:35 pm
Location: Nice, France

Re: monitoring incoming packets

Fri Jan 22, 2016 10:13 am

thanks
