Hello,

I have a question after reading Wiki and forum topics on "incoming-filter" and "outgoing-filter" parameters in PPP profiles. As I understand, there is no way to jump to custom filter chains other than insert filter rule with "jump" actions either in "forward" chain or "ppp" chain. In both cases we have to use at least one condition to differ connections made with different PPP profiles.

The question is: what's the use for "incoming-filter" and "outgoing-filter"? These parameters seems to affect nothing. If I use it without "jump" rules PPP traffic evades custom filter chains; if I use "jump" rules traffic passes custom filter chains regardless of these parameters.

Or maybe I misunderstand something?

Best regards,
Kirill

You must jump to the chain dynamically created by the ppp incoming filter through a default chain...
For example : I manually jump from an input chain to the Dynamic chain ppp created by the incoming filter
Then the rule will filter only what comes from the l2tp vpn interface and will jump to the test chain i made
For instance lets drop the ICMP coming through the l2tp interface
Not needed here but anyways...

Not working well. Jumping "all ppp" interface to ppp chain means all new connections from other ppp connections that are not using filter will jump too to ppp chain.
Adding return would fix this problem but ... any new dynamically added jump-target=test will be added as a last rule in the list, always under the return rule and so will never work.
Am I missing something?

The incoming/outgoing filter options have been present in RouterOS for some time, and do have limitations. The newer interface list or address list options may be more suitable - when set in a PPP profile these add the interface name or address respectively to a list which can be used as desired in existing or new firewall chains.

Am I missing something?

While @tdw is right as usually, you may be missing one point - that the "jump" actually always means "call", i.e. if you use action=jump jump-target=called in chain=calling and no rule in chain=called matches the packet, the processing continues by the next rule in chain=calling even if you don't use any action=return rule in chain=called. The purpose of action=return is to skip the rest of chain=called for matching packets.