diego73
newbie
Topic Author
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

ip firewall nat and filter question

Tue Jun 22, 2021 8:45 pm

I have 2 conceptual questions.

1. What does ipsec-policy=out,none do, and what happens if I delete it? Does it affect VPN connections that use IPsec?
The line in question is:
/ip firewall nat action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

2. Are the rules in ip firewall filter processed in the order they appear, or first by chain? For example:
/ip firewall filter
1. add action=accept chain=input comment="rbMT" connection-state=established,related,untracked
2. add action=accept chain=forward comment="rbMT" ipsec-policy=out,ipsec
3. add action=drop chain=input comment="rbMT" connection-state=invalid
Are they processed 1,2,3 or 1,3,2?

Thanks
Last edited by diego73 on Wed Jun 23, 2021 11:31 pm, edited 1 time in total.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: ip firewall nat and filter question  [SOLVED]

Tue Jun 22, 2021 9:30 pm

1. It will make a difference only if you use plain IPsec with policies that involve not only the router's own addresses.

2. By chain. However, a single packet can't be processed by both the input and forward chains, so it will be either 1,3 or 2, but not 1,3,2.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ip firewall nat and filter question

Tue Jun 22, 2021 10:07 pm

You can mix rules (it is not mandatory that all input chain rules are listed together, etc.), but any IT person would recommend that you put like rules together, as it makes it much easier to read, configure and troubleshoot.
The standard appears to be to list all input chain rules first, then forward chain rules.

Rule order within a chain is critical in terms of how the router will process the packets.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ip firewall nat and filter question

Tue Jun 22, 2021 10:16 pm

And on the last line, drop all...
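To make the three answers above concrete (xvo: rules are walked per chain and a packet sees only one of input/forward; anav: order inside a chain is what matters; rextended: finish the chain with a drop), here is a small Python model of how one chain is evaluated. It is an added illustration, not RouterOS code and not posted by anyone in this thread. It also models the ipsec-policy matcher from question 1: ipsec-policy=out,none on the masquerade rule means packets that are about to be handled by an outbound IPsec policy are left untranslated, which is why the rule makes a difference only when tunnel-mode policies cover addresses other than the router's own. The Rule class, the evaluate helper and the packet dictionaries are constructed for the example; the filter rules are the three quoted in the question plus a trailing drop, and the NAT rule is the masquerade line from the question.

```python
"""Toy model of RouterOS firewall evaluation for the two questions in this thread.

Added illustration, not RouterOS code and not written by any poster here.
Packet dictionaries and helper names are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Rule:
    chain: str                                      # input / forward / srcnat
    action: str                                     # accept / drop / masquerade
    comment: str = ""
    connection_state: Optional[Set[str]] = None     # unspecified matcher = wildcard
    ipsec_policy: Optional[Tuple[str, str]] = None  # (direction, "ipsec" | "none")
    out_interface_list: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        """All matchers present on the rule must hold for the packet."""
        if self.connection_state is not None and pkt["connection_state"] not in self.connection_state:
            return False
        if self.ipsec_policy is not None:
            direction, kind = self.ipsec_policy
            # pkt["ipsec_policy"]: directions in which an IPsec policy applies to
            # this packet. "ipsec" matches when such a policy exists, "none" when not.
            has_policy = direction in pkt.get("ipsec_policy", set())
            if has_policy != (kind == "ipsec"):
                return False
        if self.out_interface_list is not None and pkt.get("out_interface_list") != self.out_interface_list:
            return False
        return True


def chain_for(pkt: dict) -> str:
    """Filter chain a packet traverses: input if it is addressed to the router
    itself, forward if it transits the router. A packet never sees both."""
    return "input" if pkt["to_router"] else "forward"


def consulted(rules, chain):
    """1-based positions of the rules that are even looked at for a chain."""
    return [i for i, r in enumerate(rules, start=1) if r.chain == chain]


def evaluate(rules, chain, pkt, default="accept"):
    """First matching rule of the chain, in listed order, decides.
    Returns (action, position), or (default, None) when nothing matched:
    RouterOS filter chains accept by default, srcnat leaves the packet untranslated."""
    for pos, rule in enumerate(rules, start=1):
        if rule.chain == chain and rule.matches(pkt):
            return rule.action, pos
    return default, None


# The rule set from the question, in its listed order, plus a final "drop all".
FILTER = [
    Rule("input", "accept", "rbMT", connection_state={"established", "related", "untracked"}),
    Rule("forward", "accept", "rbMT", ipsec_policy=("out", "ipsec")),
    Rule("input", "drop", "rbMT", connection_state={"invalid"}),
    Rule("input", "drop", "drop everything else"),
]

# Same rules with the catch-all drop placed first: the order inside the input
# chain changes, so the router's own established replies are now dropped.
FILTER_DROP_FIRST = [FILTER[3], FILTER[0], FILTER[1], FILTER[2]]

# Masquerade with and without the ipsec-policy=out,none matcher.
SRCNAT_WITH_MATCHER = [Rule("srcnat", "masquerade", ipsec_policy=("out", "none"), out_interface_list="WAN")]
SRCNAT_WITHOUT_MATCHER = [Rule("srcnat", "masquerade", out_interface_list="WAN")]

# Constructed packets.
REPLY_TO_ROUTER = {"to_router": True, "connection_state": "established"}
NEW_TO_ROUTER = {"to_router": True, "connection_state": "new"}
LAN_TO_TUNNEL = {"to_router": False, "connection_state": "new",
                 "ipsec_policy": {"out"}, "out_interface_list": "WAN"}
LAN_TO_INTERNET = {"to_router": False, "connection_state": "new",
                   "ipsec_policy": set(), "out_interface_list": "WAN"}


def filter_decision(rules, pkt):
    return evaluate(rules, chain_for(pkt), pkt)


def nat_decision(rules, pkt):
    return evaluate(rules, "srcnat", pkt, default="no-nat")


if __name__ == "__main__":
    print("input chain consults rules", consulted(FILTER, "input"))      # [1, 3, 4]
    print("forward chain consults rules", consulted(FILTER, "forward"))  # [2]
    for name, pkt in [("reply to router", REPLY_TO_ROUTER), ("new to router", NEW_TO_ROUTER),
                      ("LAN -> tunnel", LAN_TO_TUNNEL), ("LAN -> internet", LAN_TO_INTERNET)]:
        print(f"{name:16} filter={filter_decision(FILTER, pkt)}"
              f" drop-first={filter_decision(FILTER_DROP_FIRST, pkt)}")
    for name, pkt in [("LAN -> tunnel", LAN_TO_TUNNEL), ("LAN -> internet", LAN_TO_INTERNET)]:
        print(f"{name:16} nat with out,none={nat_decision(SRCNAT_WITH_MATCHER, pkt)}"
              f" without={nat_decision(SRCNAT_WITHOUT_MATCHER, pkt)}")
```

Running it shows the input chain consulting positions 1, 3 and 4 and the forward chain only position 2, an established reply to the router accepted by rule 1 in the listed order but dropped by the moved catch-all in the drop-first variant, and tunnel-bound LAN traffic left untranslated only when the masquerade rule carries ipsec-policy=out,none.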
 
diego73
newbie
Topic Author
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

Re: ip firewall nat and filter question

Tue Jun 22, 2021 10:43 pm

Maybe there is some relation between this and the problem described here?

viewtopic.php?f=13&t=176098
 
diego73
newbie
Topic Author
Posts: 26
Joined: Tue Feb 12, 2019 8:22 pm
Location: ciudad de buenos aires, argentina

Re: ip firewall nat and filter question

Wed Jun 23, 2021 11:32 pm

1. It will make a difference only if you use plain IPsec with policies that involve not only the router's own addresses.
Do you refer to policy routing and mangle? And what is that difference?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ip firewall nat and filter question

Wed Jun 23, 2021 11:53 pm

There is never a "better way" unless it's my way, of course!
Seriously, one is better off clearly stating the set of requirements based on use cases (what you want or don't want the users/devices to be able to do), without discussing the config details.
Then it will become crystal clear what set or mix of capabilities within the router need to be employed for an efficient design.
