skbnet
just joined
Topic Author
Posts: 4
Joined: Fri Apr 24, 2009 2:00 pm

How to reject NATted (NAT) incoming packets on MikroTik

Wed Jan 06, 2010 3:19 pm

Dear all,

I want to know how, through IP firewall, we can reject any NATed packet coming in on a user interface. That is, if any user is using NAT at his end, how can MikroTik identify and reject those packets?

Thanks

Satish
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: How to reject NATted (NAT) incoming packets on MikroTik

Wed Jan 06, 2010 4:29 pm

Well, there's no precise way to determine whether a packet was NATted or not. You can look at the TTL matcher in Firewall Filter. For example, Windows' default TTL is 128, and after a router it becomes 127. For Linux, the default is 64, etc.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: How to reject NATted (NAT) incoming packets on MikroTik

Wed Jan 06, 2010 5:56 pm

And if what you're trying to do is keep customers from deploying routers, try setting the TTL for packets into the customer (not from the customer) to 1 in firewall mangle. Unless the customer has the knowledge and hardware to rewrite the TTL themselves, that will expire packets on the next hop - if that is a computer it will accept the packet, if it's a router it will discard it.
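The two suggestions in this thread (the TTL matcher for spotting an extra hop, and the mangle rule that sets TTL to 1 toward the customer) written out as RouterOS firewall rules. This is an added example, not configuration posted by anyone in the thread; `ether2-customers` is an assumed name for the customer-facing interface, and the TTL values are the Windows/Linux defaults mentioned above.

```routeros
# Added example, not from the thread. Assumes the customer-facing interface is
# named "ether2-customers"; adjust to your own interface.

# 1) Detection: log subscriber traffic arriving with a TTL exactly one below a
#    common OS default. A PC plugged in directly arrives with 128 (Windows) or
#    64 (Linux); 127 or 63 means one extra router hop, i.e. a NAT box, sits
#    between the PC and this interface. Log first, decide on drop after review.
/ip firewall filter
add chain=forward in-interface=ether2-customers ttl=equal:127 \
    action=log log-prefix="nat-suspect-win"
add chain=forward in-interface=ether2-customers ttl=equal:63 \
    action=log log-prefix="nat-suspect-linux"

# 2) Enforcement: set TTL=1 on packets going *to* the customer. A directly
#    attached computer accepts a TTL=1 packet; any router behind the customer
#    port decrements it to 0 and discards it instead of forwarding.
/ip firewall mangle
add chain=postrouting out-interface=ether2-customers action=change-ttl \
    new-ttl=set:1 passthrough=yes \
    comment="expire at the next hop beyond the subscriber device"

# Caveats raised later in the thread: a proxy answers with its own TTL, so the
# matcher above cannot see the hosts behind it, and a Linux router can rewrite
# TTL on the way out. Neither rule is conclusive on its own.
```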
 
skbnet
just joined
Topic Author
Posts: 4
Joined: Fri Apr 24, 2009 2:00 pm

Re: How to reject NATted (NAT) incoming packets on MikroTik

Thu Jan 07, 2010 12:26 pm

Thanks for the reply.

We are unable to identify NAT packets, because in the case of routers the TTL change is brand specific, and we are also unable to check whether there is any ICS on a Windows machine.
ICS is also a NAT.

So please help me

Thanks

Satish
 
netrat
Member
Posts: 402
Joined: Thu Jun 07, 2007 1:16 pm
Location: Virginia

Re: How to reject NATted (NAT) incoming packets on MikroTik

Thu Jan 07, 2010 3:23 pm

> Thanks for the reply.
>
> We are unable to identify NAT packets, because in the case of routers the TTL change is brand specific, and we are also unable to check whether there is any ICS on a Windows machine.
> ICS is also a NAT.
>
> So please help me
>
> Thanks
>
> Satish
If Windows ICS forwards a packet, the TTL should still be reduced by one. TTL is "always" decreased by one even if it's traversing NAT. Change the outgoing TTL for client traffic to 1.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: How to reject NATted (NAT) incoming packets on MikroTik

Thu Jan 07, 2010 8:42 pm

But TTL is not changed for proxied requests...
 
skbnet
just joined
Topic Author
Posts: 4
Joined: Fri Apr 24, 2009 2:00 pm

Re: How to reject NATted (NAT) incoming packets on MikroTik

Thu Jan 14, 2010 12:41 pm

Thanks, it is working fine with DSL and ICS, but can you also suggest something for the case where a client is using a Linux-based router or proxy,
because I am unable to block those proxies.

Thanks

Satish Bharadia
