
Firewall filter affecting NATed public IP?

Posted: Fri May 03, 2013 6:55 pm
by sjwrick
I have filters that block 25 to my input chain.

If I have a public IP dst-nated to an internal private IP, does the filter on my input chain affect that traffic?

i.e.

On my router:

/ip address
add address=x.x.x.x/24 comment="Public IP - for cust" interface=WAN
add address=y.y.y.1/30 comment="Private IP for cust" interface=LAN1

/ip firewall nat
add action=dst-nat chain=dstnat comment="Nat pub to priv" dst-address=x.x.x.x to-addresses=y.y.y.2
add action=src-nat chain=srcnat comment="Nat priv to Pub" out-interface=WAN src-address=y.y.y.2 to-addresses=x.x.x.x

/ip firewall filter
add action=drop chain=input comment="block port 25" dst-port=25 protocol=tcp

Re: Firewall filter affecting NATed public IP?

Posted: Fri May 03, 2013 10:13 pm
by cbrown
Look at this to understand the packet flow in RouterOS.

http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Re: Firewall filter affecting NATed public IP?

Posted: Fri May 03, 2013 10:44 pm
by CelticComms
If I have a public IP dst-nated to an internal private IP, does the filter on my input chain affect that traffic?
No. The input chain affects traffic to the router. The traffic you describe will be affected by the forward chain and the DST NAT occurs before the forward chain is entered.
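
Added example, not part of the thread: filter rules that apply the port 25 block to the NATed host as well as to the router, following the answer above. It reuses the post's placeholder addresses (x.x.x.x public, y.y.y.2 private); the rule comments and the outbound rule are assumptions about what the poster wants blocked.

```routeros
# Placeholders from the original post: x.x.x.x = public IP, y.y.y.2 = private host.
/ip firewall filter

# Existing rule from the post. It only sees packets whose destination is the
# router itself. Traffic to x.x.x.x is dst-nated to y.y.y.2 before the routing
# decision, so it is forwarded and never enters the input chain.
add action=drop chain=input comment="block port 25 to router" \
    dst-port=25 protocol=tcp

# Inbound SMTP to the NATed host. dst-nat has already rewritten the destination
# when the forward chain runs, so match the private address, not x.x.x.x.
add action=drop chain=forward comment="block port 25 to NATed host" \
    dst-address=y.y.y.2 dst-port=25 protocol=tcp

# Outbound SMTP from the NATed host (assumed to be wanted as well). src-nat is
# applied after the forward chain, so the source is still the private address.
add action=drop chain=forward comment="block port 25 from NATed host" \
    src-address=y.y.y.2 dst-port=25 protocol=tcp

# Rules are evaluated top to bottom: these drops must sit above any accept rule
# in the forward chain that would match the same traffic.
# To confirm which rule is matching, watch the packet counters:
#   /ip firewall filter print stats
```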