Hi Guys.

I've never really dealt with ppoe and single ip addresses in mikrotiks. I'm normally setting them up with subnets and such.

So yesterday I configured a Mikrotik connected to a zyxel vdsl router in bridge mode using ppoe. It all works fine.

However, the IP address obtained from the provider is put in the address list, as expected I guess. However, now all the traffic coming externally to the router is on the input chain. Normally I would be fire walling it on the forward chain.

Can someone tell me why this is, and if it's expected?

Where is the traffic terminated? On the router? Or is it being forwarded to say LAN clients via NAT & connection tracking?

Should be nat.

For example, I have a src nat for masquerade. If I block input chan port 80 dst, the lan cannot access port 80. And viceversa when incoming traffic hits the router. I thought since there is masquerade, traffic flows through the router, so it would be a forward rule.

Are you using the proxy server?

Normal WAN<>LAN NATed traffic flows through the forward chain.