erore2
just joined
Topic Author
Posts: 3
Joined: Fri Jan 03, 2020 3:33 pm

firewall vs nat packet flow

Fri Jan 03, 2020 3:41 pm

What is the proper way to execute firewall rules before NAT? I am just a beginner, but from what I found, NATted packets do not enter the firewall at all. But what if I want to run a set of rules on ALL traffic entering the device through a particular eth port, regardless of what happens to it afterwards? A good example would be a blacklist. I have seen the scripts, e.g. https://github.com/pwlgrzs/Mikrotik-Blacklist or https://www.marthur.com/networking/mikr ... ewall/388/, but if it is really true that packets to be NATted do not go through any of the chains, those examples are not very good ones.

One option would be to do it via firewall>raw, but I have never really encountered this, so I don't know its downsides.

Can anyone help out (especially to solve the problem of, say, a blacklist properly)?
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: firewall vs nat packet flow

Fri Jan 03, 2020 6:12 pm

A. The "RAW" part of the firewall inspects packets which enter the firewall or leave it but are originated by the router: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw

B. NAT is done before routing and the firewall, so you have to inspect the proper addresses in firewall rules, e.g. if you DST-NATted a packet to an internal device, then its header has the pair ORIGINALSRCIP:DSTNATTEDIP instead of ORIGINALSRCIP:ORIGINALDSTIP. If you also do SRC-NAT, then you should match SRCNATTEDIP:DSTNATTEDIP addresses.

Check this: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
 
erore2
just joined
Topic Author
Posts: 3
Joined: Fri Jan 03, 2020 3:33 pm

Re: firewall vs nat packet flow

Fri Jan 03, 2020 6:47 pm

ad A/ I probably misunderstand everything, but the wiki says: "Firewall RAW ... is very useful for DOS attack mitigation" and "There are two predefined chains in RAW tables: prerouting - used to process any packet entering the router", but you say RAW is any packet originated by the router (and just to make sure, by router I understand the RouterOS device itself, not some virtual distinction between router and firewall, that is, those are packets that come through some physical port).

ad B/ You say "NAT is done before routing and firewall", so how can I inspect the "proper addresses" in the firewall if it is bypassed?

I consult those packet flow diagrams often but rarely understand them fully these days; they became too convoluted. The problem is that they completely miss the NAT flow.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: firewall vs nat packet flow

Fri Jan 03, 2020 7:59 pm

Is this one not clear?

[Image: packet-flow diagram]
 
erore2
just joined
Topic Author
Posts: 3
Joined: Fri Jan 03, 2020 3:33 pm

Re: firewall vs nat packet flow

Fri Jan 03, 2020 9:00 pm

Wonderful, where did you get this one? Isn't this the one they (MikroTik) originally had on their wiki?

But according to this, raw happens before NAT and can be used to do blocklists. Or not?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: firewall vs nat packet flow

Sat Jan 04, 2020 4:32 pm

Perhaps the issue is the word filter? If the word was Firewall, would that make the diagram clearer?
Raw is technically considered more efficient for discarding packets, but Raw has no discrimination, and one can block way more than intended by mucking about in this area.

In any case, as Bartosz has stated, in the general sense: NAT, ROUTE, FIREWALL. So in the case of port forwarding, where one needs to translate packets........
One creates a dst-nat rule that translates the packets, and then the translated packets pass by the firewall rule.

It's done a bit differently on MikroTik compared to other products.
MikroTik does the bulk of the work in the NAT rule: a. the translation, b. the specifics of where the traffic is heading (which server), etc., and the FIREWALL RULE is a generic "let all dst-nat packets identified in the NAT RULE go by the firewall".
On my older Zyxel devices it was the opposite. The NAT rule was generic, in that it forwarded traffic coming in on the desired port and translated it, and then the firewall rule ensured the traffic was allowed further and sent it to the right server.

In common, both handled NAT first and then applied the firewall rules.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: firewall vs nat packet flow

Sat Jan 04, 2020 5:56 pm

erore2 wrote:
> Wonderful, where did you get this one? Isn't this the one they (MikroTik) originally had on their wiki?
>
> But according to this, raw happens before NAT and can be used to do blocklists. Or not?

There are *a lot* of very interesting presentations that are shared during the MUM meetings. Some of them are really localized and I cannot understand them, but many others are in English.
This screenshot was taken from one of them; I can't recall exactly which one at the moment.

https://mum.mikrotik.com/archive

It might be interesting to browse through the hundreds of interesting PDFs etc. that might shine some interesting light on a certain subject, or how others deal with it.
 
alphahawk
Member Candidate
Posts: 101
Joined: Fri Mar 28, 2008 6:40 pm

Re: firewall vs nat packet flow

Thu Jan 09, 2020 9:00 pm

BartoszP wrote:
> A. The "RAW" part of the firewall inspects packets which enter the firewall or leave it but are originated by the router: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw
>
> B. NAT is done before routing and the firewall, so you have to inspect the proper addresses in firewall rules, e.g. if you DST-NATted a packet to an internal device, then its header has the pair ORIGINALSRCIP:DSTNATTEDIP instead of ORIGINALSRCIP:ORIGINALDSTIP. If you also do SRC-NAT, then you should match SRCNATTEDIP:DSTNATTEDIP addresses.
>
> Check this: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

If I understand correctly, if I have a port forward and want to check it against the firewall filter, I would use forward as the chain with dst-address as the internal address?

Thanks
Alphahawk
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: firewall vs nat packet flow

Thu Jan 09, 2020 11:39 pm

NATed traffic does go through the firewall. In the default config there is a rule that accepts Dst-NATed packets.

If you want more control, change or remove this rule.
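The placement the thread keeps circling around, as an added example (not a ruleset from the thread, from MikroTik's default configuration, or from either linked blacklist script): a blocklist enforced in the RAW prerouting chain, which RouterOS evaluates before connection tracking and before dst-nat, so it sees every packet entering the router with its original addresses; next to it, the filter rule for a forwarded port, which runs after dst-nat and therefore matches the translated internal address, as alphahawk asked. The list name "blocklist", the WAN port "ether1", the internal host and the sample network are assumptions.

```routeros
# Added example, not from this thread or from MikroTik's defaults.
# RAW runs before conntrack and before dst-nat, so a source listed here is
# dropped regardless of what NAT would later do with the packet.
# "blocklist", "ether1", 198.51.100.0/24 and 192.168.88.10 are assumptions.

/ip firewall address-list
add list=blocklist address=198.51.100.0/24 comment="constructed sample entry"

/ip firewall raw
# matched here, the packet never reaches nat, conntrack or the filter chains
add chain=prerouting in-interface=ether1 src-address-list=blocklist \
    action=drop comment="blocklist, evaluated before NAT"

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 comment="constructed port forward"

/ip firewall filter
# filter runs after dst-nat, so the forwarded service is matched on its
# translated (internal) destination, not on the router's public address
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    dst-address=192.168.88.10 protocol=tcp dst-port=443 action=accept

# rule counters show where a packet was handled: a listed source increments
# the raw rule and never reaches the filter rule
/ip firewall raw print stats
/ip firewall filter print stats
```

Because RAW drops happen before connection tracking, a RAW rule has no connection-state to work with; anav's caution above applies, and a too-broad match there also discards legitimate return traffic that the filter chains would have recognised as established.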
 
PackElend
Member Candidate
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: firewall vs nat packet flow

Mon May 02, 2022 9:47 pm

Could anyone add where Torch listens?
It clearly says that:
"Traffic that appears in torch is before it has been filtered by a Firewall. This means you will be able to see packets that might get dropped by your Firewall rules."
Does it mean just after "Input Interface", or before Input-Filter, Output-Filter or Forward-Filter?

Moreover, does Torch show the translated IPs in the case of NAT?
I'm wondering what I see in the destination column for incoming traffic, and I don't want to drive myself nuts thinking about whether
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=combo1
is working correctly (by "Show NAT translation table - MikroTik" it looks like it does work correctly).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: firewall vs nat packet flow

Tue May 03, 2022 3:33 pm

@erore2 Don't waste your time with YouTube bloatware firewall rules.
Simply drop all traffic at the end of the input chain and forward chain, and only add traffic that is allowed.
A clean, clear firewall is optimal. If your config is complex, having a KISS firewall setup will permit adjustments and aid troubleshooting.
A messy, disorganized, bloated firewall will cause you grief, lost hair, unhappy customers or unhappy family members.
 
PackElend
Member Candidate
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: firewall vs nat packet flow

Sun May 14, 2023 10:15 am

Hi there,
it has been a while.
I'm reviewing my firewall rules and have some hiccups grasping it all again.

How does
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=combo1 log=yes log-prefix=!NAT
work?

It simply looks up the NAT table to see if the source IP of an incoming packet is listed in the NAT table to translate the destination IP (which is supposed to be the incoming interface IP) to an internal IP.
That's it?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: firewall vs nat packet flow

Fri May 19, 2023 7:11 pm

According to the packet flow, the firewall entity does its connection tracking magic on ingress packets early (henceforth connection-state is known). Soon after that the firewall entity does DST NAT (henceforth connection-nat-state is known). And after that the routing decision is made (henceforth the chain is known). So when the firewall entity starts to evaluate filter rules, it can use those states to match packets.

The rule you quoted matches packets which are not DST NATed (did not trigger any of the DST NAT rules) and are establishing a new connection (they don't belong to any of the existing connections) and are ingressing via the combo1 interface. The action on matched packets is to drop them (and get logged with the specified custom prefix).
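The quoted rule placed in context, as an added example (my ruleset, not PackElend's configuration or MikroTik's default): a minimal "drop by default" forward chain in the order mkx's explanation implies, where connection-state and connection-nat-state are already known when the filter runs and can be matched directly, followed by the commands that confirm which rule handled a packet. "combo1" is the WAN port from the post; the LAN port "bridge", the LAN subnet and the forwarded host are assumptions.

```routeros
# Added example, not from this thread. By the time the forward chain runs,
# conntrack has set connection-state and the dst-nat stage has set
# connection-nat-state, so the filter can decide on both without re-parsing.
# "combo1" is from the post; "bridge", 192.168.88.0/24 and .10 are assumptions.

/ip firewall nat
add chain=srcnat out-interface=combo1 action=masquerade
add chain=dstnat in-interface=combo1 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.10 comment="constructed sample forward"

/ip firewall filter
# 1. packets of already-tracked connections are accepted first; this is the
#    cheap path and it also covers replies to outbound LAN traffic
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# 2. the rule from the post: a NEW connection arriving on the WAN port that no
#    dst-nat rule claimed has nowhere legitimate to go; log it, then drop it
add chain=forward connection-state=new connection-nat-state=!dstnat \
    in-interface=combo1 log=yes log-prefix="!NAT" action=drop
# 3. what is allowed: LAN-originated traffic and the dst-natted service
add chain=forward in-interface=bridge src-address=192.168.88.0/24 action=accept
add chain=forward connection-nat-state=dstnat in-interface=combo1 action=accept
# 4. default drop at the end of the chain
add chain=forward action=drop comment="default drop"

# verification: per-rule packet counters, and the entries the log prefix tagged
/ip firewall filter print stats
/log print where message~"!NAT"
```

The first packet of a forwarded SSH session is new and dstnat, so rule 2 does not match it (the `!` negates dstnat) and rule 3's second line accepts it; every later packet of that session is established and takes rule 1. A new WAN connection to a port without a dst-nat rule is new and !dstnat and is logged and dropped at rule 2, which is what `/log print where message~"!NAT"` lists.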
