What is the proper way to execute firewall rules before nat? I am just a beginner but from what i found, natted packets do not enter firewall at all. But what if I want to run a set of rules on ALL traffic entering IN the device through a particular eth port regardless of what happens to it. A good example would be black list. I have seen the scripts e.g. https://github.com/pwlgrzs/Mikrotik-Blacklist or https://www.marthur.com/networking/mikr ... ewall/388/ but if it is really true that packets to be natted do not go through any of the chains, those examples are not very good one.
One option would be to do it via firewall>raw but i have never really encountered this so i don't know its downsides.
Can anyone help out (especially to solve the problem of say blacklist properly)?