ishchenko
just joined
Topic Author
Posts: 2
Joined: Fri Feb 12, 2021 2:30 pm

Explaining firewall packet counters

Tue Dec 07, 2021 11:39 am

Hi there

I'm trying to route some traffic via L2TP tunnel.
/ip firewall address-list
add address=ifconfig.me list=list_for_vpn
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=list_for_vpn new-routing-mark=mark_vpn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=l2tp-out
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=l2tp-out routing-mark=mark_vpn

It seems to work ok, but when I curl the host
curl https://ifconfig.me

Something unexpected happens with counters. Mangle rule increments by 10, and that is expected: Wireshark shows exactly 10 outgoing packets. But masquerade rule increments by 1 only. I expect it to increment by 10. Why is that?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Explaining firewall packet counters

Fri Dec 10, 2021 9:44 pm

In short, masquerade rule works with connections, not packets.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Explaining firewall packet counters

Fri Dec 10, 2021 10:16 pm

From the manual, "Nat matches only the first packet of the connection, connection tracking remembers the action and performs on all other packets belonging to the same connection."

As Sob wrote, it only does connections. If a connection stopped or changed, connection tracking has to catch up with the new situation.

https://help.mikrotik.com/docs/display/ROS/NAT
 
ishchenko
just joined
Topic Author
Posts: 2
Joined: Fri Feb 12, 2021 2:30 pm

Re: Explaining firewall packet counters

Mon Dec 13, 2021 6:02 pm

Now it's perfectly clear, thanks! I wish the column was named "Connections", not "Packets"; that would make more sense.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Explaining firewall packet counters

Mon Dec 13, 2021 9:00 pm

Packets is the right term here because it counts the first packet of a connection triggering that rule. If you would use Connections, then it would be interpreted as the number of concurrent connections.

The lower count than expected does make one puzzle, but that also happens to rules that are only triggered by SYN, like when you mark connections in Mangle. You mark that connection, and connection tracking will take care of all traffic: marked once, and all following traffic till the connection times out.
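A small model of what the replies above describe, added here as an example and not taken from the thread or from MikroTik: a mangle rule in prerouting is evaluated for every packet, while a NAT rule is checked only on the first packet of a connection and connection tracking applies the remembered action afterwards. The flow, the addresses and the "expire" step (a connection timing out, after which the next packet counts as new again) are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: 10 outgoing packets of one TCP connection, as the
# original poster saw in Wireshark for "curl https://ifconfig.me".
# Addresses are placeholders from the documentation ranges, not real ones.
CURL_FLOW = [("192.168.88.10", 54321, "203.0.113.10", 443, "tcp")] * 10

@dataclass
class Rule:
    name: str
    per_connection: bool  # True: NAT-style, only the first packet is matched
    packets: int = 0      # what the "Packets" column in the firewall shows

@dataclass
class Router:
    rules: list
    conntrack: dict = field(default_factory=dict)  # 5-tuple -> remembered actions

    def process(self, pkt):
        is_new = pkt not in self.conntrack
        if is_new:
            self.conntrack[pkt] = {}  # connection tracking creates the entry
        for rule in self.rules:
            if not rule.per_connection:
                # mangle in prerouting with passthrough=yes sees every packet
                rule.packets += 1
            elif is_new:
                # NAT matches only the first packet; conntrack remembers the
                # action and applies it to every later packet of the connection
                rule.packets += 1
                self.conntrack[pkt][rule.name] = "masquerade"

    def expire(self, pkt):
        # connection timed out (or was removed): the next packet is "new" again
        self.conntrack.pop(pkt, None)

def count_rules(packets, expire_after=None):
    """Packets counters of both rules after pushing `packets` through them;
    with expire_after set, the tracked connection is dropped after that many."""
    mangle = Rule("mangle mark-routing", per_connection=False)
    nat = Rule("srcnat masquerade", per_connection=True)
    router = Router([mangle, nat])
    for i, pkt in enumerate(packets, start=1):
        router.process(pkt)
        if expire_after is not None and i == expire_after:
            router.expire(pkt)
    return {"mangle": mangle.packets, "nat": nat.packets}
```

`count_rules(CURL_FLOW)` gives mangle 10 and nat 1, matching the thread; a second curl from a new source port, or the tracked connection expiring mid-flow, is what makes the NAT counter grow.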
