 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Confused about srcnat and dstnat chain in NAT [SOLVED]

Fri Jun 02, 2023 8:52 pm

Hi,
In IP>Firewall>NAT>add
There is a Chain drop-down menu with 3 pre-defined srcnat, dstnat and the last one I don't remember. I searched a lot but all the chains explained were input, output, forwarding. I just find topics which describe chains in the Filter tab and Mangle tab but not the NAT tab. Can someone link me or explain what these are exactly?
I know what exactly dstnat and srcnat are in Action drop-down menu, but I'm asking the ones in Chain drop-down menu.
Thanks in advance.
Last edited by sohrabp72 on Sat Jun 03, 2023 7:09 am, edited 3 times in total.
 
MrYan
Member Candidate
Posts: 160
Joined: Sat Feb 27, 2010 6:13 pm

Re: Confused about srcnat and dstnat chain in NAT

Fri Jun 02, 2023 9:29 pm

 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: Confused about srcnat and dstnat chain in NAT

Fri Jun 02, 2023 10:16 pm

Thanks for your response.
I'm just confused about the Chain and Action.
Imagine a packet is received in the router from our LAN section and we want to srcnat it to have internet access.
What is the difference between the two following commands:
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 action=src-nat to-addresses=172.16.16.1
and
/ip firewall nat add chain=dstnat src-address=10.0.0.0/24 action=src-nat to-addresses=172.16.16.1
What I realized is if a packet is received, what we want to do with the packet is determined in Action, then what is the use of Chain?
Sorry for my newbie question.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Confused about srcnat and dstnat chain in NAT

Fri Jun 02, 2023 10:33 pm

Documentation does seem to lack some details. It's customary to tie properties chain=dst-nat action=dstnat and chain=src-nat action=srcnat. But docs don't specify that any other combination is invalid.

If one takes a look at packet flow, then one can see that different chains get executed at different packet processing stages ... dst-nat is pretty early (e.g. before routing decisions) while src-nat is done pretty late. And for some actions this makes lots of sense. E.g. for action=masquerade (which is a special case of action=srcnat) it's vital to be done after the routing decision, as the action uses the IP address of the egress interface as the new value of src-address.
Another example: it's important to have dst-nat early because it makes more sense to apply firewall rules according to the final destination (without dst-nat first, dst-address would still be one of the router's own addresses). And it has to be done before routing decisions because without that a routing decision is not even possible.

Etc.
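
The ordering described in the post above, as an added example that is not part of the original thread: a toy Python model of chain=dstnat running before the routing decision and chain=srcnat running after it. The interface names, the 10.0.0.10 host and the external addresses are constructed, and the real RouterOS packet flow has more stages than this.

```python
import ipaddress

# Constructed topology: interface -> (router's own address, connected network)
INTERFACES = {"lan": ("10.0.0.1", "10.0.0.0/24"),
              "wan": ("172.16.16.1", "172.16.16.0/24")}
DEFAULT_ROUTE = "wan"  # assumption: default route points out of "wan"


def route(dst):
    """Routing decision: 'local' for the router's own addresses, else egress interface."""
    if any(dst == own for own, _ in INTERFACES.values()):
        return "local"
    for name, (_, net) in INTERFACES.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return name
    return DEFAULT_ROUTE


def process(pkt, dstnat_rules=(), srcnat_rules=()):
    """Walk one packet through chain=dstnat -> routing -> filter -> chain=srcnat."""
    pkt = dict(pkt)
    # chain=dstnat runs before routing: the egress interface is not known yet.
    for matches, new_dst in dstnat_rules:
        if matches(pkt):
            pkt["dst"] = new_dst
            break
    egress = route(pkt["dst"])   # routing uses the rewritten destination
    filter_dst = pkt["dst"]      # filter rules also see the final destination
    # chain=srcnat runs after routing, only for packets that leave the router.
    if egress != "local":
        for matches, to_addr in srcnat_rules:
            if matches(pkt):
                # masquerade = src-nat to the egress interface's own address
                pkt["src"] = INTERFACES[egress][0] if to_addr == "masquerade" else to_addr
                break
    return {"egress": egress, "filter_dst": filter_dst, "packet": pkt}


# Constructed sample rules and packets (documentation addresses, not from the thread)
PORT_FORWARD = [(lambda p: p["dst"] == "172.16.16.1", "10.0.0.10")]
MASQUERADE = [(lambda p: ipaddress.ip_address(p["src"])
               in ipaddress.ip_network("10.0.0.0/24"), "masquerade")]
INBOUND = {"src": "203.0.113.5", "dst": "172.16.16.1"}
OUTBOUND = {"src": "10.0.0.20", "dst": "198.51.100.7"}

if __name__ == "__main__":
    print(process(INBOUND))                             # no dstnat: delivered to the router itself
    print(process(INBOUND, dstnat_rules=PORT_FORWARD))  # dstnat first: forwarded to the LAN host
    print(process(OUTBOUND, srcnat_rules=MASQUERADE))   # source becomes the wan address
```
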
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: Confused about srcnat and dstnat chain in NAT

Sat Jun 03, 2023 12:31 am

Thanks for your reply.
So they are tied together chain=srcnat to action=srcnat and chain=dstnat to action=dstnat, so what's the benefit of having something called chain when we can take action on the packet by Action?
"If one takes a look at packet flow"
Which diagram exactly? Can you link the specific diagram, please?
I can't understand the diagram https://help.mikrotik.com/docs/download ... 451&api=v2
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Confused about srcnat and dstnat chain in NAT

Sat Jun 03, 2023 2:24 am

Chain says where in the process it gets executed.
Action says what happens.

It is not exactly tied but it makes sense to do certain actions in a certain way, and not the other way. You could even say that those chains are named based on the most usual action which happens in that place.

Now, understanding packet flow is important, even though it is a very complex process. RouterOS follows the Linux iptables process, so this practically teaches you full-blown Linux networking. Try to follow some examples with highlighted red paths. Together with the written description, it should be enough to give you an idea how it works.

You need to consider all diagrams. Not only one of them. But read the text as well. Compared to the past, it is now explained really well.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Confused about srcnat and dstnat chain in NAT

Sat Jun 03, 2023 3:16 am

@ sohrabp72
"if a packet is received, what we want to do with the packet is determined in Action, then what is the use of Chain?"
well, maybe you were right.

the chain set renaming for nat context - for example:
chain prerouting to dstnat
chain postrouting to srcnat

could give the user a false sense to determine chain/classifier to action (jump target).

for easier reading - just translate those chains as classifiers for the traffic you want to process. ie. from which in interface, from which subnet, what direction the traffic is, what protocols ---> these are classifiers.

and the action is what rule you want to apply to the classifiers/chain (accept, reject, srcnat, dstnat etc).

hope this helps.
 
sohrabp72
just joined
Topic Author
Posts: 17
Joined: Sun Oct 06, 2019 1:37 pm

Re: Confused about srcnat and dstnat chain in NAT[SOLVED]

Sat Jun 03, 2023 7:07 am

Thank you guys so much, now I can clear the difference and can read and understand the traffic flow diagram.
