Mikrotik
DVoropaev, 2020-06-24 11:43:43

How does Mikrotik distinguish input/forward from the external network?

Let's say I created a firewall rule that prohibits all input traffic to Mikrotik from the external network. But at the same time, NAT is enabled on my Mikrotik, and I decided to forward port 22 to connect remotely to one of the hosts on the local network.
How will Mikrotik react to a packet from the external network? I came up with two options and do not know which one is correct:
1) First, NAT will work, recognize this packet as forward, and then the firewall will let it through.
2) First, the packet will be processed by the firewall; it will see that the destination is the external address of the router and not the local host, recognize the packet as input, and not let it pass.


3 answer(s)
Drill, 2020-06-24
@DVoropaev

Simplified packet flow diagram.

Talyan, 2020-06-24
@flapflapjack

https://ittricks.ru/administrirovanie/linux/531/ip... here the sequence of steps is described in great detail.
The very essence is in the last paragraph right after the diagram. Which one processes the packet first depends on the rules themselves. For example, nat works before INPUT and will definitely decide whether to send the packet to INPUT or route it according to the routing table.
But as far as I remember, if you configured SNAT and did not change --to-source in the incoming packet, and the sender address is explicitly set to DROP in INPUT, then the packet will be dropped.

Dmitry, 2020-06-24
@dtmse

First option. If the IP packet is addressed to the local address of the router, and there are no DNAT rules that will redirect it to some external IP address, then the input chain will be checked; otherwise, forward.
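To make the ordering in this answer concrete, here is an added model (not MikroTik's or RouterOS code) of the packet path for a new connection arriving on the WAN interface: dst-nat in prerouting, then the routing decision, then the input or forward filter chain. The WAN address, the interface name ether1, the LAN host 192.168.88.10 and the rule set are constructed assumptions.

```python
# Added example, not MikroTik code: a minimal model of the RouterOS/netfilter
# packet path for a new connection from the WAN side. Stage order:
#   prerouting (dst-nat) -> routing decision -> input OR forward filter chain.
# Because dst-nat runs before the routing decision, a packet whose destination
# was rewritten to a LAN host is classified as "forward", never "input".
from dataclasses import dataclass, replace

ROUTER_WAN_IP = "203.0.113.1"   # constructed documentation address

@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst_ip: str
    dst_port: int
    dnat: bool = False   # set once a dst-nat rule has rewritten the packet

# dst-nat rules: (in_iface, proto, dst_port) -> new destination (ip, port)
# (assumed: port 22 on the WAN side published to a LAN host)
DSTNAT = {("ether1", "tcp", 22): ("192.168.88.10", 22)}

# filter rules per chain as (match function, action); first match wins.
# The forward accept for dnat=True mirrors matching on dstnat connection
# state in the forward chain; everything else from ether1 is dropped.
FILTER = {
    "input":   [(lambda p: p.in_iface == "ether1", "drop")],
    "forward": [(lambda p: p.in_iface == "ether1" and p.dnat, "accept"),
                (lambda p: p.in_iface == "ether1", "drop")],
}

def prerouting(p: Packet) -> Packet:
    target = DSTNAT.get((p.in_iface, p.proto, p.dst_port))
    if target is None:
        return p
    return replace(p, dst_ip=target[0], dst_port=target[1], dnat=True)

def routing_decision(p: Packet) -> str:
    # local delivery only if the (possibly rewritten) destination is the router
    return "input" if p.dst_ip == ROUTER_WAN_IP else "forward"

def filter_chain(chain: str, p: Packet) -> str:
    for match, action in FILTER[chain]:
        if match(p):
            return action
    return "accept"   # unmatched chain: default accept

def process(p: Packet) -> tuple:
    """Return (chain the packet was classified into, verdict)."""
    p = prerouting(p)
    chain = routing_decision(p)
    return chain, filter_chain(chain, p)
```

Running `process(Packet("ether1", "tcp", ROUTER_WAN_IP, 22))` yields `('forward', 'accept')`, while the same packet to a port without a dst-nat rule yields `('input', 'drop')`.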
