How does Mikrotik distinguish input/forward from the external network?
Let's say I created a firewall rule that prohibits all input traffic to the Mikrotik from the external network. At the same time, NAT is enabled on my Mikrotik, and I decided to forward port 22 so that I can connect remotely to one of the hosts on the local network.
How will the Mikrotik react to a packet from the external network? I came up with two options, and I do not know which one is correct:
1) First NAT will work, the packet will be recognized as forward, and then the firewall will let it through.
2) First the packet will be processed by the firewall, which will see that the destination is the external address of the router and not the local host; it will recognize the packet as input and will not let it pass.
https://ittricks.ru/administrirovanie/linux/531/ip... here the sequence of steps is described in great detail.
The essence is in the last paragraph, right after the diagram. Which one processes the packet first depends on the rules themselves. For example, nat works before INPUT and will decide whether to send the packet to INPUT or to route it according to the routing table.
But as far as I remember, if you configured SNAT but did not change --to-source for the incoming packet, and the sender address is explicitly set to DROP in INPUT, then the packet will be dropped.
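The following RouterOS configuration is an added example illustrating the packet flow the question asks about; it is not part of the original question or answer. In RouterOS, dst-nat is applied in the prerouting stage, before the routing decision, so a packet that arrives on the WAN interface with the router's public address as destination has its destination rewritten to the LAN host first. The routing decision then sees a destination that is not a local address and sends the packet through the forward chain, not input. An input drop rule therefore does not affect the forwarded port; what does decide its fate is the forward chain, which should explicitly accept only the translated connection and drop every other new connection from the WAN. The interface name ether1 and the LAN address 192.168.88.10 are assumptions chosen for the example.

```routeros
# Added example (not from the original post). Assumes ether1 is the WAN
# interface and 192.168.88.10 is the LAN host that should receive SSH.

/ip firewall nat
# Runs in prerouting, before the routing decision: rewrites the destination
# of port 22 traffic arriving on ether1 to the LAN host.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=22
# Masquerade outbound LAN traffic (the usual SNAT for a home/office router).
add chain=srcnat out-interface=ether1 action=masquerade

/ip firewall filter
# input: packets whose destination, after dst-nat, is still the router itself.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 action=drop \
    comment="block everything new from WAN aimed at the router"

# forward: packets routed through the router, including the dst-nat'd SSH.
add chain=forward connection-state=established,related action=accept
# Accept only connections that were actually translated by the dstnat rule.
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.88.10 dst-port=22 action=accept \
    comment="allow the forwarded SSH port only"
# Any other new connection from WAN trying to reach the LAN is dropped.
add chain=forward in-interface=ether1 connection-state=new action=drop
```

The `connection-nat-state=dstnat` matcher ties the forward accept rule to the NAT rule, so a new packet from the WAN is let through only if dst-nat has already rewritten it; a packet addressed to the router that no NAT rule touches falls into the input chain and hits the drop. You can confirm which chain a packet takes with `/ip firewall filter print stats` while connecting from outside: the counter on the forward accept rule, not on the input drop, should increase. If the SSH host only needs to be reachable from known locations, adding `src-address-list=` with a maintained address list to both the dstnat and the forward accept rule narrows the exposure further.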