tlamik
Frequent Visitor
Topic Author
Posts: 57
Joined: Fri Mar 21, 2014 11:54 am

Where can I see outgoing packets if Mikrotik is FW/Router/NAT ?

Wed Dec 20, 2023 2:46 pm

Hi,

I am trying to capture traffic from/to a public IP 1.1.1.1 connecting to my Mikrotik FW/Router/NAT to some specific port, let's say 22/TCP, on public IP address 2.2.2.2. Port 22 is forwarded to a local lan IP 192.168.1.5 with the same port.

So IP address 1.1.1.1 is trying to connect to 2.2.2.2:22/TCP, and Mikrotik forwards it to 192.168.1.5:22/TCP.
Everything works and all is probably set up correctly. I am wondering where I can capture the packets?

I can see packets in RAW Prerouting (1.1.1.1 -> 2.2.2.2:22), then Mangle Prerouting (1.1.1.1 -> 2.2.2.2:22), then DSTNAT (1.1.1.1 -> 2.2.2.2:22), then Mangle Forward (1.1.1.1 -> 192.168.1.5:22), then Filter Forward (1.1.1.1 -> 192.168.1.5:22), then way back in Mangle Forward (192.168.1.5:22 -> 1.1.1.1), Filter Forward (192.168.1.5:22 -> 1.1.1.1) and Mangle Postrouting (192.168.1.5:22 -> 1.1.1.1).

I can't find any packets from 2.2.2.2 to 1.1.1.1 or I am unable to find the right place to capture it.
I can find packets from 2.2.2.2 to 1.1.1.1 in RAW Output for example when I am pinging from 1.1.1.1 to 2.2.2.2, but that's all.
I thought I would be able to capture packets going back to 1.1.1.1 on SRCNAT, but I can't see them.
Is Mangle Postrouting the last place where I can see outgoing packets?
Why can't I see any packets from 2.2.2.2:22 to 1.1.1.1?

Thanks a lot
 
mkx
Forum Guru
Posts: 12645
Joined: Thu Mar 03, 2016 10:23 pm

Re: Where can I see outgoing packets if Mikrotik is FW/Router/NAT ?

Wed Dec 20, 2023 4:09 pm

If you're looking at different processing stages, then you likely see logs with processing output (or decision). But you can always start packet sniffer on a particular interface (e.g. whatever your WAN interface is) and there you should see packets as they arrive from (or leave for) ISP.
 
aoakeley
Member Candidate
Posts: 174
Joined: Mon May 21, 2012 11:45 am

Re: Where can I see outgoing packets if Mikrotik is FW/Router/NAT ?

Wed Dec 20, 2023 4:20 pm


Why can't I see any packets from 2.2.2.2:22 to 1.1.1.1?

Where are you looking for them?
Also the source port for the reply may not be the same as the destination port

Suggest you do this to just sniff all traffic to/from 1.1.1.1

/tool sniffer
set file-name=1.1.1.1.pcap filter-ip-address=1.1.1.1/32
/tool sniffer start

OR

/tool sniffer
set file-name=1.1.1.1.pcap filter-ip-address=1.1.1.1/32 filter-port=ssh
/tool sniffer start
 
tlamik
Frequent Visitor
Topic Author
Posts: 57
Joined: Fri Mar 21, 2014 11:54 am

Re: Where can I see outgoing packets if Mikrotik is FW/Router/NAT ?

Wed Dec 20, 2023 4:41 pm

I tried looking in Filter Output, NAT srcnat and output, Mangle postrouting and output, and Raw output.

When I start packet sniffer on inet port I can see traffic from 2.2.2.2:22 to 1.1.1.1, that's fine.

But I thought I could see outgoing traffic in the firewall chains too.
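
Added example, not part of any post in this thread: a simplified Python model of the connection-tracking behaviour behind the observation above. It assumes RouterOS follows the Linux netfilter hook order, where replies on a dst-nat'ed connection get their source rewritten from the connection-tracking entry after mangle postrouting, without any NAT rule being evaluated. The stage list, the client port 50000 and all function names are assumptions of the model.

```python
# Simplified model (added example): conntrack-style dst-nat on a forwarding router.
# Addresses and the port forward come from the thread; the stage order is an
# assumption based on the Linux netfilter hook order.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

WAN_IP, LAN_HOST, PORT = "2.2.2.2", "192.168.1.5", 22
conntrack = {}  # reply tuple as sent by the LAN host -> original public (ip, port)

def forward_path(pkt):
    """Client -> server: the dstnat rule matches the public destination, then rewrites it."""
    seen = [(s, pkt) for s in ("raw prerouting", "mangle prerouting", "dstnat")]
    if pkt.dst == WAN_IP and pkt.dport == PORT:
        nat = replace(pkt, dst=LAN_HOST)
        # Remember how replies will look so they can be translated back later.
        conntrack[(nat.dst, nat.dport, nat.src, nat.sport)] = (pkt.dst, pkt.dport)
        pkt = nat
    seen += [(s, pkt) for s in ("mangle forward", "filter forward",
                                "mangle postrouting", "wire (LAN)")]
    return seen

def reply_path(pkt):
    """Server -> client: no NAT rule runs; the conntrack entry restores the
    public source only after mangle postrouting, just before transmission."""
    seen = [(s, pkt) for s in ("raw prerouting", "mangle prerouting",
                               "mangle forward", "filter forward", "mangle postrouting")]
    orig = conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig:
        pkt = replace(pkt, src=orig[0], sport=orig[1])
    seen.append(("wire (WAN)", pkt))
    return seen

def stages_showing(trace, src):
    """Names of the stages at which the packet carries the given source address."""
    return [stage for stage, p in trace if p.src == src]

if __name__ == "__main__":
    syn = Packet("1.1.1.1", 50000, WAN_IP, PORT)    # constructed sample packet
    rep = Packet(LAN_HOST, PORT, "1.1.1.1", 50000)  # constructed reply
    for name, trace in (("request", forward_path(syn)), ("reply", reply_path(rep))):
        for stage, p in trace:
            print(f"{name:8}{stage:20}{p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

In this model the only place a packet with source 2.2.2.2:22 exists is the WAN wire, which matches what the packet sniffer on the internet-facing port showed.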
