New Packet flow diagram

Fri May 17, 2013 1:21 pm

We have a new concept for the packet flow diagram, applying to RouterOS v6. Please make suggestions for more example drawings, or other comments.

UPDATED

PacketFlowDiagram_v6_page1.jpg

PacketFlowDiagram_v6_page2.jpg

PacketFlowDiagram_v6_page3.jpg

PacketFlowDiagram_v6_example1.2.jpg

PacketFlowDiagram_v6_example2.1.jpg

PacketFlowDiagram_v6_example3.1.jpg

cheeze · Fri May 17, 2013 7:08 pm

I think they're great

However, I don't know what the letters/numbers mean.

Otherwise, awesome.

rkau045 · Fri May 17, 2013 9:12 pm

The letters in the circles are jumps. So, for example, the output from mpls chart at H goes back into the main loop at H.

Sent from my XT912 using Tapatalk 2

blingblouw · Fri May 17, 2013 10:51 pm

please please please can we do something before hotspot in, maybe like pre-hotspot-in or move it after mangel pre-routing so that we don't have to count all traffic in a hotspot users sessions.

I really need to allow some sites not to be accounted for in a hotspot session!

Mon May 20, 2013 8:22 am

I think they're great

However, I don't know what the letters/numbers mean.

Otherwise, awesome.

letters are transition points from the first main diagram to more detailed ones. This way we reduced amount of information in main diagram
numbers are used to show packet path through router

Mon May 20, 2013 1:05 pm

The new diagram is really good.

It is clearer than the previous diagram.

JJCinAZ · Mon May 20, 2013 8:08 pm

Like the new diagrams. One suggestion is to add detail on the "Use MPLS?" and "Use Route?". If you compare these decisions in the flow chart to the first decision after physical input, "In-Interface Bridge Port?", it seems to me that the first decision is much more self describing than the others -- "Is the in-interface in a bridge?" vs. "Are we going to use MPLS?" If it was more clear as to the logic for "Use MPLS" or "Use Route", then it might be more useful in learning RouterOS.

gregsowell · Tue May 21, 2013 6:27 am

Looks clean guys. Nice work.

Tue May 21, 2013 10:33 am

Thanks for the suggestions. First post has been updated with new images. Please make more suggestions, what more examples would you need in the manual?

Tue May 21, 2013 11:24 am

Not quite clear where the entrance/exit points are. In my opinion, it would be better if physical interface nodes were visually "open" (not frame-bounded to each other).

Tue May 21, 2013 11:25 am

Not quite clear where the entrance/exit points are. In my opinion, it would be better if physical interface nodes were visually "open" (not frame-bounded to each other).

they are indicated by green/red color

ener · Tue May 21, 2013 12:05 pm

very nice. maybe soon i could understand hope so

omidkosari · Thu Jun 13, 2013 8:36 am

Very nice but unfortunately still no place for old feature request Umetered Content for PPP http://forum.mikrotik.com/viewtopic.php ... 50#p235456

majkel · Mon Jun 17, 2013 11:04 pm

When it will be use in 6.x ?

Chupaka · Tue Jun 18, 2013 10:24 am

When it will be use in 6.x ?

it IS, just like the previous one. it's just a look from another point. like a map VS globe - the Earth is still the same

mknnoc · Wed Jun 26, 2013 8:44 am

I am not sure if I understand it correctly. If possible, can you write some explanation under each packet flow diagram?

Wed Jun 26, 2013 9:26 am

I am not sure if I understand it correctly. If possible, can you write some explanation under each packet flow diagram?

traffic goes into the "green" physical interface. then follow the arrows and answer questions.

tomaskir · Wed Jun 26, 2013 1:49 pm

How do trunks (LACP) come into this?

Or are they "transparent" as far as the packet flow diagram is concerned?

ekkas · Wed Aug 14, 2013 10:46 pm

Please help me understand as I'm obviously missing something here...
In ROS 5 you could double-QoS by:
1)Mangle in prerouting, prioritise in Global-In HTB (all in prerouting sub-section)
2)Mark in forward/postrouting, shape in Interface HTB

Now in ROS 6 the global HTB resides in the Input chain, not the prerouting chain!?
So how do I achieve double-QoS with ROS6 then?

Regards
Ekkas

Chupaka · Thu Aug 15, 2013 12:32 am

in v6:
1) mark in prerouting/forward/postrouting, prioritize in Global HTB in Queue Tree
2) shape in Simple Queues

ekkas · Thu Aug 15, 2013 10:14 am

Thanks for that, but what I do not understand is if the diagram shows Global HTB in Input chain, then it's not supposed to get any forwarding traffic?

According to diagrams:
A) Traffic to Router(v5):
PreRouting (ConnTrack, Mangle, DstNAT, Global HTB)
Input (Mangle, Filter)Traffic to Router(v5):

B)Traffic forwarded(v5):
PreRouting (ConnTrack, Mangle, DstNAT, Global HTB)
Forward (Mangle, Filter)

C)Traffic to Router(v6):
PreRouting (ConnTrack, Mangle, DstNAT)
Input (Mangle, Filter, Global HTB)

D)Traffic forwarded(v6):
PreRouting (ConnTrack, Mangle, DstNAT)
Forward (Mangle, Filter,?)
....

In scenario D, there is no Global HTB in prerouting, according to diagram it is now in Input chain, but Input chain is not used if it is forwarded traffic.
I'm not suggesting ROS is broken, I'm suggesting that possibly the diagram is wrong, or does ROS6 process Input chain for forwarded traffic as well now?

Regards
Ekkas

Thu Aug 15, 2013 11:31 am

the diagram shows Global HTB in Input chain

It shows it not only in Input chain, but in the Postrouting chain as well.
See above the last two blocks in postrouting.

ekkas · Thu Aug 15, 2013 11:39 am

It shows it not only in Input chain, but in the Postrouting chain as well.

I'm talking about prerouting.
Global has always been in postrouting(before Src-NAT, now after src-NAT), but seems to moved from prerouting to input, that's the point I'm trying to make.
V5:

V6:

Thu Aug 15, 2013 1:11 pm

Any kind of traffic first hits Global HTB, then Simple Tree, and it does it only once. Input traffic hits them in the Input, while Output and Forward traffic - in the Postrouting. The packet flow has changed and you will need to adopt to it.

ekkas · Thu Aug 15, 2013 2:40 pm

Any kind of traffic first hits Global HTB, then Simple Tree, and it does it only once.

Ok, that makes sense.

The packet flow has changed and you will need to adopt to it.

I need to understand before I can adapt.

Where would you want QueueTree or Simple Queues in Input chain, except for web proxy maybe? Control is outbound?
Anyways...

Let me put it this way...
For normal unbridged, routed traffic a packed would travel roughly.(#=PacketMark *=Queue)

ROS 5
1-)Prerouting
1a)Mangle Prerouting #1
1b)Dst NAT
1c)Global-In Global-Total HTB *1
2-)Forward
2a)Mangle forward #2
2b)Filter forward
3-)PostRouting
3a)Mangle Postrouting #2
3b)Global-Out Global-Total HTB *2
3c)Src-NAT
4-)Interface HTB *2

So here (if I understand it correctly), you could:
new-packet-mark @ ManglePrerouting(1a), then queue @ Global-In/Global-total(1c)
Then re-mark the packet @ MangleForward(2a) or ManglePostrouting(3a), then queue @Global-out(3b) or Interface HTB(4-)
Correct?

ROS 6:
1-)Prerouting
1a)Mangle Prerouting #1
1b)Dst NAT
2-)Forward
2a)Mangle forward
2b)Filter forward
3-)PostRouting
3a)Mangle Postrouting
3b)src-NAT
3c)Global HTB *1?
3d)Simple queues
4-)Interface HTB

Here, the first queue that you reach, is only in Global HTB(3c), after prerouting, forward, postrouting Mangles. There is no mangle opportunity after that to re-mark the packet before Interface HTB(4-)?
I guess my question is then, can a packet carry more than one mark? Otherwise, how does a packet get remarked if the sequence above is correct?

Thanks for your patience
Ekkas

Chupaka · Thu Aug 15, 2013 3:40 pm

There is no mangle opportunity after that to re-mark the packet before Interface HTB(4-)?

no opportunity

can a packet carry more than one mark?

it cannot

ekkas · Thu Aug 15, 2013 5:30 pm

Thanks Chupaka,
it would seem then a big downgrade from ROS5?
How can you do double-control QoS, i.e. shape by client type and QoS by traffic type on one router?

Chupaka · Fri Aug 16, 2013 1:17 am

you may use dynamic Simple Queues for shaping, one queue per user - they are speedy now

ekkas · Fri Aug 16, 2013 3:15 am

That is all fine and well, but the question is how to do it twice.
1)Per user (Throttling)
2)Total outgoing (QoS)
Where to mark and queue it second time?

Regards
Ekkas

Fri Aug 16, 2013 9:33 am

1) mark by traffic type in any mangle chain... - i suggest "forward"
2) prioritize traffic by traffic type in HTB global
3) use simple queues to apply individual user limits (use target as individual IP, or network and PCQ queue type)

infused · Mon Sep 02, 2013 2:34 am

Can anyone chuck this in a nice, printable pdf?

Toby7 · Tue Sep 03, 2013 6:39 pm

One addon from my point of view: I would like to have colours in the picture, they make the boxes much more clearer!

PDF is also a good point. Please publish a vector graphics inside the PDF so that we can enjoy a real wallpaper

Thank you!

ojsa · Tue Sep 03, 2013 11:27 pm

Is it possible to get this flow chart pictures in SVG or other vectorbased picture format?

Thu Sep 05, 2013 9:33 am

Is it possible to get this flow chart pictures in SVG or other vectorbased picture format?

The original is in Open Office, so no. You could re-draw it as vector and share

sergey · Thu Sep 05, 2013 11:43 am

Guys

Thank you very much for for the diagram. They are very useful and clear. Well done!

Questions:
1. Could you add they to official documentation (WiKi)?
2. Is it possible to get originals for personal use? I'd want to add comments to the diagrams and print.

Thank you.

Wed Sep 25, 2013 4:01 pm

Svg files for those who requested:

AlArenal · Wed Sep 25, 2013 5:05 pm

Great, thx alot!

P.S.:
This would should go into the wiki

Wed Sep 25, 2013 5:19 pm

It is already there. Images you see here are linked to wiki

Thu Sep 26, 2013 9:45 am

Yes, thanks, finally i can replace my old packet flow diagram printouts that hangs on the wall just across the workplace.

Added PDF that i will use if someone wants to do the same

arahim52 · Thu Nov 07, 2013 5:16 pm

Thanks for sharing this post to us. This is really nice information.
[url=http://www.%20marnetllc.com]IT Network Support[/url]

HaPe · Sat Nov 23, 2013 2:30 pm

What is the name of software used to create this diagrams?

ohara · Sat Nov 23, 2013 4:17 pm

MS Visio

Chupaka · Sun Nov 24, 2013 10:33 am

The original is in Open Office

siscom · Wed Jan 08, 2014 1:13 pm

Hi,

In the wiki the following files seem to be missing from the page titled 'Manual:Packet Flow v6' -

http://wiki.mikrotik.com/index.php?titl ... ples_b.gif

http://wiki.mikrotik.com/index.php?titl ... ples_c.gif

Rgds,
Mark.

mleducxit · Thu Jan 23, 2014 7:23 pm

HI all,

I've read many things on this forum and I've track carefully the packet flow, but one thing are still missing. The physical interface rules. Probably it's on the hardware, but try to figure out how can I bridge 5 interfaces on a CCR-1036 6.7, setup a DHCP Server attached to the bridge and control the HTB using the etherX entry. Refering to the scenario PacketFlowDiagram_v6_example1.2.jpg, I've put somes traces (packet log) following the decisions:

There is my config, it's a vanilla one


/interface bridge
add l2mtu=1590 name=BR_TEST
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/interface bridge filter
add action=mark-packet chain=input in-interface=ether1 new-packet-mark=PACKET_ETH1_UPLOAD
add action=mark-packet chain=output new-packet-mark=PACKET_ETH1_DOWNLOAD out-interface=ether1
/interface bridge port
add bridge=BR_TEST interface=ether1
add bridge=BR_TEST interface=ether3
add bridge=BR_TEST interface=ether4
add bridge=BR_TEST interface=ether5
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=BR_TEST network=192.168.88.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=log chain=forward log-prefix=FILTER
/ip firewall mangle
add action=log chain=forward log-prefix=PREROUTING
/ip firewall nat
add action=masquerade chain=srcnat

So quickly, I've add a Bridge interface name BR_TEST, with eth1,3,4 and 5, eth2 are my dhcp client into my personal network and I masquerade anything trough this interface.

I've disabled the fast path for the bridge and enabled the IP Firewall options to enter into the ip mangle table and grab somes packets log output, log that I have seen into the LOG window.

I've just realized that the represented interface are the bridge interface BR_TEST and not ether2...

I mean, the traffic are still handled by the physical port, not really, but mabe, the virtual BR_TEST port.

Question #1: It is the chipset who do this?

Always referring the chart, I've add two filter rules into the bridge management and now I can track my interface management.

So I've mark my packets, add it on seperated HTB rules and my download queue dont work...

What I'Ve missing?

Fri Jan 31, 2014 12:17 pm

HI all,

...

So quickly, I've add a Bridge interface name BR_TEST, with eth1,3,4 and 5, eth2 are my dhcp client into my personal network and I masquerade anything trough this interface.

I've disabled the fast path for the bridge and enabled the IP Firewall options to enter into the ip mangle table and grab somes packets log output, log that I have seen into the LOG window.

I've just realized that the represented interface are the bridge interface BR_TEST and not ether2...

I mean, the traffic are still handled by the physical port, not really, but mabe, the virtual BR_TEST port.

Question #1: It is the chipset who do this?

Always referring the chart, I've add two filter rules into the bridge management and now I can track my interface management.

So I've mark my packets, add it on seperated HTB rules and my download queue dont work...

What I'Ve missing?

There are two perspectivs when use-ip-firewall is used.

1) layer-2 perspective - when traffic comes via one bridge port and leaves via other port of the same bridge - in this case in and out interfaces will be physical interfaces that are in the bridges

2) layer-3 perspective - when packet is routed to bridge - in all configuration packet will leave via bridge interface cause routing doesn't know anything about bridge ports. for this traffic out interface will be bridge interface and only bridge forwarding table will know what actual physical port it goes out.

This is done with one single reason - so that enabling use-ip-firewall will not break your layer-3 configuration that you might have.

Thu Feb 27, 2014 11:25 am

The "IPsec Encryption" and "IPsec Decryption" blocks seem to be mixed up on the Routing diagram.

noviy · Fri Mar 28, 2014 12:05 am

I propose to consider another option

efaden · Fri Mar 28, 2014 12:16 am

I propose to consider another option

I like this.

Sent from my SCH-I545 using Tapatalk

tomaskir · Fri Mar 28, 2014 12:53 am

I propose to consider another option

Great work there!

I like as well - but, is there any way to make it horizontal instad of vertical?
If it was horizontal, it would fit on a widescreen monitor much better.

Also, there is bunch of spelling errors, and on the right side, it should say Encapsulation (currently says Decapsulation).

But great work otherwise!

Could you please please please upload an editable version?

Fri Mar 28, 2014 11:14 am

I propose to consider another option

Awesome!
What diagramming tool did you use?

noviy · Fri Mar 28, 2014 12:53 pm

Fixed small bug

noviy · Fri Mar 28, 2014 1:49 pm

For preview:

Packet Flow Diagram r20140328.jpg

efaden · Fri Mar 28, 2014 2:37 pm

For preview:
Packet Flow Diagram r20140328.jpg

Nice... PDF or SVG or some sort of vector image would be ideal. Looks great though.

noviy · Fri Mar 28, 2014 3:25 pm

Nice... PDF or SVG or some sort of vector image would be ideal. Looks great though.

See my previous post.

tomaskir · Fri Mar 28, 2014 3:42 pm

Nice... PDF or SVG or some sort of vector image would be ideal. Looks great though.
See my previous post.

Any chance for an editable version?

Thanks!

efaden · Fri Mar 28, 2014 4:13 pm

Nice... PDF or SVG or some sort of vector image would be ideal. Looks great though.
See my previous post.
Any chance for an editable version?

Thanks!

+1

noviy · Sun Mar 30, 2014 12:31 pm

Some changes, for a better understanding of travel of packets.
Fixes:
2014.04.05
- Corrected position 'IPSec Decryption' and 'IPSec Encryption' boxes in ROUTING (gratitude: macgaiver);
- Fixed form blocks 'Bridge Decision' in 'Forward' and 'Output' Chain.
2014.04.10
- Added "Configurable Facilities": Menu items of RouterOS corresponding function blocks;
- Corrected name of block "Decapsulation  (TE, VPLS, VLAN, Tunnel)" to "Encapsulation (TE, VPLS, VLAN, Tunnel)" in "OUT-INTERFACE  LOGICAL" line;
- Corrected name of block "Bridge Adjustm." to "Routing Adjustm." in "Output" chain (gratitude: greek);
- Corrected bloks in "Input" and "Postrouting" chains: "Global HTB" > "HTB Global | Queue tree", added "Simple Queues" (gratitude: greek);

Packet Flow Diagram r20140410.png

P.S. I am also willing to listen to any comments and additions.

Fri Apr 04, 2014 2:38 pm

Nice one - very informative. Just "IPSec Decryption and Encryption boxes need to be swapped - traffic comes to router and in case it is IPSec it will have policy and will be decrypted, not encrypted
and when leaving if there is IPSec policy it will be encrypted - this fix was also done on the wiki:
http://wiki.mikrotik.com/wiki/File:Pack ... m_v6_b.svg

noviy · Sat Apr 05, 2014 7:21 pm

Nice one - very informative. Just "IPSec Decryption and Encryption boxes need to be swapped

Thank you, fixed - see updated my post.

greek · Tue Apr 08, 2014 9:59 pm

Thank you, fixed - see updated my post.

Why last block in output chain is "Bridge Adjustm"?
In original scheme it's "Routing Adj."

And why "Simple queues" blocks is absent in "Input" and "Postrouting" chains ?

noviy · Thu Apr 10, 2014 2:01 pm

Why last block in output chain is "Bridge Adjustm"?
In original scheme it's "Routing Adj."

And why "Simple queues" blocks is absent in "Input" and "Postrouting" chains ?

Fixed - see updated my post
Thank you!

normalcy · Sat Apr 12, 2014 10:46 am

This is fantastic. Thanks for the effort as I think this layout helps you connect the layers together better than the original separated diagrams. Hopefully it becomes the official one.

noviy · Mon Apr 14, 2014 12:25 pm

To me the first version of diagrams is easier to consume. Second version is a little bit noise. There is too many arrows. Main content is hidden in the web of transitions! Arrows that define logical layers is too big, it's not the main content.

You can download the source in Microsoft Visio 2010 and disable the extra layers, making it easier diagrams at its discretion.

Thu Jun 19, 2014 2:33 pm

noviy, can we use it in the MikroTik Wiki manual ?

greek · Fri Jun 20, 2014 12:42 am

Why first and last figures in output chain are not a parallelepiped as in original scheme?

As i know, parallelepiped has concretic mining in flowchart http://en.wikipedia.org/wiki/Flowchart

noviy · Sun Jun 22, 2014 1:56 pm

noviy, can we use it in the MikroTik Wiki manual ?

Yes, of course! I'll be glad if it will be useful for Mikrotik project.

avenn · Fri Jun 27, 2014 11:44 am

Excellent thank you for this diagram. I have just got back from a MTCRE course in sunny England and it was causing a positive buzz! Loving it!

Regards

Aidan Venn

qwertysqwerty · Sun Jun 29, 2014 7:17 pm

Excellent work. Very useful indeed!

Thank you.

Tue Jul 15, 2014 1:18 pm

noviy - can you get in touch with us as we would like to print these professionally as posters?

Email me at shop (at) linitx.com

dendlet · Tue Dec 02, 2014 11:22 am

The new diagram is really good.

It is clearer than the previous diagram.

Buster2 · Fri Dec 26, 2014 4:51 am

Nice comprehensive graphics!

May I suggest to stick with english grammar rules for questions: auxiliary verb, then subject, then verb

Decapsulation is needed? -> Is decapsulation needed?
Encapsulation is needed? -> Is encapsulation needed?
It's IP Traffic? -> Is it IP traffic? ("It is IP Traffic" is a statement, not a question)

These changes would give decisions a consistent wording.

noviy · Sun Dec 28, 2014 9:54 am

Nice comprehensive graphics!

May I suggest to stick with english grammar rules for questions: auxiliary verb, then subject, then verb

Decapsulation is needed? -> Is decapsulation needed?
Encapsulation is needed? -> Is encapsulation needed?
It's IP Traffic? -> Is it IP traffic? ("It is IP Traffic" is a statement, not a question)

These changes would give decisions a consistent wording.

Thank you for your comments! In the near future I will try to fix it.

b1863515 · Fri Jan 09, 2015 10:48 pm

I guess you pros can understand the packet flow but I don't

. Is there a book or a link that would explain what is actually happening in the individuals steps?

Chupaka · Sat Jan 10, 2015 10:21 am

I guess you pros can understand the packet flow but I don't . Is there a book or a link that would explain what is actually happening in the individuals steps?

check http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

b1863515 · Sat Jan 10, 2015 2:09 pm

I guess you pros can understand the packet flow but I don't . Is there a book or a link that would explain what is actually happening in the individuals steps?
check http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Thanks!

yxudous · Wed Mar 16, 2016 5:24 pm

Trying to implement your double qos suggestions for hotel. I want to proritize traffic in queue tree and limit per user with dynamic simple queues. I can generate the simple queues in dhcp lease but what happens if a customer sets his own static ip? How can I generate his queue so that he does not bypass the limits?

Chupaka · Fri Mar 18, 2016 2:22 pm

How can I generate his queue so that he does not bypass the limits?

1) authorization
2) just create a queue for 'everyone else' (10.0.0.0/16) with hard limits

alexkhokhlov · Fri Mar 25, 2016 12:37 pm

I have a clarification question regarding the order of mangle and routing processing of the "output" chain.

I want a script on my router to connect to a fixed-ip website via a predefined WAN connection (in order to get my external ip on that connection).
The set-up is the following:

mikrotik 951G-2HnD v6.34.3
two WAN connections on ethernet ports: first is a default (higher priority in routing), second is a failover (lower priority in routing)
my ip-firewall-mangle rules section contain a rule on "output" chain to mark a non-marked connection to a fixed-ip destination
my ip-firewall-mangle also contain a rule to place a routing mark on all marked connections to a failover WAN (via routing table)

All is working perfectly as planned.

However, according to http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6 the output chain does not go through a "routing decision" block (K->L flow). The absolutely fantastic new diagram in this thread also shows that local "output" block with "mangle-output" is located after the "routing decision" block (also K->L flow).

My setup clearly shows that mange-output is before "routing decision" block since routing mark changes the flow to a failover WAN connection (non-default in routing table). Without my mange rules connection goes to a default WAN connection.

And my questions are:

Is it really correct on the diagrams that "output" block from local output is placed after a "routing decision" block in the flow?
Is there a single-mangle-rule solution to mark all traffic (local and forwarded) going to a fixed-ip with a connection/routing mark? [I now have two identical mange rules: one for "output" and one for "prerouting"]

EDIT: is it a "routing adjustment" that actually works in my set-up? Is it not better simply to have a "routing decision" after the "output" block? Why this design decision was made?

NicolBolas · Mon Apr 25, 2016 1:11 pm

Hello,

Is there any detailed diagram to show how VRFs are processed ? I'm missing something here to fix my inter-VRF tunneling setup.

Thanks !

greek · Fri Sep 23, 2016 10:06 pm

Where is placed "IP - Firewall - Raw" menu ?

Chupaka · Mon Oct 24, 2016 2:31 pm

Where is placed "IP - Firewall - Raw" menu ?

Guys?..

Mon Oct 24, 2016 3:12 pm

Where is placed "IP - Firewall - Raw" menu ?

Exactly where MikroTik said they put it. Just here...

Screen Shot 2016-10-24 at 13.05.02.png

Chupaka · Mon Oct 24, 2016 3:18 pm

Nice joke, thanks. But the topic is Packet flow diagram, not WinBox

Mon Oct 24, 2016 3:38 pm

It's in the wiki

Mon Oct 24, 2016 3:39 pm

Where is placed "IP - Firewall - Raw" menu ?

RAW is taking action just before two connection tracking boxes in the Packet Flow diagram.

busla · Tue Nov 08, 2016 12:56 pm

As described in the diagram RouterOS must apply dst-nat rules before filter rules. But it does not. Why?

Chupaka · Tue Nov 08, 2016 2:34 pm

it does. explain your problem in details

busla · Tue Nov 08, 2016 5:03 pm

I have service at 192.168.0.2:12345

I added the rule:

ip firewall nat add chain=forward action=dst-nat protocol=udp port=12345 to-addresses=192.168.0.2 in-interface=ether1 log=yes

but the log remains empty

Dst-NAT rule doesn't work when it isn't allow rule in input chain of filter:

ip firewall filter add action=accept chain=input in-interface=ether1 protocol=udp port=12345 place-before=3

According to the diagram packet in general can not get into the INPUT.

Wed Nov 09, 2016 8:37 pm

busla
Please create a new topic, this conversation is not in any way related to this "New packet Flow Diagram" topic. Thank you.

busla · Thu Nov 10, 2016 11:07 pm

busla
this conversation is not in any way related to this "New packet Flow Diagram"

Why?
I create rules based on packet flow. Rules don't work. Either the diagram is wrong or diagram need some comments.

Quared · Fri Nov 11, 2016 1:28 am

Hello,

@busla:
this thread about the new packet flow diagram was started 3,5 years ago and packet flow management is a central feature of routers in general

Do you really think, your problem now relates to this packet flow diagram itself ?
Please try to understand the packet flow diagram by reading appropriate information - either here in the wiki or by searching Google.

Your problem is knowledge- and config-related.
I second nest (Ron) => open up a new forum thread, thank you

greets

busla · Fri Nov 11, 2016 10:16 am

The diagram is a part of wiki. I have studied it.
My sample is a sample, not a problem. I want to know a real 'paclet flow' in RouterOS. It solve all my problems.

Chupaka · Fri Nov 11, 2016 2:55 pm

The wiki shows 'real' packet flow. Point.

nichky · Tue Dec 27, 2016 7:32 am

is there any MUM presentation about v6?

noviy · Wed Mar 15, 2017 3:15 pm

This small update with possible can someone help better understand the place of new blocks "RAW Prerouting" and "RAW Output".
download/file.php?mode=view&id=27228

Nemiroff84 · Tue Mar 21, 2017 8:56 am

[quote="noviy"][/quote]
Can you place the diagram in visio format too?

bajodel · Thu Dec 21, 2017 4:45 am

This small update with possible can someone help better understand the place of new blocks "RAW Prerouting" and "RAW Output".

@noviy
I noticed only now your 2017/03 diagram update (I know, I'm late

) .. but I want to thank you for the brilliant work!! Now with new details and raw tables is really complete.

( & "UP" ..many others may have missed it)

NoobJambon · Sat Mar 23, 2019 12:43 am

Hello guys !
I'm looking at those packet flow diagrams and the exemple scenario and I was wondering : where does the traffic originating from the router itself appears ?

For example let's say I bind a dhcp-client to a vlan interface, what would be the path of a DHCP Request packet on those diagram ?

BRMateus2 · Sat Mar 23, 2019 1:17 am

Hello guys !
I'm looking at those packet flow diagrams and the exemple scenario and I was wondering : where does the traffic originating from the router itself appears ?

For example let's say I bind a dhcp-client to a vlan interface, what would be the path of a DHCP Request packet on those diagram ?

Router originated packets are always output->postrouting.
Look at, where input are packets targeted exclusively to router (or not-NATted for example), and output are exclusively outgoing originated from router.
https://wiki.mikrotik.com/images/2/2f/Pfd.png (https://wiki.mikrotik.com/wiki/Manual:Packet_Flow)

Who is online