Good afternoon. Can someone explain to me what are these 2 firewall rules (filter rules) ??? It has to do with VPN, with FASTTRACK ???

/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="FORWARD | ACEPTA ENTRADA IPSEC"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="FORWARD | ACEPTA SALIDA IPSEC"

Thank you very much already!!!

No one who can explain to me what these 2 rules are for ???

Thank you!!!

They probably are not default. I think MikroTik does not write comments in Spanish, but maybe they should. This could be a feature request.

I read the wiki page about the ipsec rules and I'm not 100% sure I understand it. Probably I need the context of why they need these rules in order to understand why they exist. Does someone know?

I do ipsec but only on the public address. I'm not trying to do it from a NAT or use routed networks, it's just regular old transport ipsec for me. I suspect this is for stuff under a NAT but I can't tell by reading the rules.

They probably are not default. I think MikroTik does not write comments in Spanish, but maybe they should. This could be a feature request.

I read the wiki page about the ipsec rules and I'm not 100% sure I understand it. Probably I need the context of why they need these rules in order to understand why they exist. Does someone know?

I do ipsec but only on the public address. I'm not trying to do it from a NAT or use routed networks, it's just regular old transport ipsec for me. I suspect this is for stuff under a NAT but I can't tell by reading the rules.

Thanks for your answer acruhl.
I commented that the comments in Spanish I put them, because I am from Argentina. These rules exist by default in the configuration script of the RB750GR3, but I never knew what those rules are for ...
Seeing well, in the rule of nat, also has something referred to IPSEC, which does not stop it is there either ...
The default nat rule is this:

/ ip firewall nat add chain = srcnat out-interface-list = WAN ipsec-policy = out, none action = masquerade

You can see "ipsec-policy = out" in that rule ...

Someone from mikrotik could scarnos the doubt ???

Thank you!!!

My RB750Gr3 does not have those rules. I have not done a factory reset on it recently though. I know they change firewall rules over time and they arrive after factory reset.

My RB750Gr3 does not have those rules. I have not done a factory reset on it recently though. I know they change firewall rules over time and they arrive after factory reset.

Of course, if you do not reset to factory values, you will not see it ...
You can see this configuration if you execute this command from the console:

/ system default-configuration print

There you will see the firewall rules that I mention.

Greetings.

I guess these rules allow encrypted packets ("inner" VPN stuff) to pass, and probably translate into "iptables --pol ipsec" rules under the hood

Will it have something to do with the so-called "VPN Passthrough" that comes on most routers ???

It has to do with IPSec and it's incompatibility with NAT. Have a look at https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

IPSEC decryption is applied before prerouting / de-natting. Hence on the WAN interface you need to accept packets "not coming" from WAN.
IPSEC encryption is applied after postrouting. Hence on WAN interface you may not masquerade or IPSec will not match on defined policies and will not encrypt.

It has to do with IPSec and it's incompatibility with NAT. Have a look at https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

IPSEC decryption is applied before prerouting / de-natting. Hence on the WAN interface you need to accept packets "not coming" from WAN.
IPSEC encryption is applied after postrouting. Hence on WAN interface you may not masquerade or IPSec will not match on defined policies and will not encrypt.

Good Morning.
So, I can delete those rules if I do not do vpn or anything that uses ipsec ??? Or these rules also impact on other things, such as navigation, etc ???

To be on safe-side, disable first. If no side-effects delete

To be on safe-side, disable first. If no side-effects delete

Thanks!!!