What do Bytes and Packets Properties in Firewall match?

Posted: Mon Sep 19, 2016 6:40 pm
by stoser
Hello,
I can't seem to find what the "bytes" and "packets" read-only properties capture in IP / Firewall under Filter, NAT and Mangle.

In the manual it simply says the "Total amount of bytes matched by the rule" and "Total amount of packets matched by the rule".

Yet if I set up a filter rule to match all forward chain packets from/to a specific IP address, and I set up a simple queue as well for the same IP address, the Bytes and Packets properties in the filter rule are NOT equal to the total uploaded or downloaded bytes in the simple queue. In fact, the properties of the filter rule are orders of magnitude less than the Queue total bytes / packets. The same happens under firewall / NAT. I would expect to see the TOTAL bytes that were masqueraded, but the numbers I'm getting are way too small to reflect the total...

There's something I'm missing here ... Does the filter rule match only a subset of all packets associated with a connection?

Thanks in advance for helping me understand this.

Re: What do Bytes and Packets Properties in Firewall match?

Posted: Mon Sep 19, 2016 6:51 pm
by ZeroByte
Different packets in a connection will usually match different rules if you're using connection tracking.

Consider this list of rules in the forward chain:
1: fast-track connection-state=established,related
2: accept connection-state=established,related
3: accept in-interface=lan
4: accept protocol=tcp port=22
5: drop

The first packet of a new incoming ssh connection will not match rule 1 or rule 2 because it is in the "new" state.
This packet will be counted on rule 4's counters.

The first reply packet from the internal server will place the connection into the "established" state, and the packet will match rule 1, bumping that rule's counter by one packet and by however much data the packet's size is....

Then the "ACK" packet (completing the TCP 3-way handshake) will arrive at the router, but since the connection was fast-tracked, it will not be compared to the firewall rules anymore - all packets in this connection (incoming AND outgoing) will be added to the dummy rule's counters.

If you take fast track out of the mix, (say you disabled rule 1) then rule 2 would be getting the packet counts and byte counts - but it will get ALL traffic in BOTH directions on ALL established,related connections.

In general, a firewall like this will have the behavior that the counters on the rules which allow certain types of new connections will reflect the number of connection attempts made because each new connection will fall through to that rule, while all subsequent packets will get caught by the performance-enhancing rule which immediately accepts (or fast tracks) all established connections.

(EDIT: the above is kinda complicated. Put more simply: For each rule that allows/drops certain ports... each rule basically becomes a counter for "connection attempts" on that port.)

The documentation's wording is what you should literally consider the rule counters to mean - they tell you exactly how many packets have matched that rule, and how many bytes of data those packets represent in total. I hope that my elaboration here has helped you understand why this is not necessarily the same thing as the amount of traffic that flows through the router.
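To make the counting behaviour described in this reply concrete, here is a small Python model of the five-rule forward chain above, with a direction-independent connection table and a "dummy" counter for packets that bypass the filter once their connection is fast-tracked. It is an added example written for this page, not code from the thread or from RouterOS: the addresses, ports and packet sizes are constructed, connection tracking is reduced to "new on the first packet, established afterwards", and the fasttrack rule is modelled as passthrough (the packet that marks the connection is still evaluated against rule 2), which is the RouterOS default for fasttrack-connection.

```python
"""Toy model of stateful firewall rule counters (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    in_interface: str
    size: int


@dataclass
class Rule:
    name: str
    action: str                                   # "accept", "drop" or "fasttrack"
    connection_state: Optional[FrozenSet[str]] = None
    in_interface: Optional[str] = None
    proto: Optional[str] = None
    port: Optional[int] = None                    # RouterOS "port=" matches src or dst port
    packets: int = 0
    bytes: int = 0

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.connection_state is None or state in self.connection_state)
                and (self.in_interface is None or pkt.in_interface == self.in_interface)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.port is None or self.port in (pkt.sport, pkt.dport)))

    def count(self, pkt: Packet) -> None:
        self.packets += 1
        self.bytes += pkt.size


class ForwardChain:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Packets of an already fast-tracked connection never reach the rules;
        # they are counted here, like the dummy rule RouterOS shows.
        self.fasttrack_dummy = Rule("dummy fasttrack counter", "passthrough")
        self.conntrack: Dict[Tuple, bool] = {}    # connection key -> fast-tracked flag

    @staticmethod
    def key(pkt: Packet) -> Tuple:
        # Direction-independent: request and reply packets map to one entry.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def process(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if self.conntrack.get(k):                 # connection was fast-tracked earlier
            self.fasttrack_dummy.count(pkt)
            return "fasttrack-bypass"
        state = "new" if k not in self.conntrack else "established"   # simplification
        for rule in self.rules:
            if not rule.matches(pkt, state):
                continue
            rule.count(pkt)
            if rule.action == "fasttrack":        # passthrough: mark, keep evaluating
                self.conntrack[k] = True
                continue
            if rule.action == "accept":
                self.conntrack.setdefault(k, False)
                return "accept"
            return "drop"                         # dropped packets create no entry
        return "drop"


def rule_table() -> List[Rule]:
    est = frozenset({"established", "related"})
    return [
        Rule("1 fasttrack established,related", "fasttrack", connection_state=est),
        Rule("2 accept established,related", "accept", connection_state=est),
        Rule("3 accept in-interface=lan", "accept", in_interface="lan"),
        Rule("4 accept tcp port=22", "accept", proto="tcp", port=22),
        Rule("5 drop", "drop"),
    ]


CLIENT, SERVER = "203.0.113.5", "192.0.2.10"      # constructed RFC 5737 addresses


def ssh_session(fw: ForwardChain, client_port: int, data_packets: int) -> List[str]:
    """Constructed packet sequence: 3-way handshake, then data in both directions."""
    to_srv = lambda n: Packet(CLIENT, client_port, SERVER, 22, "tcp", "wan", n)
    from_srv = lambda n: Packet(SERVER, 22, CLIENT, client_port, "tcp", "lan", n)
    pkts = [to_srv(60), from_srv(60), to_srv(52)]           # SYN, SYN-ACK, ACK
    for _ in range(data_packets):
        pkts += [to_srv(100), from_srv(1500)]
    return [fw.process(p) for p in pkts]


def counters(fw: ForwardChain) -> Dict[str, Tuple[int, int]]:
    return {r.name: (r.packets, r.bytes) for r in fw.rules + [fw.fasttrack_dummy]}


def run_demo(sessions: int = 3, data_packets: int = 10, fasttrack: bool = True):
    rules = rule_table() if fasttrack else [r for r in rule_table() if r.action != "fasttrack"]
    fw = ForwardChain(rules)
    for i in range(sessions):
        ssh_session(fw, 40000 + i, data_packets)
    fw.process(Packet(CLIENT, 50000, SERVER, 80, "tcp", "wan", 60))   # falls through to drop
    return counters(fw)


if __name__ == "__main__":
    for name, (p, b) in run_demo().items():
        print(f"{name:36s} packets={p:4d} bytes={b}")
```

With three SSH sessions of ten data packets each, rule 4 ends up at 3 packets (one SYN per connection attempt), rules 1 and 2 at 3 packets each (the first reply of every session), and the dummy counter carries the remaining 63 packets; disabling the fasttrack rule moves all of that post-handshake traffic onto rule 2's counters instead.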

Re: What do Bytes and Packets Properties in Firewall match?

Posted: Mon Sep 19, 2016 6:59 pm
by stoser
Loud and clear, your description makes perfect sense. Thank you.