
Who can help me ?

Posted: Mon Dec 21, 2009 6:38 pm
by Michael12345
I have touched Mikrotik for several months, but now, frankly, I am still haunted by some basic but very important concepts like input, forward, output, etc. I deeply believe that if these concepts I can thoroughly understand, I can't get even further.

Like the picture shown below, there is a crossroad after "prerouting": the router has to make a decision that some packets are sent to the "input" chain, and the others go through the "forward" chain...
Question one: which kind of packets should go to the "input" chain? In my view, every packet should go into the "input" chain to be processed in the router and then flow out of the router.
Question two: What processes would take place in the "local process-in" and "local process-out"? Give me some examples please.

Re: Who can help me ?

Posted: Mon Dec 21, 2009 6:51 pm
by fewi
http://wiki.mikrotik.com/wiki/Firewall_filter
There are three predefined chains, which cannot be deleted:

* input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
* forward - used to process packets passing through the router
* output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
http://wiki.mikrotik.com/wiki/Packet_Flow
"Local Process IN" - last point in packets way to router itself, after this packet is discarded
"Local Process OUT" - starting point for packets generated by router itself

Re: Who can help me ?

Posted: Mon Dec 21, 2009 8:49 pm
by Chupaka
> "local process-in" and "local process-out"? Give me some examples please.

examples: ospf sessions, routeros web server (webbox), winbox server, proxy, etc

Re: Who can help me ?

Posted: Sun Dec 27, 2009 11:40 am
by Michael12345
> > "local process-in" and "local process-out"? Give me some examples please.
>
> examples: ospf sessions, routeros web server (webbox), winbox server, proxy, etc

After I read your reply, I consider that "local process-in" only deals with the processes which are about the management of the router, am I right? In other words, when I manipulate the issues of load balancing, speed limitation etc., it's none of the business of the input or output chain, right?
But why did I see that the link http://wiki.mikrotik.com/wiki/ECMP_load ... masquerade uses the "input" and "output" chains to deal with the "ECMP" load balancing? I excerpt the snippet as follows:
"/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2 ....."
Don't the forward packets traverse through the "input" and "output" chains?

Re: Who can help me ?

Posted: Sun Dec 27, 2009 11:53 am
by Chupaka
these lines are for router management via uplinks - for you to be able to connect to the router from the Internet

also, if you use load-balancing and webproxy, you should deal with output chain to balance proxy requests

Re: Who can help me ?

Posted: Sun Dec 27, 2009 5:54 pm
by Michael12345
> these lines are for router management via uplinks - for you to be able to connect to the router from the Internet
>
> also, if you use load-balancing and webproxy, you should deal with output chain to balance proxy requests

I can't catch your substances indeed. First, load balancing deals with the forward packets and does not involve the "input" or "output" chain at all in my view; it needn't use "these lines are for router management via uplinks - for you to be able to connect to the router from the Internet". Like other load balancing, e.g. "NTH": why doesn't "NTH" need "these lines for router management via uplinks......"? Do you mean that if these sentences are lacking, the router can't get on the internet? I have tried setting the "input" and "output" chains to "drop" in the "firewall-filter rules" menu, and it can still get on the internet.
But I just now found that "PCC" also uses the "input" and "output" chains to configure load balancing, puzzling........ Can you explain it for me in detail? Thanks.

Re: Who can help me ?

Posted: Sun Dec 27, 2009 7:31 pm
by fewi
> these lines are for router management via uplinks - for you to be able to connect to the router from the Internet

If you have multiple lines and want to manage the router from the internet, you need to work with the output/input chains to make sure that traffic leaves via the same line as it came in on.

> also, if you use load-balancing and webproxy, you should deal with output chain to balance proxy requests

When you use the proxy feature, traffic from the client goes directly to the router (input) and the router's proxy goes out and fetches the content (output). The site responds to the router (input), which forwards the traffic back to the client (output).
If you use the transparent proxy, traffic from the client goes directly to the server (forward) but while flowing through the router gets redirected to the router (input), which then fetches the content for the client from the site (output). The site talks back to the router (input), which rewrites the IP header to make it look like it came from the site directly and sends it to the client (output).
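
The chain selection discussed in this thread, modelled as an added Python example (not part of the original posts and not MikroTik code). The addresses, interface names, ports and the `chain_for` helper are constructed for illustration, and the redirect handling is a simplified stand-in for a dst-nat redirect rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed lab addresses (RFC 5737 / RFC 1918), not taken from the thread.
ROUTER = {"ether1": ip_address("192.0.2.1"), "ether2": ip_address("10.0.0.1")}
CLIENT, SITE = "10.0.0.50", "198.51.100.80"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_interface: Optional[str]  # None = generated by the router itself

def chain_for(pkt, redirect_ports=frozenset()):
    """Filter chain a packet is checked in, per the chain definitions quoted above."""
    if pkt.in_interface is None:
        return "output"  # starts at "local process-out"
    dst = ip_address(pkt.dst)
    # A dst-nat redirect (transparent proxy) rewrites the destination to the
    # router before the routing decision, so the packet ends up in input.
    if pkt.dport in redirect_ports:
        dst = ROUTER[pkt.in_interface]
    return "input" if dst in ROUTER.values() else "forward"

def transparent_proxy_flow():
    """The four legs described for a transparent proxy, as (leg, chain) pairs."""
    legs = [
        ("client -> site, redirected", Packet(CLIENT, SITE, 80, "ether2")),
        ("proxy fetches from site", Packet("192.0.2.1", SITE, 80, None)),
        ("site answers proxy", Packet(SITE, "192.0.2.1", 40000, "ether1")),
        # Source is rewritten to look like the site, but the router generated it.
        ("proxy answers client", Packet(SITE, CLIENT, 40001, None)),
    ]
    return [(name, chain_for(p, redirect_ports={80})) for name, p in legs]

if __name__ == "__main__":
    for name, chain in transparent_proxy_flow():
        print(f"{name:28} {chain}")
    # Plain routed traffic (no proxy) never touches input or output.
    print(chain_for(Packet(CLIENT, SITE, 443, "ether2")))
    # Management from the Internet (Winbox, TCP 8291) is input traffic.
    print(chain_for(Packet(SITE, "192.0.2.1", 8291, "ether1")))
```

Filter rules meant to protect the router's own services therefore belong in the input chain, while rules for client traffic passing through belong in forward.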