Code:
/ip firewall nat add chain=srcnat action=masquerade out-interface=!lan
1. According to the packet flow diagram, source NAT is done at the postrouting stage, just before a packet is about to leave the router through an interface. Can you show me where exactly on the packet flow diagram the incoming packets are deNATted?
2. What does the router do with packets incoming from NATted interfaces for which there is no corresponding rule in the NAT table? Does it discard them silently, or does it allow them to pass unchanged according to the routing rules? In other words, having the above single NAT rule, will my local network be protected from the outer world without any additional firewall filter rules, or do I still need to add something like this:
Code:
/ip firewall filter
add chain=forward action=accept in-interface=lan comment="Allow all outgoing traffic received from the local network"
add chain=forward action=jump jump-target=forward-in out-interface=lan comment="Process incoming traffic going to the local network"
add chain=forward action=drop comment="Deny all other traffic (between external interfaces)"
add chain=forward-in action=accept connection-state=established comment="Allow established connections"
add chain=forward-in action=accept connection-state=related comment="Allow related connections"
add chain=forward-in action=drop comment="Deny all other traffic (attempts to establish connections from the outer world)"
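To illustrate question 2, here is a small constructed model of the forward chain (an added example, not part of the original post and not MikroTik code). It walks the poster's filter rules with RouterOS semantics (first matching terminal action wins, a jump returns to the caller if the target chain ends without a verdict, an empty chain means the implicit accept) and deliberately does not model NAT, because srcnat only rewrites addresses; it never decides whether a packet is forwarded, so with no filter rules every packet that routing accepts falls through to accept.

```python
from dataclasses import dataclass

# Constructed packet abstraction: the fields the poster's rules match on.
@dataclass
class Packet:
    in_iface: str
    out_iface: str    # chosen by routing before the forward chain runs
    conn_state: str   # connection tracking state: "new", "established", "related"

# The poster's filter set as (chain, matchers, action) tuples.
# action is "accept", "drop" or ("jump", target-chain).
FILTER_RULES = [
    ("forward", {"in_iface": "lan"}, "accept"),
    ("forward", {"out_iface": "lan"}, ("jump", "forward-in")),
    ("forward", {}, "drop"),
    ("forward-in", {"conn_state": "established"}, "accept"),
    ("forward-in", {"conn_state": "related"}, "accept"),
    ("forward-in", {}, "drop"),
]

def run_chain(chain, pkt, rules):
    """Evaluate one chain top to bottom. Returns "accept"/"drop", or None
    when no terminal rule matched (RouterOS then continues in the caller,
    or applies the implicit accept at the end of the built-in chain)."""
    for rule_chain, match, action in rules:
        if rule_chain != chain:
            continue
        if any(getattr(pkt, key) != value for key, value in match.items()):
            continue
        if isinstance(action, tuple):          # jump: consult the target chain
            verdict = run_chain(action[1], pkt, rules)
            if verdict is not None:
                return verdict
            continue                           # target fell off its end: next rule
        return action
    return None

def forward_verdict(pkt, rules):
    """Final fate of a forwarded packet. NAT is not modelled on purpose:
    a srcnat rule changes addresses on the way out but never drops a packet
    that routing is willing to forward, so rules=[] (masquerade only) lets
    an unsolicited WAN-to-LAN packet through."""
    verdict = run_chain("forward", pkt, rules)
    return verdict if verdict is not None else "accept"
```

Running `forward_verdict(Packet("wan", "lan", "new"), [])` returns "accept", while the same packet against FILTER_RULES returns "drop"; reply traffic with state "established" is accepted in both cases.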