I would like to ask network gurus for hints how to troubleshoot Mikrotik settings.
I am new to network configurations and I am used to troubleshoot applications using their logs. When configuring mikrotik I have discovered I can use packet counters and logging certain packets (using ip firewall log actions) but I am wondering whether is there any tutorial for beginners like me how can I troubleshoot settings which are not working as expected.

To give an example where to start:
For NAT settings (/ip firewall nat) is not possible to define action LOG so I would like to find the way how to get the clue what is happening with my traffic (in other words. "why is not the dst nat and hairpin working ?").

I have read many forums what needs to be set up for port forwarding and I have studied diagrams here http://wiki.mikrotik.com/wiki/Packet_Flow but it does not give me any hint where can I place some troubleshooting logging.

I have studied diagrams here http://wiki.mikrotik.com/wiki/Packet_Flow but it does not give me any hint where can I place some troubleshooting logging.

Mangle 'prerouting' is before DST-NAT and allows logging.

HTH,

Good question! Hi to all! I want to understand how packets flow via mangle, as I know packet cannot have 2 marks or no? For example I need to mark all forwarding traffic and form this want also mark only to some dst-add-list. What I must in this case? Thanks!

Good question! Hi to all! I want to understand how packets flow via mangle, as I know packet cannot have 2 marks or no? For example I need to mark all forwarding traffic and form this want also mark only to some dst-add-list. What I must in this case? Thanks!

I have studied diagrams here http://wiki.mikrotik.com/wiki/Packet_Flow but it does not give me any hint where can I place some troubleshooting logging.

Mangle 'prerouting' is before DST-NAT and allows logging.

HTH,

Thank you for your hint. I am very new to Mikrotik so I need get a little bit more specific hint. I have checked the mangle I understand you suggest that it helps me to LOG every packet before it enters any rules defined by NAT. I have not figured how to log what happens with each packet in terms of processing by Mikrotik. I am used from "server application world" that I can set up "debug logging" and I can trace each event in the server application step by step and helps to find out why server application did "something". In the networking world I would like to be able to have debug log to identify on specific packets (identified e.g. by source IP address ) following:
1. which firewall-filter rule applied to such packet and what was the result (drop, ....)
2. which firewall-NAT rule applied to such packet and what happened witch such packet

It might be very naive question but I would like to be able to see in my log each step of NATting (for example of hairpin) and what happens with the packet (how src and dst IP addresses and ports are altered etc.). In the following article http://wiki.mikrotik.com/wiki/Hairpin_NAT is described very nicely how hairpin works but I would like to be able to trace each step (in the article Steps1-4) in order to troubleshoot my settings.

Thank you for your hint. I am very new to Mikrotik so I need get a little bit more specific hint. I have checked the mangle I understand you suggest that it helps me to LOG every packet before it enters any rules defined by NAT. I have not figured how to log what happens with each packet in terms of processing by Mikrotik. I am used from "server application world" that I can set up "debug logging" and I can trace each event in the server application step by step and helps to find out why server application did "something". In the networking world I would like to be able to have debug log to identify on specific packets (identified e.g. by source IP address ) following:
1. which firewall-filter rule applied to such packet and what was the result (drop, ....)
2. which firewall-NAT rule applied to such packet and what happened witch such packet

It might be very naive question but I would like to be able to see in my log each step of NATting (for example of hairpin) and what happens with the packet (how src and dst IP addresses and ports are altered etc.). In the following article http://wiki.mikrotik.com/wiki/Hairpin_NAT is described very nicely how hairpin works but I would like to be able to trace each step (in the article Steps1-4) in order to troubleshoot my settings.

Thanks for the link on Hairpin NAT. All the other NAT articles I found weren't helping me to access my web server from my local LAN through my public DNS registration pointing to my WAN IP. Problem solved!

I am happy that my question helped to solve your problem.

But I am still searching for debugging NAT settings.

I have tried to use IP-Firewall-Magle to determine what is happening with my traffic. As a first step I mark my Connection as "Surname_test" determined by source IP address and that I do
1. prerouting - log traffic with connection Mark "Surname_test"
2. postrouting - log traffic with connection Mark "Surname_test"

The test is done by telnet connection to IP address 192.168.168.4
What surprises me is that in the log file I can see first postrouting and than prerouting.

94 Jan/02/2013 18:16:17 memory firewall, info prerouting: in:bridge-local out:(none), src-mac 00:26:5e:30:fd:57, proto TCP (SYN), 192.168.88.246:3643->192.168.168.4:23, len 48
95 Jan/02/2013 18:16:17 memory firewall, info postrouting: in:(none) out:bridge-local, src-mac 00:26:5e:30:fd:57, proto TCP (SYN), 192.168.88.246:3643->192.168.88.4:23, len 48
93 Jan/02/2013 18:16:10 memory system, info mangle rule changed by petr


What do I miss ?