Hi Guys,
So I am filtering on the firewall. I have an internal ip, say 172.18.1.1 that I am dst-natting web traffic to from 202.20.1.1
If I create a firewall rule blocking traffic to destination 202.20.1.1, nothing happens. When I change this to the nat address of 172.18.1.1 it works. Does that mean that everything is getting dst-natted first? If so, how can I ensure it goes through the firewall first?
-
-
CelticComms
Forum Guru
- Posts: 1765
- Joined:
Re: Confused about the firewall
Have a look at this:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
The DST NAT occurs before the forwarding chain filters are applied.
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
The DST NAT occurs before the forwarding chain filters are applied.
Re: Confused about the firewall
Yep, saw that. Wouldn't that do extra routing that's possibly not needed though?
-
-
CelticComms
Forum Guru
- Posts: 1765
- Joined:
Re: Confused about the firewall
I don't really follow the question. The diagram shows how the packets flow. If you are using NAT in IP firewall you are using layer 3 functions including routing. Yes - DST NAT occurs before the forward chain filters.Yep, saw that. Wouldn't that do extra routing that's possibly not needed though?
Last edited by CelticComms on Wed May 01, 2013 3:26 am, edited 1 time in total.
Re: Confused about the firewall
Which firewall chain are you using to block traffic to the NAT destination?
Who is online
Users browsing this forum: FurfangosFrigyes, moorezilla and 27 guests