Packet Flow in RouterOS

Last updated 5 months ago

While i was studying ip tables i wanted to dive deeper into how exatly routers work since iptables could techinically act as a firewall and a router

There are 4 boxes in the center of the diagram:
- Bridging
- Routing
- Mpls decisions
- local router processes.
if the packet needs to be routed over the router, a packet will flow as illustrated in the image below

if the packet's destination is a router
the in-interface receives ICMP (ping) packet, its destination is the router itself, so the packet will go for local-in processing
After the packet is processed ICMP (ping) reply is generated inside the router (local-out processing) and will be sent out over the out-interface
explanation of each box before we go further with examples:
- physical in-interface - the starting point of the packet received by the router;
- logical in-interface - the starting point of the decapsulated packet (from tunnels, IPsec, etc);
- local in - the last point of a packet destined to router itself;
- interface HTB (Hierarchical Token Bucket) - interface queue;
- physical out-interface - last point of the packet before it is actually sent out;
- logical out-interface - last point of the packet before encapsulation (to tunnels, IPsec, etc);
- local out - the starting point of a packet generated by the router;

The PREROUTING chain:
- Rules in this chain apply to packets as they just arrive on the network interface. This chain is present in the nat, mangle and raw tables.
The INPUT chain:
- Rules in this chain apply to packets just before they’re given to a local process. This chain is present in the mangle and filter tables.
The OUTPUT chain:
- The rules here apply to packets just after they’ve been produced by a process. This chain is present in the raw, mangle, nat, and filter tables.
The FORWARD chain:
- The rules here apply to any packets that are routed through the current host. This chain is only present in the mangle and filter tables.
The POSTROUTING chain:
- The rules in this chain apply to packets as they just leave the network interface. This chain is present in the nat and mangle tables.

similar process happens when a packet's destination is a router
- check if there is a hotspot and modify the packet for hotspot use
- process packet through RAW prerouting chain
- send a packet through connection tracking
- process packet through Mangle prerouting chain
- process packet through NATs dst-nat chain
Run packet through routing table to make routing decision
enters the input process
- process packet through Mangle input chain
- process packet through Filter input chain
- process packet through queue tree (HTB Global)
- process packet through simple queues
Check if there is IPsec and then process through IPsec policies.

References

Last updated 5 months ago