# Packet Flow in RouterOS

While I was studying iptables I wanted to dive deeper into how exactly routers work, since iptables could technically act as a firewall and a router.

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-12f26c9cf9adc6da61a096bdbee0f1b932ada955%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

* There are 4 boxes in the center of the diagram:
  * Bridging
  * Routing
  * MPLS decisions
  * Local router processes
* If the packet needs to be routed through the router, it flows as illustrated in the image below:

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-b694b194b044b4f6819ad7421c3e7f77ece258d6%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

* If the packet's destination is the router itself:
  * the in-interface receives an ICMP (ping) packet whose destination is the router itself, so the packet goes to *local-in* processing;
  * after the packet is processed, an ICMP (ping) reply is generated inside the router (*local-out* processing) and is sent out over the out-interface.

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-722e9ecc42359626499a9c964e28dbe2bc1972f7%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

* Explanation of each box before we go further with examples:
  * **physical in-interface** - the starting point of the packet received by the router;
  * **logical in-interface** - the starting point of the decapsulated packet (from tunnels, IPsec, etc);
  * **local in** - the last point of a packet destined to router itself;
  * **interface HTB (Hierarchical Token Bucket)** - interface queue;
  * **physical out-interface** - last point of the packet before it is actually sent out;
  * **logical out-interface** - last point of the packet before encapsulation (to tunnels, IPsec, etc);
  * **local out** - the starting point of a packet generated by the router;

### Chains

* The **PREROUTING** chain:
  * Rules in this chain apply to packets as they just arrive on the network interface. This chain is present in the *nat*, *mangle* and *raw* tables.
* The **INPUT** chain:
  * Rules in this chain apply to packets just before they’re given to a local process. This chain is present in the *mangle* and *filter* tables.
* The **OUTPUT** chain:
  * The rules here apply to packets just after they’ve been produced by a process. This chain is present in the *raw*, *mangle*, *nat*, and *filter* tables.
* The **FORWARD** chain:
  * The rules here apply to any packets that are routed through the current host. This chain is only present in the *mangle* and *filter* tables.
* The **POSTROUTING** chain:
  * The rules in this chain apply to packets as they just leave the network interface. This chain is present in the *nat* and *mangle* tables.

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-5bb27d1f903a037ee108a7409ceba98ace8c0cf3%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Flow of Routed Packet

#### Forward

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-8a81f5f4b652d4b3d11eda171552552de9ef6af8%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-3c67cfaa997275a6b51cc271c49d2d06ddf1f012%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

* The packet enters prerouting processing:
  * check if there is a hotspot and modify the packet for hotspot use;
  * process packet through RAW prerouting chain;
  * send the packet through connection tracking;
  * process packet through Mangle prerouting chain;
  * process packet through NAT dst-nat chain;
* Run packet through routing table to make the routing decision;
* The packet enters the forward process:
  * check TTL value;
  * process packet through Mangle forward chain;
  * process packet through Filter forward chain;
  * send the packet to accounting processes;
* The packet enters postrouting processing:
  * process packet through Mangle postrouting chain;
  * process packet through NAT src-nat chain;
  * if there is a hotspot, undo any modifications made in hotspot-in;
  * process packet through queue tree (HTB Global);
  * process packet through simple queues;
* Check if there is IPsec and then process through IPsec policies.

#### Input

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-54d9fe6ec15ee76907961be2b0bd262953a9442b%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

* A similar process happens when the packet's destination is the router itself; the packet enters prerouting processing:
  * check if there is a hotspot and modify the packet for hotspot use;
  * process packet through RAW prerouting chain;
  * send the packet through connection tracking;
  * process packet through Mangle prerouting chain;
  * process packet through NAT dst-nat chain;
* Run packet through routing table to make the routing decision;
* The packet enters the input process:
  * process packet through Mangle input chain;
  * process packet through Filter input chain;
  * process packet through queue tree (HTB Global);
  * process packet through simple queues;
* Check if there is IPsec and then process through IPsec policies.
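As an added illustration (not from the MikroTik documentation or this page's author), the following Python model walks a received packet through the Forward and Input paths listed above, in the page's order; the addresses, the port-forward and the filter policy are constructed. It shows the consequence of that order a firewall author has to keep in mind: dst-nat runs before the routing decision and the Filter forward chain, so forward rules must match the translated destination, while src-nat runs after Filter, so forward rules still see the original source.

```python
from dataclasses import dataclass, field
# Constructed addressing (not from the page): the router's WAN and LAN addresses.
ROUTER_ADDRS = {"203.0.113.1", "192.168.88.1"}
LAN_PREFIX = "192.168.88."
# Constructed dst-nat rule: port-forward WAN :443 to an internal host on :8443.
DSTNAT = {("203.0.113.1", 443): ("192.168.88.10", 8443)}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int = 64
    trace: list = field(default_factory=list)   # stages the packet passed through

def filter_verdict(chain, p):
    """Constructed filter policy: first match wins, default drop."""
    if chain == "forward":
        if p.src.startswith(LAN_PREFIX):                  # LAN hosts may go out
            return "accept"
        if (p.dst, p.dport) == ("192.168.88.10", 8443):  # the port-forwarded service
            return "accept"
    if chain == "input" and p.src.startswith(LAN_PREFIX):  # only LAN manages the router
        return "accept"
    return "drop"

def process(p):
    """Walk a received packet through the stages in the order the page lists."""
    # prerouting: raw -> connection tracking -> mangle -> dst-nat
    p.trace += ["raw prerouting", "conntrack", "mangle prerouting"]
    if (p.dst, p.dport) in DSTNAT:
        p.dst, p.dport = DSTNAT[(p.dst, p.dport)]
        p.trace.append("dst-nat")
    # routing decision: taken on the (possibly translated) destination
    if p.dst in ROUTER_ADDRS:
        p.trace += ["mangle input", "filter input"]
        verdict = filter_verdict("input", p)
    else:
        p.ttl -= 1                                        # forward path checks TTL first
        if p.ttl <= 0:
            return p, "drop"
        p.trace += ["mangle forward", "filter forward"]
        verdict = filter_verdict("forward", p)
    if verdict != "accept":
        return p, verdict
    # postrouting, forward path only: masquerade LAN sources; filter already saw the real source
    if p.dst not in ROUTER_ADDRS and p.src.startswith(LAN_PREFIX):
        p.src = "203.0.113.1"
        p.trace += ["mangle postrouting", "src-nat"]
    return p, "accept"
```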

#### Output

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-9116d05d114c085902df2afce155ec3cfd6115a5%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://556493038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxMLCiQqJJztvsDM2LNoE%2Fuploads%2Fgit-blob-f65f807c970e0d93f23ea13a771fd2fdf1826173%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

* The packet originates from the router itself (*local-out*) and then enters postrouting processing:
  * process packet through Mangle postrouting chain;
  * process packet through NAT src-nat chain;
  * if there is a hotspot, undo any modifications made in hotspot-in;
  * process packet through queue tree (HTB Global);
  * process packet through simple queues;
* Check if there is IPsec and then process through IPsec policy.

## References

* <https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS>
