Packet Flow in RouterOS
While i was studying ip tables i wanted to dive deeper into how exatly routers work since iptables could techinically act as a firewall and a router
There are 4 boxes in the center of the diagram:
Bridging
Routing
Mpls decisions
local router processes.
if the packet needs to be routed over the router, a packet will flow as illustrated in the image below
if the packet's destination is a router
the in-interface receives ICMP (ping) packet, its destination is the router itself, so the packet will go for local-in processing
After the packet is processed ICMP (ping) reply is generated inside the router (local-out processing) and will be sent out over the out-interface
explanation of each box before we go further with examples:
physical in-interface - the starting point of the packet received by the router;
logical in-interface - the starting point of the decapsulated packet (from tunnels, IPsec, etc);
local in - the last point of a packet destined to router itself;
interface HTB (Hierarchical Token Bucket) - interface queue;
physical out-interface - last point of the packet before it is actually sent out;
logical out-interface - last point of the packet before encapsulation (to tunnels, IPsec, etc);
local out - the starting point of a packet generated by the router;
Chains
The PREROUTING chain:
Rules in this chain apply to packets as they just arrive on the network interface. This chain is present in the nat, mangle and raw tables.
The INPUT chain:
Rules in this chain apply to packets just before they’re given to a local process. This chain is present in the mangle and filter tables.
The OUTPUT chain:
The rules here apply to packets just after they’ve been produced by a process. This chain is present in the raw, mangle, nat, and filter tables.
The FORWARD chain:
The rules here apply to any packets that are routed through the current host. This chain is only present in the mangle and filter tables.
The POSTROUTING chain:
The rules in this chain apply to packets as they just leave the network interface. This chain is present in the nat and mangle tables.
Flow of Routed Packet
Forward
The packet enters prerouting processing:
check if there is a hotspot and modify the packet for hotspot use
process packet through RAW prerouting chain;
send the packet through connection tracking;
process packet through Mangle prerouting chain;
process packet through NATs dst-nat chain;
Run packet through routing table to make routing decision;
The packet enters the forward process;
check TTL value;
process packet through Mangle forward chain;
process packet through the Filter forward chain;
send the packet to accounting processes;
A packet enters postrouting process;
process packet through Mangle postrouting chain;
process packet through NATs src-nat chain;
if there is a hotspot undo any modifications made in hotspot-in;
process packet through queue tree (HTB Global);
process packet through simple queues;
Check if there is IPsec and then process through IPsec policies;
Input
similar process happens when a packet's destination is a router
check if there is a hotspot and modify the packet for hotspot use
process packet through RAW prerouting chain
send a packet through connection tracking
process packet through Mangle prerouting chain
process packet through NATs dst-nat chain
Run packet through routing table to make routing decision
enters the input process
process packet through Mangle input chain
process packet through Filter input chain
process packet through queue tree (HTB Global)
process packet through simple queues
Check if there is IPsec and then process through IPsec policies.
Output
The packet is originated from the router itself
process packet through Mangle postrouting chain
process packet through NATs src-nat chain
if there is a hotspot undo any modifications made in hotspot-in
process packet through queue tree (HTB Global)
process packet through simple queues
Check if there is IPsec and then process through IPsec policy
References
https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS
Last updated