Packet Flow in RouterOS

While I was studying iptables I wanted to dive deeper into how exactly routers work, since iptables could technically act as a firewall and a router.

  • There are 4 boxes in the center of the diagram:

    • Bridging

    • Routing

    • MPLS decisions

    • Local router processes

  • If the packet needs to be routed through the router (forwarded), it will flow as illustrated in the image below.

  • If the packet's destination is the router itself:

    • the in-interface receives an ICMP (ping) packet; its destination is the router itself, so the packet goes for local-in processing;

    • after the packet is processed, an ICMP (ping) reply is generated inside the router (local-out processing) and is sent out over the out-interface.

  • Explanation of each box before we go further with examples:

    • physical in-interface - the starting point of the packet received by the router;

    • logical in-interface - the starting point of the decapsulated packet (from tunnels, IPsec, etc);

    • local in - the last point of a packet destined to router itself;

    • interface HTB (Hierarchical Token Bucket) - interface queue;

    • physical out-interface - last point of the packet before it is actually sent out;

    • logical out-interface - last point of the packet before encapsulation (to tunnels, IPsec, etc);

    • local out - the starting point of a packet generated by the router;

Chains

  • The PREROUTING chain:

    • Rules in this chain apply to packets as they just arrive on the network interface. This chain is present in the nat, mangle and raw tables.

  • The INPUT chain:

    • Rules in this chain apply to packets just before they’re given to a local process. This chain is present in the mangle and filter tables.

  • The OUTPUT chain:

    • The rules here apply to packets just after they’ve been produced by a process. This chain is present in the raw, mangle, nat, and filter tables.

  • The FORWARD chain:

    • The rules here apply to any packets that are routed through the current host. This chain is only present in the mangle and filter tables.

  • The POSTROUTING chain:

    • The rules in this chain apply to packets as they just leave the network interface. This chain is present in the nat and mangle tables.

Flow of Routed Packet

Forward

  • The packet enters prerouting processing:

    • check if there is a hotspot and modify the packet for hotspot use;

    • process packet through RAW prerouting chain;

    • send the packet through connection tracking;

    • process packet through Mangle prerouting chain;

    • process packet through NATs dst-nat chain;

  • Run the packet through the routing table to make a routing decision;

  • The packet enters the forward process:

    • check TTL value;

    • process packet through Mangle forward chain;

    • process packet through the Filter forward chain;

    • send the packet to accounting processes;

  • The packet enters the postrouting process:

    • process packet through Mangle postrouting chain;

    • process packet through NATs src-nat chain;

    • if there is a hotspot undo any modifications made in hotspot-in;

    • process packet through queue tree (HTB Global);

    • process packet through simple queues;

  • Check if there is IPsec and then process through IPsec policies;

Input

  • A similar process happens when the packet's destination is the router itself. The packet enters prerouting processing:

    • check if there is a hotspot and modify the packet for hotspot use

    • process packet through RAW prerouting chain

    • send a packet through connection tracking

    • process packet through Mangle prerouting chain

    • process packet through NATs dst-nat chain

  • Run the packet through the routing table to make a routing decision

  • The packet enters the input process:

    • process packet through Mangle input chain

    • process packet through Filter input chain

    • process packet through queue tree (HTB Global)

    • process packet through simple queues

  • Check if there is IPsec and then process through IPsec policies.

Output

  • The packet originates from the router itself (local-out processing) and enters the postrouting process:

    • process packet through Mangle postrouting chain

    • process packet through NATs src-nat chain

    • if there is a hotspot undo any modifications made in hotspot-in

    • process packet through queue tree (HTB Global)

    • process packet through simple queues

  • Check if there is IPsec and then process through IPsec policy
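The Chains section and the Forward, Input and Output lists above describe which chains exist in which tables and in what order a packet meets them. The Python model below is added here as an illustration; it is not code from the RouterOS documentation or from MikroTik. It encodes that order as a list of stages and walks a small rule set along it, which makes the practical consequence visible: a drop rule placed in the forward chain never touches a packet addressed to the router itself, and a raw prerouting rule fires before connection tracking. The Packet and Rule types, the evaluate function, ROUTER_IP, the sample addresses and the placement of the output chains directly after the routing decision are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample value: the address the model treats as "the router itself".
ROUTER_IP = "10.0.0.1"

# Chain -> tables that contain it, transcribed from the "Chains" section above.
CHAIN_TABLES = {
    "prerouting": {"raw", "mangle", "nat"},
    "input": {"mangle", "filter"},
    "forward": {"mangle", "filter"},
    "output": {"raw", "mangle", "nat", "filter"},
    "postrouting": {"nat", "mangle"},
}


def chain_exists(table: str, chain: str) -> bool:
    """True if the given table actually has the given chain."""
    return table in CHAIN_TABLES.get(chain, set())


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    from_router: bool = False  # True for packets a local router process generated


@dataclass
class Rule:
    table: str
    chain: str
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def __post_init__(self) -> None:
        # A rule can only be placed in a chain that its table really has.
        if not chain_exists(self.table, self.chain):
            raise ValueError(f"table {self.table!r} has no {self.chain!r} chain")

    def matches(self, pkt: Packet) -> bool:
        return self.proto in (None, pkt.proto) and self.dport in (None, pkt.dport)


def packet_path(pkt: Packet, hotspot: bool = False, ipsec: bool = False) -> list[str]:
    """Ordered processing stages for one packet, following the Forward, Input and
    Output lists above. Stages named '<table> <chain>' are the points where the
    firewall rules of that table and chain are consulted."""
    path: list[str] = []
    if not pkt.from_router:
        # Prerouting is the same for forwarded and router-destined packets.
        if hotspot:
            path.append("hotspot-in")
        path += ["raw prerouting", "connection tracking", "mangle prerouting", "nat dst-nat"]
    path.append("routing decision")
    if pkt.from_router:
        # Assumption of this example: the Chains section puts OUTPUT in raw/mangle/nat/filter
        # but the Output list does not say where it runs, so it is placed right after routing.
        path += ["raw output", "mangle output", "filter output"]
    elif pkt.dst == ROUTER_IP:
        path += ["mangle input", "filter input", "queue tree", "simple queues"]
    else:
        path += ["ttl check", "mangle forward", "filter forward", "accounting"]
    if pkt.from_router or pkt.dst != ROUTER_IP:
        # Postrouting applies to forwarded and router-generated packets only.
        path += ["mangle postrouting", "nat src-nat"]
        if hotspot:
            path.append("hotspot-out")
        path += ["queue tree", "simple queues"]
    if ipsec:
        path.append("ipsec policy")
    return path


def evaluate(pkt: Packet, rules: list[Rule], hotspot: bool = False, ipsec: bool = False) -> str:
    """Walk the packet's path and, at each raw or filter chain on it, apply that
    chain's rules in order (first match wins). A packet no rule drops is accepted,
    so a drop rule sitting in a chain the packet never visits has no effect."""
    for stage in packet_path(pkt, hotspot, ipsec):
        table, _, chain = stage.partition(" ")
        if table not in ("raw", "filter"):
            continue  # mangle/nat/queue/tracking stages do not drop packets in this model
        for rule in rules:
            if rule.table == table and rule.chain == chain and rule.matches(pkt):
                if rule.action == "drop":
                    return f"dropped at {stage}"
                break  # explicit accept: leave this chain, continue along the path
    return "accepted"


if __name__ == "__main__":
    # Constructed traffic: a telnet connection to the router and one through it.
    to_router = Packet("192.0.2.10", ROUTER_IP, "tcp", 23)
    through_router = Packet("192.0.2.10", "198.51.100.5", "tcp", 23)
    # The same drop rule, once in the forward chain and once in the input chain.
    in_forward = [Rule("filter", "forward", "drop", proto="tcp", dport=23)]
    in_input = [Rule("filter", "input", "drop", proto="tcp", dport=23)]
    for name, pkt in (("to router", to_router), ("through router", through_router)):
        print(f"{name:15} forward-chain rule: {evaluate(pkt, in_forward)}")
        print(f"{name:15} input-chain rule:   {evaluate(pkt, in_input)}")
    print(" -> ".join(packet_path(through_router, hotspot=True, ipsec=True)))
```

Running the script prints the four verdicts and the full stage list for a forwarded packet with hotspot and IPsec enabled. The defensive reading of the output is the point of the model: rules protecting services on the router belong in the input chain, rules about traffic crossing the router belong in the forward chain, and a raw prerouting drop is evaluated before the packet reaches connection tracking, which is why it is the cheapest place to discard unwanted traffic.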

References

  • https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS
