Connection Tracking - MikroTik RouterOS v2.9 Reference Manual


a packet to leave the processing pipeline. A packet can leave through one of the router's
interfaces (in this case the interface is referred to as the output interface) or it can end up in a local
process. In general, traffic can be destined to one of the router's IP addresses, it can originate from
the router, or it simply has to be passed through. To further complicate things, the traffic can be
either bridged or routed, which is determined during the Bridge Decision stage.
Routed traffic
The traffic received for the router's MAC address on the respective port is passed to the routing
procedures and can be of one of these four types:
- traffic destined to the router itself. The IP packets have a destination address equal to
one of the router's IP addresses. A packet enters the router through the input interface,
sequentially traverses the prerouting and input chains and ends up in the local process.
Consequently, such a packet can be filtered in the input chain filter and mangled in two places: the
input and the prerouting chain filters.
- traffic originated from the router. In this case the IP packets have their source addresses
identical to one of the router's IP addresses. Such packets travel through the output chain, are then
passed to the routing facility, where an appropriate routing path for each packet is
determined, and leave through the postrouting chain.
- routable traffic, which is received at the router's MAC address, has an IP address different
from any of the router's own addresses, and its destination can be found in the routing tables.
These packets go through the prerouting, forward and postrouting chains.
- unroutable traffic, which is received at the router's MAC address, has an IP address different
from any of the router's own addresses, but its destination cannot be found in the routing
tables. These packets go through the prerouting chain and stop at the routing decision.
The actions imposed by the various router facilities are applied sequentially to a packet in each of the
default chains. The exact order in which they are applied is pictured at the bottom of the flow diagram.
For example, for a packet passing the postrouting chain, the mangle rules are applied first, the two types
of queuing come second, and finally source NAT is performed on packets that need to be
NATted.
Note that any given packet can come through only one of the input, forward or output chains.
Bridged Traffic
In case the incoming traffic needs to be bridged (do not confuse it with the traffic coming to the
bridge interface at the router's own MAC address, which is therefore classified as routed traffic), it is first
determined whether it is IP traffic or not. After that, IP traffic goes through the prerouting,
forward and postrouting chains, while non-IP traffic bypasses all IP firewall rules and goes
directly to the interface queue. Both types of traffic, however, undergo the full set of bridge firewall
chains, regardless of the protocol.
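As an added illustration (not code from the manual or from RouterOS itself), the following Python model applies the classification rules above to a packet and lists the IP firewall chains it traverses. The router addresses and routing table are constructed example values; the routing table deliberately has no default route so that the unroutable case can be shown.

```python
import ipaddress

# Constructed example configuration (assumed values, not from the manual):
# two router addresses and a routing table without a default route.
ROUTER_ADDRESSES = {ipaddress.ip_address("192.168.1.1"),
                    ipaddress.ip_address("10.0.0.1")}
ROUTING_TABLE = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]


def is_routable(dst, table):
    """True if the routing table holds a route covering dst."""
    return any(dst in net for net in table)


def classify(src, dst, router_ips=ROUTER_ADDRESSES, table=ROUTING_TABLE,
             bridged=False, is_ip=True):
    """Return (traffic type, list of IP firewall chains traversed)."""
    if bridged:
        # Bridge decision came first: non-IP frames skip the IP firewall
        # entirely, IP frames still traverse prerouting/forward/postrouting.
        if not is_ip:
            return ("bridged non-IP", [])
        return ("bridged IP", ["prerouting", "forward", "postrouting"])
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if dst in router_ips:                     # destined to the router itself
        return ("to router", ["prerouting", "input"])
    if src in router_ips:                     # originated by the router
        return ("from router", ["output", "postrouting"])
    if is_routable(dst, table):               # passed through
        return ("routable", ["prerouting", "forward", "postrouting"])
    return ("unroutable", ["prerouting"])     # stops at the routing decision


def hits_at_most_one_of_input_forward_output(chains):
    """Check the manual's rule: only one of input/forward/output is hit."""
    return len({"input", "forward", "output"} & set(chains)) <= 1


if __name__ == "__main__":
    samples = [("192.168.1.50", "192.168.1.1"), ("10.0.0.1", "192.168.1.50"),
               ("192.168.1.50", "10.5.5.5"), ("192.168.1.50", "8.8.8.8")]
    for s, d in samples:
        kind, chains = classify(s, d)
        print(f"{s:>14} -> {d:<14} {kind:12} {' > '.join(chains) or '-'}")
```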

Connection Tracking

Home menu level: /ip firewall connection
Description
Page 468 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
