PREROUTING in nat table: DNAT, REDIRECT
POSTROUTING in nat table: SNAT/MASQUERADE
PREROUTING in mangle table: alter routing (e.g. source-based routing)
FORWARD in mangle table: traffic shaping for tc (flowid)
In MikroTik RouterOS, /ip firewall nat:
srcnat chain = PREROUTING
dstnat chain = POSTROUTING
/ip firewall mangle:
prerouting chain = global-in
forward chain = global-out (support NAT traffic shaping, higher load on router)
Update: I used to think that global-in literally means global input, while global-out literally means global output. Apparently I was mistaken. The parent queues MUST be matched to the right parent, either global-in, global-out, global-total, or one of the network interfaces depending on the mangle rules. Top-most queue parent (global-in, global-out, global-total) doesn’t decide whether it’s up/down. The mangle rules do the direction decision trick, whether a packet is incoming/download or outgoing/upload. This makes perfect sense now! (doh) I kept wondering why half of my queues (download queues’ top-most parent was global-in) weren’t working, when all my mangle rules were in forward chain. Obviously they wouldn’t, because global-in marks both direction in prerouting chain.
Update 2: mangle: download rules first then upload rules. global-in, connection mark: prerouting; packet mark: prerouting. global-out, connection mark: forward, packet mark: postrouting.
This didn’t make sense until I read the URL listed below under References. Silly me! Assumption is the root of most, if not all, problems indeed.
References:
http://wiki.ispadmin.eu/index.php/Documentation/Mikrotik_guide#.22Global-in.22_vs._.22global-out.22_setup
Recent Comments