Sure it is normal. According to the Packet Flow diagram (http://wiki.mikrotik.com/wiki/Manual:Packet_Flow), Dst-NAT is before Filter Forward, that's why you're observing already NATted IPs in Firewall Filter.
--
2013/12/17 Rory McCann <[email protected]>

> Okay, so I spoke too soon. The rule still wasn't catching ANYTHING.
>
> Apparently, the rule was expecting to see the internal SQL server
> (private) IP and not the public one. Once I changed the rule back to a
> forward chain and set the IP to my internal public IP of the SQL server, it
> started working as expected.
>
> Is this normal behavior?
>
> Rory McCann
> MKAP Technology Solutions
> Web: www.mkap.net
>
> On 12/17/2013 10:46 AM, Rory McCann wrote:
>
>> I'm betting that's it. I didn't even think of it like that.
>>
>> Thanks!
>>
>> Rory McCann
>>
>> On 12/17/2013 10:43 AM, Josh Luthman wrote:
>>
>>> Uh is the dst-address on the MT? That would be input, not forward.
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>
>>> On Dec 17, 2013 11:42 AM, "Rory McCann" <[email protected]> wrote:
>>>
>>>> No, it wasn't matching any traffic.
>>>>
>>>> Rory McCann
>>>>
>>>> On 12/17/2013 10:40 AM, Josh Luthman wrote:
>>>>
>>>>> Is the firewall rule counting packets?
>>>>>
>>>>> Josh Luthman
>>>>>
>>>>> On Dec 17, 2013 11:39 AM, "Rory McCann" <[email protected]> wrote:
>>>>>
>>>>>> Shouldn't be. I created the firewall rule before the NAT rule and
>>>>>> there wasn't any pre-existing connections to SQL.
>>>>>>
>>>>>> Rory McCann
>>>>>>
>>>>>> On 12/17/2013 10:33 AM, Josh Luthman wrote:
>>>>>>
>>>>>>> Maybe using an already established connection?
>>>>>>>
>>>>>>> Josh Luthman
>>>>>>>
>>>>>>> On Dec 17, 2013 11:29 AM, "Rory McCann" <[email protected]> wrote:
>>>>>>>
>>>>>>>> There are allow rules, but nothing that would have matched
>>>>>>>> anything in this particular rule.
>>>>>>>>
>>>>>>>> Rory McCann
>>>>>>>>
>>>>>>>> On 12/17/2013 10:23 AM, Louis Arsenault wrote:
>>>>>>>>
>>>>>>>>> Do you have an allow established rule before this rule?
>>>>>>>>>
>>>>>>>>> Having the allow established rule will continue to allow those bad
>>>>>>>>> connections until you move the drop rule above it or restart the
>>>>>>>>> router.
>>>>>>>>>
>>>>>>>>> -Louis
>>>>>>>>>
>>>>>>>>> On Tue, Dec 17, 2013 at 11:19 AM, Rory McCann <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Can someone explain to me why the following firewall rule isn't
>>>>>>>>>> working:
>>>>>>>>>>
>>>>>>>>>> add action=drop chain=forward comment="SQL Access" dst-address=1.2.3.4 dst-port=1433 protocol=tcp src-address-list=!SQL
>>>>>>>>>>
>>>>>>>>>> From what I understand, this rule should drop SQL traffic from any
>>>>>>>>>> address not in the SQL address list, correct?
>>>>>>>>>>
>>>>>>>>>> My corresponding NAT rule is this:
>>>>>>>>>>
>>>>>>>>>> add action=dst-nat chain=dstnat comment="My Farm Records - SQL Access" dst-address=1.2.3.4 dst-port=1433 protocol=tcp to-addresses=10.2.7.7 to-ports=1433
>>>>>>>>>>
>>>>>>>>>> It seems as though the NAT rule was taking precedence over the
>>>>>>>>>> Firewall rule. My SQL server was getting hammered with invalid
>>>>>>>>>> logins until I added a src-address-list entry to the NAT rule as
>>>>>>>>>> well.
>>>>>>>>>>
>>>>>>>>>> This is on ROS v6.7
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Rory McCann

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
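
The outcome of the thread written out as configuration, as an added example that is not part of any message above: dst-nat runs before the forward filter, so the filter rule has to match the translated address 10.2.7.7 instead of the public 1.2.3.4. The addresses, port and the `SQL` list name are the ones quoted in the thread; the explicit `/ip firewall` menu paths and the sample address-list entry are assumptions.

```routeros
# NAT rule as posted in the thread. It rewrites the destination in the
# dstnat chain, which is processed BEFORE the forward filter chain.
/ip firewall nat
add action=dst-nat chain=dstnat comment="My Farm Records - SQL Access" \
    dst-address=1.2.3.4 dst-port=1433 protocol=tcp \
    to-addresses=10.2.7.7 to-ports=1433

# Allowed clients. The entry below is a constructed sample from a
# documentation range; replace it with the real client addresses.
/ip firewall address-list
add list=SQL address=192.0.2.10 comment="allowed SQL client (sample)"

/ip firewall filter
# Before (never matches): by the time the packet reaches chain=forward its
# destination is already 10.2.7.7, so dst-address=1.2.3.4 sees nothing.
#   add action=drop chain=forward comment="SQL Access" dst-address=1.2.3.4
#       dst-port=1433 protocol=tcp src-address-list=!SQL

# After: match the post-NAT (private) destination. The source address is
# untouched by dst-nat, so the address-list test still works as intended.
# Keep this rule above any broader accept rule in the forward chain.
add action=drop chain=forward comment="SQL Access" dst-address=10.2.7.7 \
    dst-port=1433 protocol=tcp src-address-list=!SQL

# Check that the rule is counting packets once traffic arrives.
print stats
```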

