{"id":47,"date":"2014-03-31T01:14:03","date_gmt":"2014-03-31T01:14:03","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=47"},"modified":"2014-03-31T01:14:03","modified_gmt":"2014-03-31T01:14:03","slug":"mikrotik-chains-explained","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/mikrotik-chains-explained\/","title":{"rendered":"Mikrotik Chains Explained"},"content":{"rendered":"<p>What the wiki says:<\/p>\n<ul>\n<li><b>input<\/b>\u00a0&#8211; used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router&#8217;s addresses. Packets passing through the router are not processed against the rules of the input chain (DST address of the router)<\/li>\n<li><b>forward<\/b>\u00a0&#8211; used to process packets passing through the router\u00a0(SRC and DST is not on the router)<\/li>\n<li><b>output<\/b>\u00a0&#8211; used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What the wiki says: input\u00a0&#8211; used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router&#8217;s addresses. Packets passing through the router are not processed against the rules of the input chain (DST address of the router) forward\u00a0&#8211; used to process packets passing [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[24,17],"tags":[26,27,25],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-L","jetpack-related-posts":[{"id":305,"url":"http:\/\/www.mtin.net\/blog\/mirkotik-router-os-6-29-released\/","url_meta":{"origin":47,"position":0},"title":"Mikrotik Router OS 6.29 released","author":"j2sw","date":"May 28, 2015","format":false,"excerpt":"The fastTrack improvements are a big improvement for those of you doing such things. What's new in 6.29 (2015-May-27 11:19): *) ssh server - use custom generated DH primes when possible; *) ipsec - allow to specify custom IP address for my_id parameter; *) ovpn server - use subnet topology\u2026","rel":"","context":"In \"crs\"","block_context":{"text":"crs","link":"http:\/\/www.mtin.net\/blog\/tag\/crs\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":297,"url":"http:\/\/www.mtin.net\/blog\/protecting-your-mikrotik-from-dns-amplification\/","url_meta":{"origin":47,"position":1},"title":"Protecting your Mikrotik from DNS Amplification","author":"j2sw","date":"May 8, 2015","format":false,"excerpt":"There are several reasons and benefits to using your Mikrotik as a DNS caching server. \u00a0Queries to the client are just a tad faster, which makes the overall user experience seem snappier. \u00a0It also allows you to quickly change upstream DNS servers in the even of an outage, attack, etc.\u2026","rel":"","context":"In \"amplification\"","block_context":{"text":"amplification","link":"http:\/\/www.mtin.net\/blog\/tag\/amplification\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2250,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-destination-nat\/","url_meta":{"origin":47,"position":2},"title":"Mikrotik Destination Nat","author":"j2sw","date":"May 1, 2018","format":false,"excerpt":"Scenario You have a customer with a Mikrotik router that needs a port forwarded to an internal IP address. In our case, a customer has a camera that communicates on port 80 with a static IP add of 192.168.21.49 on their internal LAN. Solution add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.21.49\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1379,"url":"http:\/\/www.mtin.net\/blog\/simple-shut-off-scripting\/","url_meta":{"origin":47,"position":3},"title":"Simple shut-off scripting","author":"j2sw","date":"September 15, 2016","format":false,"excerpt":"I had a client today who is doing some manual things as they are using Quickbooks for billing and such. \u00a0One thing they kind of struggle with is turning off people for non-payment and such. \u00a0Their current method is adding a que and throttling someone to a low-speed to make\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2755,"url":"http:\/\/www.mtin.net\/blog\/basic-ipv6-mikrotik-firewall\/","url_meta":{"origin":47,"position":4},"title":"Basic IPV6 Mikrotik Firewall","author":"j2sw","date":"January 24, 2019","format":false,"excerpt":"Below is a basic IPV6 firewall fillter for your Mikrotik CPE devices.\u00a0 This is a good start for customer-facing CPE. \u00a0 \/ipv6 firewall filter add chain=forward comment=\"allow forwarding established, related\" connection state=established,related add chain=forward comment=\"allow forward lan->wan\" in-interface=lan out-interface=wan add chain=forward comment=\"allow ICMPv6 forwarding\" in-interface=wan protocol=icmpv6 add action=reject chain=forward comment=\"reject\u2026","rel":"","context":"In &quot;IPV6&quot;","block_context":{"text":"IPV6","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/ipv6\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2165,"url":"http:\/\/www.mtin.net\/blog\/ipv6-firewall-rules-for-mikrotik\/","url_meta":{"origin":47,"position":5},"title":"IPV6 Firewall rules for Mikrotik","author":"j2sw","date":"March 23, 2018","format":false,"excerpt":"Some basic IPV6 Firewall Rules for Mikrotik. Replace in-interface=\"\" with your appropriate interface. \/ipv6 firewall filter add chain=input protocol=icmpv6 add chain=input connection-state=established,related add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547 add action=drop chain=input connection-state=invalid add action=drop chain=input connection-state=new in-interface=ether1-wan add chain=forward protocol=icmpv6 add chain=forward connection-state=established,related add chain=forward connection-state=new in-interface=!ether1-wan add action=drop chain=forward\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/47"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=47"}],"version-history":[{"count":0,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/47\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=47"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=47"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=47"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}