Syed Jahanzaib – Personal Blog to Share Knowledge !

December 13, 2019

Mikrotik – Packet Chain Topology

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 9:36 AM

Firewall Mangle

Firewall mangle is used to mark IP packets. These marks are used by other router facilities such as routing, firewall filter and bandwidth management (queues) to identify the packets. Mangle can also modify some fields in the IP header, such as the TOS (DSCP) and TTL fields. There are 5 default chains in firewall mangle: prerouting, input, forward, output and postrouting.

INPUT

Packets that come into the router with a destination IP address that is one of the router's own addresses are checked by the input chain. It is used to process packets entering the router through one of its interfaces and terminating on the router itself. For example, if we want to filter who may telnet or SSH to the router, we use the input chain in firewall filter. The input chain is therefore useful for limiting configuration access to the MikroTik router.
In other words: a connection that comes from a local host to the router and ends in the router, for example use of the internal proxy (the web proxy running on the router itself).

PREROUTING

Prerouting is looked at before the router makes a routing decision, so it happens before the input and forward chains. Every packet entering the router, whether it ends on the router or will be forwarded through it, matches prerouting first, no matter which interface it arrived on (you can still narrow this with in-interface in the mangle rule). Prerouting marks the connection before any further processing inside the router happens, such as redirecting it to an external proxy, filtering a port, or anything else.

FORWARD

After prerouting, packets that pass through the router are processed by the forward chain. It is used to process packets passing through the router, where the router is neither the source nor the destination. For example, if we want to block users from opening Facebook, we use the firewall forward chain to do it. This covers connections from the public side to the local network as well as connections from local to public, with the provision that nothing on the router itself terminates them: the connection is direct and only passes through the router, no process inside the router handles it.

POSTROUTING

Postrouting is looked at after the router makes a routing decision, just before the packet leaves the router. It happens after the forward chain for packets passing through the router, and after the output chain for packets the router generated itself, so it sees all traffic exiting the router regardless of where the packet came from or what was done to it inside the router.

OUTPUT

OUTPUT is used to process packets that originate from the router itself and leave through one of its interfaces, that is, connections from the router to the public. Normally we rarely use this chain. Example: when we ping from the router to the Internet, that is output traffic.
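To put the five chains side by side, here is an added example configuration (my own, not from the original post) with one or two rules per chain, showing which traffic each chain can see. The interface names (ether1 as WAN, bridge-lan as LAN), the 192.168.88.0/24 addresses, the admin host, the mark names and the routing table via-isp2 are assumptions chosen for illustration.

```routeros
# Added example (not from the original post): one or two rules per chain, to
# show which chain sees which traffic. Interface names, addresses, mark names
# and the routing table "via-isp2" are assumptions for illustration.
#
# Assumed topology: ether1 = WAN (public), bridge-lan = LAN 192.168.88.0/24,
# admin host 192.168.88.10.

# INPUT: packets whose destination is the router itself. Restrict SSH, Telnet
# and Winbox to one admin host and drop every other attempt. Established and
# related is accepted first so replies to the router's own sessions still work.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="router: accept replies to its own sessions"
add chain=input protocol=tcp dst-port=22,23,8291 src-address=192.168.88.10 \
    action=accept comment="router: mgmt from admin host only"
add chain=input protocol=tcp dst-port=22,23,8291 action=drop \
    comment="router: drop all other mgmt attempts"

# FORWARD: packets passing through the router (LAN <-> WAN). The router is
# neither source nor destination, so an input rule would never match them.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-lan out-interface=ether1 \
    protocol=tcp dst-port=25 action=drop \
    comment="LAN->WAN: block direct outbound SMTP"

# OUTPUT: packets the router itself originates (its own pings, DNS lookups,
# NTP). Rarely filtered; logged here only to make the chain visible.
add chain=output protocol=icmp action=log log-prefix="router-ping"

# PREROUTING (mangle): seen before the routing decision, so a mark that must
# influence routing has to be set here. Mark new LAN connections to TCP/443
# and steer them to a second uplink. On RouterOS v7 the table must exist
# first: /routing table add name=via-isp2 fib
/ip firewall mangle
add chain=prerouting in-interface=bridge-lan protocol=tcp dst-port=443 \
    connection-state=new action=mark-connection \
    new-connection-mark=https-conn passthrough=yes
add chain=prerouting connection-mark=https-conn action=mark-routing \
    new-routing-mark=via-isp2 passthrough=no

# POSTROUTING (mangle): seen after the routing decision, for forwarded and
# router-originated packets alike, just before they leave. Clear any DSCP
# value set by LAN hosts so the upstream does not honour untrusted markings.
add chain=postrouting out-interface=ether1 action=change-dscp new-dscp=0 \
    passthrough=yes comment="do not trust host-set DSCP on the WAN side"
```

Two things to keep in mind when trying this: the routing mark set in prerouting applies only to forwarded traffic, so router-originated connections would need the same mark-routing rule in the output chain; and the filter rules are evaluated top to bottom, so the accept for established,related must sit above the drop or you will cut off your own management session.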

============================================================================

Firewall Filter

Most of the time we use it to filter traffic, simply said, to protect our network from unauthorized users or bad guys. There are three default chains in firewall filter: input, output and forward.

Does it matter where you mark?

Yes, because marking in the wrong chain can overmark (match more traffic than you intended, or re-mark packets that an earlier rule has already marked) or undermark (miss traffic that never passes through that chain, for example a forward rule for traffic that ends on the router). Choose the right chain for the right classification/marking.

Connection/packet marking tips from fewi, MikroTik expert:

Connection marks are based on the connection tracking facility. That is mandatory for doing any NAT, so if you do NAT you get connection marks for free.

If you have a complicated way of assigning connection marks (you check a lot of parameters, such as protocol, source address, destination port, TTL and time of day) then it’s best to do that once, and above that rule mark packets based on connection mark (based on just one comparison – the connection mark – and hence much cheaper than checking lots of parameters) and setting passthrough to ‘no’. Alternatively, you could add additional parameters on the rule that sets the connection mark and either check for ‘connection-mark=no-mark’ (this connection hasn’t been marked before) or ‘connection-state=new’ (this is a new connection and couldn’t have a mark) so that not each packet is checked against the expensive rule as well – after all you might just as well just mark the packet directly in that case.

Overall, though, unless you’re hitting over 50% CPU utilization at all times and are worried about router performance it is probably best not to optimize your mangle/filter rulesets for performance. You should rather write them in a way that makes sense to you and is easy to understand and troubleshoot so that you can take care of issues quickly when they arise. Who cares if your router is running at 20% utilization but could be running at 10%? But people do care when it takes 2 hours to figure out what’s wrong rather than the 10 minutes it might if you immediately could see what was going on.
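As an added example of the pattern described in the tip above (my own configuration, not fewi's or the blog author's): the expensive classification runs once per connection, and a single cheap comparison on the connection mark marks every packet of it. The subnet, ports, TTL threshold, time window, mark names and queue limit are assumptions for illustration.

```routeros
# Added example, not fewi's or the blog author's configuration: classify a
# connection once with an expensive rule, then mark each packet with one
# cheap comparison. Subnet, ports, TTL threshold, time window, mark names
# and the queue limit are assumptions for illustration.

/ip firewall mangle
# 1. Expensive rule: many parameters (protocol, source subnet, destination
#    port, TTL, time of day). connection-state=new restricts it to the first
#    packet of each connection, so the comparisons run once per connection,
#    not once per packet. passthrough=yes lets that first packet continue to
#    rule 2 so it receives the packet mark as well.
add chain=forward connection-state=new protocol=tcp \
    src-address=192.168.88.0/24 dst-port=80,443 ttl=greater-than:64 \
    time=8h-18h,mon,tue,wed,thu,fri \
    action=mark-connection new-connection-mark=office-web passthrough=yes \
    comment="classify once per connection (expensive)"

# 2. Cheap rule: a single comparison against the connection mark. Every
#    packet of an already-classified connection matches here and stops
#    (passthrough=no), so it is neither re-evaluated by rule 1 nor re-marked
#    by any later mark-packet rule (the overmarking case).
add chain=forward connection-mark=office-web \
    action=mark-packet new-packet-mark=office-web-pkt passthrough=no \
    comment="inherit packet mark from connection (cheap)"

# 3. The alternative guard from the tip: connection-mark=no-mark instead of
#    connection-state=new. Same classification, but it also picks up
#    connections that were already open (so never "new") when the rule was
#    added. Kept disabled here; enable it instead of rule 1 if you prefer.
add chain=forward connection-mark=no-mark protocol=tcp \
    src-address=192.168.88.0/24 dst-port=80,443 ttl=greater-than:64 \
    time=8h-18h,mon,tue,wed,thu,fri \
    action=mark-connection new-connection-mark=office-web passthrough=yes \
    comment="same classification, catches pre-existing connections" \
    disabled=yes

# The packet mark is what the bandwidth management consumes.
/queue simple
add name=office-web target=192.168.88.0/24 packet-marks=office-web-pkt \
    max-limit=10M/10M comment="shape only the marked packets"
```

Rule order matters here. With the cheap mark-packet rule placed above the classification rule (fewi's first ordering), packets of already-marked connections never reach the expensive rule at all, but the very first packet of each connection passes the cheap rule unmarked and only gets its connection mark afterwards; placing the connection-state=new rule first, as above, marks that first packet too at the cost of one extra comparison per new connection.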