Masquerade and SRC-NAT basics

Dear Folks, I need some clarification on how masquerade and snat work.

If I have a tik with 5 non bridged ether ports and different subnets on each port, and I create
a single firewall rule

SNAT action=masquerade,

that will masquerade all ports on the router with the IP that is on that port.

Is that right?

If instead I use src-nat

SNAT action=srcnat IP=209.150.235.121

will that src-nat ALL ports to that IP, or just
the port that has that IP on it?

Thanks Homer

SNAT action=masquerade,

that will masquerade all ports on the router with the IP that is on that port.

Is that right?

Yes… kind’a… The source IP will be translated to whatever IP is assigned to the interface the packet is forwarded to (i.e. “out-interface”), as seen in “/ip address”.

If instead I use src-nat

SNAT action=srcnat IP=209.150.235.121

will that src-nat ALL ports to that IP, or just
the port that has that IP on it?

It will src-nat all IPs passing through the router (regardless of the interface they are coming from or going to) to that IP… which can be problematic if the out-interface of the packet is not the same as the one the IP actually belongs to.

To avoid this problem, you could either use masquerade OR you could have two src-nat rules, where each rule also matches the out-interface, e.g.

/ip firewall nat
add chain=srcnat out-interface=wan1 action=src-nat to-addresses=209.150.235.121
add chain=srcnat out-interface=wan2 action=src-nat to-addresses=111.222.0.100

That latter approach is mostly useful when a single interface has several IPs on it. With masquerade, the resulting IP would be whatever is specified in “/ip route” as preferred source, or a random IP (belonging to that interface) if no preferred source is specified. With src-nat, you’re forcing the use of a particular IP in all cases that the NAT rule matches.
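An added example, not part of this thread or of RouterOS itself: a small Python model of the first-match behaviour the answer describes (masquerade picks the out-interface's address or its route pref-src; a src-nat rule without an out-interface match forces one fixed IP onto every packet, so traffic leaving the other WAN carries an address that belongs to a different interface). The interface names, the address table and the pref-src table are constructed sample data.

```python
# Added example (not from the forum post): models how a srcnat-chain rule
# list picks the translated source address, and checks the mismatch case.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                          # "masquerade" or "src-nat"
    out_interface: Optional[str] = None  # None = rule matches any out-interface
    to_addresses: Optional[str] = None   # only meaningful for action=src-nat

# Constructed sample: what "/ip address" and "/ip route" pref-src would hold.
IP_ADDRESS = {"wan1": "209.150.235.121", "wan2": "111.222.0.100", "lan": "192.168.88.1"}
PREF_SRC = {"wan1": None, "wan2": "111.222.0.100"}  # None = no pref-src set

def translate(src_ip: str, out_iface: str, rules: List[Rule]) -> str:
    """Return the source IP after the first matching rule (first match wins)."""
    for r in rules:
        if r.out_interface is not None and r.out_interface != out_iface:
            continue  # out-interface matcher does not match this packet
        if r.action == "masquerade":
            # masquerade: address of the out-interface, pref-src if one is set
            return PREF_SRC.get(out_iface) or IP_ADDRESS[out_iface]
        if r.action == "src-nat":
            return r.to_addresses  # forced address, whatever the out-interface
    return src_ip  # no rule matched: packet leaves untranslated

def leaves_with_foreign_address(src_ip: str, out_iface: str, rules: List[Rule]) -> bool:
    """True if the translated source does not belong to the out-interface."""
    return translate(src_ip, out_iface, rules) != IP_ADDRESS[out_iface]

if __name__ == "__main__":
    single = [Rule("src-nat", to_addresses="209.150.235.121")]
    two = [Rule("src-nat", "wan1", "209.150.235.121"),
           Rule("src-nat", "wan2", "111.222.0.100")]
    for name, rules in (("masquerade", [Rule("masquerade")]),
                        ("single src-nat", single), ("two src-nat rules", two)):
        for iface in ("wan1", "wan2"):
            print(name, iface, translate("192.168.88.10", iface, rules),
                  "MISMATCH" if leaves_with_foreign_address("192.168.88.10", iface, rules) else "ok")
```

Run it to see the single src-nat rule flagged as MISMATCH on wan2 while masquerade and the two-rule variant are fine on both interfaces.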

Yes, thanks

You get a karma point.