A newbie Question about Masquerade

Hi all

In all the configuration examples I’ve seen, and even in the default configuration, I see this:

/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1

In a multi-wan setup, there is such an entry for each wan.

I’ve always wondered, why is it necessary to specify the “out-interface”?

We are in the source-nat chain. The packet is destined to exit the router.
We already know what interface it is heading towards.

Why can’t we just have:

/ip firewall nat add action=masquerade chain=srcnat

Would that affect traffic that is going out bridge-local or other non-wan networks?


Thanks all.

The answer to the last question is yes. So if you e.g. forwarded a port to your internal webserver, all requests would look like they’re coming from your router’s internal address.

So it will have a negative impact on your local network traffic, and your local devices will not know where the connection comes from, even on the inner network. Therefore it is better to use masquerade on outer interfaces only.

The other reason for specifying the out-interface is that masquerade processing uses the IP address of the out-interface as the replacement source IP address.

If you have a static WAN IP address, you can save a minuscule amount of processing by using a src-nat rule and specifying the static IP address.
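To make the answer concrete, here is an added RouterOS example that is not part of the thread. The lab layout (ether1 and ether3 as WANs, bridge-local as LAN, 192.168.88.10 as the forwarded web server, 203.0.113.10 as a static WAN address) is constructed for illustration. It shows the port forward, the over-broad masquerade rule beside the interface-scoped rules, the static src-nat variant, and how to check from connection tracking whether the forwarded traffic kept the real client address.

```routeros
# Constructed lab layout (assumption, not from the thread):
#   ether1       = WAN1, address via DHCP
#   ether3       = WAN2, static 203.0.113.10/24
#   bridge-local = LAN 192.168.88.0/24, router holds 192.168.88.1
#   192.168.88.10 = internal web server published on tcp/80 via dst-nat

# Port forward tcp/80 from both WANs to the internal web server
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 comment="fwd http via wan1"
add chain=dstnat in-interface=ether3 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 comment="fwd http via wan2"

# BAD (kept commented out, shown for contrast only): no out-interface.
# The rule also matches the forwarded packets as they leave bridge-local,
# so the web server sees every request from 192.168.88.1 and its logs and
# ACLs lose the real client address.
# add chain=srcnat action=masquerade comment="too broad, do not use"

# GOOD: one rule per WAN, matched on out-interface, so traffic leaving
# towards the LAN (including dst-nat'ed forwards) is never rewritten.
add chain=srcnat out-interface=ether1 action=masquerade comment="nat wan1"

# With a static WAN address, src-nat to that address avoids the
# interface-address lookup that masquerade performs per connection.
add chain=srcnat out-interface=ether3 action=src-nat \
    to-addresses=203.0.113.10 comment="nat wan2 (static)"

# Check: for a forwarded connection, reply-dst-address must be the
# public client. If it shows 192.168.88.1, a LAN-facing srcnat rule hit.
/ip firewall connection print detail where reply-src-address~"192.168.88.10"
# Packet/byte counters per rule confirm which srcnat rule is matching.
/ip firewall nat print stats
```

On RouterOS builds that support interface lists, `out-interface-list=WAN` with both WAN ports in the list gives the same scoping in a single rule; the point is the same, the rule must be bounded to the outer interfaces rather than applying to everything in srcnat.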