Hello,
I have a question about masquerade.
On Cisco routers there is dynamic NAT / interface overload; it works so that when a device has to be NATed to go out to the WAN, the router replaces the port with a brand new port.
I checked that the MikroTik router creates the outbound connection using the same port as the LAN device, so if two different LAN devices create a TCP connection using the same local port, how does the MikroTik handle it? Does it replace the local port of the second device?
An example:
192.168.1.3 creates connection to google.it using local port 5000
192.168.1.4 creates connection to google.it and randomly it gets local port 5000
Now the MikroTik has to create the outbound connections, but both have 5000 as the local port.
How does this work?
I would expect the remote addresses of these two connections to differ, as google.it resolves to multiple addresses and each client chooses a different one, and therefore both connections are able to use the same port on the local side.
Normally it works as you describe - if the local port on the WAN IP is not yet used for a given remote socket address, the one used by the client is used, otherwise another one from a pool is chosen. If the choice of ports is restricted and there would be a conflict with an existing connection, the new connection is not created at all.
“another one from a pool is chosen” is done by MikroTik? So if two clients are using the same local port, MikroTik chooses a random port for the last connection, masquerading the port as well and not only the address?
Yes, if another client from the LAN side connects to the same remote socket address (IP:port) using the same source port, Mikrotik cannot preserve the source port for the new connection and uses another one. That’s a standard Linux netfilter behaviour.
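The port-selection rule described in the two answers above, as an added example that is not code from MikroTik, RouterOS or this thread. It models the netfilter decision in Python: keep the client's source port if the (port, remote IP:port) pair is still free on the WAN address, otherwise take a free port from the pool, and refuse the connection when the pool is exhausted for that remote socket. The class and function names, the WAN address 203.0.113.10 and the 198.51.100.x stand-ins for google.it's resolved addresses are constructed for the example; the linear scan of the pool is a simplification (netfilter picks the replacement port with a hashed/random offset, but applies the same uniqueness rule).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound connection as seen on the LAN side (constructed sample data)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# The tuple that must stay unique on the WAN side: (proto, wan_port, dst_ip, dst_port).
WanKey = Tuple[str, int, str, int]


class MasqueradeTable:
    """Toy model of the source-port decision made by masquerade/SNAT.

    Assumptions (not MikroTik's code): a single WAN address, one port pool for
    the protocol, and a linear scan of the pool when the client's port is taken.
    """

    def __init__(self, wan_ip: str, port_pool: Iterable[int] = range(1024, 65536)):
        self.wan_ip = wan_ip
        self.port_pool = list(port_pool)
        # Translated connections keyed by the WAN-side tuple (like a conntrack table).
        self.table: Dict[WanKey, Flow] = {}

    def _in_use(self, proto: str, wan_port: int, dst_ip: str, dst_port: int) -> bool:
        return (proto, wan_port, dst_ip, dst_port) in self.table

    def translate(self, flow: Flow) -> Optional[int]:
        """Return the WAN source port chosen for `flow`, or None if the connection is refused.

        1. Keep the client's own source port if that (port, remote socket) pair is free.
        2. Otherwise take the first free port from the pool for that remote socket.
        3. If no pool port is free for that remote socket, the connection is not created.
        """
        if not self._in_use(flow.proto, flow.src_port, flow.dst_ip, flow.dst_port):
            wan_port = flow.src_port
        else:
            wan_port = next(
                (p for p in self.port_pool
                 if not self._in_use(flow.proto, p, flow.dst_ip, flow.dst_port)),
                None,
            )
            if wan_port is None:
                return None
        self.table[(flow.proto, wan_port, flow.dst_ip, flow.dst_port)] = flow
        return wan_port


def run_thread_example() -> Dict[str, Optional[int]]:
    """Walk through the cases discussed in the thread; returns the chosen WAN ports."""
    results: Dict[str, Optional[int]] = {}
    wan = "203.0.113.10"  # constructed WAN address (TEST-NET-3)

    # Case A: two LAN hosts, same source port, same remote socket -> second port is rewritten.
    nat = MasqueradeTable(wan)
    results["A_first"] = nat.translate(Flow("tcp", "192.168.1.3", 5000, "198.51.100.1", 443))
    results["A_second"] = nat.translate(Flow("tcp", "192.168.1.4", 5000, "198.51.100.1", 443))

    # Case B: same source port, but google.it resolved to a different address -> both keep 5000.
    nat = MasqueradeTable(wan)
    results["B_first"] = nat.translate(Flow("tcp", "192.168.1.3", 5000, "198.51.100.1", 443))
    results["B_second"] = nat.translate(Flow("tcp", "192.168.1.4", 5000, "198.51.100.2", 443))

    # Case C: restricted pool that fills up for one remote socket -> third connection refused.
    nat = MasqueradeTable(wan, port_pool=[5000, 5001])
    results["C_first"] = nat.translate(Flow("tcp", "192.168.1.3", 5000, "198.51.100.1", 443))
    results["C_second"] = nat.translate(Flow("tcp", "192.168.1.4", 5000, "198.51.100.1", 443))
    results["C_third"] = nat.translate(Flow("tcp", "192.168.1.5", 5000, "198.51.100.1", 443))
    return results


if __name__ == "__main__":
    for case, port in run_thread_example().items():
        print(f"{case:9s} -> {'refused' if port is None else port}")
```

The practical consequence for anyone correlating firewall or upstream logs: the source port seen by the remote side is only guaranteed to match the client's port when no other LAN host already holds that port towards the same remote socket, so log matching should key on the full translated tuple rather than on the port alone. On RouterOS the real table, with both the original and the reply-side tuples, can be inspected with `/ip firewall connection print`.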