I recently came across this bit of advice…
NAT - we have to masquerade our LAN network to the default route (0.0.0.0/0) - that's how I prefer doing it:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.1.0/24
My rule is different
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" ipsec-policy=out,none out-interface-list=WAN
Two areas to discuss:
The destination address, which I don't use.
Why is the chap recommending a destination address of 0.0.0.0/0?
I thought any sense of routing should be done by an IP Route rule???
Source Address vs Interface
My reasoning was that what I wanted srcnated or masqueraded was all traffic leaving my WAN interface.
This covers off all LANs, VLANs etc…
Not sure why the chap suggested a source address???
It’s those options again, many possible scenarios, …
The dst-address=0.0.0.0/0 is useless; it matches any destination address, so you might as well omit it completely and you get the same result. But in some cases it might be useful to limit a dstnat rule only to selected destinations. Some examples:
The WAN interface doesn't have to be connected directly to the ISP in all cases. There might be some network(s) connected to the same port where you don't want to use srcnat when you're connecting to devices in them. So you can have masquerade with e.g. dst-address=!192.168.50.0/24, and it will exempt this destination from masquerade and keep the original source addresses used in your LAN.
If you happen to have a misconfigured device in some remote LAN with a missing gateway and you need to connect to it from a VPN client (which is impossible by default, because the device won't know where to send replies), you can add a masquerade rule to the remote router with dst-address=; it will make all connections to this device look like they are from the router's address, which is in the same subnet, and you'll be able to connect.
It doesn't have anything to do with routing. Well, maybe just a little, for returning packets.
You might want that for your setup, but it's not always the case. A simple example might be a setup with multiple LANs and multiple public addresses on WAN. If you wanted different LANs to use different public addresses, your srcnat rules would need the src-address option, and also action=src-nat instead of action=masquerade for at least some rules.
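As an added example, not from either post in this thread, here is how the two scenarios from the reply above look as RouterOS rules: per-LAN src-nat to different public addresses, plus a catch-all masquerade that exempts a neighbouring network on the WAN port. The interface list WAN comes from the question; the LAN subnets and the public addresses 203.0.113.10/.11 are assumed placeholders.

```routeros
# Added example, not from the thread. Assumes: interface list "WAN",
# LANs 192.168.1.0/24 and 192.168.2.0/24, public addresses 203.0.113.10
# and 203.0.113.11 on the WAN interface (placeholders), and a non-ISP
# network 192.168.50.0/24 reachable directly on the same WAN port.
/ip firewall nat
# Specific rules first: srcnat is evaluated top-down and the first match wins.
# action=src-nat lets each LAN pick its own public address; masquerade
# does not let you choose which interface address is used.
add chain=srcnat action=src-nat src-address=192.168.1.0/24 out-interface-list=WAN to-addresses=203.0.113.10 comment="LAN1 -> 203.0.113.10"
add chain=srcnat action=src-nat src-address=192.168.2.0/24 out-interface-list=WAN to-addresses=203.0.113.11 comment="LAN2 -> 203.0.113.11"
# Catch-all for any other LAN/VLAN leaving WAN. The negated dst-address
# keeps original source addresses when talking to 192.168.50.0/24, so
# hosts there see the real LAN address instead of the router's.
add chain=srcnat action=masquerade out-interface-list=WAN dst-address=!192.168.50.0/24 comment="masquerade, exempt 192.168.50.0/24"
# Verify order and matchers after adding the rules.
/ip firewall nat print
```

The exempt network must still be reachable by a route and the devices there need a return route to your LAN, since this rule only stops address rewriting and does not add routing.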