masquerade or src-nat to-addresses

maddogslo · February 5, 2021, 9:14am

Hi,

I have question about masquerade or src-nat usage.
I have static IP address and my lan 192.168.5.0/24

can I use src-nat instead masquerade ?
Is masquerade needed if I use src-nat ?

add action=src-nat chain=srcnat comment=“default: lan → wan” src-address=192.168.5.0/24 to-addresses=public.ip
or
add action=masquerade chain=srcnat out-interface-list=WAN

thanks ?

16again · February 7, 2021, 10:20pm

masquerade is a special case of source-nat, which is handy if WAN IP address can change and isn’t known at forehand.

There are those who suggest to use src-nat whenever you can:
https://mum.mikrotik.com/presentations/EU17/presentation_4058_1490948376.pdf

maddogslo · February 9, 2021, 8:18am

Ok, If I understand, it is better to use src-nat instead masquerade if we can get static wan ip ?

rgonzalez · January 19, 2022, 5:14am

Sorry, this might be a dumb question but if i use src-nat to-address can i assign a /31 to it?

sindy · January 20, 2022, 8:44pm

The to-addresses can be any prefix (/32 which means a single address, /31 which means two addresses, /24 which means 256 addresses) or a range like 11.22.33.27-11.22.33.45. In either case, it specifies a pool from which a single new source address will be chosen for each connection. Does that answer your question?

nichky · January 20, 2022, 9:41pm

usually we are using masquerade in case of you have dynamic ip-add.
In case if you have static ip-add fill free to go with src-nat

anav · January 20, 2022, 10:37pm

Correct,
both options will work for fixed WANIP.
According to the WIKI the fixed WANIP has a more technically correct solution

However the format you chose is not the most obvious.

(1) Default rule on routers which is geared to cover both cases…
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN

(2) Assuming one has a fixed WAN IP of 24.34.234.5, and a standard IP DHCP Client scenario on ether1
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=24.34.234.5 (or whatever name has been given to ether1)

Note: There is no need for any source nat address in the basic configuration schema for both types!
Note: If the WAN connection is more complex, then use the active name ex. if via PPPOE, then use the PPPOE name, vice ether1
Note: if the WAN connection is more complex, then use the active name ex. with a vlan or pppoe with a vlan, then use the vlan name, vice ether1