What is the difference between :
;;; masquerade network
chain=srcnat out-interface=internet src-address=192.168.1.0/24
action=masquerade
and
chain=srcnat out-interface=internet src-address=192.168.1.0/24
action=src-nat to-addresses=xx.xx.xx.xx to-ports=0-65535
??
Masquerade is a special form of SRC-NAT, you are not able to specify ‘to-addresses’ outgoing interface address is used automatically.
Action=src-nat you need to specify outgoing ‘src-address’ for the packets.
And another example - if you have two /or more/ private networks, and want to src-nat them to different src-address:
chain=srcnat out-interface=internet src-address=192.168.1.0/24
action=src-nat to-addresses=xx.xx.xx.xx to-ports=0-65535
chain=srcnat out-interface=internet src-address=192.168.2.0/24
action=src-nat to-addresses=yy.yy.yy.yy to-ports=0-65535
With masquerade yo can do this, but only if xx.xx.xx.xx and yy.yy.yy.yy addresses are assigned to different interfaces, like this:
chain=srcnat out-interface=internet src-address=192.168.1.0/24
action=masquerade
chain=srcnat out-interface=internet1 src-address=192.168.2.0/24
action=masquerade
in your example it means i have 2 private networks and 2 public addresses ..
if i have more than 1 public IP and 1 private network ,can i seperate my private addresses like 192.168.1.100-150 src-nat to 1 public , and from 151-200 to another public ?
yes, it is possible with SRC-NAT, one group will use one public address as SRC-address for outgoing connections, second group will use another public address.
Yes, for exampe: you have a network 192.168.0.0/25
And separate it to: 192.168.0.0/26 and 192.168.0.64/26
1st public address is: 1.2.3.4, 2nd: 5.6.7.8
chain=srcnat out-interface=internet src-address=192.168.0.0/26
action=src-nat to-addresses=1.2.3.4 to-ports=0-65535
chain=srcnat out-interface=internet* src-address=192.168.0.64/26
action=src-nat to-addresses=5.6.7.8 to-ports=0-65535
* - if your second IP Address is assigned to different interface, just use it`s name here.
Hello dear all,
what i need to do?
I have a routerboard 750g (5 ethernet ports)
My ISP gave me 2 IPs (48.48.48.0/30), a peering network (47.47.47.0/29) for speciphic reasons, and i want to use a private network (10.10.0.0/24)
Router IP(48.48.48.2), gateway(48.48.48.1)
ether1 assigned 48.48.48.2, create a static route for gateway, ether2 assigned ip address (10.10.0.1/24) + a dhcp server, ether3 + ether4 are slaves to ether2, ether5 assigned (47.47.47.1/29).
If the peering network is routed directly from ISP (means that i haven’t to do NAT for that address space, right?) then what i have to do to NAT only the private network?
note: I have tried to NAT with masquarade action ( chain=srcnat out-interface=ether1 action=masquerade ) but then both subnets where NATed. I have tried to NAT with src-address option, but then nothing worked… ( chain=srcnat out-interface=ether1 src-address=10.10.0.0/24 action=masquarade)
Thank you!!
Grave digger achievement unlocked, congratulations! That was ten years old post you replied to…
Anyway, what you describe should have worked. Unless you have more than one address assigned to ether1. You can also try to specify address manually:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=10.10.0.0/24 \
to-addresses=48.48.48.2
hello
in src-nat you should set to-address parameter in action but in masquerade you do not need set it and it is Automatically
What is the disadvantage to using masquerade over src-nat if you have a static?
Read here, Para H. → https://forum.mikrotik.com/viewtopic.php?t=191442