masquerade/src-nat rule behaviour

Can somebody confirm to me that the masquerade rule in firewall/NAT is catching ALL data flowing through NAT, even if a src-nat rule is in front (up) of it? (Basically disabling the earlier rules).

/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no src-address=192.168.50.156 to-addresses=172.25.53.152
add action=src-nat chain=srcnat comment="" disabled=no src-address=192.168.50.0/24 to-addresses=172.25.53.177

is not the same as:

/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no src-address=192.168.50.156 to-addresses=172.25.53.152
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.50.0/24

(.177 is router’s leaving interface address.)
In the latter all traffic gets the IP of the interface through which the traffic leaves the router, even if the first rule states different.

In the first example traffic from …50.156 gets a different IP (53.152) than the rest of the /24 network.

Order within a chain is not dependent on action, so those should be equivalent as long as there is only one IP on the interface traffic is leaving through.

It is like firewall rules, however, where only 1 will fire (the first one that matches). There is no passthrough option for the src/dst-nat actions.

It is not true.
I agree that traffic goes from top to bottom in firewall/NAT rules.
In my first example the IP 192.168.50.156 is src natted to 172.25.53.152 where all the rest of the traffic from the 192.168.50.0/24 LAN network leaves router with IP 172.25.53.177.
The second rule is exact, and comes after the first. Traffic with IP .50.156 is already 'processed' and is not processed again by this second rule.

In the second example all traffic from /24 network is leaving router with IP 172.25.53.177, the address of the exit interface of router. No matter that the first rule should have given different IP to that specific src IP.

In the second example the second 'masquerade' rule is processing ALL traffic, even the traffic already processed by the first rule. Basically the first rule becomes void; the second changes ALL IPs from that network.
Maybe the 'masquerade' rule has a wider impact than an exact src-nat rule? Maybe because it looks at the IP of the interface the traffic is leaving the router through, and gives that traffic the IP of the exit interface?
The strange thing is also that in the second example the first rule doesn't count traffic either. So it doesn't 'see' it…? While it is obviously a valid rule; it works in example 1.

Then you need to open a bug report with support@mikrotik.com, because that shouldn’t be happening. Please do post back what comes of that.

In /ip routes check the preferred source for your 172.25.53.x subnet. Masquerade uses the preferred source to NAT traffic out of. It determines what is the preferred source by what IP address first becomes active, so you can change it by disabling the other IP addresses. In order to resolve this problem for ourselves I have a script that runs at start-up and disables all IP addresses that I don’t want traffic masqueraded out of.
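The expected behaviour the replies describe (the srcnat chain stops at the first matching rule, and masquerade takes the address from the route's preferred source) as an added Python model; this is not RouterOS code or anything from the thread, and the routing table with its pref-src entries is a constructed assumption. It also shows that the two rule sets only diverge when the preferred source is not .177.

```python
import ipaddress

# Rule sets transcribed from the two examples in the thread.
EXAMPLE_1 = [
    {"src": "192.168.50.156/32", "action": "src-nat", "to": "172.25.53.152"},
    {"src": "192.168.50.0/24", "action": "src-nat", "to": "172.25.53.177"},
]
EXAMPLE_2 = [
    {"src": "192.168.50.156/32", "action": "src-nat", "to": "172.25.53.152"},
    {"src": "192.168.50.0/24", "action": "masquerade"},
]

# Constructed routing table: destination prefix -> preferred source
# (the pref-src that /ip route shows). Assumed values, not from the thread.
ROUTES = {"172.25.53.0/24": "172.25.53.177", "0.0.0.0/0": "172.25.53.177"}


def preferred_source(dst, routes):
    """Longest-prefix match on dst; return that route's preferred source."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [ipaddress.ip_network(p) for p in routes
                  if dst_ip in ipaddress.ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return routes[str(best)]


def srcnat(src, dst, rules, routes=ROUTES):
    """Walk the srcnat chain top to bottom. The first rule whose src-address
    matches performs the translation and terminates the chain; later rules
    never see the packet. Returns (new source address, index of rule used)."""
    src_ip = ipaddress.ip_address(src)
    for index, rule in enumerate(rules):
        if src_ip not in ipaddress.ip_network(rule["src"]):
            continue
        if rule["action"] == "src-nat":
            return rule["to"], index
        if rule["action"] == "masquerade":
            # masquerade resolves the address from the outgoing route
            return preferred_source(dst, routes), index
    return src, None  # no rule matched: packet leaves untranslated


def same_result(rules_a, rules_b, sources, dst, routes=ROUTES):
    """True when both chains translate every listed source identically."""
    return all(srcnat(s, dst, rules_a, routes)[0] == srcnat(s, dst, rules_b, routes)[0]
               for s in sources)
```

With a route whose pref-src is some other address on the interface, `same_result` turns False for the /24 hosts, which is the situation the last reply describes.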