NAT masq rule per src-address-list or one rule for everything?

RackKing · December 7, 2018, 1:23am

Hi - this is probably a silly question, but… I know the default NAT masq rule is:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Is the this single rule the defector standard? I have read/seen where this has been done per subnet for some reason. Is there an advantage to this other than perhaps logging? Perhaps in performing some action before the traffic is masqueraded and exits?

add action=masquerade chain=srcnat comment="Masq local network" \
    out-interface-list=wan src-address-list=localnetwork
add action=masquerade chain=srcnat comment="Masq guest network" \
    out-interface-list=wan src-address-list=guestnetwork

For my clarity - I know the order of the rules matter, but should the srcnat rules be at the top and thus higher priority than the dstnat rules - in general terms?

Thanks all.

anav · December 7, 2018, 4:14am

I have multiple masquerade rules but they are for each WANIP in a failover setup so its pretty clear cut. All LAN users are affected.
However if I want to have specific users have their private IPs translated by a specific WANIP, then using source address list in the equation OR source interface list, in the rules may be required.

(masquerade for dynamic WANIPs, srcnat for static WANIPs)

RackKing · December 7, 2018, 5:42am

Thanks anav, makes sense. So with a single wan connection it is kinda pointless? Unless you were trying to log something?

mkx · December 7, 2018, 6:19am

Order matters only within same chain. src-nat and dst-nat are different chains.

And yes, one src-nat rule is enough (and the most resource effective) if there’s nothing else on agenda.

RackKing · December 7, 2018, 12:42pm

@ mkx

“Order matters only within same chain. src-nat and dst-nat are different chains.”

That makes perfect sense - thank you