ospf

I have a network of 6 routers, RB750 & RB2011 connected together using OSPF.

It seems to work well.

The two routers connecting me to the internet seem to need a NAT rule with a chain of SRCNAT and an action of MASQUERADE to work, the others don’t.

Is this correct? Or should I have the NAT rule on every router?

regards,

David.

It sounds correct to me, since your public IP address is assumably assigned to the ISP-connected routers.
I assume you are using private IP ranges in your internal network. These IPs are not routed over the internet and outgoing traffic needs to be source-NAT’ed in order to go over the internet.
PS. Masquerade is a special type of source-NAT’ing.

You need to NAT only on your router that is connected to the ISP.

You only have to NAT on the border router (router connected to ISP). Because you are using OSPF and it is fully implemented, you should not need NAT on all the devices behind, because BR knows how to reach the other devices. I really don’t like masquerade because you really don’t know what is happening there. Try with chain=srcnat action=src-nat src-address=x.x.x.x/x to-addresses=ip which will replace the other IPs. You can also add out-interface in order to be more specific.
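
The two border-router variants discussed in the replies above, written out as an added example that is not part of the original thread. The WAN interface name ether1-wan, the internal range 10.0.0.0/8 and the public address 203.0.113.2 are assumed placeholders, not values from the posts.

```routeros
# Border router only (the one connected to the ISP).
# The internal OSPF routers carry no srcnat rules at all.
/ip firewall nat

# Variant A: masquerade, limited to traffic leaving through the WAN port.
# Without out-interface the rule would also rewrite traffic routed
# between internal subnets, hiding the real source from the other routers.
add chain=srcnat action=masquerade src-address=10.0.0.0/8 \
    out-interface=ether1-wan comment="assumed example: masquerade on WAN"

# Variant B: explicit source NAT to a fixed public address
# (use instead of variant A, not together with it).
add chain=srcnat action=src-nat src-address=10.0.0.0/8 \
    out-interface=ether1-wan to-addresses=203.0.113.2 \
    comment="assumed example: src-nat to static public IP"

# Check that the rule is matching: packet and byte counters should rise
# only for traffic that actually leaves towards the ISP.
print stats
```

Variant B needs a static public address; where the ISP hands out the address dynamically, masquerade follows the change automatically.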