RouterOS src-nat and masquerade rules on same device

Hello all, I am a small ISP that is doing NAT to my customers due to the limited number of IPv4 addresses that I have. I’ve been using the standard default masquerade rule up to now, but I want to use port-address mapping so that if I have customers that perform illegal activities (pirated movies/software/etc.) and I receive a complaint email, I can use the originating port number to identify the offending party.

I made a rule that applies to my office subnet, but using the lookup tool at IPchicken.com, it still shows all sorts of random ports. Can a src-nat and masquerade rule not co-exist? I didn’t want to cause interruption to my customers while I experiment with this.

FWIW, the src-nat rule for my subnet comes before the masquerade rule in rule order.

Masquerade is nothing more than src-nat with automatic selection of the new address based on the outgoing interface.
They can co-exist; of course you need to have the proper selectors in each rule to select it.

Here are the rules I have with my public IP redacted:

0 chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.xxx to-ports=5000-6000
protocol=tcp src-address=10.0.3.0/24 out-interface=ether1 log=no

1 ;;; Outgoing NAT
chain=srcnat action=masquerade out-interface=ether1 log=no
log-prefix=""

Does that look right? I know it will only do TCP as written, but that’s what I’m trying to test now.

No, it is not OK, because your second rule has no selector, so it always matches.
A match with action src-nat or masquerade does NOT end rule processing like an accept or drop in the filter rule table does.
You can insert rules with action accept between the src-nat/masquerade rules to make sure only a single one is applied.

I think you might be thinking about mangle. Mini test:

/ip firewall nat
add action=src-nat chain=srcnat log=yes log-prefix=1 src-address=192.168.80.10 to-addresses=192.168.240.11
add action=masquerade chain=srcnat log=yes log-prefix=2
add action=log chain=srcnat log-prefix=3

Log for ping from 192.168.80.10:

16:27:31 firewall,info 1 srcnat: in:(none) out:public, src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.80.10->192.168.240.99, len 60

Log for ping from 192.168.80.2:

16:28:33 firewall,info 2 srcnat: in:(none) out:public, src-mac yy:yy:yy:yy:yy:yy, proto ICMP (type 8, code 0), 192.168.80.2->192.168.240.99, len 60

Only one srcnat rule is applied in both cases.
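As an added example that is not from any poster in this thread: the script below builds the kind of rule set the thread is discussing, one src-nat rule per customer subnet with its own fixed source-port block, followed by a masquerade catch-all as the last rule, and then resolves a port from an abuse report back to the customer. The public address, interface name and customer subnets are constructed for the example. Because RouterOS applies only the first matching srcnat rule (as the ping test above shows), the generator also checks that no two port blocks overlap and that no customer subnet is shadowed by an earlier, wider one.

```python
"""Port-block source NAT for RouterOS: generate the rules, then resolve
an abuse report (public IP + source port) back to the customer.
Added example, not from the thread; addresses and names are made up."""
import ipaddress

# Constructed example data: a public address from the documentation
# range and a few customer subnets. Rule order is the dict order.
PUBLIC_IP = "203.0.113.10"
WAN_IF = "ether1"
CUSTOMERS = {
    "office": "10.0.3.0/24",
    "cust-a": "10.0.4.0/24",
    "cust-b": "10.0.5.0/24",
}


def allocate_port_blocks(customers, first_port=5000, block_size=1000):
    """Give each customer a consecutive, non-overlapping port block.

    Returns {name: (network, low_port, high_port)} in the order given.
    """
    blocks = {}
    nxt = first_port
    for name, cidr in customers.items():
        net = ipaddress.ip_network(cidr)
        hi = nxt + block_size - 1
        if hi > 65535:
            raise ValueError(f"port space exhausted at customer {name!r}")
        blocks[name] = (net, nxt, hi)
        nxt = hi + 1
    return blocks


def validate(blocks):
    """Return a list of problems that would make the mapping ambiguous."""
    problems = []
    items = list(blocks.items())
    for i, (a, (net_a, lo_a, hi_a)) in enumerate(items):
        for b, (net_b, lo_b, hi_b) in items[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"port blocks of {a} and {b} overlap")
            if net_a.overlaps(net_b):
                # Only the first matching srcnat rule is applied, so the
                # later rule for b would never see any traffic.
                problems.append(f"subnets of {a} and {b} overlap; {b} is shadowed")
    return problems


def routeros_rules(blocks, public_ip=PUBLIC_IP, wan_if=WAN_IF):
    """Emit /ip firewall nat commands.

    One src-nat rule per customer and per protocol (only TCP and UDP
    carry port numbers), and the masquerade catch-all last: the specific
    rules must precede it because the first matching srcnat rule wins.
    """
    lines = ["/ip firewall nat"]
    for name, (net, lo, hi) in blocks.items():
        for proto in ("tcp", "udp"):
            lines.append(
                f"add chain=srcnat action=src-nat src-address={net} "
                f"protocol={proto} out-interface={wan_if} "
                f"to-addresses={public_ip} to-ports={lo}-{hi} "
                f'comment="{name} {proto}"'
            )
    lines.append(
        f"add chain=srcnat action=masquerade out-interface={wan_if} "
        'comment="catch-all: anything without a port block"'
    )
    return lines


def lookup_port(blocks, port):
    """Resolve a source port from an abuse report to (customer, subnet).

    Returns None if the port is outside every block, i.e. the flow was
    handled by the masquerade catch-all and cannot be attributed.
    """
    for name, (net, lo, hi) in blocks.items():
        if lo <= port <= hi:
            return name, str(net)
    return None


if __name__ == "__main__":
    blocks = allocate_port_blocks(CUSTOMERS)
    for p in validate(blocks):
        print("WARNING:", p)
    print("\n".join(routeros_rules(blocks)))
    print(lookup_port(blocks, 6500))
```

The lookup only identifies traffic at the granularity of the src-address selectors, so a per-/24 rule points to a subnet, not a host; per-host attribution needs per-host rules and correspondingly smaller port blocks. Anything that falls through to the masquerade rule (ICMP, or a subnet without a block) keeps getting the random ports the original poster saw and cannot be attributed. Note also that NAT mappings are chosen when a connection is first tracked, so connections that were already open before the new rules were added keep their old port mapping until they close; a test should use a fresh connection.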