WAN Failover using src-nat - How to dynamic IP?

davidon · January 27, 2023, 11:16pm

There is a short tutorial which explains how to setup a failover:
https://wiki.mikrotik.com/wiki/Manual:Failover_with_firewall_marking

The tutorial has a step which defines the NAT configs, as follows:

/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-address=10.1.101.18/24
add action=src-nat chain=srcnat out-interface=ether2 to-address=10.1.200.18/24

These NAT configs use hardcoded IP addresses in the “to-address” field.

But often WAN addresses are dynamic (they may be changed arbitrarily).

So how do I modify the command in the tutorial to be compatible with dynamic IP addresses?

bpwl · January 27, 2023, 11:32pm

Use action “masquerade” instead of “src-nat”. Masquerade will use the dynamic/changing IP address of the interface as SRC for NAT.
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade

davidon · January 28, 2023, 12:33am

The tutorial is intentionally using “src-nat” instead of “Masquerade” to avoid its disadvantages:

Instead of masquerade, we will use src-nat for our local networks, because we do not want to purge connections which is one of masquarades main features when a primary link fails. We will restrict them with a firewall rules (later in this example)

If I change the value of the “action” field as you wrote, then:

I assume that all of Masquerade disadvantages would be applied to my setup.
Would I still need to follow the tutorial with the rest of the commands?

I’d rather to avoid Masquerade, if there is some other technique possible in this case.

bpwl · January 28, 2023, 12:08pm

Please see: http://forum.mikrotik.com/t/dual-wan-fail-over-fail-back-not-working/126748/8