When a MikroTik router has multiple WAN-facing IPs on the same interface, what dictates the source IP when traffic leaves the router?
Traffic generated by the router itself?
The Pref Source defined/listed under default route.
Natted traffic using masquerade?
The same as the pref source.
Natted traffic using src-nat?
The IP defined in the src-nat rule.
What about DST-NAT? If traffic enters on one of the public IPs that is DST-NATed to an internal IP, what is the Src.IP on the return packet as seen by the external client?
Well, source NAT tells the router to provide the public IP of the specified interface instead of the private IP when packets leave the router out the specified interface.
Destination NAT tells the router that traffic forwarded to the router for a particular service should be sent to a particular LAN IP and port.
The routes tell the router where traffic should generally go when forwarded from the LAN to the internet.
So, for example, if I have 3 fixed public IPs on WAN1, I would create three srcnat rules with the srcnat action and to-addresses=specific public IP.
Thus any traffic going out any public IP will be given the public IP address of that interface and not the private LAN IP.
One still has to ensure traffic is routed out those IPs, and that's a different matter, but yes, one can use mangle rules and, if necessary, pref-source in the route rule as well.
I don't think you completely understood what I wanted to ask. I will try to explain better:
I would like to understand whether DST-NAT maintains a NAT connection and the return packet of an already established connection will obey the NAT table entry, or whether it will use the public IP set in the SRC-NAT rule.
E.g.:
WAN1 has the public IPs 220.220.220.2 and 220.220.220.3. If I publish a simple HTTP service on an internal host at 10.10.10.10:80 over DST-NAT, what would be the SRC.IP on the return packet? Would it be 220.220.220.2 (as this is the IP in the src-nat rule), or would it show 220.220.220.3 because that was the IP the request came in on (and was set in the NAT table)?
It will be 220.220.220.3, because conntrack watches all connections and makes sure that everything is set correctly, i.e. if dstnat changed the destination address to an internal address, reply packets for this connection will get their source changed from the internal address back to the original address. Srcnat rules or preferred source have no say in this.
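To make the conntrack behaviour above concrete, here is an added Python model (not RouterOS code and not from anyone in this thread) of how netfilter-style NAT binds a connection on its first packet and rewrites replies from that binding, so the src-nat rule never touches the dst-nated server's replies. The external client 198.51.100.7, the LAN host 10.10.10.20 and the outbound destination 203.0.113.5 are constructed values, and a LAN-prefix check stands in for the out-interface match of the src-nat rule; conntrack keys UDP by the same 5-tuple as TCP, so the model runs both.

```python
# Added model (not RouterOS code): NAT rules are consulted only for a connection's
# first packet; later packets, replies included, are rewritten from conntrack.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp" or "udp": conntrack keys both by 5-tuple
    src: str; sport: int
    dst: str; dport: int
    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class Router:
    def __init__(self, dstnat, srcnat_to, lan_prefix):
        self.dstnat = dstnat        # {(public_ip, proto, port): (lan_ip, port)}
        self.srcnat_to = srcnat_to  # to-addresses of the single src-nat rule
        self.lan_prefix = lan_prefix
        self.by_orig = {}           # original tuple -> expected reply tuple
        self.by_reply = {}          # expected reply tuple -> original tuple

    def forward(self, pkt):
        """Return the packet's 5-tuple as it leaves the router."""
        if pkt in self.by_orig:                  # known flow, original direction
            return self.by_orig[pkt].reverse()
        if pkt in self.by_reply:                 # known flow, reply direction:
            return self.by_reply[pkt].reverse()  # undo the NAT recorded at setup
        key = (pkt.dst, pkt.proto, pkt.dport)    # first packet: consult NAT rules
        if key in self.dstnat:                   # dst-nat of a published service
            lan_ip, lan_port = self.dstnat[key]
            out = Flow(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        elif pkt.src.startswith(self.lan_prefix):  # src-nat of a LAN-initiated flow
            out = Flow(pkt.proto, self.srcnat_to, pkt.sport, pkt.dst, pkt.dport)
        else:
            out = pkt
        self.by_orig[pkt] = out.reverse()
        self.by_reply[out.reverse()] = pkt
        return out

def reply_source_seen_by_client(proto):
    """Constructed client 198.51.100.7 hits the service published on .3."""
    r = Router({("220.220.220.3", proto, 80): ("10.10.10.10", 80)},
               srcnat_to="220.220.220.2", lan_prefix="10.10.10.")
    req = Flow(proto, "198.51.100.7", 40000, "220.220.220.3", 80)
    server_reply = r.forward(req).reverse()      # 10.10.10.10:80 -> client
    return r.forward(server_reply).src           # conntrack restores .3, not .2

def outbound_source(proto):
    """A LAN host opening its own connection gets the src-nat address .2."""
    r = Router({}, srcnat_to="220.220.220.2", lan_prefix="10.10.10.")
    return r.forward(Flow(proto, "10.10.10.20", 50000, "203.0.113.5", 443)).src
```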
Is this also true for UDP “connections”?
For example, if I have some kind of UDP server behind NAT, would conntrack resolve the UDP “connection” and would the return IP be 220.220.220.3?