MaximKushnarenko

IPSec features in default configuration

Sun Jul 07, 2019 5:00 pm

Hello people,
I have bought the latest device RB4011iGS-5HacQ-2HnD-In, which is really great! This is the second RB device in my hands.
When I was configuring it for my personal SOHO I looked into DefConfig first and noticed some things. I have looked through the wiki page and could not find explanations for a couple of things.
1. The default firewall rules include two rules:
/ip firewall filter
add action=accept chain=forward comment="defconf:Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf:Accept out ipsec policy" ipsec-policy=out,ipsec
Question. What are they for? What do they do?

2. The "masquerade" action for NAT.
The wiki page for Masquerade (https://wiki.mikrotik.com/wiki/Manual:I ... squerade_2) says the NAT rule is the following:
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public
but the "DefConfig" rule from the manufacturer differs from that. The "DefConfig" rule is:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
Question. What does "ipsec-policy=out,none" parameter do?

Many thanks for Your answers.
 
mrz

Re: IPSec features in default configuration

Mon Jul 08, 2019 10:31 am

1.
What the ipsec-policy parameter does is described in the firewall manual:
https://wiki.mikrotik.com/wiki/Manual:I ... Properties


2.
Now that you know what ipsec-policy means, read here why packets matching ipsec policy must not be NATed
https://wiki.mikrotik.com/wiki/Manual:I ... ack_Bypass
 
MaximKushnarenko

Re: IPSec features in default configuration

Tue Jul 09, 2019 12:07 pm

Thanks.
As I understood it, the rules
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
turn forwarding on for the chains matching an IPsec policy that will be used for decapsulation or encapsulation.
The "ipsec-policy=out,none" parameter in the masquerade rule enables NAT for chains which match an IPsec policy.
If I need some VPN tunnel I have to add the two mentioned rules into the firewall, and the masquerade rule must contain the option "ipsec-policy=out,none".
Is it right?
 
mrz

Re: IPSec features in default configuration

Tue Jul 09, 2019 12:54 pm

ipsec-policy=out,none means that the rule will NAT only those connections that are not matched by any IPsec policy.
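As an added illustration (not from this thread or from RouterOS itself), a small Python model of the defconf srcnat rule with and without the ipsec-policy=out,none matcher. The LAN, remote subnet, WAN address and the policy table are constructed; the model assumes RouterOS's packet-flow order in which srcnat runs before the outbound IPsec policy lookup, so a packet that gets masqueraded no longer matches the LAN selector and would leave the router unencrypted.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the thread): LAN behind the router, a remote
# site reachable through an IPsec tunnel, and the router's public WAN address.
LAN = ip_network("192.168.88.0/24")
REMOTE = ip_network("10.10.0.0/24")
WAN_IP = ip_address("203.0.113.2")

# IPsec policy table: traffic matching (src selector, dst selector) is encrypted.
IPSEC_POLICIES = [(LAN, REMOTE)]


def matches_ipsec_policy(src, dst):
    """True if an outbound IPsec policy selector covers this src/dst pair."""
    return any(ip_address(src) in s and ip_address(dst) in d
               for s, d in IPSEC_POLICIES)


def masquerade(src, dst, ipsec_policy_matcher):
    """Model of the defconf srcnat rule.

    ipsec_policy_matcher is None (plain masquerade, as on the wiki page) or
    "out,none" (the rule only matches packets with NO outbound IPsec policy).
    Returns the source address after the rule has been evaluated.
    """
    if ipsec_policy_matcher == "out,none" and matches_ipsec_policy(src, dst):
        return src  # rule does not match: source address is left untouched
    return str(WAN_IP)  # rule matches: source rewritten to the WAN address


def route_packet(src, dst, ipsec_policy_matcher="out,none"):
    """Return (source after srcnat, encrypted?).

    srcnat is applied first; the IPsec policy lookup then runs on the
    post-NAT packet, which is why a NATed packet falls out of the tunnel.
    """
    new_src = masquerade(src, dst, ipsec_policy_matcher)
    return new_src, matches_ipsec_policy(new_src, dst)


if __name__ == "__main__":
    for matcher in ("out,none", None):
        print(matcher, route_packet("192.168.88.10", "10.10.0.5", matcher))
```

With the matcher, LAN-to-remote traffic keeps its LAN source and is encrypted; without it, the same packet is rewritten to 203.0.113.2, matches no policy, and is sent in the clear, which is the bypass the linked manual section describes.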
 
MaximKushnarenko

Re: IPSec features in default configuration

Tue Jul 09, 2019 8:42 pm

Many thanks!
