PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

what is the shortest masquerade rule possible?

Fri Jul 30, 2021 5:23 pm

Hi there,
this is a split-off of NAT: Masquerade can leak private IP, why&how?

The src-IP of a masqueraded packet is always the IP of the interface. Of course, that makes sense: you have to define the IP of an interface, otherwise you don't have a route and the routing table is incomplete.
Where else should it take it from, if not from this definition:
/ip address  
	add address=xxx.xxx.xxx.xxx/yy interface=....
Assuming that is correct, the shortest rule for source NAT is:
/ip firewall nat
	add chain=srcnat
That would cause the src-IP of a packet flowing out through an interface (it could even be a WAN interface) to be replaced by the interface's IP.
If the interface has more than one IP, it is probably the first IP, isn't it?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: what is the shortest masquerade rule possible?

Fri Jul 30, 2021 5:29 pm

This rule, pasted on the terminal,
/ip firewall nat add chain=srcnat
adds a useless NAT rule.

It has no effect on the packets, because what you want to do with these packets is omitted/missing (the action parameter);
then
it passes the packets to the next rule on the srcnat chain.

On the CLI this detail is visible because "/ip fire nat export" exports how the rule is written,
but on WinBox this detail is not viewable because the field "action" can't be omitted, and each time WinBox puts "accept" because it is the first value in the dropdown list.

see this:
viewtopic.php?f=2&t=177229&p=870212
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: what is the shortest masquerade rule possible?

Fri Jul 30, 2021 10:22 pm

So the shortest (reasonable) rule is:
/ip firewall nat
	add chain=srcnat out-interface=wan
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: what is the shortest masquerade rule possible?

Fri Jul 30, 2021 10:51 pm

Seems incomplete (no action), unless, without direction, the router provides a default action??
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: what is the shortest masquerade rule possible?

Sat Jul 31, 2021 10:57 am

Ah, I now see where rextended's question on "useless NAT rules" came from!

The default NAT action is "accept", so that "shortest rule" will NOT do masquerading. Rather the opposite: it will exempt all traffic from NAT.
 
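To make the difference between the two "shortest" rules concrete, here is an added example (not code from the thread or from MikroTik) that models how a RouterOS srcnat chain is walked top-down. It assumes the RouterOS semantics stated above: an omitted action defaults to "accept", accept ends NAT processing for the packet, and masquerade rewrites the source to the address of the out-interface; the interface addresses and the packet are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses for the example router (assumption: one
# address per interface, so "the interface's IP" is unambiguous).
INTERFACE_ADDRESS = {"wan": "203.0.113.7", "lan": "192.168.88.1"}


@dataclass
class NatRule:
    chain: str
    action: str = "accept"            # RouterOS default when action is omitted
    out_interface: Optional[str] = None  # None = match any out-interface

    def matches(self, out_iface: str) -> bool:
        return self.out_interface in (None, out_iface)


@dataclass
class Packet:
    src: str
    out_iface: str


def run_srcnat(rules: List[NatRule], pkt: Packet) -> str:
    """Walk the srcnat chain in order and return the resulting source address.

    accept     -> packet leaves NAT untouched, no further rules are consulted
    masquerade -> source rewritten to the out-interface address
    """
    for rule in rules:
        if rule.chain != "srcnat" or not rule.matches(pkt.out_iface):
            continue
        if rule.action == "accept":
            return pkt.src
        if rule.action == "masquerade":
            return INTERFACE_ADDRESS[pkt.out_iface]
        raise ValueError(f"action {rule.action!r} is not modelled here")
    return pkt.src  # chain exhausted without a match: no NAT applied


# "add chain=srcnat" with the action left out, followed by a real masquerade
# rule: the first rule accepts everything, so the second one is never reached.
USELESS = [NatRule(chain="srcnat"),
           NatRule(chain="srcnat", action="masquerade", out_interface="wan")]
# The actual shortest masquerade rule: "add action=masquerade chain=srcnat".
SHORTEST = [NatRule(chain="srcnat", action="masquerade")]


def example() -> Tuple[str, str]:
    pkt = Packet(src="192.168.88.10", out_iface="wan")
    return run_srcnat(USELESS, pkt), run_srcnat(SHORTEST, pkt)
```

Running `example()` returns the private source unchanged for the action-less rule set and the WAN address for the masquerade rule, which is exactly the "exempt from NAT" behaviour described above.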
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: what is the shortest masquerade rule possible?

Sat Jul 31, 2021 11:00 am

"Action", my bad, no idea why I missed that; apparently I was blind in that eye :(.
/ip firewall nat
	add action=masquerade chain=srcnat
That is the shortest rule; the statement in the OP applies.
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: what is the shortest masquerade rule possible?

Sat Jul 31, 2021 11:06 am

andriys wrote: The default NAT action is "accept", so that "shortest rule" will NOT do masquerading. Rather the opposite: it will exempt all traffic from NAT.
Thx for this reply; we replied simultaneously, so I missed your answer.
Good hint, things like this are what I'm seeking: what happens if rules are reduced to a minimum, what gets forgotten, what defaults kick in, etc.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: what is the shortest masquerade rule possible?

Sat Jul 31, 2021 7:20 pm

andriys wrote: Ah, I now see where rextended's question on "useless NAT rules" came from!
Many thanks for noticing it! :lol:
