LaZyLion
newbie
Topic Author
Posts: 32
Joined: Fri May 09, 2014 10:27 am

A newbie Question about Masquerade

Mon Sep 21, 2015 12:19 am

Hi all

In all the configuration examples I've seen, and even in the default configuration, I see this:
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1

In a multi-wan setup, there is such an entry for each wan.

I've always wondered, why is it necessary to specify the "out-interface"?

We are in the source-nat chain. The packet is destined to exit the router.
We already know what interface it is heading towards.

Why can't we just have:
/ip firewall nat add action=masquerade chain=srcnat 
Would that affect traffic that is going out bridge-local or other non-wan networks?


Thanks all.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: A newbie Question about Masquerade

Mon Sep 21, 2015 12:25 am

The answer to the last question is yes. So if you e.g. forwarded a port to your internal webserver, all requests would look like they're coming from your router's internal address.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Mon Sep 21, 2015 7:36 pm

So it will have a negative impact on your local network traffic and your local devices will not know from where the connection comes even in the inner network. Therefore it is better to use masquerade on outer interfaces only.
 
gtj
Member Candidate
Posts: 121
Joined: Thu Apr 30, 2015 2:52 am
Location: Colorado US

Re: A newbie Question about Masquerade

Mon Sep 21, 2015 10:08 pm

The other reason for specifying the out interface is that the masquerade processing uses the ip address of the out interface as the replacement source ip address.

If you have a static wan ip address, you can save a minuscule amount of processing by using a src-nat rule and specifying the static ip address.
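
The effect described in the replies above, as an added example that is not part of the thread: a simplified Python model of the srcnat decision (not RouterOS code) showing which source address an internal web server would log under each rule. All addresses, the flow names and the helper names are constructed for illustration; ether1 is assumed to be the WAN and bridge-local the LAN.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed interface addresses (assumption): ether1 = WAN, bridge-local = LAN.
IFACE_ADDR = {"ether1": "203.0.113.10", "bridge-local": "192.168.88.1"}

@dataclass
class Rule:
    action: str                          # "masquerade" or "src-nat"
    out_interface: Optional[str] = None  # None matches every outgoing interface
    to_address: Optional[str] = None     # fixed address, used by src-nat only

def srcnat(rules, src, out_iface):
    """Return the source address the receiver sees after the srcnat chain."""
    for rule in rules:                   # first matching rule wins
        if rule.out_interface not in (None, out_iface):
            continue
        if rule.action == "masquerade":
            # masquerade takes the address of the interface the packet leaves by
            return IFACE_ADDR[out_iface]
        if rule.action == "src-nat":
            return rule.to_address
    return src                           # no rule matched: source is preserved

def seen_by(rules, flows):
    """Map each flow name to the source address its destination would log."""
    return {name: srcnat(rules, src, out) for name, (src, out) in flows.items()}

# Constructed flows: (original source address, interface the packet exits by).
FLOWS = {
    "lan_client_to_internet": ("192.168.88.50", "ether1"),
    # Internet client reaching a port-forwarded web server on the LAN.
    "internet_client_to_webserver": ("198.51.100.7", "bridge-local"),
}

BROAD = [Rule("masquerade")]                           # no out-interface
SCOPED = [Rule("masquerade", out_interface="ether1")]  # as in the default config
STATIC = [Rule("src-nat", out_interface="ether1", to_address="203.0.113.10")]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("scoped", SCOPED), ("static", STATIC)):
        print(label, seen_by(rules, FLOWS))
```

With the broad rule the web server's access log shows only the router's LAN address for every outside visitor, so per-client logging, rate limiting and address-based blocking on that server stop working.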
