RackKing
Member Candidate
Topic Author
Posts: 212
Joined: Wed Oct 09, 2013 1:59 pm

NAT masq rule per src-address-list or one rule for everything?

Fri Dec 07, 2018 3:23 am

Hi - this is probably a silly question, but... I know the default NAT masq rule is:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Is this single rule the de facto standard? I have read/seen where this has been done per subnet for some reason. Is there an advantage to this other than perhaps logging? Perhaps in performing some action before the traffic is masqueraded and exits?
add action=masquerade chain=srcnat comment="Masq local network" \
    out-interface-list=wan src-address-list=localnetwork
add action=masquerade chain=srcnat comment="Masq guest network" \
    out-interface-list=wan src-address-list=guestnetwork

For my clarity - I know the order of the rules matter, but should the srcnat rules be at the top and thus higher priority than the dstnat rules - in general terms?

Thanks all.
 
anav
Forum Guru
Posts: 1134
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT masq rule per src-address-list or one rule for everything?

Fri Dec 07, 2018 6:14 am

I have multiple masquerade rules but they are for each WANIP in a failover setup so it's pretty clear cut. All LAN users are affected.
However if I want to have specific users have their private IPs translated by a specific WANIP, then using source address list in the equation OR source interface list, in the rules may be required.

(masquerade for dynamic WANIPs, srcnat for static WANIPs)
 
RackKing
Member Candidate
Topic Author
Posts: 212
Joined: Wed Oct 09, 2013 1:59 pm

Re: NAT masq rule per src-address-list or one rule for everything?

Fri Dec 07, 2018 7:42 am

I have multiple masquerade rules but they are for each WANIP in a failover setup so it's pretty clear cut. All LAN users are affected.
However if I want to have specific users have their private IPs translated by a specific WANIP, then using source address list in the equation OR source interface list, in the rules may be required.

(masquerade for dynamic WANIPs, srcnat for static WANIPs)
Thanks anav, makes sense. So with a single wan connection it is kinda pointless? Unless you were trying to log something?
 
mkx
Forum Guru
Posts: 1021
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT masq rule per src-address-list or one rule for everything?  [SOLVED]

Fri Dec 07, 2018 8:19 am

For my clarity - I know the order of the rules matter, but should the srcnat rules be at the top and thus higher priority than the dstnat rules - in general terms?
Order matters only within same chain. src-nat and dst-nat are different chains.

And yes, one src-nat rule is enough (and the most resource-effective) if there's nothing else on the agenda.
BR,
Metod
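Putting mkx's two points together with the per-list variant from the opening post, as an added example (not config from the thread or from MikroTik): the subnets are constructed, the list names come from the first post, and the interface list "WAN" is the one the defconf rule uses.

```routeros
# Added example, not from the thread. Sample subnets are constructed.
/ip firewall address-list
add list=localnetwork address=192.168.10.0/24 comment="constructed sample"
add list=guestnetwork address=192.168.20.0/24 comment="constructed sample"

/ip firewall nat
# "Some action before the traffic is masqueraded": log guest traffic.
# action=log behaves like passthrough, so the packet goes on to the next
# srcnat rule and is still translated below.
add chain=srcnat action=log log-prefix="guest-out" \
    src-address-list=guestnetwork out-interface-list=WAN \
    comment="Log guest traffic before masquerade"

# Per-list masquerade. Keep ipsec-policy=out,none from the defconf rule:
# without it, LAN traffic that an IPsec policy is about to encrypt gets
# its source rewritten first and the tunnel selectors no longer match.
add chain=srcnat action=masquerade ipsec-policy=out,none \
    src-address-list=localnetwork out-interface-list=WAN \
    comment="Masq local network"
add chain=srcnat action=masquerade ipsec-policy=out,none \
    src-address-list=guestnetwork out-interface-list=WAN \
    comment="Masq guest network"

# Ordering: matching is first-match within the srcnat chain only, so the
# log rule must sit above the masquerade rules; dstnat rules are a separate
# chain and their position relative to these does not matter. To insert a
# rule at a given spot later, use place-before on add, e.g.
#   add ... place-before=[find comment="Masq local network"]
#
# Caveat of the per-list form: a subnet that is in neither list is not
# matched by any srcnat rule and leaves WAN with its private source
# address, so new VLANs must be added to a list (or covered by one
# catch-all rule as in the defconf).
```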
 
RackKing
Member Candidate
Topic Author
Posts: 212
Joined: Wed Oct 09, 2013 1:59 pm

Re: NAT masq rule per src-address-list or one rule for everything?

Fri Dec 07, 2018 2:42 pm

@ mkx

"Order matters only within same chain. src-nat and dst-nat are different chains."

That makes perfect sense - thank you
