RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

NAT masq rule per src-address-list or one rule for everything?

Fri Dec 07, 2018 3:23 am

Hi - this is probably a silly question, but... I know the default NAT masq rule is:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Is this single rule the de facto standard? I have read/seen this done per subnet for some reason. Is there an advantage to this other than perhaps logging? Perhaps in performing some action before the traffic is masqueraded and exits?
add action=masquerade chain=srcnat comment="Masq local network" \
    out-interface-list=wan src-address-list=localnetwork
add action=masquerade chain=srcnat comment="Masq guest network" \
    out-interface-list=wan src-address-list=guestnetwork

For my clarity - I know the order of the rules matters, but should the srcnat rules be at the top and thus higher priority than the dstnat rules - in general terms?

Thanks all.
 
anav
Forum Guru
Posts: 19251
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NAT masq rule per src-address-list or one rule for everything?

Fri Dec 07, 2018 6:14 am

I have multiple masquerade rules, but they are for each WANIP in a failover setup, so it's pretty clear-cut. All LAN users are affected.
However, if I want specific users to have their private IPs translated by a specific WANIP, then using a source address list OR source interface list in the rules may be required.

(masquerade for dynamic WANIPs, srcnat for static WANIPs)
 
RackKing
Member
Topic Author

Re: NAT masq rule per src-address-list or one rule for everything?

Fri Dec 07, 2018 7:42 am

I have multiple masquerade rules, but they are for each WANIP in a failover setup, so it's pretty clear-cut. All LAN users are affected.
However, if I want specific users to have their private IPs translated by a specific WANIP, then using a source address list OR source interface list in the rules may be required.

(masquerade for dynamic WANIPs, srcnat for static WANIPs)
Thanks anav, makes sense. So with a single WAN connection it is kinda pointless? Unless you were trying to log something?
 
mkx
Forum Guru
Posts: 11534
Joined: Thu Mar 03, 2016 10:23 pm

Re: NAT masq rule per src-address-list or one rule for everything?  [SOLVED]

Fri Dec 07, 2018 8:19 am

For my clarity - I know the order of the rules matters, but should the srcnat rules be at the top and thus higher priority than the dstnat rules - in general terms?
Order matters only within the same chain. src-nat and dst-nat are different chains.

And yes, one src-nat rule is enough (and the most resource-effective) if there's nothing else on the agenda.
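The two points made in this thread (anav's per-WAN translation with address lists, and mkx's note that ordering only matters within a chain) put together as one RouterOS configuration. This is an added example, not configuration posted by anyone in the thread. It assumes two uplinks, ether1 with a dynamic address and ether2 with the static address 203.0.113.10, an interface list WAN, two LAN subnets 192.168.88.0/24 and 192.168.99.0/24, and an internal web server at 192.168.88.10; all of those names and addresses are made up for the example.

```routeros
# Added example configuration; names and addresses are assumed, see the lead-in.
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN

/ip firewall address-list
add address=192.168.88.0/24 list=localnetwork
add address=192.168.99.0/24 list=guestnetwork

/ip firewall nat
# --- srcnat chain: first matching rule wins, so order matters here ---

# Local users leave via ether1, whose address is dynamic: masquerade picks up
# whatever address the interface currently has (anav: masquerade for dynamic WANIPs).
add action=masquerade chain=srcnat comment="local via ether1" \
    out-interface=ether1 src-address-list=localnetwork

# Guests leave via ether2, whose address is static: src-nat to a fixed address
# is cheaper than masquerade because no per-packet interface-address lookup is
# needed (anav: srcnat for static WANIPs).
add action=src-nat chain=srcnat comment="guest via ether2" \
    out-interface=ether2 src-address-list=guestnetwork to-addresses=203.0.113.10

# Caveat of per-list rules: a source that is in no list (a new VLAN, a test
# subnet) exits with its private address untouched. Log it so the omission
# is visible instead of silent. Rules in this chain that do not translate
# (log) let evaluation continue to the next rule.
add action=log chain=srcnat comment="un-NATed egress" log-prefix="noNAT: " \
    out-interface-list=WAN src-address=10.0.0.0/8
add action=log chain=srcnat comment="un-NATed egress" log-prefix="noNAT: " \
    out-interface-list=WAN src-address=172.16.0.0/12
add action=log chain=srcnat comment="un-NATed egress" log-prefix="noNAT: " \
    out-interface-list=WAN src-address=192.168.0.0/16

# --- dstnat chain: evaluated separately, so its position relative to the
# srcnat rules above is irrelevant (mkx's point). Port-forward HTTPS inbound.
add action=dst-nat chain=dstnat comment="https to web server" \
    dst-port=443 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.88.10 to-ports=443
```

With a single uplink, the default rule quoted at the top of the thread (masquerade on out-interface-list=WAN with ipsec-policy=out,none) does the same job in one rule; the ipsec-policy matcher is what keeps traffic that an IPsec policy is about to encrypt from being masqueraded first, and a per-list rewrite that drops it will break site-to-site tunnels. Compare the log rules above with the per-list rules: the per-list variant only buys something when different sources must leave through different WAN addresses, or when you want to see which list a given translation came from.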
 
RackKing
Member
Topic Author

Re: NAT masq rule per src-address-list or one rule for everything?

Fri Dec 07, 2018 2:42 pm

@mkx

"Order matters only within same chain. src-nat and dst-nat are different chains."

That makes perfect sense - thank you
