Code:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
Is this single rule the de facto standard? I have read/seen where this has been done per subnet for some reason. Is there an advantage to this other than perhaps logging? Perhaps in performing some action before the traffic is masqueraded and exits?
Code:
add action=masquerade chain=srcnat comment="Masq local network" \
out-interface-list=wan src-address-list=localnetwork
add action=masquerade chain=srcnat comment="Masq guest network" \
out-interface-list=wan src-address-list=guestnetwork
For my clarity - I know the order of the rules matters, but should the srcnat rules be at the top and thus have higher priority than the dstnat rules, in general terms?
Thanks all.
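The following is an added RouterOS configuration example, not from the post above or from MikroTik's default configuration. It shows the one concrete thing the per-subnet layout buys you: because srcnat rules are matched top-down and the first match wins, you can place an accept rule (or a logged, differently-treated rule for one subnet) ahead of the masquerade rules, so some traffic leaves un-NATed or gets handled per network. It also shows why srcnat and dstnat rules need no relative ordering: they live in separate chains that run at different points (dstnat in prerouting, before the routing decision; srcnat in postrouting, after it), so only the order within each chain matters. The address-list names localnetwork and guestnetwork come from the post; the vpn-remote list, the subnets, the interface list name WAN, the server address 192.168.88.10 and the port-forward are assumptions made up for the example.

```routeros
# Added example; address ranges and the vpn-remote list are assumptions, not from the thread.
/ip firewall address-list
add list=localnetwork address=192.168.88.0/24 comment="example: LAN subnet"
add list=guestnetwork address=192.168.99.0/24 comment="example: guest subnet"
add list=vpn-remote address=10.10.0.0/24 comment="example: remote site reached over a tunnel"

/ip firewall nat
# --- srcnat chain (postrouting, after routing): top-down, first match wins ---
# 1. Traffic to the remote site must keep its real source address, so accept it
#    before any masquerade rule can touch it. (For IPsec, the default rule's
#    ipsec-policy=out,none already does this; for WireGuard/GRE/etc. it does not.)
add chain=srcnat action=accept dst-address-list=vpn-remote \
    comment="Do not masquerade traffic to the remote site"
# 2. Per-subnet masquerade: same action as the single default rule, but each
#    subnet can now be logged, rate-limited or exempted on its own.
add chain=srcnat action=masquerade out-interface-list=WAN src-address-list=localnetwork \
    comment="Masq local network"
add chain=srcnat action=masquerade out-interface-list=WAN src-address-list=guestnetwork \
    log=yes log-prefix="guest-nat" comment="Masq guest network (logged)"

# --- dstnat chain (prerouting, before routing): a separate chain ---
# Its position in this list relative to the srcnat rules above is irrelevant;
# only its order relative to other dstnat rules matters.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.88.10 to-ports=443 comment="example: forward HTTPS to internal host"
```

Two practitioner notes. First, if the WAN address is static, `action=src-nat to-addresses=<wan-ip>` is the usual replacement for `masquerade`, which is meant for dynamic addresses and re-evaluates the source on interface changes. Second, a host not in any of the address lists (a new VLAN, a forgotten subnet) simply falls off the end of the srcnat chain and leaves with its private source address, whereas the single default rule would have masqueraded it; that is the trade-off of the per-subnet layout, so keep the address lists in step with the interfaces.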