hilton
Long time Member
Topic Author
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Relevance of the out interface when masquerading

Fri Jul 11, 2008 10:52 am

I'm just trying to get my head around the importance, or even relevance, of specifying the in and out interfaces when creating a masquerade NAT rule. Obviously the OUT is for src-nat and IN is for dst-nat, but what happens if you just don't specify one when masquerading? It still works, but I suspect that if you have more than one WAN this could get confusing?

Comments please.
Regards
Hilton
 
cmit
Forum Guru
Posts: 1552
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Re: Relevance of the out interface when masquerading

Fri Jul 11, 2008 11:10 am

Possible uses of the in-/out-interface parameter could be when you do NOT want to use src-/dst-ip-addresses.

Imagine having a RouterOS machine with a pppoe-client that's getting a dynamic IP address. Now you want to configure a dst-nat rule to redirect incoming email to your mail server (for example). You cannot work with dst-address here (as it's changing all the time), but you simply say "dst-nat every connection to TCP port 25 coming in on the pppoe-client interface to my internal mail server".

Similarly for outgoing interfaces: masquerading using just the out-interface (like pppoe-out1) as parameter will allow you to change your LAN's IP addresses without having to adjust the src-nat rule.

Just some thoughts.
And of course you're right: you do not HAVE TO use those parameters - creating rules using just src-/dst-addresses is of course valid, too!
Best regards,
Christian Meis
 
AigarsABCD
just joined
Posts: 16
Joined: Sun May 04, 2008 5:47 pm
Location: Latvia

Re: Relevance of the out interface when masquerading

Fri Jul 11, 2008 12:15 pm

If you specify out-interface for your src-nat rule and also have dst-nat rules to your internal network, they might not work correctly when used from the internal network, because then your request does not go through the out-interface and is not src-natted as it should be. That's why in my case I prefer
chain=srcnat action=masquerade src-address=192.168.0.0/24
instead of
chain=srcnat action=masquerade out-interface=ether1
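To make the difference between the two masquerade forms concrete, here is an added RouterOS NAT configuration (mine, not any poster's) that puts cmit's dynamic-WAN dst-nat rule next to both srcnat variants from the post above. Assumed values: LAN 192.168.0.0/24 on ether2 with the router at 192.168.0.1, a mail server at 192.168.0.10, and one WAN interface pppoe-out1 with a dynamic address.

```routeros
# Added example, not from this thread. Assumed: LAN 192.168.0.0/24 on ether2
# (router 192.168.0.1), mail server 192.168.0.10, dynamic WAN on pppoe-out1.
/ip firewall nat

# Publish the mail server. in-interface is used instead of dst-address because
# the WAN address changes. This rule only sees packets arriving from the WAN.
add chain=dstnat action=dst-nat in-interface=pppoe-out1 protocol=tcp dst-port=25 \
    to-addresses=192.168.0.10 to-ports=25 comment="SMTP from Internet"

# Second dst-nat so LAN clients can also reach the server via the WAN address
# (hairpin). dst-address-type=local matches any address owned by the router, so
# it survives a dynamic WAN address; the LAN gateway address itself is excluded.
add chain=dstnat action=dst-nat in-interface=ether2 dst-address-type=local \
    dst-address=!192.168.0.1 protocol=tcp dst-port=25 \
    to-addresses=192.168.0.10 to-ports=25 comment="SMTP hairpin from LAN"

# Variant A (out-interface form). Only packets leaving via pppoe-out1 are
# masqueraded. A hairpinned LAN->server connection leaves via ether2, keeps the
# client's LAN source address, and the server answers the client directly,
# bypassing the router's NAT state, so the client never sees a valid reply.
add chain=srcnat action=masquerade out-interface=pppoe-out1 disabled=yes \
    comment="Variant A: Internet works, hairpin breaks"

# Variant B (src-address form). Matched by source network regardless of the
# out-interface. The hairpinned connection is masqueraded to 192.168.0.1, the
# server replies to the router, and the reply is de-NATted back to the client.
add chain=srcnat action=masquerade src-address=192.168.0.0/24 \
    comment="Variant B: Internet and hairpin both work"
```

Variant B also masquerades LAN traffic that leaves through any other interface (a second LAN segment, a VPN), so where that is unwanted the usual narrower form is a dedicated hairpin rule matching src-address=192.168.0.0/24 together with dst-address=192.168.0.10, kept alongside the out-interface rule for the WAN.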
 
hilton
Long time Member
Topic Author
Posts: 635
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Relevance of the out interface when masquerading

Fri Jul 11, 2008 3:26 pm

If you specify out-interface for your src-nat rule and also have dst-nat rules to your internal network, they might not work correctly when used from the internal network, because then your request does not go through the out-interface and is not src-natted as it should be. That's why in my case I prefer
chain=srcnat action=masquerade src-address=192.168.0.0/24
instead of
chain=srcnat action=masquerade out-interface=ether1
and
Possible uses of the in-/out-interface parameter could be when you do NOT want to use src-/dst-ip-addresses.

Imagine having a RouterOS machine with a pppoe-client that's getting a dynamic IP address. Now you want to configure a dst-nat rule to redirect incoming email to your mail server (for example). You cannot work with dst-address here (as it's changing all the time), but you simply say "dst-nat every connection to TCP port 25 coming in on the pppoe-client interface to my internal mail server".
I have in fact TWO pppoe connections with dynamic IPs.

I then have a bunch of dst-nat rules for stuff like Outlook Web Access etc., and each rule specifies the in-interface. Because of the two internet links I duplicate each rule, just changing the in-interface. Is this correct?

I tried removing the out-interface on the masquerade rule, just leaving the src-address field, but the internet access went very sloooooooow. What did I do wrong?
Regards
Hilton