I'm just trying to get my head around the importance or even relevance of specifying the in and out interfaces when creating a masquerade nat rule. Obviously the OUT is for src-nat and IN is for dst-nat but what happens if you just don't specify one when masquerading? It still works but I suspect that if you have more than one WAN this could get confusing?

Comments please.

Possible uses of the in-/out-interface parameter could be when you do NOT want to use src-/dst-ip-addresses.

Imagine having a RouterOS machine with a pppoe-client that's getting a dynamic ip address. Now you want to configure a dst-nat rule to redirect incoming email to your mail server (for example). You cannot work with dst-address here (as it's changing all the time), but you simply say "dst-nat every connection to tcp port 25 coming in the pppoe-client-interface to my internal mailserver".

Similar for outgoing interfaces: Masquerading using just the out-interface (like pppoe-out1) as parameter will allow you to change you LAN's ip addresses without having to adjust the src-nat rule.

Just some thoughts.
And of course you're right: You do not HAVE TO use those parameters - creating rules just using src-/dst-addresses is of course valid, too!

If you specify out-interface for your src-nat rule and if you also have dst-nat rules to your internal network, they might not work correctly if used from internal network. Because then your request does not go through out-interface and is not src-natted as it should. That's why in my case I prefer
chain=srcnat action=masquerade src-address=192.168.0.0/24
instead of
chain=srcnat action=masquerade out-interface=ether1

If you specify out-interface for your src-nat rule and if you also have dst-nat rules to your internal network, they might not work correctly if used from internal network. Because then your request does not go through out-interface and is not src-natted as it should. That's why in my case I prefer
chain=srcnat action=masquerade src-address=192.168.0.0/24
instead of
chain=srcnat action=masquerade out-interface=ether1

and

Possible uses of the in-/out-interface parameter could be when you do NOT want to use src-/dst-ip-addresses.

Imagine having a RouterOS machine with a pppoe-client that's getting a dynamic ip address. Now you want to configure a dst-nat rule to redirect incoming email to your mail server (for example). You cannot work with dst-address here (as it's changing all the time), but you simply say "dst-nat every connection to tcp port 25 coming in the pppoe-client-interface to my internal mailserver".

I have in fact TWO pppoe connections with dynamic IPs.

I then have a bunch of dst-nat rules for stuff like outlook web access etc and each rule specifies the in-interface. Because of the two internet links I duplicate each rule, just changing the in-interface. Is this correct?

I tried removing the out-interface on the masquerade rule, just leaving the src-address field but the internet access went very sloooooooow. What did I do wrong?