amphigory
just joined
Topic Author
Posts: 5
Joined: Sat Nov 29, 2008 8:48 pm

Masquerade only when destination NOT in address list?

Sat Nov 29, 2008 9:18 pm

I'm very new to RouterOS (although well familiar with Cisco etc.), so sorry if this is a dumb question.

Basically, I want to set up IP Masquerading such that connections directed to the public Internet (rather than to my local private network) will be masqueraded.

Trying to make the question as clear as possible, I have:

Working on Router1
Ethernet1 -> 172.20.0.1/24 (Private Backbone)
Router2 172.20.0.2
Router3 172.20.0.3
Ethernet1 -> 63.1.1.2/24 (Public Backbone)
PPPOE address 63.1.1.3 (Router1)
PPPOE address 63.1.1.4 (Router2)
Ethernet2 -> 172.20.1.1/24 (Servers)
Server1 172.20.1.2
Server2 172.20.1.3

(For the record, IPs have been changed for obvious reasons.)

I want an IP masquerading rule such that when Server1 pings Router2, the packet will appear to come from 172.20.1.2. However, at the same time, I want IP masquerading on Router1 to allow it to connect to public addresses (such as ftp sites for software updates.) It seems like the dst-address parameter should be able to do this, with something like:

/ip firewall nat add chain=srcnat action=masquerade out-interface=Public dst-address=!private-address-list

But I can't seem to figure out the right syntax or the right way to approach this.

Can anyone point me in the right direction?

Thanks,

Patrick
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: Masquerade only when destination NOT in address list?

Sat Nov 29, 2008 9:22 pm

You're on the right track but you would need to use
dst-address-list=!private-address-list
and, of course, you would need to have created the correct subnet definitions in the address-lists.
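
The configuration described in this thread, written out as an added example that is not part of either original post. It assumes the two /24 subnets from the question are the only private destinations and that the outbound interface is named Public, as in the question's rule.

```routeros
# Added example, not from the original posts.
# Assumption: 172.20.0.0/24 and 172.20.1.0/24 (from the question) are the
# only private destinations; the outbound interface is named "Public".

# 1. Define the destinations that must NOT be masqueraded.
/ip firewall address-list
add list=private-address-list address=172.20.0.0/24 comment="Private Backbone"
add list=private-address-list address=172.20.1.0/24 comment="Servers"

# 2. Masquerade only traffic whose destination is outside that list.
#    dst-address=      expects an IP address or prefix
#    dst-address-list= expects the name of an address list
/ip firewall nat
add chain=srcnat action=masquerade out-interface=Public dst-address-list=!private-address-list comment="NAT to Internet only"

# 3. Review what was created.
/ip firewall address-list print where list=private-address-list
/ip firewall nat print where chain=srcnat
```

With these entries, a packet from Server1 (172.20.1.2) to Router2 (172.20.0.2) does not match the rule and keeps its source address, while traffic to any destination outside the list is masqueraded. Any private subnet added later has to go into the list as well, or traffic to it will be translated.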
