forne
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 15, 2011 3:18 pm

Source NAT (masquerade) questions

Sun Sep 09, 2012 4:43 am

I have one interface to the local network ("lan") and several external interfaces to ISPs. I want to do source NAT on all the external interfaces. I have a single rule in the /ip firewall nat list for that purpose:
/ip firewall nat add chain=srcnat action=masquerade out-interface=!lan
My questions are:

1. According to the packet flow diagram source NAT is done at the postrouting stage, just before a packet is about to leave the router through an interface. Can you show me where exactly at the packet flow diagram the incoming packets are deNATted?

2. What does the router do with the packets incoming from NATted interfaces for which there is no corresponding rule in the NAT table? Does it discard them silently or does it allow them to pass unchanged according to the routing rules? In other words, having the above single rule for NAT, will I have my local network protected from the outer world without any additional firewall filter rules, or do I still need to add something like this:
;;; Allow all outgoing traffic received from the local network
chain=forward action=accept in-interface=lan

;;; Process incoming traffic going to the local network
chain=forward action=jump jump-target=forward-in out-interface=lan

;;; Deny all other traffic (between external interfaces)
chain=forward action=drop

;;; Allow established connections
chain=forward-in action=accept connection-state=established

;;; Allow related connections
chain=forward-in action=accept connection-state=related

;;; Deny all other traffic (attempts to establish connections from the outer world)
chain=forward-in action=drop
 
nickshore
Member
Posts: 487
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Source NAT (masquerade) questions

Mon Sep 10, 2012 4:12 pm

Inbound packets which do not match an inbound dstnat rule, or a connection in connection tracking are discarded.

It is good practice to use both filter rules and NAT.

Nick.
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
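Since the answer turns on connection tracking, here is an added example (not code from either poster or from MikroTik) that models the forward/forward-in filter chains quoted in the question together with a connection-tracking table, so you can see which packets that rule set accepts. Interface names "lan"/"wan1"/"wan2", addresses and ports are constructed; masquerade address rewriting and the "related" state are not modelled.

```python
# Added example, not from the thread: a model of the forward/forward-in chains quoted
# above with a connection-tracking table. Interfaces, addresses and ports are constructed;
# masquerade address rewriting and the "related" state are not modelled.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Firewall:
    # connection tracking table keyed by the original direction's 4-tuple
    conntrack: set = field(default_factory=set)

    def connection_state(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "established" if fwd in self.conntrack or rev in self.conntrack else "new"

    def forward_in(self, state: str) -> str:
        # chain=forward-in: accept established/related, drop everything else
        return "accept" if state in ("established", "related") else "drop"

    def forward(self, p: Packet) -> str:
        state = self.connection_state(p)
        if p.in_iface == "lan":  # chain=forward action=accept in-interface=lan
            verdict = "accept"
        elif p.out_iface == "lan":  # chain=forward jump forward-in out-interface=lan
            verdict = self.forward_in(state)
        else:  # chain=forward action=drop (traffic between external interfaces)
            verdict = "drop"
        if verdict == "accept" and state == "new":
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return verdict

def run_scenario() -> list:
    fw = Firewall()
    packets = [
        Packet("lan", "wan1", "192.168.88.10", 40000, "203.0.113.5", 443),  # LAN host opens HTTPS
        Packet("wan1", "lan", "203.0.113.5", 443, "192.168.88.10", 40000),  # reply, tracked
        Packet("wan1", "lan", "198.51.100.7", 5555, "192.168.88.10", 22),   # unsolicited inbound SSH
        Packet("wan1", "wan2", "198.51.100.7", 5555, "203.0.113.5", 80),    # transit between ISP links
    ]
    return [fw.forward(p) for p in packets]
```

`run_scenario()` returns `['accept', 'accept', 'drop', 'drop']`: only traffic the LAN initiated, and replies to it, get through.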
