Source NAT (masquerade) questions

Posted: Sun Sep 09, 2012 4:43 am
by forne
I have one interface to the local network ("lan") and several external interfaces to ISPs. I want to do source NAT on all the external interfaces. I have a single rule in the /ip firewall nat list for that purpose:
/ip firewall nat add chain=srcnat action=masquerade out-interface=!lan
My questions are:

1. According to the packet flow diagram, source NAT is done at the postrouting stage, just before a packet is about to leave the router through an interface. Can you show me where exactly at the packet flow diagram the incoming packets are deNATted?

2. What does the router do with the packets incoming from NATted interfaces for which there is no corresponding rule in the NAT table? Does it discard them silently or does it allow them to pass unchanged according to the routing rules? In other words, having the above single rule for NAT, will I have my local network protected from the outer world without any additional firewall filter rules, or do I still need to add something like this:
;;; Allow all outgoing traffic received from the local network
chain=forward action=accept in-interface=lan

;;; Process incoming traffic going to the local network
chain=forward action=jump jump-target=forward-in out-interface=lan

;;; Deny all other traffic (between external interfaces)
chain=forward action=drop

;;; Allow established connections
chain=forward-in action=accept connection-state=established

;;; Allow related connections
chain=forward-in action=accept connection-state=related

;;; Deny all other traffic (attempts to establish connections from the outer world)
chain=forward-in action=drop

Re: Source NAT (masquerade) questions

Posted: Mon Sep 10, 2012 4:12 pm
by nickshore
Inbound packets which do not match an inbound dstnat rule, or a connection in connection tracking are discarded.

It is good practice to use both filter rules and NAT.

Nick.
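As an added example (not code from either poster, nor MikroTik's own), here is a small Python model of the path the thread is discussing: connection tracking and reverse NAT in prerouting, the routing decision, the forward / forward-in chains quoted in the first post, and masquerade in postrouting. Interface names, addresses and packets are constructed; the "related" state and the input chain (packets addressed to the router itself) are not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology (not from the thread): one LAN and two ISP uplinks.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IFACE_ADDR = {"lan": "192.168.1.1", "isp1": "203.0.113.2", "isp2": "198.51.100.2"}

# The forward / forward-in rules quoted in the first post, expressed as data.
RULES = {
    "forward": [
        {"action": "accept", "in_interface": "lan"},
        {"action": "jump", "jump_target": "forward-in", "out_interface": "lan"},
        {"action": "drop"},
    ],
    "forward-in": [
        {"action": "accept", "connection_state": "established"},
        {"action": "accept", "connection_state": "related"},
        {"action": "drop"},
    ],
}

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"

class Tracker:
    """Toy connection tracker: remembers each flow and the source address it was
    masqueraded to, so replies can be recognised and de-NATted before routing."""
    def __init__(self):
        self.by_orig = {}   # (proto, src, dst) -> conn
        self.by_reply = {}  # (proto, peer, nat_src or src) -> conn

    def lookup(self, pkt):
        key = (pkt.proto, pkt.src, pkt.dst)
        if key in self.by_orig:
            return "established", "orig", self.by_orig[key]
        if key in self.by_reply:
            return "established", "reply", self.by_reply[key]
        return "new", "orig", None  # "related" (ICMP errors, helpers) is not modelled

    def add(self, pkt, nat_src):
        conn = {"orig_src": pkt.src, "nat_src": nat_src}
        self.by_orig[(pkt.proto, pkt.src, pkt.dst)] = conn
        self.by_reply[(pkt.proto, pkt.dst, nat_src or pkt.src)] = conn
        return conn

def route(dst):
    """Routing decision: the LAN prefix goes to lan, everything else to isp1."""
    return "lan" if ipaddress.ip_address(dst) in LAN_NET else "isp1"

def matches(rule, pkt, out_iface, state):
    have = {"in_interface": pkt.in_iface, "out_interface": out_iface,
            "connection_state": state}
    return all(have[k] == v for k, v in rule.items()
               if k not in ("action", "jump_target"))

def run_chain(chain, pkt, out_iface, state, rules=RULES):
    """Walk a chain; a jump whose target falls through returns to the caller."""
    for rule in rules[chain]:
        if not matches(rule, pkt, out_iface, state):
            continue
        if rule["action"] == "jump":
            verdict = run_chain(rule["jump_target"], pkt, out_iface, state, rules)
            if verdict is not None:
                return verdict
            continue
        return rule["action"]
    return None  # chain exhausted; built-in chains default to accept

def process(pkt, tracker, rules=RULES):
    """prerouting (conntrack + de-NAT) -> routing -> forward chain -> postrouting srcnat"""
    state, direction, conn = tracker.lookup(pkt)
    if direction == "reply" and conn["nat_src"]:
        pkt = replace(pkt, dst=conn["orig_src"])  # reverse of masquerade, before routing
    out_iface = route(pkt.dst)
    verdict = run_chain("forward", pkt, out_iface, state, rules) or "accept"
    if verdict != "accept":
        return verdict, state, pkt.src, pkt.dst
    if state == "new":
        conn = tracker.add(pkt, IFACE_ADDR[out_iface] if out_iface != "lan" else None)
    if direction == "orig" and conn["nat_src"]:
        pkt = replace(pkt, src=conn["nat_src"])  # masquerade in postrouting (out-interface=!lan)
    return verdict, state, pkt.src, pkt.dst

def simulate():
    """Constructed packets: a LAN-initiated flow, its reply, an unsolicited probe,
    ISP-to-ISP transit, and a later packet of the first flow."""
    t = Tracker()
    return [
        process(Packet("lan", "192.168.1.10", "203.0.113.5"), t),    # new, masqueraded
        process(Packet("isp1", "203.0.113.5", "203.0.113.2"), t),    # reply, de-NATted, accepted
        process(Packet("isp1", "198.51.100.7", "192.168.1.10"), t),  # unsolicited -> forward-in drop
        process(Packet("isp1", "198.51.100.7", "203.0.113.5"), t),   # isp1 -> isp1 transit -> drop
        process(Packet("lan", "192.168.1.10", "203.0.113.5"), t),    # established, still masqueraded
    ]
```

Running `simulate()` shows the two points the thread turns on: the reply to a masqueraded flow is recognised by the tracker and has its destination restored before the routing decision, which is why it can reach the LAN host at all; and an unsolicited packet from an ISP interface has no tracker entry, so it is "new" and falls to the explicit drop at the end of forward-in. The masquerade rule itself only rewrites sources on the way out; it is the filter rules in the first post that decide what may enter.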