Inherent difference between 'masquerade' and 'src-nat'?

Tue Jan 06, 2015 3:23 am

IPs from a connected router ("LOCAL-router") go out through the border gateway to the internet and get a new public IP in the border gateway.

When I use 'masquerade', the border-GW picks the lowest public IP available on its WAN interface for traffic to the internet coming from this specific source IP.
I have a full /24 set of public IPs residing on this WAN interface (minus .1, which is the provider's GW address).

Since I want to give several users behind the "LOCAL-router" different public IPs, I need to use a src-nat rule and specify the public IP that belongs to a given LAN IP.

I use it in another WAN-connected router somewhere else without problems.
I use it in this border-GW router for client traffic coming in on another LAN interface, and each single client IP gets src-natted to a given public IP. No problems.

So, 'masquerade' works for all or any LAN IPs coming from "LOCAL-router".
I can even temporarily disable any public IP on the WAN interface, and the masquerade picks the next lowest IP to label traffic leaving for the internet.
But no src-nat rule works for this specific traffic. Not to any public IP. Traffic leaves the router, but when it comes back it seems the connection tracking table doesn't know where to send the return traffic.

In the same border-GW router I can easily mark (mangle in prerouting) this specific traffic and make it route out another interface to another remote WAN router, and it works fine.
I then also make a policy route for this specific traffic, but to go out the WAN on this router, and traffic stops.... if in src-nat. In masquerade it just routes out this WAN.

I don't understand.
What is the difference in how the CCR treats incoming packets that it then masquerades on an outgoing interface, compared to doing the same for the same packets but now with a src-nat rule?

Anybody with any clues?
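To make the two rule forms the post contrasts concrete, here is an added RouterOS example (not the poster's configuration): a masquerade rule for the whole LAN next to per-host src-nat rules, followed by the checks a practitioner would run on the border-GW to see which public address a flow was translated to and whether the reply direction is recorded. The interface name WAN, the 192.168.10.0/24 LAN behind LOCAL-router and the 203.0.113.0/24 public block are assumptions.

```routeros
# Added example, not the poster's configuration. The interface name WAN,
# the 192.168.10.0/24 LAN and the 203.0.113.0/24 public block are assumed.

# Form 1: masquerade. The translated source address is not written in the
# rule; the router takes it from the addresses present on the outgoing
# interface when the first packet of the connection is seen.
/ip firewall nat
add chain=srcnat out-interface=WAN src-address=192.168.10.0/24 \
    action=masquerade comment="LOCAL-router users, router-chosen public IP"

# Form 2: src-nat. The translated source address is fixed per rule, so each
# LAN host can be pinned to its own public IP.
/ip firewall nat
add chain=srcnat out-interface=WAN src-address=192.168.10.11 \
    action=src-nat to-addresses=203.0.113.11 comment="host .11 -> public .11"
add chain=srcnat out-interface=WAN src-address=192.168.10.12 \
    action=src-nat to-addresses=203.0.113.12 comment="host .12 -> public .12"

# Checks for the symptom described in the post.
# 1. The address named in to-addresses must actually be configured on the
#    WAN interface (or routed to this router); otherwise the provider's
#    gateway has nobody to deliver the reply to.
/ip address print where interface=WAN

# 2. Look at the tracked connection for one translated host. A working
#    src-nat entry shows the public IP as reply-dst-address, i.e. the
#    router knows to rewrite returning packets back to the LAN host.
/ip firewall connection print detail where src-address~"192.168.10.11"

# 3. Confirm the intended rule is the one matching (its counters move).
/ip firewall nat print stats
```

The useful comparison is between the connection entries created by the two rule forms for the same LAN host: if the src-nat entry exists with the expected reply addresses but replies still do not come back, the problem sits upstream of conntrack (address ownership or ARP on the WAN side); if no entry is created at all, the packet never reached the srcnat chain on that interface, which is where the mangle marks and policy routes mentioned in the post come into play.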
