Your command works, anav, but when I check back the NAT rule at WebFig (sorry, this is my first time with RouterOS) it says that both in-interface-list and out-interface-list are set to LAN. Shouldn't the out list be WAN? If I try adding in and out list to your command like this:
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none in-interface-list=LAN out-interface-list=WAN out-interface=sfp1
it displays "failure" and the same error message as before.
Hi there,
Only the out interface is relevant.
So you can have either out-interface-list=WAN or out-interface=sfp1
(unless it's a PPPoE-out interface, in which case you need to use the name vice the port if using the second option; same with a VLAN).
Standard ISP connection:
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface-list=WAN
OR
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface=sfp1
PPPoE client, where the ethernet port is sfp1 but pppoe-out is the PPPoE client interface name:
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface-list=WAN
OR
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface=pppoe-out
WAN client is on a VLAN, so let's say vlan-isp is on etherport sfp1:
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface-list=WAN
OR
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface=vlan-isp
In all cases assuming the interface list and interface list members are correct.
Thus it's clear why out-interface-list=WAN is popular, as it covers most cases.
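
Added example, not part of the posts above: the interface list setup that the out-interface-list=WAN rule relies on, for the three cases in the reply. The interface names sfp1, pppoe-out and vlan-isp are the ones used in the thread; which member line applies depends on your own WAN setup.

```routeros
# Added example. Create the list once (skip if a WAN list already exists).
/interface list
add name=WAN

# Add the interface that actually carries the Internet-facing IP traffic.
/interface list member
# Standard ISP connection directly on the port:
add list=WAN interface=sfp1
# PPPoE client running over sfp1 (use this instead of the sfp1 line):
# add list=WAN interface=pppoe-out
# ISP delivered on a VLAN over sfp1 (use this instead of the sfp1 line):
# add list=WAN interface=vlan-isp

# One masquerade rule then covers whichever case applies.
# Only the out side is matched; no in-interface-list is needed.
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
    ipsec-policy=out,none out-interface-list=WAN

# Verify what the rule will match on.
/interface list member print where list=WAN
/ip firewall nat print where chain=srcnat
```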