wentzlaf
just joined
Topic Author
Posts: 1
Joined: Thu Aug 18, 2022 5:48 am

Endpoint-Dependent NAT vs. Endpoint-Independent NAT

Thu Aug 18, 2022 5:57 am

Is the default port mapping of RouterOS's IP masquerading endpoint-dependent or endpoint-independent? I.e., when a particular host inside of the NAT sets up a new outbound connection to a new destination with the same source port as a previously opened connection, does it use the same source port on the NAT, or is the mapping dependent on the 4-tuple (source IP, source port, dest IP, dest port)? Endpoint-dependent mapping makes NAT traversal much more difficult and arguably might be more secure. Is there some way to make RouterOS's masquerading endpoint-dependent?

Looking in Linux, it looks like there is a flag (--random) to netfilter which turns the default behavior from endpoint-independent into endpoint-dependent, but I am not sure how to set this in RouterOS. There seems to be a random flag to NAT, but it does something else.

As a bonus, is the answer any different for src-nat instead of masquerading?

Thanks in advance.
 
dalami
Member Candidate
Posts: 135
Joined: Mon Dec 12, 2011 9:18 am

Re: Endpoint-Dependent NAT vs. Endpoint-Independent NAT

Mon Apr 17, 2023 12:25 am

See "endpoint-independent-nat" and "randomize-port".
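
The two mapping behaviours asked about in this thread, as an added example that is not part of either post and does not reproduce RouterOS or netfilter internals. `ToyNat`, `mapping_reusable` and all addresses are constructed for illustration; the model covers port mapping only, not filtering or timeouts.

```python
import random

PUBLIC_IP = "203.0.113.1"           # constructed (RFC 5737 documentation range)
STUN = ("198.51.100.10", 3478)      # constructed reflector address
PEER = ("198.51.100.77", 40000)     # constructed remote peer


class ToyNat:
    """Mapping behaviour of a source NAT only (no filtering, no timeouts)."""

    def __init__(self, endpoint_independent, seed=1):
        self.endpoint_independent = endpoint_independent
        self.rng = random.Random(seed)
        self.table = {}      # mapping key -> external port
        self.used = set()    # external ports already handed out

    def translate(self, src, dst):
        """Return the (public ip, port) that dst sees for a packet from src."""
        # Endpoint-independent: one mapping per internal (ip, port).
        # Endpoint-dependent: one mapping per (src ip, src port, dst ip, dst port).
        key = src if self.endpoint_independent else (src, dst)
        if key not in self.table:
            port = self.rng.randrange(1024, 65536)
            while port in self.used:
                port = self.rng.randrange(1024, 65536)
            self.used.add(port)
            self.table[key] = port
        return (PUBLIC_IP, self.table[key])


def mapping_reusable(nat, src=("192.168.88.10", 50000)):
    """True if the address learned from one destination is also the one
    a second destination sees for the same internal socket."""
    learned = nat.translate(src, STUN)       # what the reflector reports back
    seen_by_peer = nat.translate(src, PEER)  # what the peer actually sees
    return learned == seen_by_peer


if __name__ == "__main__":
    for eim in (True, False):
        kind = "endpoint-independent" if eim else "endpoint-dependent"
        print(kind, "-> mapping reusable across destinations:",
              mapping_reusable(ToyNat(eim)))
```

With endpoint-dependent mapping the externally visible port changes per destination, so an address learned from one remote host cannot be handed to another, which is why the original post describes traversal as harder in that mode.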
