Techsystem
Member
Topic Author
Posts: 337
Joined: Tue Dec 21, 2021 5:12 am

default masquerade rule in mikrotik, deep or not

Tue Nov 22, 2022 11:31 am

Hello my friends!
So in the default masquerade rule in MikroTik they define the out interface/interface list. Why does MikroTik do that? What is the purpose?
As we know, if we unselect the out interface (creating a masquerade rule without defining the out interface), nothing will change and the internet connection will still be up.
So is this mandatory for another reason?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: default masquerade rule in mikrotik, deep or not

Tue Nov 22, 2022 2:03 pm

Do you run some internal servers (e.g. a webserver that has a port forwarded from the router to it) where source addresses (where clients are connecting from) matter? I'm guessing not. Unconditional masquerade means that it applies to all traffic passing through the router, in any direction. So in this example, the server would think that all connections are from the router and not from the internet.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: default masquerade rule in mikrotik, deep or not

Tue Nov 22, 2022 2:07 pm

So in summary, if I send a request from subnet A to subnet B, the request will be sourcenatted to the gateway IP of subnet A, and that is the only source address the server in subnet B will see, and the return traffic will be unsourcenatted by the router?

Seems like no harm, no foul, except a ton of extra load on the CPU?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: default masquerade rule in mikrotik, deep or not

Tue Nov 22, 2022 2:33 pm

Yes to the first question. And there won't be any extra load on the CPU, because connection tracking, as the heavy part, happens anyway. It won't break things in a hard way; users won't be running and screaming that something doesn't work. But you're introducing NAT for no reason; it doesn't give you any benefit. And it can break things when you do care about real source addresses.
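
The two cases discussed above (a port-forwarded internal server, and traffic between two internal subnets), as an added example that is not part of the original thread: a small Python model of a srcnat masquerade rule with and without an out-interface matcher. The addresses, interface names and the contents of the `WAN` list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumption): one WAN port and two internal networks.
ROUTER_ADDR = {"ether1-wan": "203.0.113.2",
               "bridge-lan": "192.168.88.1",
               "bridge-srv": "10.0.0.1"}
WAN_LIST = {"ether1-wan"}

@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str  # interface chosen by routing, already known when srcnat runs

@dataclass
class MasqueradeRule:
    out_interface_list: Optional[set]  # None = rule has no out-interface matcher

    def matches(self, pkt: Packet) -> bool:
        return self.out_interface_list is None or pkt.out_iface in self.out_interface_list

def srcnat(pkt: Packet, rule: MasqueradeRule) -> str:
    """Source address the destination host sees after the srcnat chain."""
    if rule.matches(pkt):
        # masquerade rewrites the source to the router's own address on the
        # interface the packet leaves through
        return ROUTER_ADDR[pkt.out_iface]
    return pkt.src

# Constructed flows: LAN client to internet, LAN client to an internal server,
# and an internet client reaching that server through a port forward (dstnat).
FLOWS = {
    "lan_to_internet": Packet("192.168.88.10", "198.51.100.7", "ether1-wan"),
    "lan_to_server": Packet("192.168.88.10", "10.0.0.80", "bridge-srv"),
    "internet_to_forwarded_server": Packet("198.51.100.7", "10.0.0.80", "bridge-srv"),
}

def seen_sources(rule: MasqueradeRule) -> dict:
    return {name: srcnat(p, rule) for name, p in FLOWS.items()}

def hidden_internally(rule: MasqueradeRule) -> list:
    """Flows that stay off the WAN but still lose their real source address."""
    return sorted(n for n, p in FLOWS.items()
                  if p.out_iface not in WAN_LIST and srcnat(p, rule) != p.src)

DEFAULT_RULE = MasqueradeRule(WAN_LIST)  # chain=srcnat action=masquerade out-interface-list=WAN
UNCONDITIONAL = MasqueradeRule(None)     # chain=srcnat action=masquerade

if __name__ == "__main__":
    for label, rule in (("default", DEFAULT_RULE), ("unconditional", UNCONDITIONAL)):
        print(label, seen_sources(rule), hidden_internally(rule))
```

With the unconditional rule the internal server logs the router's address for every client, so its access logs and any source-based allow lists stop distinguishing who connected.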
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: default masquerade rule in mikrotik, deep or not

Tue Nov 22, 2022 2:39 pm

If you have more than one internal LAN, masquerading all uselessly takes up more CPUs,
but at the same time it compromises both security and "convenience".
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: default masquerade rule in mikrotik, deep or not

Tue Nov 22, 2022 2:50 pm

Most of the time I see a src nat rule without an interface in scenarios where the person configuring does not have basic routing knowledge, so it is a way for him or her to make things work.

A dirty way.

A disadvantage I see in this approach is that it makes it more difficult for you to diagnose or track problems.

I think if a person thinks that this does no harm, it is because he or she lacks basic networking knowledge and justifies it by the premise "it works".
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: default masquerade rule in mikrotik, deep or not

Tue Nov 22, 2022 3:04 pm

:P "convenience"
