Sat Feb 18, 2023 11:34 am
The most important feature of masquerade (as compared to "normal" SRC NAT) is "WAN link state awareness". Meaning that if the WAN link goes down, masquerade prepares for a WAN IP address change (which is what often happens). And preparation for an IP address change includes tearing down all connections ... obviously the firewall on the router can't mark a connection as dropped on either connection endpoint (client, server); the firewall would have to send RST packets to both sides, and it can't do that for one side because the link to that side has just dropped. But it does clear its own connection tracking table. And from this point forward any TCP packet that is not the first packet of the TCP connection establishment handshake (a payload-less packet with the SYN flag set) is deemed invalid (and thus dropped, unless the firewall filter rules are flawed).
With "normal" SRC NAT the above doesn't happen, which means that when the WAN address is static, most (if not all) connections will resume after a pause (if the pause is shorter than the TCP retransmission timeouts and/or application timeouts). However, if the WAN address changes, all ongoing connections will drop, because the address used by SRC NAT won't belong to the router any more and return packets won't reach it.
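For reference, here is the RouterOS configuration the two cases above correspond to, written as an added example (not part of the post or of any MikroTik documentation). The interface name `ether1`, the static WAN address `203.0.113.10` and the LAN range `192.168.88.0/24` are assumptions; substitute your own. The filter rules are the part the post calls "not flawed": without the `invalid` drop, packets that no longer match a tracked connection are not discarded by the firewall.

```routeros
# Added example, not from the original post. Assumed names/addresses:
#   WAN interface = ether1, static WAN address = 203.0.113.10,
#   LAN range = 192.168.88.0/24

/ip firewall nat
# Case 1: masquerade. Uses whatever address ether1 currently has and
# flushes its tracked connections when ether1 goes down.
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=masquerade comment="masquerade: WAN link-state aware"

# Case 2: plain src-nat to a fixed address. Tracked connections survive a
# link flap; they only break if 203.0.113.10 stops belonging to the router.
# (Enable one of the two rules, not both.)
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=src-nat to-addresses=203.0.113.10 disabled=yes \
    comment="src-nat: static WAN address"

/ip firewall filter
# Accept packets that belong to an already tracked connection.
add chain=forward connection-state=established,related action=accept
# Drop packets that match no tracked connection and are not a valid
# connection start (e.g. a mid-stream TCP packet after the table was cleared).
add chain=forward connection-state=invalid action=drop
# Allow LAN hosts to open new connections towards the WAN.
add chain=forward connection-state=new in-interface-list=LAN \
    out-interface=ether1 action=accept

# Inspect the tracked connections before and after a WAN link flap:
/ip firewall connection print where protocol=tcp

# To reproduce the masquerade behaviour on a lab router without pulling
# the cable, clear the tracking table by hand; ongoing TCP sessions through
# the router then hit the "invalid" rule above until they are re-established.
/ip firewall connection remove [find]
```

The `in-interface-list=LAN` reference assumes an interface list named `LAN` exists (it does on the RouterOS default configuration); on a router without it, use `in-interface=` with the LAN interface name instead.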