dalami (Member Candidate, Topic Author)
Posts: 134
Joined: Mon Dec 12, 2011 9:18 am

Is a catchall src-nat good or bad?

Sat Jun 03, 2023 3:27 am

Typically, our standard default install will have a masquerade rule on the outbound interface of a router. Sometimes, when using static IPs, we can use an explicit src-nat instead of a masquerade. I *think* this isn't terribly controversial.

Now, if I add a tunnel, say Wireguard for argument's sake, we'll add another src-nat or masquerade rule for the tunnel. As this is the more restrictive traffic it goes before the default rule. Feel free to flame me here if this is wrong.

Now - it seems to me this should account for all traffic. Yet, if I add a final "catchall" masquerade rule with no conditions some packets do go through it. Not many - but more than 0 which I don't understand. What would be causing this? This is without (as far as I know) broadcast services like OSPF enabled.

This then makes me wonder - what's wrong with just a generic masquerade rule with no conditions on it?
 
wiseroute (Member)
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Is a catchall src-nat good or bad?

Sat Jun 03, 2023 7:30 am

@dalami,

Nice masquerade vs src-nat observation. Super 👍🏻

dalami wrote: "This then makes me wonder - what's wrong with just a generic masquerade rule with no conditions on it?"

No. There is nothing wrong with plain masquerade; it is even very simple to set up.

In basic Linux iptables terms, an example that masquerades any LAN subnet to the internet over a dynamic PPPoE link:

```shell
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
```

From there you don't even see which subnet got translated etc., just the plain output interface and the translation.

Whereas src-nat is more detailed in its classifiers and action.

Is a masquerade catch-all good or bad?
The answer only depends on how you define *trusted* managed networks.

hope this helps.
 
anav (Forum Guru)
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is a catchall src-nat good or bad?

Sat Jun 03, 2023 3:25 pm

You do not need a source NAT rule for WireGuard automatically. It depends on the scenario.
The one time it's mandatory is if your router is acting as a client (during the handshake) connecting to a third-party VPN provider.
 
mkx (Forum Guru)
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is a catchall src-nat good or bad?

Sat Jun 03, 2023 4:32 pm

dalami wrote: "Now - it seems to me this should account for all traffic. Yet, if I add a final "catchall" masquerade rule with no conditions"

Don't forget that when there are truly no matchers, that catchall will affect traffic through all router interfaces, not only the WAN interfaces ...

It's only too easy to forget about router<->LAN traffic when thinking about NAT rules ... but the router has no concept of WAN (which needs NAT); it has to be properly configured to act as if there indeed were such a thing as WAN.
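The following RouterOS configuration is an added example, not from any post in this thread. It puts the two points above into rules: every srcnat rule is scoped by egress interface, LAN egress is explicitly accepted so router->LAN and inter-VLAN traffic keeps its real source, and the final "catchall" logs instead of masquerading, so whatever reaches it can be identified. Interface names (ether1 as WAN, bridge as LAN, wireguard1 as the tunnel), the interface-list names and the static address 203.0.113.10 are assumptions for illustration.

```routeros
# Added example (not from the thread): srcnat rules scoped by egress interface,
# with a logging rule at the end instead of a blind catch-all masquerade.
# Assumptions: ether1 is the WAN port holding the static address 203.0.113.10,
# the LAN lives on "bridge", and the tunnel interface is wireguard1.

/interface list
add name=WAN comment="interfaces that need source NAT"
add name=LAN comment="interfaces that must never rewrite sources"
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall nat
# 1. Most specific first: traffic leaving through the tunnel is masqueraded to the
#    tunnel's own address (only needed when the far side cannot route our LAN).
add chain=srcnat out-interface=wireguard1 action=masquerade comment="tunnel: masquerade to the wireguard1 address"

# 2. Static WAN address: explicit src-nat instead of masquerade.
add chain=srcnat out-interface-list=WAN action=src-nat to-addresses=203.0.113.10 comment="WAN: translate to the static public address"

# 3. Traffic leaving a LAN interface (router -> LAN replies, inter-VLAN routing,
#    hairpin forwarding) is accepted untouched so the real source survives.
add chain=srcnat out-interface-list=LAN action=accept comment="LAN egress: never rewrite the source"

# 4. What is left is exactly what a matcher-less catch-all masquerade would have
#    translated. Log it instead so the leftovers can be identified first.
add chain=srcnat action=log log-prefix="srcnat-leftover" comment="unexpected srcnat traffic: inspect before adding a rule"

# Inspect: per-rule counters, then the leftovers themselves.
/ip firewall nat print stats
/log print where message~"srcnat-leftover"
```

Two caveats when reading the counters: srcnat rules are consulted only for the first packet of a connection, so the counts are new connections rather than packets, and the log rule translates nothing. Once the leftovers are identified, add a rule scoped to that interface or subnet rather than reinstating a matcher-less masquerade; if you rely on hairpin NAT for port forwards, rule 3 will need an exception for that traffic.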
