hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Masquerade src-address-type=!local?

Mon Jun 05, 2023 1:03 pm

Why don't we exclude the router's own address from the main masquerading rule?
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address-type=!local
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Masquerade src-address-type=!local?

Mon Jun 05, 2023 2:41 pm

If nothing fancy is going on, then the routing decision will result in selecting the correct src-address for the appropriate egress interface, and thus SRC-NAT is indeed not needed. The packet flow diagram shows that the packet still passes the src-nat function (which is part of the postrouting chain), but I guess it's safe to assume that src-nat notices that there's nothing to be done and simply passes the packet unaltered (hence the additional selector on the src-nat rule is not needed).
If a router process explicitly sets the src-address to one of the router's own addresses which is not "native to the egress interface" (but still qualifies as src-address-type local), then src-nat has to be performed, or else the two-way connection would likely fail. So in this case adding the additional selector to the src-nat rule would break connectivity (and the router would leak LAN address(es) through the WAN interface).

Note that the discussion above doesn't apply to forwarded traffic, where the src-address is not local anyway.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Masquerade src-address-type=!local?

Mon Jun 05, 2023 4:07 pm

That is right. Using src-address-type=!local is likely too broad. But of course you could use src-address=!(the address of the external interface).
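The three rule variants discussed in this thread side by side, with a way to reproduce the failure mkx describes. This is an added example, not configuration posted by anyone in the thread or shipped by MikroTik. It assumes a lab router where interface list WAN contains ether1 with the static address 203.0.113.5/24, the router's LAN address is 192.168.88.1/24 on bridge1, and 8.8.8.8 is reachable as a ping target; the addresses are placeholders, not real ones.

```routeros
# Added example, not from the thread. Assumed lab values: interface list "WAN"
# holds ether1 with 203.0.113.5/24 (static); the router's LAN address is
# 192.168.88.1/24 on bridge1.

/ip firewall nat

# 1. The usual rule: everything leaving a WAN interface is masqueraded, which
#    also covers packets the router itself sends from a non-WAN address
#    (mkx's second case). Packets that already carry the WAN address are
#    rewritten to the same address, so nothing observable changes for them.
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="masquerade everything leaving WAN"

# 2. The variant from the question. A router-originated packet sourced from
#    192.168.88.1 matches src-address-type=local, so the rule skips it and the
#    packet leaves ether1 with a LAN source address. Shown disabled so it can
#    be enabled only to reproduce the failure below; do not leave it in place.
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    src-address-type=!local disabled=yes comment="breaks router-originated LAN-sourced traffic"

# 3. pe1chl's narrower exemption: skip only packets that already carry the WAN
#    address itself. This only works while 203.0.113.5 is the WAN address, i.e.
#    a static assignment; with DHCP or PPPoE the literal address goes stale.
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    src-address=!203.0.113.5 disabled=yes comment="exempt only the WAN address"

# Reproduce mkx's failure case: force the router to source a ping from its LAN
# address and route it out via WAN. With rule 1 active the packet is translated
# to 203.0.113.5 and replies arrive; with only rule 2 active it leaves as
# 192.168.88.1, the far side cannot route a reply back, and the ping times out.
/ping 8.8.8.8 src-address=192.168.88.1 count=3

# Check what the connection tracker recorded for that flow. reply-dst-address
# is the source the packet actually left with: 203.0.113.5 when NAT happened,
# 192.168.88.1 when the LAN address leaked out unmodified.
/ip firewall connection print detail where dst-address~"^8\\.8\\.8\\.8"
```

Because rules 2 and 3 are added disabled, the router keeps the safe behaviour of rule 1 until one of them is explicitly enabled and rule 1 disabled for the test; swap them back afterwards.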
