Techsystem
Member
Topic Author
Posts: 398
Joined: Tue Dec 21, 2021 5:12 am

Deep Question about srcnat

Tue Jul 11, 2023 5:26 pm

Hello to all MikroTik people there...!
So I got stuck with this MikroTik config that I really didn't understand, so please, can anyone explain to me what this srcnat rule actually does?
The scenario is like this:
1- RB2011 with SFP that represents the out interface (WAN), so there is a fiber connection on it.
2- From this SFP interface they create a VLAN named "net" with a specific ID, in this case 2002.
3- Then there is a loopback bridge with an IP address, and this bridge doesn't have any port related to it.
4- Then the most questioned thing is the srcnat rule, which looks like this:
chain:srcnat action:src-nat to address:88.144.234.1
Now if I torch the "net" VLAN, all the dst addresses will be 88.144.234.1.

All MikroTik ports are up to the internet and there is no problem.

Maybe a lot of you have encountered such a scenario or created it, so please, can anyone explain what this means?
Really curious to know what this srcnat rule does in this situation and what the relationship is between it and the loopback bridge.
Thanks in advance.
If you need the full router config I can send it.
 
mkx
Forum Guru
Posts: 13683
Joined: Thu Mar 03, 2016 10:23 pm

Re: Deep Question about srcnat

Tue Jul 11, 2023 8:37 pm

Please copy-paste actual configuration of the device, your explanation can be interpreted in different ways. And explain what exactly you mean by "all Mikrotik ports are up to internet" ...

Other than that: NAT help page explains things quite in-depth. But basics (as far as I understand) is that NAT rule has two types of properties: matching properties and action properties. Action properties include: action, to-addresses and to-ports. All the rest are there to narrow down the selection of connections to which NAT rule should apply. And usually SRC-NAT rule has something like "out-interface=ether1" or "out-interface-list=WAN" so that NAT rule only applies to connections which are connecting WAN servers (and starting in any of connected networks, usually this means LAN). The way you described the rule (and I don't know how accurate your description is, hence my request to post actual configuration) there are no matching properties defined on your SRC-NAT rule, so it'll just apply to every single connection (and consequently packet) passing router.
 
Techsystem
Member
Topic Author
Posts: 398
Joined: Tue Dec 21, 2021 5:12 am

Re: Deep Question about srcnat

Tue Jul 11, 2023 9:05 pm

Hello mkx..!
Thanks for your interest..!
Here is my config:
Please note that I changed all public IPs that appear in this file.

Something to add: you will notice that they assigned a public IP address to the loopback bridge, and that's something also in question.
Last edited by Techsystem on Tue Jul 11, 2023 9:39 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 13683
Joined: Thu Mar 03, 2016 10:23 pm

Re: Deep Question about srcnat

Tue Jul 11, 2023 9:38 pm

Are you asking about this rule?
add action=src-nat chain=srcnat dst-address-list=!10.237.239.0 to-addresses=88.122.55.66

I'm guessing that the intent is to perform src-nat on all packets whose dst-address does not fall into the 10.237.239.0/24 subnet? If that is so, then the line is wrong. Property dst-address-list requires the name of an address list (those are configured under /ip/firewall/address-list) and the exclamation sign says that the rule will affect packets whose dst-address is not in the named address list. Your config doesn't contain any address list, so the rule will assume an empty address list and the negation of an empty list is ... well, everything.
You could change rule so that it would have dst-address=!10.237.239.0/24 instead ... and make sure that subnet mask (/24 in this example) is correct. Or you could actually construct an address list (specially handy if it contains multiple, non-contiguous, address ranges) and update your current rule to refer to that interface list.


And (want it or not) my personal opinion on your config: it's a mess and dangerous and I would never connect thusly configured device to internet.
 
Techsystem
Member
Topic Author
Posts: 398
Joined: Tue Dec 21, 2021 5:12 am

Re: Deep Question about srcnat

Tue Jul 11, 2023 10:12 pm

Yes, I agree with you and understand you. However, the heart of my question is why they put this public IP as an address for the loopback bridge and then created a srcnat rule like that..?? That's the missing part in my mind..!?
So yes, they want any internet user to be up on the internet (or to go through the internet) using this public IP. But is that a reason to make this rule..?
 
drasked
just joined
Posts: 11
Joined: Sun Jun 18, 2023 1:03 pm

Re: Deep Question about srcnat

Tue Jul 11, 2023 10:22 pm

The config seems strange to me, but I have no knowledge of your provider's network.

/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=!77.255.244.0 to-addresses=88.122.55.66

This rule NATs all traffic that doesn't have a destination address on a list named "77.255.244.0" (which isn't present in the config you posted) to src addr 88.122.55.66 (even between LAN interfaces, which seems strange).

/ip address
add address=88.122.55.66 interface=loopback network=88.122.55.66

This part is probably so the router itself is reachable on 88.122.55.66.

Why do you see a lot of traffic directed to 88.122.55.66? Because all connections are getting NATted to having source address 88.122.55.66.

Could be a case of sloppy config, or "mikrotik can do anything" (or both).

Also seems like part of the config is missing.
Last edited by drasked on Tue Jul 11, 2023 10:58 pm, edited 4 times in total.
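The point both mkx and drasked make above, that a negated dst-address-list referring to a list that does not exist matches every connection, is easy to see with a small simulator of the matcher semantics. The following Python is an added illustration written for this thread, not RouterOS code and not from the poster's configuration; it assumes the RouterOS semantics as described in the replies (an unset matcher is a wildcard, `!` negates a matcher, a missing address list behaves as empty) and uses constructed packets, interface names and the placeholder public address from the thread. It evaluates the posted rule against LAN-to-LAN and LAN-to-internet traffic, then the same rule with the address list actually defined, and a variant narrowed with dst-address and out-interface-list=WAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SrcNatRule:
    """Subset of a RouterOS srcnat rule: matchers plus the to-addresses action.
    A matcher left as None is a wildcard, as in RouterOS."""
    to_addresses: str
    dst_address: Optional[str] = None          # e.g. "!10.237.239.0/24"
    dst_address_list: Optional[str] = None     # e.g. "!10.237.239.0" (a list NAME)
    out_interface_list: Optional[str] = None   # e.g. "WAN"


def _split_negation(value: str):
    """'!foo' -> (True, 'foo'); 'foo' -> (False, 'foo')."""
    return (True, value[1:]) if value.startswith("!") else (False, value)


def matches(rule: SrcNatRule, pkt: dict,
            address_lists: Dict[str, List[str]],
            interface_lists: Dict[str, List[str]]) -> bool:
    """True if every configured matcher on the rule selects this packet."""
    dst = ipaddress.ip_address(pkt["dst"])

    if rule.dst_address is not None:
        neg, net = _split_negation(rule.dst_address)
        hit = dst in ipaddress.ip_network(net, strict=False)
        if hit == neg:          # hit-but-negated or miss-but-not-negated
            return False

    if rule.dst_address_list is not None:
        neg, name = _split_negation(rule.dst_address_list)
        # Key behaviour from the thread: an undefined list is an empty list,
        # so "!name" with no such list matches every destination.
        entries = address_lists.get(name, [])
        hit = any(dst in ipaddress.ip_network(e, strict=False) for e in entries)
        if hit == neg:
            return False

    if rule.out_interface_list is not None:
        neg, name = _split_negation(rule.out_interface_list)
        hit = pkt["out_iface"] in interface_lists.get(name, [])
        if hit == neg:
            return False

    return True


def apply_srcnat(rules: List[SrcNatRule], pkt: dict,
                 address_lists: Dict[str, List[str]],
                 interface_lists: Dict[str, List[str]]) -> Optional[str]:
    """First matching rule wins; returns the rewritten source address, or
    None when no rule applies and the packet keeps its original source."""
    for rule in rules:
        if matches(rule, pkt, address_lists, interface_lists):
            return rule.to_addresses
    return None


# The rule as posted in the thread (list "10.237.239.0" is never defined).
POSTED_RULE = SrcNatRule(to_addresses="88.122.55.66", dst_address_list="!10.237.239.0")

# A narrowed variant (assumption: the LAN is 10.237.239.0/24 and the VLAN
# "net" is the only member of an interface list called WAN).
NARROWED_RULE = SrcNatRule(to_addresses="88.122.55.66",
                           dst_address="!10.237.239.0/24",
                           out_interface_list="WAN")

# Constructed sample traffic; interface names are hypothetical.
PACKETS = {
    "lan_to_lan":      {"src": "10.237.239.10", "dst": "10.237.239.20", "out_iface": "bridge-lan"},
    "lan_to_internet": {"src": "10.237.239.10", "dst": "203.0.113.7",   "out_iface": "net"},
}
INTERFACE_LISTS = {"WAN": ["net"]}


def evaluate(rule: SrcNatRule, address_lists: Optional[Dict[str, List[str]]] = None):
    """Map each sample packet name to the source address it leaves with."""
    return {name: apply_srcnat([rule], pkt, address_lists or {}, INTERFACE_LISTS)
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("posted rule, no address list:   ", evaluate(POSTED_RULE))
    print("posted rule, list defined:      ",
          evaluate(POSTED_RULE, {"10.237.239.0": ["10.237.239.0/24"]}))
    print("narrowed rule (dst-address+WAN):", evaluate(NARROWED_RULE))
```

With no address list defined, the posted rule rewrites the source of the LAN-to-LAN packet as well as the internet-bound one, which is exactly the "everything gets NATted to 88.122.55.66" effect seen in torch. Defining the list, or switching to `dst-address=!10.237.239.0/24` with an `out-interface-list=WAN` matcher, leaves internal traffic untouched.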
 
mkx
Forum Guru
Posts: 13683
Joined: Thu Mar 03, 2016 10:23 pm

Re: Deep Question about srcnat

Tue Jul 11, 2023 10:29 pm

I frankly don't know what the point of the loopback bridge and that src-nat is. Indeed it does seem an awkward way of configuring a static WAN IP address, but why this way I've no idea. Either they have a (similarly convoluted) access network or they didn't know exactly how to do it the best way (or both). A hint is that there are 3 different pppoe client instances mentioned in the config, one of them based on an "unknown" interface ... Another hint is the use of multiple bridges for actual interfaces when a single bridge would (highly likely) do.