Cantabria
newbie
Topic Author
Posts: 25
Joined: Mon Jan 24, 2011 11:22 pm
Location: Spain

masquerade not working, private IP exposed

Tue May 12, 2015 4:46 pm

I have a router with the following masquerade rule:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
The problem is that when I look at some connections, the masquerade is not applied: I see requests coming from the private network 192.168.1.0/24, as if the masquerade were not working.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: masquerade not working, private IP exposed

Tue May 12, 2015 5:11 pm

If a connection is made FROM a different network (e.g. 192.168.50.x) TO the 192.168.1.x network, then the replies are not going to get masqueraded. So if 192.168.50.22 pings 192.168.1.12, it will get replies from 192.168.1.12, as it should. If the Mikrotik were to NAT the reply packets, the connectivity would be broken.

(side note - this is a great example of how nat is NOT a security feature - it happens to resemble security for the majority of situations, but it's not really a firewall)

This is because NAT mappings go into a table, including connections that go through "un-natted."
Each packet is first compared to the translations table. If an entry is found, then the router doesn't bother to go check the nat table chains, it just uses the same "cached" decision.

Another possibility is that you have some other rule earlier in the srcnat chain which has an "accept" action and it's matching some of your traffic.

In general, unless you have multiple public IP addresses in use on the same interface, you can keep NAT very very simple - usually just one rule:
/ip firewall nat add chain=srcnat out-interface=wan action=masquerade
done.

If you just have the one IP address, there's no reason to match on source address, even if you're trying to stop users from using different IP addresses behind your router. If you think that's happening and want to block this, then use the forward chain of the filter table for that.
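The configuration the reply describes, written out as an added example (not something posted in the thread). It assumes ether1 is the WAN interface and ether2 the LAN interface; the 192.168.1.0/24 prefix comes from the original question.

```routeros
# Added example, not from the thread. Assumed interfaces: ether1 = WAN, ether2 = LAN.

# 1. One masquerade rule keyed on the outgoing interface, as the reply suggests.
#    Every connection leaving through WAN is translated, whatever its source
#    address, so hosts outside 192.168.1.0/24 are not silently left untranslated.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="NAT everything that leaves via WAN"

# 2. Address policing belongs in the filter table, not in NAT: drop forwarded
#    packets that arrive on the LAN port with a source outside the LAN prefix.
/ip firewall filter
add chain=forward in-interface=ether2 src-address=!192.168.1.0/24 action=drop \
    comment="LAN hosts must use 192.168.1.0/24"

# 3. Check the ordering the reply warns about: an accept rule placed above the
#    masquerade rule in srcnat short-circuits NAT for whatever it matches.
/ip firewall nat print

# 4. Inspect the connection tracking table. A connection that was opened from
#    another network towards a 192.168.1.x host is expected to keep the private
#    address in its entry; its replies are routed back untranslated by design.
/ip firewall connection print detail
```

The drop rule in step 2 only affects traffic that is forwarded through the router; it does not change which connections get masqueraded.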