LaZyLion
newbie
Topic Author
Posts: 32
Joined: Fri May 09, 2014 10:27 am

Question about srcnat

Thu Nov 05, 2015 5:22 am

Hi all,

Ever since I started working with RouterOS, I've wondered why is it necessary to specify the "out-interface" in the srcnat firewall rule?
/ip firewall nat
    add chain=srcnat out-interface=ether1 action=masquerade
    add chain=srcnat out-interface=ether2 action=masquerade
    add chain=srcnat out-interface=ether3 action=masquerade

Every example I see does it this way.

I've tested it both with and without in a multi-wan load balance situation and it didn't seem to make a difference.


My reasoning is this:

The packet is already in the srcnat table so we know it is going "out".

We already know what interface it is going out; the rule uses "out-interface" for matching, not for providing information to the Action.

In a multi-wan setup, the action is the same in all four rules: "action=masquerade". Nothing else is specified for Action so it is evidently able to extract whatever information it needs from the packet header itself.

Is there some reason we can't just use:
/ip firewall nat add chain=srcnat action=masquerade
Wouldn't this be more efficient?

Thanks all.
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Question about srcnat

Thu Nov 05, 2015 7:59 am

And this will mean that incoming WAN packets which will go to your LAN (out-interface=<LAN>) will be masqueraded to the internal LAN IP and every external host will appear local to the LAN (src address will be the router). The same will happen if you have more than 1 LAN and want to route between them. If this is really what you want it should be OK.
 
LaZyLion
newbie
Topic Author
Posts: 32
Joined: Fri May 09, 2014 10:27 am

Re: Question about srcnat

Mon Nov 09, 2015 9:44 pm

I see. So the srcnat chain is not restricted to packets that are leaving the router via a wan port.
Hence the need to specify the out-interface so that only packets leaving via wan get masked.

Thank you.


But could the same effect be had using:
/ip firewall nat add chain=srcnat src-address-type=!local action=masquerade
thus reducing the need for multiple rules in a multi-wan situation?

Or would "address type not local" not cover everything we need it to?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Question about srcnat

Mon Nov 09, 2015 10:41 pm

No, local in src-address-type means address owned by router, so src-address-type=!local still covers every other address on internet and your LAN, everything except what your router has. You might have success with out-interface=!<LAN> (if you have just one LAN), but it's prone to later mistakes, e.g. when you add VPN connection.

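The two replies above can be checked against a small model of the srcnat chain. The following Python is an added example written for this page, not code from the thread or from MikroTik, and it only mimics the matching semantics the replies describe: the srcnat chain sees every packet after the routing decision, whichever interface it leaves by; first matching rule wins; masquerade rewrites the source to the address of the actual out-interface; and src-address-type=local means an address the router itself owns. The topology (interface names, addresses, a second LAN on ether4, a VPN interface called ovpn-out1) and the sample packets are constructed assumptions, and one address per interface is a simplification of the real router.

```python
# Added example (not from the original thread or from MikroTik): a toy model of how
# RouterOS srcnat matching behaves under the rule variants discussed above.
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology (assumption): one address owned by the router per interface.
ROUTER_ADDRS = {
    "ether1": "203.0.113.10",   # WAN 1
    "ether2": "198.51.100.10",  # WAN 2
    "ether3": "192.168.1.1",    # LAN
    "ether4": "192.168.2.1",    # a second LAN (assumed)
    "ovpn-out1": "10.8.0.2",    # VPN interface added later (assumed)
}


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str   # routing decision is already made by the time srcnat runs


@dataclass
class Rule:
    chain: str = "srcnat"
    action: str = "masquerade"
    out_interface: Optional[str] = None      # "ether1" or negated "!ether3"
    src_address_type: Optional[str] = None   # only "local" / "!local" modelled

    def cli(self) -> str:
        """Render the rule in RouterOS command syntax, for display only."""
        parts = [f"chain={self.chain}"]
        if self.out_interface:
            parts.append(f"out-interface={self.out_interface}")
        if self.src_address_type:
            parts.append(f"src-address-type={self.src_address_type}")
        parts.append(f"action={self.action}")
        return "/ip firewall nat add " + " ".join(parts)


def _match_iface(spec: Optional[str], iface: str) -> bool:
    if spec is None:
        return True
    if spec.startswith("!"):
        return iface != spec[1:]
    return iface == spec


def _match_src_type(spec: Optional[str], pkt: Packet) -> bool:
    # 'local' = an address the router itself owns, not 'an address on my LAN'
    if spec is None:
        return True
    is_local = pkt.src in ROUTER_ADDRS.values()
    return is_local != spec.startswith("!")


def apply_srcnat(rules: List[Rule], pkt: Packet) -> str:
    """Return the source address the packet leaves with. First match wins;
    masquerade rewrites src to the address of the actual out-interface."""
    for r in rules:
        if r.chain != "srcnat":
            continue
        if not _match_iface(r.out_interface, pkt.out_if):
            continue
        if not _match_src_type(r.src_address_type, pkt):
            continue
        if r.action == "masquerade":
            return ROUTER_ADDRS[pkt.out_if]
        return pkt.src          # e.g. action=accept: stop, no rewrite
    return pkt.src              # no rule matched, source left alone


# The rule variants from the thread
PER_WAN = [Rule(out_interface="ether1"), Rule(out_interface="ether2")]
UNRESTRICTED = [Rule()]
NOT_LOCAL = [Rule(src_address_type="!local")]
NOT_LAN = [Rule(out_interface="!ether3")]

# Constructed sample traffic (addresses are documentation ranges)
LAN_TO_INTERNET = Packet("192.168.1.50", "8.8.8.8", "ether3", "ether1")
INTERNET_TO_LAN = Packet("192.0.2.77", "192.168.1.50", "ether1", "ether3")  # e.g. a dst-nat'd service
LAN_TO_LAN = Packet("192.168.1.50", "192.168.2.20", "ether3", "ether4")
LAN_TO_VPN = Packet("192.168.1.50", "10.8.0.50", "ether3", "ovpn-out1")
SAMPLES = [LAN_TO_INTERNET, INTERNET_TO_LAN, LAN_TO_LAN, LAN_TO_VPN]


def outcomes(rules: List[Rule]) -> List[str]:
    """Source address each sample packet leaves with under the given rule set."""
    return [apply_srcnat(rules, p) for p in SAMPLES]


if __name__ == "__main__":
    for name, rules in [("per-WAN", PER_WAN), ("unrestricted", UNRESTRICTED),
                        ("!local", NOT_LOCAL), ("!LAN", NOT_LAN)]:
        print(f"== {name}")
        for r in rules:
            print("  " + r.cli())
        for p, src in zip(SAMPLES, outcomes(rules)):
            print(f"  {p.in_if}->{p.out_if} {p.src} leaves as {src}")
```

Running it shows the three points made in the replies: with the per-WAN rules only the LAN-to-Internet packet is rewritten; with the unrestricted rule the inbound packet leaves toward the LAN as 192.168.1.1 (the router's LAN address) and LAN-to-LAN traffic is rewritten too; src-address-type=!local behaves exactly like the unrestricted rule because none of the sample sources are router addresses; and out-interface=!ether3 still masquerades toward the second LAN and the VPN interface.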