Hi,
I have question about masquerade or src-nat usage.
I have static IP address and my lan 192.168.5.0/24
can I use src-nat instead masquerade ?
Is masquerade needed if I use src-nat ?
add action=src-nat chain=srcnat comment="default: lan -> wan" src-address=192.168.5.0/24 to-addresses=public.ip
or
add action=masquerade chain=srcnat out-interface-list=WAN
thanks ?
Re: masquerade or src-nat to-addresses
masquerade is a special case of source-nat, which is handy if WAN IP address can change and isn't known at forehand.
There are those who suggest to use src-nat whenever you can:
https://mum.mikrotik.com/presentations/ ... 948376.pdf
There are those who suggest to use src-nat whenever you can:
https://mum.mikrotik.com/presentations/ ... 948376.pdf
Re: masquerade or src-nat to-addresses
Ok, If I understand, it is better to use src-nat instead masquerade if we can get static wan ip ?
Re: masquerade or src-nat to-addresses
Sorry, this might be a dumb question but if i use src-nat to-address can i assign a /31 to it?
Re: masquerade or src-nat to-addresses
The to-addresses can be any prefix (/32 which means a single address, /31 which means two addresses, /24 which means 256 addresses) or a range like 11.22.33.27-11.22.33.45. In either case, it specifies a pool from which a single new source address will be chosen for each connection. Does that answer your question?
Re: masquerade or src-nat to-addresses
usually we are using masquerade in case of you have dynamic ip-add.
In case if you have static ip-add fill free to go with src-nat
In case if you have static ip-add fill free to go with src-nat
Re: masquerade or src-nat to-addresses
Correct,
both options will work for fixed WANIP.
According to the WIKI the fixed WANIP has a more technically correct solution
However the format you chose is not the most obvious.
(1) Default rule on routers which is geared to cover both cases.......
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
(2) Assuming one has a fixed WAN IP of 24.34.234.5, and a standard IP DHCP Client scenario on ether1
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=24.34.234.5 (or whatever name has been given to ether1)
Note: There is no need for any source nat address in the basic configuration schema for both types!
Note: If the WAN connection is more complex, then use the active name ex. if via PPPOE, then use the PPPOE name, vice ether1
Note: if the WAN connection is more complex, then use the active name ex. with a vlan or pppoe with a vlan, then use the vlan name, vice ether1
both options will work for fixed WANIP.
According to the WIKI the fixed WANIP has a more technically correct solution
However the format you chose is not the most obvious.
(1) Default rule on routers which is geared to cover both cases.......
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
(2) Assuming one has a fixed WAN IP of 24.34.234.5, and a standard IP DHCP Client scenario on ether1
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=24.34.234.5 (or whatever name has been given to ether1)
Note: There is no need for any source nat address in the basic configuration schema for both types!
Note: If the WAN connection is more complex, then use the active name ex. if via PPPOE, then use the PPPOE name, vice ether1
Note: if the WAN connection is more complex, then use the active name ex. with a vlan or pppoe with a vlan, then use the vlan name, vice ether1