Hello

Using an RB3011 on v6.49.7 with dual WAN for failover only (no load balancing) successfully running through mangle for inbound dst-nat return traffic.

Primary WAN is static public IP (ethernet), backup WAN is static public IP by DHCP on PPPoE client (DSL ISP) - the IPs will not change (no dynamic IPs).

I have read that src-nat for outgoing traffic is most suitable when there is not a dynamic IP in use.

However, my question is that in a failover configuration whether masquerade would be better at improving speed of failover (re-establishment) of existing connections?

Many thanks in advance

Matt

hello.

Primary WAN is static public IP (ethernet), backup WAN is static public IP by DHCP on PPPoE client (DSL ISP) - the IPs will not change (no dynamic IPs).

that static ip provided by the dhcp is called dhcp reservation.

I have read that src-nat for outgoing traffic is most suitable when there is not a dynamic IP in use.

correct. masquerade doesn't need to know which outside ip address the internal inside are going to be translated to.

while the src-nat command has better control over which internal ip going to be translated to which outside ip. and the same mechanism goes for dst-nat command as well.

However, my question is that in a failover configuration whether masquerade would be better at improving speed of failover (re-establishment) of existing connections?

imho. what system is really needed by any kind of network address translation is connection tracking.

as long as the incoming stream are matched with the outgoing, the nat functions perfectly.

for failover schema, you need an additional system which is making a policy based routing for each gateway so that the stream doesn't break.

of course, the mikrotik wiki has plenty of useful config example for us to read.

and fellow @anav he has written so many examples too in this forum.

hope this helps.

Hello

Thank you for being the first to reply.

However, I already have the routing and failover working... my question was only: given my types of connections (primary and backup), and that they are both static IPs, was there any benefit to using masquerade over src-nat?

Thanks, Matt

The Mikrotik will clear all masqueraded connection tracking entries using an interface for egress when that interface disconnects and/or its IP address changes.

This can cause excessive CPU utilisation if you have a signficant number of connections. A more common issue is when the primary WAN in a failover setup recovers, the connection tracking for some UDP traffic, such as SIP and IPsec, does not recover (new conntrack entries using the second WAN which were created after the primary WAN conntrack entries were cleared remain).

So masquerade removing connection tracking entries only happens on physical (or PPPoE) interface disconnect?

Yes. More info in the documentation https://help.mikrotik.com/docs/display/ ... Masquerade. You can use an on-up (PPPoE, static IP) or lease script (DHCP) to perform actions when an interface reconnects.

But if the interface does not go "down" it just has no route/default gateway (because it has no internet connectivity), it will behave the same as src-nat?

viewtopic.php?t=11368
viewtopic.php?t=193093