 
kaptain1
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Jul 18, 2010 3:47 am

masquerading vs NAT

Sun Sep 05, 2010 11:23 am

Hi Everyone,

Yes, a total beginner question :o . I did a search on the forum and read a lot of posts, but still don't fully understand what masquerading is, and how it's different from NAT.

I read that masquerading translates many private IPs to one Public IP, but doesn't NAT already do that?

I'm trying to understand what masquerading is to determine if I need a masquerading entry (in NAT window) for each Hotspot network? I've noticed that the hotspot network works either way, with or without the masquerading entry.

Please explain :)

Thank You
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: masquerading vs NAT

Sun Sep 05, 2010 1:37 pm

A masquerade is a NAT. I use masquerade when the device interface is a dhcp client. It NATs all localnet addresses to the dhcp assigned address. You don't need to know the ip.

A srcnat does basically the same, except I use this when the device interface ip is static. It prevents problems later if I decide to assign a second ip to that interface.

I do not masquerade the hotspot. I route my networks and srcnat only at the public interface.
 
thermant
Frequent Visitor
Posts: 93
Joined: Sat Apr 21, 2007 6:17 am

Re: masquerading vs NAT

Wed Sep 22, 2010 7:22 pm

Thought I could help clarify this matter, as I was also facing this problem not too long ago.

As Tim said, "masquerade" IS a NAT. It's a src-nat for every local connection that goes through the router to the internet, changing the source addresses from local addresses (192.168.x.x) to the router's public IP.

On the opposite end, there's "redirect", which is a dst-nat changing the dest address of all requests from your local clients to the router's LAN address.

Is this correct? I think it is. :D

Hope this helps.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: masquerading vs NAT

Wed Sep 22, 2010 7:40 pm

From the iptables man page:

SNAT
This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined.

MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).

Masquerade and src-nat (RouterOS calls it that rather than snat) are essentially the same thing, but src-nat translates to a static IP address and masquerade automatically picks an IP address on the interface traffic is leaving the router through. That makes it very useful for interfaces that receive addresses via DHCP or PPP.

Destination NAT is something completely different: it also changes IP addresses in the IP header field, but it modifies the destination IP address (and therefore redirects the packet to a different host than the original source sent it to) and not the source IP address.
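
The three NAT actions discussed above, written out as RouterOS configuration. This is an added example, not part of any post in the thread; the interface name ether1, the LAN subnet 192.168.88.0/24, and the addresses 203.0.113.10 and 192.168.88.10 are assumed placeholders.

```routeros
/ip firewall nat

# Option A: WAN address is dynamic (DHCP or PPP client on ether1).
# masquerade rewrites the source to whatever address ether1 currently holds.
# Matching on src-address keeps the rule from translating traffic that
# did not originate on the local network.
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 \
    action=masquerade comment="LAN to WAN, dynamic WAN address"

# Option B: WAN address is static. Use this INSTEAD of option A, not with it.
# src-nat pins the translated source to one named address, so adding a
# second address to ether1 later does not change what clients appear as.
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.10 \
    comment="LAN to WAN, static WAN address"

# Destination NAT is the opposite direction: it rewrites the destination of
# packets arriving on the WAN so they reach an internal host.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="WAN port 8080 to internal web server"
```

Rules in a chain are evaluated top to bottom and the first match wins, so if both srcnat rules above were installed only the first would ever apply.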
 
thermant
Frequent Visitor
Posts: 93
Joined: Sat Apr 21, 2007 6:17 am

Re: masquerading vs NAT

Wed Sep 22, 2010 7:46 pm

Uhh... I thought that's what I said.

Is it not? :lol:

Well, that's that then.

We have an official answer.

-Z-
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: masquerading vs NAT

Wed Sep 22, 2010 7:49 pm

> Uhh... I thought that's what I said.
>
> Is it not? :lol:
>
> Well, that's that then.
>
> We have an official answer.
>
> -Z-

Actually, that is what I said....
 
thermant
Frequent Visitor
Posts: 93
Joined: Sat Apr 21, 2007 6:17 am

Re: masquerading vs NAT

Wed Sep 22, 2010 8:05 pm

Ah, yes, well, that's true.

:lol: :lol:

Oh, and I clarified. :D

Ahem...
 
bhesterberg
newbie
Posts: 36
Joined: Wed Jul 06, 2016 8:27 pm
Location: Gifford, IL
Contact:

Re: masquerading vs NAT

Sun Jan 22, 2017 6:24 pm

To add a little to this...
I'm having trouble understanding how to access devices behind the routers. I'm posting this here because I was told that I shouldn't do masquerade nat, I should do srcnat instead because the masquerade was blocking my access behind the router. I kinda get that.
So here's my setup in a nutshell.
Core router is UBNT EdgeRouter Pro 8 port. Wireless ISP btw. From there it goes out to other sites with a MT router at each site (or there will be soon) running ospf. But the only way I have at the moment to get behind the routers is that I've created a vpn connection to each tower, and when I connect vpn, I can get to customer radios and the access points there. But there has to be a better way. Routing?
Anyone have any input?
