Community discussions

MikroTik App
just joined
Topic Author
Posts: 1
Joined: Sun Nov 06, 2022 5:45 pm

Masquerade incomprehension

Sun Nov 06, 2022 6:00 pm

Hi everyone,

I have a small masquerade issue that is bothering me.

My setup is configured like this:
  • bridge-lan (LAN) uses
  • bridge-dmz (DMZ) uses
  • ether8 (WAN) uses x.y.z.w from my ISP's DHCP
The only masquerade rule is:
2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
Yet I can connect from any IP in to any IP in (the opposite is also true) with the router masquerading the IP as ( the other way around).
Is that the expected behavior?
Doesn't the masquerade rule explicitly state that only traffic to WAN should be allowed?

Any help would be greatly appreciated.
User avatar
Forum Guru
Forum Guru
Posts: 14387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Masquerade incomprehension

Mon Nov 07, 2022 1:41 pm

YOu are mixing up apples and oranges.
Source masquerade is typical NAT behaviour,
all your private LANIPs are given a source IP of the router (WANIP) on the way out the door so that any website only sees a source address of the public IP of the router.
The return traffic is translated back to private IPs upon hitting the router.

So source natting has nothing to do with allowing LAN to LAN traffic...................
That is a combination of L2 traffic rules and L3 traffic rules.
Typically to separate traffic (mac addresses) at layer2, one can use different etherports, bridges, vlans etc.........
To separate traffic (IP addresses) at layer3, one uses firewall rules on the router.

If you want the config reviewed to see where you are going wrong post the config
/export file=anynameyouwish ( minus the router serial # and any public WAN IP information )
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: Masquerade incomprehension

Mon Nov 07, 2022 3:23 pm

"WAN" is just name of interface list, it's possible that it contains more interfaces than it should. It's either that or another scnat rule.

Who is online

Users browsing this forum: Google [Bot], NahodnejOtaku, seriquiti and 36 guests