IP masquerade is the name given to one type of network address translation that allows all of the hosts on a private network to use the Internet at the price of a single IP address. IP masquerading allows you to use a private (reserved) IP network address on your LAN and have your Linux-based router perform some clever, real-time translation of

Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private addresses behind your firewall to access the Internet and the external address is variable (DHCP), this is what you need to use.

The masquerading will change the source IP address and port of the packets originated from the network 192.168../24 to the address 10.5.8.109 of the router when the packet is routed through it. To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration.

MIKROTIK NAT. This is a short howto explaining how to set up a full-NAT on a Mikrotik RouterOS. This setup allows you to hide (masquerade) your private IP address from a public network.

    -t nat : select table "nat" for configuration of NAT rules.
    -A POSTROUTING : append a rule to the POSTROUTING chain (-A stands for "append").
    -o eth1 : this rule is valid for packets that leave on the second network interface (-o stands for "output").
    -j MASQUERADE

The nat chains are consulted according to their priorities; the first matching rule that adds a nat mapping (dnat, snat, masquerade) is the one that will be used for the connection.

Stateless NAT. This type of NAT just modifies each packet according to your rules without any other state/connection tracking.

4. Add the second Hairpin NAT rule using Source NAT with eth1 (LAN) set as the Outbound Interface.

Firewall / NAT > NAT > +Add Source NAT Rule

    Description: hairpin
    Outbound Interface: eth1
    Translation: Use Masquerade
    Protocol: TCP
    Source Address: 192.168.1./24
    Destination Address: 192.168.1.10
    Destination Port: 443

Tables: group of chains: filter and nat
Each chain has a policy - the default target

What is Masquerading?

- All computers appear to have the same IP
- This is done with Network Address Translation
- It's easy to fake the "outgoing packet"
- "Incoming packets" must be translated too
- Port translation - a must


Source NAT. Used to "hide" the private source IP address (i.e. 192.168.1.109), aka masquerading. To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

    /ip firewall nat add chain=srcnat action=masquerade out-interface=Public

The above example shows you how to configure NAT on a Mikrotik. Indeed, Masquerade is the same as Src-Nat with the automatic selection of the external address as the source address. You need to use Src-Nat only when you have more than 1 external address (e.g. a subnet) and you want to specify which address is going to be used as the source of the NATted packet.

NAT Masquerade (Many-to-one). First of all, let's look at configuration settings to translate a network range behind a single IP.

    set nat source rule 10 source address '192.168../16'
    set nat source rule 10 outbound-interface 'eth2'
    set nat source rule 10 protocol 'all'
    set nat source rule 10 translation address 'masquerade'

    # NAT table rules
    *nat
    :POSTROUTING ACCEPT [0:0]

    # Forward traffic through eth0 - Change to match your out-interface
    -A POSTROUTING -s 192.168.1./24 -o eth0 -j MASQUERADE

    # don't delete the 'COMMIT' line or these nat table rules won't
    # be processed
    COMMIT

Now enable the changes by restarting ufw.

    $ sudo ufw disable && sudo ufw enable

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    service iptables save
    service iptables restart

Note: check if iptables is set to start during boot up. Or check the status of your iptables service:

    chkconfig --list iptables

If level 5 is on then it's ok; otherwise start the service at level 5 or level 2345.

NAT vs NAPT. Network Address Translation (NAT) is the process that modifies the IP address in a header of an IP packet while it is travelling through a routing device. NAT allows one set of IP addresses to be used for traffic within a LAN (Local Area Network) and another set of IP addresses to be used for outside traffic.