Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private address behind your firewall to access the Internet and the external address is variable (DHCP) this is what you need to use.

NAT Gateway. This topic describes how to set up and manage a Network Address Translation (NAT) gateway. A NAT gateway gives cloud resources without public IP addresses access to the internet without exposing those resources to incoming internet connections.. Warning Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Step-By-Step Configuration of NAT with iptables. This tutorial shows how to set up network-address-translation (NAT) on a Linux system with iptables rules so that the system can act as a gateway and provide internet access to multiple hosts on a local network using a single public IP address. NAT: NAT servers are available on Windows 95/NT, Linux, Solaris, and some of the better ISDN routers (not Ascend) Pro: + Very configurable + No special application software needed Con: - Requires a subnet from your ISP (expensive) Network Address Translation is the name for a box that would have a pool of valid IP addresses on the Internet More Information. Due to variations in the configuration, setting, and collaboration of technical devices, the digital image colors shown here may vary from actual samples. MASQUERADE This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connec­tions: if you have a static IP address, you Source NAT. Used to "hide" the private source IP Address (i.e.:192.168.1.109), aka masquerading. To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration: /ip firewall nat add chain=srcnat action=masquerade out-interface=Public. Above example shows you how to configure NAT on a Mikrotik Indeed Masquerade is the same as Src-Nat with the automatic selection of the external address as the source address. You need to use Src-Nat only when you have more than 1 external address (e.g. a subnet) and you want to specify which address is going to be used as the source of the NATted packet.

MASQUERADE This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connec­tions: if you have a static IP address, you

NAT Masquerade (Many-to-one) First of all lets look at configuration settings to translate a network range behind behind a single IP. set nat source rule 10 source address '192.168../16' set nat source rule 10 outbound-interface 'eth2' set nat source rule 10 protocol 'all' set nat source rule 10 translation address 'masquerade' # NAT table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic through eth0 - Change to match you out-interface -A POSTROUTING -s 192.168.1./24 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these nat table rules won't # be processed COMMIT Now enable the changes by restarting ufw. $ sudo ufw disable && sudo ufw enable FORWARD iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE service iptables save service iptables restart. Note: check if iptables is set to start during boot up. Or check the status of your iptables service: chkconfig -list iptables. If level 5 is on then it's ok othewise start the service at level 5 or level 2345. NAT vs NAPT . Network Address Translation (NAT) is the process that modifies the IP address in a header of an IP packet, while it is travelling through a routing device. NAT allows one set of IP addresses to be used for traffic within a LAN (Local Area Network) and another set of IP addresses to be used for outside traffic.

# NAT table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic through eth0 - Change to match you out-interface -A POSTROUTING -s 192.168.1./24 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these nat table rules won't # be processed COMMIT Now enable the changes by restarting ufw. $ sudo ufw disable && sudo ufw enable FORWARD

The nat chains are consulted according to their priorities, the first matching rule that adds a nat mapping (dnat, snat, masquerade) is the one that will be used for the connection. Stateless NAT. This type of NAT just modifies each packet according to your rules without any other state/connection tracking. 4. Add the second Hairpin NAT rule using Source NAT with eth1 (LAN) set as the Outbound Interface. Firewall / NAT > NAT > +Add Source NAT Rule. Description: hairpin Outbound Interface: eth1 Translation: Use Masquerade Protocol: TCP Source Address: 192.168.1./24 Destination Address: 192.168.1.10 Destination Port: 443 This tutorial shown you How to Enable NAT with Masquerade in Mikrotik Free Video Tutorial on CCNA, CCNP, Wireless Networking, Mikrotik router, Linux Server (Debian & Centos), Windows Server 2012 The public IP may change after instance power cycles - stop then start (if NOT an EIP), MASQUERADE is a better option in this use case. Important: It is still possible to use MASQUERADE target with static IP, just be aware of the extra overhead. References. iptables Tutorial. NAT Tutorial. New iptables Gotchas - SNAT VS MASQUERADE