{"id":2554,"date":"2018-10-26T15:43:20","date_gmt":"2018-10-26T15:43:20","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=2554"},"modified":"2018-10-26T15:45:23","modified_gmt":"2018-10-26T15:45:23","slug":"common-questions-masquerade-vs-src-nat-action-mikrotik","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/common-questions-masquerade-vs-src-nat-action-mikrotik\/","title":{"rendered":"Common Questions: masquerade vs src-nat action Mikrotik"},"content":{"rendered":"<p>One of the common questions I get is: what is the difference between Masquerade and SRC-NAT? Which should I use?<br \/>\nThe quick answer is to use SRC-NAT if your gateway IP is static, and use masquerade if it can change.<\/p>\n<p>The Mikrotik Wiki Entry<br \/>\n<em>Firewall NAT action=masquerade is unique subversion of action=srcnat, it was designed for specific use in situations when public IP can randomly change, for example DHCP-server changes it, or PPPoE tunnel after disconnect gets different IP, in short &#8211; when public IP is dynamic.<\/em><\/p>\n<p><em>Every time interface disconnects and\/or its IP address changes, router will clear all masqueraded connection tracking entries that send packet out that interface, this way improving system recovery time after public ip address change.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the common questions I get is: what is the difference between Masquerade and SRC-NAT? Which should I use? The quick answer is to use SRC-NAT if your gateway IP is static, and use masquerade if it can change. 
The Mikrotik Wiki Entry Firewall NAT action=masquerade is unique subversion of action=srcnat, it was designed [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":161,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[24,17],"tags":[644,25,315,645],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2014\/09\/2014-08-05-19.26.03.png?fit=650%2C650","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-Fc","jetpack-related-posts":[{"id":2250,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-destination-nat\/","url_meta":{"origin":2554,"position":0},"title":"Mikrotik Destination Nat","author":"j2sw","date":"May 1, 2018","format":false,"excerpt":"Scenario You have a customer with a Mikrotik router that needs a port forwarded to an internal IP address. In our case, a customer has a camera that communicates on port 80 with a static IP add of 192.168.21.49 on their internal LAN. 
Solution add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.21.49\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1379,"url":"http:\/\/www.mtin.net\/blog\/simple-shut-off-scripting\/","url_meta":{"origin":2554,"position":1},"title":"Simple shut-off scripting","author":"j2sw","date":"September 15, 2016","format":false,"excerpt":"I had a client today who is doing some manual things as they are using Quickbooks for billing and such. \u00a0One thing they kind of struggle with is turning off people for non-payment and such. \u00a0Their current method is adding a que and throttling someone to a low-speed to make\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1178,"url":"http:\/\/www.mtin.net\/blog\/mikortik-user-meet-2016-presentation\/","url_meta":{"origin":2554,"position":2},"title":"Mikortik User Meet 2016 Presentation","author":"j2sw","date":"May 8, 2016","format":false,"excerpt":"My powerpoint converted to PDF. Topics Include: Carrier Grade NAT Xbox & Nat BGP Tips mum-2016","rel":"","context":"In &quot;BGP&quot;","block_context":{"text":"BGP","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/bgp\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2837,"url":"http:\/\/www.mtin.net\/blog\/baicells-public-ips-on-client-routers\/","url_meta":{"origin":2554,"position":3},"title":"Baicells: Public IPs on client routers","author":"j2sw","date":"February 7, 2019","format":false,"excerpt":"Public IPs on Baicells Client Routers. I needed to Provide a few customers with Public IPs while most of the UEs and clients got private IP. 
The following is what I did to allow this to work: Requirements: EnodeB in Bridge mode UE in NAT mode MikroTik Router with DHCP\u2026","rel":"","context":"In &quot;Wireless&quot;","block_context":{"text":"Wireless","link":"http:\/\/www.mtin.net\/blog\/category\/wireless\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2017\/05\/17821343_1510820508928612_1776831623_n.jpg?fit=405%2C720&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":2755,"url":"http:\/\/www.mtin.net\/blog\/basic-ipv6-mikrotik-firewall\/","url_meta":{"origin":2554,"position":4},"title":"Basic IPV6 Mikrotik Firewall","author":"j2sw","date":"January 24, 2019","format":false,"excerpt":"Below is a basic IPV6 firewall fillter for your Mikrotik CPE devices.\u00a0 This is a good start for customer-facing CPE. \u00a0 \/ipv6 firewall filter add chain=forward comment=\"allow forwarding established, related\" connection state=established,related add chain=forward comment=\"allow forward lan->wan\" in-interface=lan out-interface=wan add chain=forward comment=\"allow ICMPv6 forwarding\" in-interface=wan protocol=icmpv6 add action=reject chain=forward comment=\"reject\u2026","rel":"","context":"In &quot;IPV6&quot;","block_context":{"text":"IPV6","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/ipv6\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2165,"url":"http:\/\/www.mtin.net\/blog\/ipv6-firewall-rules-for-mikrotik\/","url_meta":{"origin":2554,"position":5},"title":"IPV6 Firewall rules for Mikrotik","author":"j2sw","date":"March 23, 2018","format":false,"excerpt":"Some basic IPV6 Firewall Rules for Mikrotik. Replace in-interface=\"\" with your appropriate interface. 
\/ipv6 firewall filter add chain=input protocol=icmpv6 add chain=input connection-state=established,related add chain=input dst-port=546 in-interface=ether1-wan protocol=udp src-port=547 add action=drop chain=input connection-state=invalid add action=drop chain=input connection-state=new in-interface=ether1-wan add chain=forward protocol=icmpv6 add chain=forward connection-state=established,related add chain=forward connection-state=new in-interface=!ether1-wan add action=drop chain=forward\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2554"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=2554"}],"version-history":[{"count":2,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2554\/revisions"}],"predecessor-version":[{"id":2556,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2554\/revisions\/2556"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media\/161"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=2554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=2554"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=2554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}