
Indeed, Masquerade is the same as Src-Nat with the automatic selection of the external address as the source address. You need to use Src-Nat only when you have more than 1 external address (e.g. a subnet) and you want to specify which address is going to be used as the source of the NATted packet.

NAT Masquerade (Many-to-one). First of all, let's look at the configuration settings to translate a network range behind a single IP.

    set nat source rule 10 source address '192.168.0.0/16'
    set nat source rule 10 outbound-interface 'eth2'
    set nat source rule 10 protocol 'all'
    set nat source rule 10 translation address 'masquerade'

    # NAT table rules
    *nat
    :POSTROUTING ACCEPT [0:0]

    # Forward traffic through eth0 - Change to match your out-interface
    -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

    # don't delete the 'COMMIT' line or these nat table rules won't
    # be processed
    COMMIT

Now enable the changes by restarting ufw.

    $ sudo ufw disable && sudo ufw enable

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    service iptables save
    service iptables restart

Note: check if iptables is set to start during boot up. Or check the status of your iptables service:

    chkconfig --list iptables

If level 5 is on then it's OK; otherwise start the service at level 5 or level 2345.

NAT vs NAPT. Network Address Translation (NAT) is the process that modifies the IP address in the header of an IP packet while it is travelling through a routing device. NAT allows one set of IP addresses to be used for traffic within a LAN (Local Area Network) and another set of IP addresses to be used for outside traffic.

Masquerading. There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).

Network address translation (NAT) is a method of remapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to avoid the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced.

The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's external networking device (-o eth0). POSTROUTING allows packets to be altered as they are leaving the firewall's external device. The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall.

Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private addresses behind your firewall to access the Internet and the external address is variable (DHCP), this is what you need to use.

MASQUERADE. This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you

Source NAT. Used to "hide" the private source IP address (e.g. 192.168.1.109), aka masquerading. To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

    /ip firewall nat add chain=srcnat action=masquerade out-interface=Public

The example above shows how to configure NAT on a Mikrotik.