One of the common questions I get is: what is the difference between masquerade and src-nat, and which should I use?
The quick answer is to use src-nat if your gateway's public IP is static, and masquerade if it can change.
The Mikrotik Wiki entry:
Firewall NAT action=masquerade is a unique subversion of action=srcnat; it was designed for specific use in situations when the public IP can randomly change, for example a DHCP server changes it, or a PPPoE tunnel gets a different IP after a disconnect. In short, when the public IP is dynamic.
Every time the interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries that send packets out that interface, this way improving system recovery time after a public IP address change.
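The two rule forms side by side, as an added example that is not from the wiki or this post. It assumes ether1 is the WAN interface, the LAN is 192.168.88.0/24, and 203.0.113.10 (a documentation-range address) stands in for the static public IP; only one of the two NAT rules belongs on a given router.

```routeros
# Added example, not MikroTik's own configuration.
# Assumed names/addresses: WAN = ether1, LAN = 192.168.88.0/24,
# static public IP = 203.0.113.10 (RFC 5737 documentation range).

# Case 1: dynamic public IP (DHCP client or PPPoE on ether1).
# masquerade uses whatever address ether1 has when the packet leaves,
# and flushes the matching connection-tracking entries when that
# address changes or the interface goes down.
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=masquerade comment="LAN -> dynamic WAN"

# Case 2: static public IP on ether1.
# src-nat rewrites to a fixed address and nothing is flushed on link
# events, which is the behaviour you want when the address never changes.
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=src-nat to-addresses=203.0.113.10 comment="LAN -> static WAN"
```

In both cases the src-address match keeps traffic that did not originate on the LAN from being translated; a bare out-interface match would NAT anything the router forwards towards ether1.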
Recently there has been some activity on integrating LetsEncrypt with Mikrotik. While Mikrotik does not directly support LetsEncrypt yet, you can make it work with this setup
From the Mikrotik Wiki:
- input – used to process packets entering the router through one of the interfaces with a destination IP address that is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain (the DST address is the router's own).
- forward – used to process packets passing through the router (neither SRC nor DST is on the router).
- output – used to process packets originating from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain.
Mikrotik has released some new certifications. https://mikrotik.com/training/about
- MTCNA – MikroTik Certified Network Associate
- MTCRE – MikroTik Certified Routing Engineer
- MTCWE – MikroTik Certified Wireless Engineer
- MTCTCE – MikroTik Certified Traffic Control Engineer
- MTCUME – MikroTik Certified User Management Engineer
- MTCIPv6E – MikroTik Certified IPv6 Engineer
- MTCINE – MikroTik Certified Inter-networking Engineer
- MTCSE – MikroTik Certified Security Engineer
Recently I spun up a Mikrotik instance under Vultr for the purpose of doing some v6 testing. I was running into some problems with getting IPv6 to route properly. Vultr has IPv6 set up on their side to auto-configure a gateway, etc. They are expecting a host, not a router. Why is this a problem?
The RFC states that nodes that act as routers are NOT to use SLAAC for IPv6 address configuration. In other words, routers that derived their interface IPv6 address from SLAAC cannot act as routers on that segment. This is set in stone as far as the RFC is concerned.
So how do we get around this in this instance? Go to IPv6…Settings and turn off IPv6 forward.
IPv6 will start working at this point. The catch is that you won't see either the address or the default route anywhere. It's there, but it's hidden. If you try to ping some external address, it will work.