Help me understand POSTROUTING chain entries

DD-WRT Forum Index -> Advanced Networking
craig0
DD-WRT Novice


Joined: 18 Nov 2006
Posts: 25

Posted: Mon Jan 10, 2011 23:31    Post subject: Help me understand POSTROUTING chain entries
Hi all:

I am a little confused by the following two entries in my POSTROUTING chain and am trying to understand how the NAT is implemented with port translation:

SNAT 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0 to:X.X.X.X

X.X.X.X is my WAN IP address (I just prefer not to show it)

MASQUERADE 0 -- * br0 192.168.1.0/24 192.168.1.0/24

So the first entry basically just NATs my source IP to the WAN IP for all traffic routed out the WAN side (vlan2)... but no port translation.

But why the MASQUERADE on the br0 interface? I thought the MASQUERADE would be used on any traffic coming from the bridge (br0) and destined for the WAN (vlan2).

Help me understand what is going on here.

Thanks,

Craig
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Mon Jan 10, 2011 23:47
The masquerade rule is to allow loopback to function. It really ought to be a SNAT rule too, for a minor performance difference... It has actually been removed from current builds for the past 2 months and its removal is causing lots of grief.

http://svn.dd-wrt.com:8000/dd-wrt/ticket/1868

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
craig0
DD-WRT Novice


Joined: 18 Nov 2006
Posts: 25

Posted: Tue Jan 11, 2011 0:21
So if that is just used for loopback then I guess no port translation is done for traffic destined for the WAN?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Tue Jan 11, 2011 1:36
Destination NAT occurs in the nat table's PREROUTING chain.
craig0
DD-WRT Novice


Joined: 18 Nov 2006
Posts: 25

Posted: Tue Jan 11, 2011 1:58
I know port forwarding is done in the PREROUTING chain with DNAT, but what about translation of the local source port for outbound traffic?

I.e. I have two clients on my LAN that are attempting to contact the same server on the Internet. Each client binds to the same source port rather than having a dynamically allocated source port. Obviously, for this to work the local source port of one of the clients would need to be translated. Now I thought this was done via the MASQUERADE target, but this doesn't seem to be the case? What mechanism handles the translation of the local source port when a conflict exists?

Hope my question is clear

Thanks.

Craig
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Tue Jan 11, 2011 20:29
SNAT and MASQUERADE both do it automatically when needed to avoid such a conflict. Read the iptables man page.
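The two points made in this thread (the br0 MASQUERADE rule exists for NAT loopback, and SNAT/MASQUERADE change the source port on their own when two connections would otherwise collide) can be seen in a small model of the nat table. The following is an added example, not DD-WRT code or anything from the ticket above: it walks a packet through PREROUTING (DNAT port forward), routing, and the two POSTROUTING rules quoted in the first post. The addresses are constructed (203.0.113.10 stands in for the poster's X.X.X.X, 198.51.100.5 is an arbitrary Internet host), and the port-selection loop is a simplification of what conntrack does, kept only to show that the original port is preserved when it is free and replaced when it is not.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges); not the thread's real values.
WAN_IP = "203.0.113.10"            # stands in for X.X.X.X on vlan2
ROUTER_LAN_IP = "192.168.1.1"      # the router's address on br0
LAN = ip_network("192.168.1.0/24")
EPHEMERAL = range(1024, 65536)     # simplified pool; the kernel's exact choice differs


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ip_address(ip) in LAN


class NatRouter:
    """Model of the thread's nat table:
    PREROUTING : DNAT port forwards (WAN_IP:port -> LAN host)
    POSTROUTING: SNAT       -o vlan2                -> to:WAN_IP
                 MASQUERADE -o br0 -s LAN -d LAN    -> to the br0 address
    """

    def __init__(self, port_forwards):
        self.port_forwards = port_forwards  # {wan dport: (lan ip, lan port)}
        self.conntrack = set()              # (new src, new sport, dst, dport) in use

    def prerouting(self, pkt: Packet) -> Packet:
        # DNAT happens here, before the routing decision (phuzi0n's second reply).
        if pkt.dst == WAN_IP and pkt.dport in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dport]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        return pkt

    @staticmethod
    def out_interface(pkt: Packet) -> str:
        return "br0" if in_lan(pkt.dst) else "vlan2"

    def _unique_source(self, pkt: Packet, new_src: str) -> Packet:
        # Shared by SNAT and MASQUERADE: keep the client's source port if the
        # resulting tuple is unused, otherwise pick a free one. This is the
        # "automatic" port translation the last reply refers to.
        def candidates():
            yield pkt.sport
            yield from (p for p in EPHEMERAL if p != pkt.sport)

        for sport in candidates():
            key = (new_src, sport, pkt.dst, pkt.dport)
            if key not in self.conntrack:
                self.conntrack.add(key)
                return replace(pkt, src=new_src, sport=sport)
        raise RuntimeError("no free source port")

    def postrouting(self, pkt: Packet, out: str):
        if out == "vlan2":
            return "SNAT", self._unique_source(pkt, WAN_IP)
        if out == "br0" and in_lan(pkt.src) and in_lan(pkt.dst):
            # MASQUERADE rewrites to the outgoing interface's own address.
            return "MASQUERADE", self._unique_source(pkt, ROUTER_LAN_IP)
        return None, pkt

    def forward(self, pkt: Packet) -> dict:
        after_dnat = self.prerouting(pkt)
        out = self.out_interface(after_dnat)
        rule, final = self.postrouting(after_dnat, out)
        return {"out": out, "rule": rule, "dnat": after_dnat != pkt, "packet": final}


def demo():
    """Constructed scenarios: a port-collision pair and a hairpin connection."""
    router = NatRouter({80: ("192.168.1.50", 80)})  # forward WAN_IP:80 to a LAN server
    first = router.forward(Packet("192.168.1.20", 5000, "198.51.100.5", 80))
    second = router.forward(Packet("192.168.1.21", 5000, "198.51.100.5", 80))
    hairpin = router.forward(Packet("192.168.1.20", 6000, WAN_IP, 80))
    return first, second, hairpin


if __name__ == "__main__":
    for name, result in zip(("first", "second", "hairpin"), demo()):
        print(f"{name:8} out={result['out']:5} rule={result['rule']} "
              f"dnat={result['dnat']} -> {result['packet']}")
```

Running it shows the first client keeping source port 5000 behind the WAN IP while the second, which would produce an identical (WAN_IP, 5000, server, 80) tuple, is moved to another port by the SNAT rule itself. The hairpin case shows why the br0 rule matters: after DNAT the packet is routed back out br0, and without the MASQUERADE the server at 192.168.1.50 would see 192.168.1.20 as the source and answer it directly, so the client would receive a reply from an address it never connected to and drop it; with the rule the source becomes the router's br0 address and the reply flows back through the router, which undoes both translations.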
All times are GMT