Firewall In/Out/Local and NAT masquerade?

Can anyone please explain the difference between In / Out / Local?
When we want to attach firewall rules to an eth interface, it asks which "direction" (In / Out / Local).
When do we use each one?

One more question, if you may:
When we do NAT, we need to enter the translation address. As far as I understand, the translation address is the address of the router doing the NAT conversion. Am I wrong? And when (and why) do we sometimes use "masquerade", like in the following example:
set nat source rule 10 translation address masquerade

Thank you!

This is a pretty good overview of the definitions:

No. The ‘translation’ address is the IP of the device hosting the service you need to NAT to. If you want to open port 80 to server, is the translation address. You are TRANSLATING the public ip and port to a private ip and port.

> when (and why) do we sometimes use "masquerade", like in the following example:
> set nat source rule 10 translation address masquerade

You need a masquerade when you have several private IPs and devices that need to use a single outbound, public facing IP. You only use it once per VLAN/subnet to direct how the traffic flows OUT of the network.

First, thank you for the detailed explanation. Just to make sure I understand:

  1. As for the translation address, as far as I understand, it is basically the "end point" we want to connect to (in case it is an actual end point like a web server / DNS server and such). But what happens if we simply want to browse the internet (any website)? We wouldn't do a translation for each website, I assume. In that case we (as far as I understand) set the translation address to the router. Is that correct? And are there any other "cases" where we set the translation address to the router?

  2. As for masquerade: as far as I understand, when (for example) we have several laptops in the private network and they all want to "go outside" (for example, for web browsing) and they all go out through the same router (which is basically 1 public IP), then in that case we set the masquerade attribute. Am I correct? By the way, what will happen if we don't use masquerade and simply set the translation address to be the IP of the router in each rule? Is that OK? (Basically it should be the same as masquerade if I understand correctly.) In addition, you said something about "You only use it once per VLAN/subnet". Can you explain that please? What happens if we set it twice?

Sorry for the headache :slight_smile: Thanks a lot for explaining!

Yes. The translation address is the device/service you want to EXPOSE to the internet. This is a web server/dns server/etc on YOUR local network that you are translating to. So I can hit your public IP:443 and get to your web server for instance.

No, translation is for YOUR internal LAN. You are not translating external sources. You would never set the translation address to be the router.
No, you don’t translate to your router. You are not translating anything to your router.

Well, nothing will happen. If you have another rule further down the chain with the same masquerade settings, it just simply will not fire. You don’t need it more than once.
Why would you need it more than once? You are including an ENTIRE subnet in the rule and saying “THIS INTERFACE IS MY EXTERNAL FACING INTERFACE FOR THIS ENTIRE SUBNET”. Why would you tell the system the same thing twice?
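To tie the thread together, here is an added VyOS-style configuration (not from either poster, and not taken from any project documentation) that shows the three firewall directions on an interface, one masquerade rule for a whole LAN subnet, and a destination NAT rule whose translation address is an internal web server. All addresses, interface names and ruleset names are constructed for the example: eth0 is the WAN side with a DHCP-assigned public address, eth1 is the LAN with 192.168.10.0/24, and 192.168.10.80 is a hypothetical web server.

```vyos
# --- Interfaces (constructed addresses) ---
set interfaces ethernet eth0 address dhcp              # WAN: public IP comes from the ISP
set interfaces ethernet eth1 address 192.168.10.1/24   # LAN

# --- Ruleset for traffic FORWARDED through the router (direction: in on eth0) ---
# Packets that arrive on eth0 and are routed onward to the LAN.
set firewall name WAN-IN default-action drop
set firewall name WAN-IN rule 10 action accept
set firewall name WAN-IN rule 10 state established enable
set firewall name WAN-IN rule 10 state related enable
# Allow the published web server. Destination NAT runs before the 'in'
# filter, so this rule must match the *private* address, not the public one.
set firewall name WAN-IN rule 20 action accept
set firewall name WAN-IN rule 20 protocol tcp
set firewall name WAN-IN rule 20 destination address 192.168.10.80
set firewall name WAN-IN rule 20 destination port 80

# --- Ruleset for traffic ADDRESSED TO the router itself (direction: local on eth0) ---
# SSH, the router's own DNS or web UI, ICMP to the router, etc. Nothing here
# affects forwarded traffic; a closed 'local' chain does not break the web server.
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL rule 10 action accept
set firewall name WAN-LOCAL rule 10 state established enable
set firewall name WAN-LOCAL rule 10 state related enable

# --- Ruleset for traffic LEAVING an interface (direction: out on eth1) ---
# Packets the router has already decided to send out of eth1 toward the LAN.
set firewall name LAN-OUT default-action accept

# Attach each ruleset with its direction.
set interfaces ethernet eth0 firewall in name WAN-IN
set interfaces ethernet eth0 firewall local name WAN-LOCAL
set interfaces ethernet eth1 firewall out name LAN-OUT

# --- Source NAT: ONE masquerade rule for the whole LAN subnet ---
# 'masquerade' means "use whatever address eth0 currently holds", which is
# why it is the right choice when the public IP is assigned by DHCP.
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.10.0/24
set nat source rule 10 translation address masquerade

# If the WAN address were static, the fixed-address form below does the same
# job; 203.0.113.2 is a documentation placeholder, not a real address.
# set nat source rule 10 translation address 203.0.113.2

# --- Destination NAT: public :80 -> internal web server ---
# Here the translation address is the device being exposed, not the router.
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 translation address 192.168.10.80
```

Two points worth checking after committing a configuration like this: `show nat source translations` should list only the LAN subnet leaving via eth0 (a second masquerade rule covering the same subnet adds nothing, as the answer above says), and `show firewall name WAN-IN statistics` should show rule 20 counting hits when the web server is reached from outside, which confirms the ruleset is matching the post-DNAT private address.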