SNAT vs. Masquerade...

Discussion in 'Tomato Firmware' started by bripab007, Mar 31, 2009.

  1. bripab007

    bripab007 Network Guru Member

    Just curious if anyone's noticed any adverse or beneficial effects from using SNAT instead of Masquerade in Victek's RAF mod.

    Specifically, I've seen that it should be marginally quicker in NAT'ing since it doesn't look at the WAN IP when sending out packets from LAN hosts.

    I've also read that it's typically not used with DHCP'd WAN IP addresses (most home cable modem users and quite a few home DSL users, I would suspect) because the NAT table gets screwed up if the IP changes, however, it's been said that Tomato's firewall service restarts when WAN IP change is detected, so this shouldn't pose a problem.

    So, basically, I'm just looking for thoughts from those more well-versed in the subject than I :)
  2. bripab007

    bripab007 Network Guru Member

    No one has any thoughts on this? :tongue:
  3. Toastman

    Toastman Super Moderator Staff Member Member

    I'm no expert in the subject, but I have been trying it, I don't notice any speed difference myself. I never noticed any problem when the WAN IP changed. But I left it at MASQUERADE to be on the safe side in the end (chicken)....
    visceralpsyche likes this.
  4. bripab007

    bripab007 Network Guru Member

    Fair enough :) I was starting to chicken out, too, even though it's been running fine for the past week or so.

    I was going to see if I could force my cable modem to pick up a new IP address and see how Tomato reacts, just hadn't gotten around to it yet.
  5. Toastman

    Toastman Super Moderator Staff Member Member

How are you finding your TM? Any odd quirks - is the stability any better with the extra memory? (I notice my ASUS seems less inclined to random reboot or reboot when accessing the web GUI.) I am trying to force myself to buy some!
  6. bripab007

    bripab007 Network Guru Member

Man, the TM is awesome. It feels quicker than my old WRT54G ver.2, even though I've only overclocked it to 225 MHz. The extra RAM is probably great, although it's difficult for just me and my wife to really give it the torture test. I mean, I've had torrents downloading, while video iChat'ing, while surfing the web, while my wife is surfing on her computer, and it's held up just fine. Seems just as stable as Tomato's ever been. In fact, I just happened to notice that my WAN IP did get changed yesterday afternoon, and apparently SNAT and Tomato's firewall handled it just fine, so I guess I'll leave it on SNAT.

    But, yeah, I've bought three of the TM's so far, one to Tomato for myself, one I Tomato'd for my parents to replace their ridiculously slow and weak WRT54G ver.6 and one that I DD-WRT'd and sold to a friend and then configured it as a repeater with a virtual Access Point for his own apartment (the repeater is leeching the internet off his next-door neighbor's AP, and they split the bill).

    So, yeah, I'm quite happy with the TM :D
  7. Toastman

    Toastman Super Moderator Staff Member Member

    Thanks! That's very encouraging. Forgot to say, my ISP changes my IP every 24 hours, so it did get a good testing...
  8. FattysGoneWild

    FattysGoneWild LI Guru Member

Did you guys ever find out which one is best to use? Does the selection matter if you have DSL, cable, FiOS etc.? I am on cable internet if that makes any difference.
  9. fyellin

    fyellin LI Guru Member

Just while we're on the subject. Is there documentation somewhere (or else just a quick summary) of what the difference is between SNAT and MASQUERADE? Wikipedia seems to indicate that what these terms mean precisely depends on which manufacturer you're talking to. :confused:
  10. RonWessels

    RonWessels Network Guru Member

    Quick summary:

    Both are network address translation (NAT) techniques whereby the source (LAN) address gets automagically converted to another address (typically the WAN address) by the router.

    MASQUERADE converts the address to the WAN address, whatever it happens to be. In other words, at every conversion, it has to check what the WAN address is.

SNAT converts the address to a fixed address, set to the WAN address by the firewall initialization. While this would be a problem if the WAN address subsequently changes, Tomato will restart the firewall (and thereby re-initialize the SNAT address) when that happens.

    In theory, SNAT should be faster, since both are performing the same translation but MASQUERADE has to perform that extra lookup. In practice, we're only talking about a few machine instructions here, so the difference is not noticeable.
    Ped Man, visceralpsyche and kthaddock like this.
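The behaviour Ron describes, as an added toy model (this is not Tomato's or netfilter's code): a router object that translates the source address of outbound flows either by consulting the WAN interface address at every new flow (MASQUERADE) or by using the address captured when the firewall was initialized (SNAT). The class and function names, the 203.0.113.x / 198.51.100.x addresses and the packets are all constructed for the illustration; the conntrack table is modelled only far enough to show that an already-translated flow keeps its mapping in both modes.

```python
"""Toy model of SNAT vs. MASQUERADE on a home NAT router.

Added example, not code from the thread or from Tomato.  It shows why a
fixed SNAT target goes stale after a DHCP WAN address change unless the
firewall is re-initialized, and why MASQUERADE costs one extra address
lookup per new flow.  All addresses and packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class NatRouter:
    wan_ip: str                      # current address on the WAN interface (DHCP may change it)
    mode: str                        # "MASQUERADE" or "SNAT"
    snat_to: Optional[str] = None    # target address baked into the SNAT rule at firewall init
    # conntrack: (src, sport, dst, dport) -> translated source address
    conntrack: Dict[Tuple[str, int, str, int], str] = field(default_factory=dict)
    lookups: int = 0                 # how often the WAN address had to be consulted

    def firewall_init(self) -> None:
        """Models Tomato's firewall (re)start: in SNAT mode the rule is written
        with whatever the WAN address is at this moment."""
        self.snat_to = self.wan_ip

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source address of a LAN->WAN packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Established flow: the mapping chosen for its first packet is reused
            # in both modes; only *new* flows differ.
            new_src = self.conntrack[key]
        elif self.mode == "MASQUERADE":
            self.lookups += 1            # consult the interface for every new flow
            new_src = self.wan_ip
        elif self.mode == "SNAT":
            if self.snat_to is None:
                raise RuntimeError("SNAT rule has no target; run firewall_init() first")
            new_src = self.snat_to       # fixed address, no interface lookup
        else:
            raise ValueError(f"unknown NAT mode {self.mode!r}")
        self.conntrack[key] = new_src
        return Packet(new_src, pkt.dst, pkt.sport, pkt.dport)


def wan_ip_change_demo(mode: str, restart_firewall: bool) -> Tuple[str, int]:
    """Bring up a router, open one flow, let the ISP hand out a new WAN address,
    optionally restart the firewall (what Tomato does), then open a second flow.
    Returns (source address used for the second flow, number of WAN lookups)."""
    r = NatRouter(wan_ip="203.0.113.10", mode=mode)   # constructed documentation-range address
    r.firewall_init()
    r.translate_outbound(Packet("192.168.1.20", 40000, "198.51.100.5", 443))
    r.wan_ip = "203.0.113.77"        # DHCP renewal gives the router a different public address
    if restart_firewall:
        r.firewall_init()
    out = r.translate_outbound(Packet("192.168.1.20", 40001, "198.51.100.5", 443))
    return out.src, r.lookups


if __name__ == "__main__":
    for mode, restart in (("MASQUERADE", False), ("SNAT", False), ("SNAT", True)):
        src, lookups = wan_ip_change_demo(mode, restart)
        print(f"{mode:10} restart={restart!s:5} new flow leaves as {src} ({lookups} WAN lookups)")
```

Running it shows the three cases from the thread: MASQUERADE picks up the new address by itself at the cost of a lookup per new flow; SNAT without a firewall restart keeps stamping packets with the old address, so replies from the internet would be sent to an address the router no longer holds; SNAT plus the restart Tomato performs on a WAN change behaves like MASQUERADE with zero lookups.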
  11. fyellin

    fyellin LI Guru Member

    Exactly what I was looking for. Thanks for the clear explanation.
  12. Toastman

    Toastman Super Moderator Staff Member Member

    Me too, thanks Ron
  13. mrap

    mrap LI Guru Member

    Thanks for the explanation!
  14. Mr.CTT

    Mr.CTT Serious Server Member

    +1 Thank You!
  15. Tomato User

    Tomato User Network Newbie Member

Please tell me, what's TM?
  16. TrueBlueBlooded

    TrueBlueBlooded Addicted to LI Member

  17. brassman

    brassman Networkin' Nut Member

Right, so Masquerade converts R2's addresses into its own on R1. For example, big fancy R1's DHCP range is So R2's LAN and wireless hosts (e.g., Host1, Host2, and Host3) will be FORCED into within that R1's DHCP range. But having duplicate host addresses that are the same can make "hacking a host"... erm... a security risk. So, SNAT translates R1's host address into the IP tables of R2. Think of it as a moniker of a moniker of a moniker. Every router (e.g., R1, R2, and R3) will have their respective system of doing things, or naming things. Totally, totally respectable. SNAT is a SIMPLE translation of Host1 behind R1 to R2 and then to Host2. That is, H1 is behind R1 and H2 is behind R2. But one problem still exists...

Why doesn't SNAT work like this? Advanced>Firewall>NAT>NAT Loopback as ALL and Advanced>Firewall>NAT>NAT target as SNAT? Seems I can ping everything outside of R1 and R2 (i.e., I can ping everything like or, but not other hosts (for example, Host 1 behind R1 and Host 2 behind R2). In fact, because of this, my H1 behind R1 cannot print to R2's H2 (where H2 is a printer). Will SNAT loopback be fixed anytime soon?

*NOTE: If you are where I am, then the final touch to two gateways (GU-1 and GU-2) is SNAT. If SNAT is functioning on Shibby's Tomato, then I should be able to ping H1 behind R1 and R2's H2.

    **NOTE 2: My diagram setup looks like this:

Host 1 (my computer) (LAN)- - - -(LAN) Router 1 (LAN)-------- (WAN) Router 2 (LAN/WIRELESS)----------- Host 2 (printer). ==> this does not work! However, both H1 and H2 can ping outside of the routers (i.e., or I hear port forwarding can work, but my gosh! That sounds so wrong!
  18. Sean B.

    Sean B. Network Guru Member

    Why are you connecting one LAN to another using a WAN port? Is there an actual reason you're torturing yourself with NAT?
  19. eibgrad

    eibgrad Network Guru Member

    Let's be very clear about the purpose of SNAT/MASQUERADE. It simply allows the router to change the source IP on a packet, and is typically used on a NAT router to change the *local* IP range (the whole range, whether assigned by DHCP or static assignment, e.g., to the public IP of the WAN before being dumped on the public network (since the local IP range is not routable over the internet). On the reply, the router converts the (public) destination IP of the packet back to a local IP.

    That said, there are other circumstances when being able to change a source IP might prove useful. But in the case of accessing devices across multiple local IP networks on the router (e.g., 192.168.1.x <--> 192.168.2.x), there's no need to SNAT packets (e.g., changing the source IP of to that of the router on the other network, By default, the router is blocking traffic on the FORWARD chain of the firewall between those local networks, and so you amend the firewall rules to allow specific traffic to flow between devices. You DON'T use SNAT to muck w/ the IP addresses to essentially "trick" one network into thinking that traffic from the other local network is actually coming from its own network (which I *think* is what you're trying to do).
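The point eibgrad makes (inter-network traffic on one router is a FORWARD-chain question, not a source-translation question), as an added toy evaluator of a netfilter-style FORWARD chain. This is not Tomato's code; the `Rule`/`Packet` types, the 192.168.1.0/24 and 192.168.2.0/24 networks and the sample packets are constructed. It uses first-match semantics like iptables and a conntrack-state match for replies, and reports the source address each packet leaves with so that it is visible nothing gets rewritten.

```python
"""Toy FORWARD-chain evaluator: traffic between two local networks on the
same router is allowed by an ACCEPT rule, with source addresses untouched.

Added example, not Tomato's or netfilter's code.  Networks, rules and
packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    state: str = "NEW"          # conntrack state: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    src_net: str                # CIDR the source must fall in
    dst_net: str                # CIDR the destination must fall in
    target: str                 # "ACCEPT" or "DROP"
    state: Optional[str] = None # optional conntrack-state match (like -m conntrack --ctstate)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
            and (rule.state is None or rule.state == pkt.state))


def forward(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom; the first matching rule decides, otherwise the
    chain's default policy applies.  Returns (verdict, source address as forwarded):
    the FORWARD chain filters, it never rewrites addresses, so the source is
    returned unchanged."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target, pkt.src
    return policy, pkt.src


LAN1 = "192.168.1.0/24"         # constructed: first local network on the router
LAN2 = "192.168.2.0/24"         # constructed: second local network (e.g. where a printer sits)

# Default situation described in the thread: nothing is allowed between the LANs,
# so the chain is empty and the DROP policy wins.
DEFAULT_CHAIN: List[Rule] = []

# The amendment eibgrad describes: let LAN1 open connections to LAN2 and let the
# replies come back.  No SNAT rule anywhere.
OPENED_CHAIN: List[Rule] = [
    Rule("0.0.0.0/0", "0.0.0.0/0", "ACCEPT", state="ESTABLISHED"),  # replies to allowed flows
    Rule(LAN1, LAN2, "ACCEPT", state="NEW"),                           # LAN1 -> LAN2 initiations
]


def demo() -> List[Tuple[str, str, str, str]]:
    """Run the same packets through both chains; returns (chain, packet, verdict, src)."""
    request = Packet("192.168.1.10", "192.168.2.50")                  # H1 -> printer, new flow
    reply = Packet("192.168.2.50", "192.168.1.10", state="ESTABLISHED")
    reverse_new = Packet("192.168.2.50", "192.168.1.10")              # LAN2 trying to initiate
    results = []
    for name, chain in (("default", DEFAULT_CHAIN), ("opened", OPENED_CHAIN)):
        for pkt in (request, reply, reverse_new):
            verdict, src = forward(chain, "DROP", pkt)
            results.append((name, f"{pkt.src}->{pkt.dst}/{pkt.state}", verdict, src))
    return results


if __name__ == "__main__":
    for row in demo():
        print("%-8s %-40s %-6s leaves with src %s" % row)
```

With the default chain every inter-LAN packet is dropped, which is the "Request Timed Out" symptom; with the two added rules the printer request and its reply pass, LAN2 still cannot initiate toward LAN1, and in every case the packet keeps its real source address, which is exactly why no SNAT is needed to make the other network "accept" it.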
  20. brassman

    brassman Networkin' Nut Member

    You are right about a lot of things, but quite the opposite at the end, Mr. Eibling. I have tried to turn off the NAT firewall and ping the ip address of H2 from my H1 (PC) behind R1 (again, to H2 (PC) of R2). I received "Request Timed Out", which is about right. Without NAT firewall, or also known as translation, then R2 should not allow my H1 (PC) behind R1 to get through R2 (Gateway-UP) to get to H2.

    *Correction to my 1 other post above: I do not want Port forwarding, although that may be a lesser option. I want IP TABLE forwarding. What this means is I want H1 (IP behind R1 (IP to send this address to R2 (, so R2 can temporarily remember it in cache. Keep the connection alive by frequent pinging? I thought this was what masquerade does, but doesn't seem to be working?

*Edit: totally agree with you there about "tricking" by forcing other routers to use their own IP address range, as opposed to just being on the same subnet is enough and having their own respective ranges (i.e., and
  21. Sean B.

    Sean B. Network Guru Member

    You do not need nor should be using NAT or the WAN port for this. All you need to do is create another LAN interface on router 2 with DHCP disabled, give it an IP address that is within the subnet of router1's LAN, and then add one of the LAN ports to that interface. Connect router1 to router2 on that LAN port. Add LAN access rules to allow forwarding between the networks on router 2 and you're done.