Only NAT packets you can deliver responses for

When setting up a masquerading nat, it is worth considering masquerading only packets from known networks. That is, instead of rule like iifname eth-inside masquerade use something like iifname eth-inside ip saddr 198.51.100.0/24 masquerade.

I learned the hard way: my laptop in a masqueraded network picked a wrong source address from a subnet the router had no knowledge about. The outbound packets passed through right, but the responses came in, undergone translation, and since the destination was unknown to the router, it used the default route, sending the packet back to the ISP.

The result: IDS triggered by many packets from my router with source IP addresses from all around the Internet, all with destination to my private address. (The ISP was not happy about that.)