Introduction

Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there must be a NAT gateway in each natted network. The NAT gateway (NAT router) rewrites IP addresses as packets travel to and from the LAN.

...

Warning

Whenever NAT rules are changed or added, the connection tracking table should be cleared; otherwise the NAT rules may appear not to work correctly until the existing connection entries expire.

Types of NAT:

  • source NAT or srcnat. This type of NAT is performed on packets that originate from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as the packet travels through the router. The reverse operation is applied to the reply packets traveling in the other direction.
  • destination NAT or dstnat. This type of NAT is performed on packets that are destined for the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.

Source NAT

For example, the basic rule to hide local networks behind one public IP:

...

As you can see from the example, we are using the srcnat chain because we want to manipulate the source information. By specifying an out-interface we ensure that the source is modified only for packets that leave a specific interface, in our case the interface named "Public". The action is src-nat, which changes the source address of the packet to the global address configured on the "Public" interface.

Masquerade

/ip firewall nat add chain=srcnat action=masquerade out-interface=Public

...

To overcome these limitations, RouterOS includes a number of so-called NAT helpers that enable NAT traversal for various protocols.

Destination NAT

Let's see an opposite example where we want to change the destination address or perform port mapping:

...

What this rule does is: when an incoming connection requests TCP port 1234, it uses the dst-nat action to redirect the connection to the local address 192.168.88.2 and port 12340. In this example we chose to specify ports to illustrate how traffic can be mapped from one port to another. If you do not specify a to-ports parameter, the destination port inside the packet is not changed.

NAT examples



Image ModifiedDestination NAT

Network address translation works by modifying the network address information in the packet's IP header. Let's take a look at a common setup where a network administrator wants to access an office server from the Internet.

...

/ip firewall nat add chain=srcnat src-address=10.0.0.3 action=src-nat to-addresses=172.16.16.1

Source NAT

If you want to hide your local devices behind the public IP address received from your ISP, you should configure the source network address translation (masquerading) feature of the MikroTik router.
Let's assume you want to hide both the office computer and the server behind the public IP 172.16.16.1; the rule will look like the following one:

...

Now your ISP will see all requests coming from IP 172.16.16.1 and will not see your LAN IP addresses.

Masquerade

Firewall NAT action=masquerade is a special variant of action=src-nat. It was designed for situations where the public IP can change unexpectedly, for example when a DHCP server assigns a different address or a PPPoE tunnel receives a different IP after a reconnect; in short, when the public IP is dynamic. Every time the interface disconnects and/or its IP address changes, the router clears all masqueraded connection tracking entries that send packets out of that interface. This improves recovery time after the public IP address changes.

...

Tip

Though Source NAT and masquerading perform the same fundamental function, mapping one address space into another, the details differ slightly. Most noticeably, masquerading chooses the source IP address for the outbound packet from the IP address bound to the interface through which the packet will exit.
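The following is an added Python model (not RouterOS code and not from the original page) of the behaviour described in the Destination NAT section and in the masquerade notes above: the first matching rule per chain is applied, translated flows are cached in a connection tracking table, and when the exit interface's IP changes only the masqueraded entries are flushed while src-nat entries keep their fixed mapping. The addresses, ports and the "Public" interface name are constructed sample values.

```python
from collections import namedtuple
# Packet: 5-tuple plus the interface the router forwards it out of.
Packet = namedtuple("Packet", "src sport dst dport out_iface")
# Rule: chain ("dstnat"/"srcnat"), action ("dst-nat"/"src-nat"/"masquerade"), match dict, to-addresses, to-ports.
Rule = namedtuple("Rule", "chain action match to_address to_port", defaults=(None, None))

class NatRouter:
    def __init__(self, rules, iface_ips):
        self.rules, self.iface_ips = rules, dict(iface_ips)
        self.conntrack = {}  # original packet -> (translated packet, created by masquerade?)

    def _first_match(self, chain, pkt):
        for r in self.rules:  # the first matching rule in a chain wins
            if r.chain == chain and all(getattr(pkt, k) == v for k, v in r.match.items()):
                return r

    def translate(self, pkt):
        if pkt in self.conntrack:  # established flow: NAT rules are not re-evaluated
            return self.conntrack[pkt][0]
        out, masq = pkt, False
        d = self._first_match("dstnat", pkt)  # dstnat is applied before srcnat
        if d:
            out = out._replace(dst=d.to_address, dport=d.to_port or out.dport)  # no to-ports: keep port
        s = self._first_match("srcnat", pkt)
        if s and s.action == "src-nat":
            out = out._replace(src=s.to_address)
        elif s and s.action == "masquerade":  # source = IP currently bound to the exit interface
            out, masq = out._replace(src=self.iface_ips[pkt.out_iface]), True
        self.conntrack[pkt] = (out, masq)
        return out

    def interface_ip_changed(self, iface, new_ip):
        """Flush masqueraded entries leaving this interface; src-nat entries remain."""
        self.iface_ips[iface] = new_ip
        self.conntrack = {k: v for k, v in self.conntrack.items() if not (v[1] and k.out_iface == iface)}

def demo():
    # Constructed scenario modelled on the page's rules; public IP 172.16.16.1 on "Public".
    nat = NatRouter([Rule("dstnat", "dst-nat", {"dport": 1234}, "192.168.88.2", 12340),
                     Rule("srcnat", "src-nat", {"src": "10.0.0.3"}, "172.16.16.1"),
                     Rule("srcnat", "masquerade", {"out_iface": "Public"})],
                    {"Public": "172.16.16.1"})
    inbound = nat.translate(Packet("203.0.113.5", 40000, "172.16.16.1", 1234, "LAN"))
    masq1 = nat.translate(Packet("192.168.88.10", 50000, "198.51.100.7", 443, "Public"))
    fixed1 = nat.translate(Packet("10.0.0.3", 50001, "198.51.100.7", 443, "Public"))
    nat.interface_ip_changed("Public", "172.16.16.2")  # e.g. a new DHCP lease from the ISP
    masq2 = nat.translate(Packet("192.168.88.10", 50000, "198.51.100.7", 443, "Public"))
    fixed2 = nat.translate(Packet("10.0.0.3", 50001, "198.51.100.7", 443, "Public"))
    return inbound, masq1, masq2, fixed1, fixed2
```

After the IP change the masqueraded flow is re-translated with the new interface address, while the src-nat flow keeps sending from the now-stale 172.16.16.1, which is why the Warning above asks for the connection tracking table to be cleared after NAT changes.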

Hairpin NAT

Hairpin network address translation (NAT Loopback) is where the device on the LAN is able to access another machine on the LAN via the public IP address of the gateway router. 

...