Page tree

Introduction

Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is ascribed as a natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way packet travel from/to LAN.

Nat matches only the first packet of the connection, connection tracking remembers the action and performs on all other packets belonging to the same connection.

Whenever NAT rules are changed or added, the connection tracking table should be cleared otherwise NAT rules may seem to be not functioning correctly until connection entry expires.

Types of NAT:

  • source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets traveling in the other direction.
  • destination NAT or dstnat. This type of NAT is performed on packets that are destined for the natted network. It is most commonly used to make hosts on a private network to be accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards a private network.

Destination NAT

Network address translation works by modifying network address information in the packets IP header. Let`s take a look at the common setup where a network administrator wants to access an office server from the internet.

We want to allow connections from the internet to the office server whose local IP is 10.0.0.3. In this case, we have to configure a destination address translation rule on the office gateway router:

/ip firewall nat add chain=dstnat action=dst-nat dst-address=172.16.16.1 dst-port=22 to-addresses=10.0.0.3 protocol=tcp

The rule above translates: when an incoming connection requests TCP port 22 with destination address 172.16.16.1, use the dst-nat action and depart packets to the device with local IP address 10.0.0.3 and port 22.

To allow access only from the PC at home, we can improve our dst-nat rule with "src-address=192.168.88.1" which is a Home`s PC public (this examples) IP address. It is also considered to be more secure!

Source NAT

If you want to hide your local devices behind your public IP address received from ISP, you should configure the source network address translation (masquerading) feature of the MikroTik router. 
Let`s assume you want to hide both office computer and server behind the public IP 172.16.16.1, the rule will look like the following one:

/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 action=src-nat to-addresses=172.16.16.1 out-interface=WAN

Now your ISP will see all the requests coming with IP 172.16.16.1 and they will not see your LAN network IP addresses.

Masquerade

Firewall NAT action=masquerade is a unique subversion of action=srcnat, it was designed for specific use in situations when public IP can randomly change, for example, DHCP server change assigned IP or PPPoE tunnel after disconnect gets different IP, in short - when public IP is dynamic.

/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 action=masquarade out-interface=WAN

Every time when interface disconnects and/or its IP address changes, the router will clear all masqueraded connection tracking entries related to the interface, this way improving system recovery time after public IP change. If srcnat is used instead of masquerade, connection tracking entries remain and connections can simply resume after a link failure.

Unfortunately, this can lead to some issues with unstable links when the connection gets routed over different links after the primary link goes down. In such a scenario following things can happen:

  • on disconnect, all related connection tracking entries are purged;
  • next packet from every purged (previously masqueraded) connection will come into firewall as new, and, if a primary interface is not back, a packet will be routed out via alternative route (if you have any) thus creating a new masqueraded connection;
  • the primary link comes back, routing is restored over the primary link, so packets that belong to existing connections are sent over the primary interface without being masqueraded, that way leaking local IPs to a public network.

To work around this situation blackhole route can be created as an alternative to the route that might disappear on disconnect.

Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted. 

To overcome these limitations RouterOS includes a number of so-called NAT helpers, that enable NAT traversal for various protocols. When action=srcnat is used instead, connection tracking entries remain and connections can simply resume.

Though Source NAT and masquerading perform the same fundamental function: mapping one address space into another one, the details differ slightly. Most noticeably, masquerading chooses the source IP address for the outbound packet from the IP bound to the interface through which the packet will exit.

Hairpin NAT

Hairpin network address translation (NAT Loopback) is where the device on the LAN is able to access another machine on the LAN via the public IP address of the gateway router. 



In the following example gateway router consist of dst-nat configuration rule:

/ip firewall nat add chain=dstnat action=dst-nat dst-address=172.16.16.1 dst-port=443 to-addresses=10.0.0.3 to-ports=443 protocol=tcp

When a customer from the PC at home establishes a connection to the webserver, the router performs NAT as configured:

  1. the client sends a packet with a source IP address of 192.168.88.1 to a destination IP address of 172.16.16.1 on port 443 to request some web resource;
  2. the router destination NAT`s the packet to 10.0.0.3 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 192.168.88.1;
  3. the server replies to the client's request and the reply packet have a source IP address of 10.0.0.3 and a destination IP address of 192.168.88.1.
  4. the router determines that the packet is part of a previous connection and undoes the destination NAT, and puts the original destination IP address into the source IP address field. The destination IP address is 192.168.88.1, and the source IP address is 172.16.16.1;
  5. The client receives the reply packet it expects, and the connection is established;


The issue occurs, when a client on the same internal network as the webserver requests a connection to the web server's public IP address, the connection breaks:

  1. the client sends a packet with a source IP address of 10.0.0.2 to a destination IP address of 172.16.16.1 on port 443 to request some web resource;
  2. the router destination NATs the packet to 10.0.0.3 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 10.0.0.2;
  3. the server replies to the client's request. However, the source IP address of the request is on the same subnet as the webserver. The web server does not send the reply back to the router but sends it back directly to 10.0.0.2 with a source IP address in the reply of 10.0.0.3;
  4. The client receives the reply packet, but it discards it because it expects a packet back from 172.16.16.1, and not from 10.0.0.3;

To resolve this issue, we will configure the src-nat rule as follows:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.3 out-interface=LAN protocol=tcp src-address=10.0.0.0/24

After configured rule above:

  1. the client sends a packet with a source IP address of 10.0.0.2 to a destination IP address of 172.16.16.1 on port 443 to request some web resource;
  2. the router destination NATs the packet to 10.0.0.3 and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is 10.0.0.3, and the source IP address is 10.0.0.1;
  3. the web server replies to the request and sends the reply with a source IP address of 10.0.0.3 back to the router's LAN interface IP address of 10.0.0.1;
  4. the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of 1.1.1.1 into the source IP address field, and the original source IP address of 172.16.16.1 into the destination IP address field

Properties

PropertyDescription
action (action name; Default: accept)Action to take if a packet is matched by the rule:
  • accept - accept the packet. A packet is not passed to the next NAT rule.
  • add-dst-to-address-list - add destination address to address list specified by address-list parameter
  • add-src-to-address-list - add source address to address list specified by address-list parameter
  • dst-nat - replaces destination address and/or port of an IP packet to values specified by to-addresses and to-ports parameters
  • jump - jump to the user-defined chain specified by the value of jump-target parameter
  • log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After a packet is matched it is passed to the next rule in the list, similar as passthrough
  • masquerade - replaces source port of an IP packet to one specified by to-ports parameter and replace the source address of an IP packet to IP determined by routing facility. 
  • netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
  • passthrough - if a packet is matched by the rule, increase counter and go to next rule (useful for statistics).
  • redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router's local addresses
  • return - passes control back to the chain from where the jump took place
  • same - gives a particular client the same source/destination IP address from a supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
  • src-nat - replaces source address of an IP packet to values specified by to-addresses and to-ports parameters
address-list (string; Default: )Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic)Time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions
  • Value of none-dynamic (00:00:00) will leave the address in the address list till reboot
  • Value of none-static will leave the address in the address list forever and will be included in configuration export/backup
chain (name; Default: )Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created
comment (string; Default: )Descriptive comment for the rule
connection-bytes (integer-integer; Default: )Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask; Default: )Matches connections per address or address block after a given value is reached
connection-mark (no-mark | string; Default: )Matches packets marked via mangle facility with particular connection mark. If no-mark is set, the rule will match any unmarked connection
connection-rate (Integer 0..4294967295; Default: )Connection Rate is a firewall matcher that allows capturing traffic based on the present speed of the connection
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: )Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
content (string; Default: )Match packets that contain specified text
dscp (integer: 0..63; Default: )Matches DSCP IP header field.
dst-address (IP/netmask | IP range; Default: )Matches packets which destination is equal to specified IP or falls into specified IP range.
dst-address-list (name; Default: )Matches destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast; Default: )Matches destination address type:
  • unicast - IP address used for point to point transmission
  • local - if dst-address is assigned to one of the router's interfaces
  • broadcast - packet is sent to all devices in a subnet
  • multicast - packet is forwarded to a defined group of devices
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: )Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address/destination port has its own limit. Parameters are written in the following format: count[/time],burst,mode[/expire].
  • count - maximum average packet rate measured in packets per time interval
  • time - specifies the time interval in which the packet rate is measured (optional)
  • burst - number of packets that are not counted by packet rate
  • mode - the classifier for packet rate limiting
  • expire - specifies interval after which recored ip address /port will be deleted (optional)
dst-port (integer[-integer]: 0..65535; Default: )List of destination port numbers or port number ranges
fragment (yes|no; Default: )Matches fragmented packets. The first (starting) fragment does not count. If connection tracking is enabled there will be no fragments as the system automatically assembles every packet
hotspot (auth | from-client | http | local-dst | to-client; Default: )Matches packets received from HotSpot clients against various HotSpot matchers.
  • auth - matches authenticated HotSpot client packets
  • from-client - matches packets that are coming from the HotSpot client
  • http - matches HTTP requests sent to the HotSpot server
  • local-dst - matches packets that are destined to the HotSpot server
  • to-client - matches packets that are sent to the HotSpot client
icmp-options (integer:integer; Default: )Matches ICMP type: code fields
in-bridge-port (name; Default: )Actual interface the packet has entered the router if the incoming interface is a bridge
in-interface (name; Default: )Interface the packet has entered the router
ingress-priority (integer: 0..63; Default: )Matches ingress the priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. Read more>>
ipsec-policy (in | out, ipsec | none; Default: )Matches the policy used by IpSec. Value is written in the following format: direction, policy. The direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.
  • in - valid in the PREROUTING, INPUT, and FORWARD chains
  • out - valid in the POSTROUTING, OUTPUT, and FORWARD chains
  • ipsec - matches if the packet is subject to IpSec processing;
  • none - matches packet that is not subject to IpSec processing (for example, IpSec transport packet).

For example, if a router receives an IPsec encapsulated Gre packet, then rule ipsec-policy=in,ipsec will match Gre packet, but the rule ipsec-policy=in,none will match the ESP packet.

ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: )Matches IPv4 header options.
  • any - match packet with at least one of the ipv4 options
  • loose-source-routing - match packets with a loose source routing option. This option is used to route the internet datagram based on information supplied by the source
  • no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
  • no-router-alert - match packets with no router alter option
  • no-source-routing - match packets with no source routing option
  • no-timestamp - match packets with no timestamp option
  • record-route - match packets with record route option
  • router-alert - match packets with router alter option
  • strict-source-routing - match packets with strict source routing option
  • timestamp - match packets with a timestamp
jump-target (name; Default: )Name of the target chain to jump to. Applicable only if action=jump
layer7-protocol (name; Default: )Layer7 filter name defined in layer7 protocol menu.
limit (integer,time,integer; Default: )Matches packets until a given PPS limit is exceeded. Parameters are written in the following format: count[/time],burst.
  • count - maximum average packet rate measured in packets per time interval
  • time - specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified)
  • burst - number of packets that are not counted by packet rate
log-prefix (string; Default: )Adds specified text at the beginning of every log message. Applicable if action=log
nth (integer,integer; Default: )Matches every nth packet: nth=2,1 rule will match every first packet of 2, hence, 50% of all the traffic that is matched by the rule
out-bridge-port (name; Default: )Actual interface the packet is leaving the router if the outgoing interface is a bridge
out-interface (; Default: )Interface the packet is leaving the router
packet-mark (no-mark | string; Default: )Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet
packet-size (integer[-integer]:0..65535; Default: )Matches packets of specified size or size range in bytes
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: )PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream
port (integer[-integer]: 0..65535; Default: )Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP
protocol (name or protocol ID; Default: tcp)Matches particular IP protocol specified by protocol name or number
psd (integer,time,integer,integer; Default: )Attempts to detect TCP and UDP scans. Parameters are in the following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight
  • WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
  • DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
  • LowPortWeight - the weight of the packets with privileged (<1024) destination port
  • HighPortWeight - the weight of the packet with non-privileged destination port
random (integer: 1..99; Default: )Matches packets randomly with a given probability
routing-mark (string; Default: )Matches packets marked by mangle facility with particular routing mark
same-not-by-dst (yes | no; Default: )Specifies whether to take into account or not destination IP address when selecting a new source IP address. Applicable if action=same
src-address (Ip/Netmaks, Ip range; Default: )Matches packets which source is equal to specified IP or falls into specified IP range.
src-address-list (name; Default: )Matches source address of a packet against user-defined address list
src-address-type (unicast | local | broadcast | multicast; Default: )

Matches source address type:

  • unicast - IP address used for point to point transmission
  • local - if an address is assigned to one of the router's interfaces
  • broadcast - packet is sent to all devices in a subnet
  • multicast - packet is forwarded to a defined group of devices
src-port (integer[-integer]: 0..65535; Default: )List of source ports and ranges of source ports. Applicable only if a protocol is TCP or UDP.
src-mac-address (MAC address; Default: )Matches source MAC address of the packet
tcp-mss (integer[-integer]: 0..65535; Default: )Matches TCP MSS value of an IP packet
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: )Allows to create a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
to-addresses (IP address[-IP address]; Default: 0.0.0.0)Replace the original address with the specified one. Applicable if action is dst-nat, netmap, same, src-nat
to-ports (integer[-integer]: 0..65535; Default: )Replace the original port with the specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same, src-nat
ttl (integer: 0..255; Default: )Matches packets TTL value

Stats

PropertyDescription
bytes (integer)The total amount of bytes matched by the rule
packets (integer)The total amount of packets matched by the rule

To show additional read-only properties:

[admin@MikroTik] > ip firewall nat print stats all
Flags: X - disabled, I - invalid, D - dynamic 
# CHAIN ACTION BYTES PACKETS
0 srcnat masquerade 265 659 987


  • No labels