Network Address Translation (NAT) is an Internet standard that allows hosts on a local area network to use one set of IP addresses for internal communication and another set for communication with the outside world. A LAN that uses NAT is referred to as a natted network. For NAT to function there must be a NAT gateway in each natted network; the NAT gateway (NAT router) rewrites IP addresses in packets as they travel to and from the LAN.
NAT rules match only the first packet of a connection; connection tracking remembers the action taken and applies it to every later packet belonging to the same connection.
Whenever NAT rules are added or changed, the connection tracking table should be cleared, otherwise the new rules appear not to work until the existing connection entries expire.
NAT works by modifying the network address information in a packet's IP header. Let's look at a common setup in which a network administrator wants to reach an office server from the internet.
We want to allow connections from the internet to the office server, whose local IP address is 10.0.0.3. For this we configure a destination address translation (dst-nat) rule on the office gateway router:
The rule above reads: when an incoming connection is addressed to TCP port 22 on destination address 172.16.16.1, apply the dst-nat action and deliver the packets to the device with local IP address 10.0.0.3, port 22.
To allow access only from the PC at home, we can tighten the dst-nat rule with src-address=192.168.88.1, the home PC's public IP address (in this example). Restricting the source this way is also more secure, because the forwarded service is no longer exposed to every host on the internet.
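As an added example (not the page's original rule listing), the two dst-nat rules described above in RouterOS command form, together with the connection-table flush that makes a rule change take effect immediately. Addresses are the ones used in the text (public IP 172.16.16.1, office server 10.0.0.3, home PC public IP 192.168.88.1); the comment strings are ours.

```routeros
# Added example, not the page's own listing. Addresses as in the text:
# public IP 172.16.16.1, office server 10.0.0.3, home PC public IP 192.168.88.1.
/ip firewall nat
# Restricted form: only the home PC may reach the forwarded SSH port.
# Leaving out src-address= gives the open form the text describes first.
add chain=dstnat src-address=192.168.88.1 dst-address=172.16.16.1 protocol=tcp dst-port=22 action=dst-nat to-addresses=10.0.0.3 to-ports=22 comment="SSH to office server, home PC only"

# Check that the rule is present and, once used, that its counters move
/ip firewall nat print stats where chain=dstnat

# NAT matches only the first packet of a connection; connections tracked
# before the rule existed (or before it was tightened) keep their old
# treatment until they expire. Flush them so the new rule applies at once.
/ip firewall connection remove [find]
```

Flushing the whole table discards the state of every tracked connection, so do it in a maintenance window or narrow the find expression to the addresses concerned. Note also that the dst-nat rule only rewrites the destination; in the default RouterOS firewall the forward chain drops new connections from the WAN that were not dst-nat'ed, so this rule is also what lets the traffic through the filter.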
If you want to hide your local devices behind the public IP address received from the ISP, configure source network address translation (masquerading) on the MikroTik router.
Let's assume you want to hide both the office computer and the server behind the public IP 172.16.16.1; the rule will look like the following:
Now your ISP sees all requests arriving with source IP 172.16.16.1 and never sees your LAN IP addresses.
Firewall NAT action=masquerade is a special form of action=srcnat. It was designed for situations in which the public IP can change at any time, for example when a DHCP server assigns a different address or a PPPoE tunnel gets a different IP after a reconnect; in short, when the public IP is dynamic.
Every time the interface disconnects and/or its IP address changes, the router clears all masqueraded connection tracking entries related to that interface, which improves recovery time after a public IP change. If srcnat is used instead of masquerade, the connection tracking entries remain and connections can simply resume after a link failure.
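As an added example (not the page's own listing), the two ways of hiding the LAN behind the public address, side by side, with the difference the paragraphs above describe. Assumed here: the office PC and server sit in 10.0.0.0/24 and the WAN interface is ether1 carrying 172.16.16.1; both names are ours.

```routeros
# Added example, not the page's own listing. Assumed: LAN 10.0.0.0/24 with the
# office PC and the server, WAN interface ether1 holding public IP 172.16.16.1.
/ip firewall nat
# Static public IP: src-nat rewrites the source to the address given in
# to-addresses. Tracked entries survive a link flap, so connections resume.
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1 action=src-nat to-addresses=172.16.16.1 comment="hide LAN, static public IP"

# Dynamic public IP (DHCP client or PPPoE on ether1): masquerade takes the
# source address from ether1 itself at translation time, and the router
# flushes the masqueraded entries for ether1 whenever its address changes.
# Use one of the two rules, not both; this one is disabled so the block
# imports cleanly with the static variant active.
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1 action=masquerade comment="hide LAN, dynamic public IP" disabled=yes
```

Binding the rule to out-interface=ether1 and a src-address keeps the router from translating traffic between internal interfaces or across a VPN; a bare action=masquerade rule without matchers rewrites every forwarded connection. To verify, open a connection from a LAN host and list /ip firewall connection: the reply-dst-address of the entry shows 172.16.16.1 as the translated source.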
Unfortunately, this can lead to problems with unstable links when connections get routed over a different link after the primary link goes down. In such a scenario the following things can happen:
To work around this, a blackhole route can be created as an alternative to the route that disappears on disconnect.
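As an added example (not from the page), a blackhole route standing in for the primary default route while it is gone. Assumed: the primary uplink is ether1 with gateway 172.16.16.254 at distance 1, and any backup default route has a larger distance than the blackhole; the RouterOS v7 spelling is used, with the v6 form noted in a comment.

```routeros
# Added example, not the page's own listing. Assumed: primary uplink ether1
# with gateway 172.16.16.254 as the default route at distance 1; any backup
# default route lives at a higher distance than the blackhole below.
# RouterOS v7 syntax; v6 spells the blackhole as type=blackhole.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.16.254 distance=1 comment="primary uplink"
# Becomes active only while the primary route is gone: packets are discarded
# instead of being pushed out another link and masqueraded with that link's
# address, so no fresh connection state is built on the wrong uplink.
add dst-address=0.0.0.0/0 blackhole=yes distance=5 comment="hold traffic while primary is down"
```

Check with /ip route print that the blackhole is inactive while the primary is up, then drop the primary link and confirm it becomes active. Because the blackhole wins over any route with a larger distance, real failover to a second ISP has to be arranged explicitly (a better distance, or a separate routing table) rather than by letting the main table fall through.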
Hosts behind a NAT-enabled router do not have true end-to-end connectivity, so some Internet protocols may not work through NAT. Services that require a TCP connection to be initiated from outside the private network, and stateless protocols such as UDP, can be disrupted.
To overcome these limitations RouterOS includes a number of so-called NAT helpers, which enable NAT traversal for various protocols.
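As an added example (not from the page), how to review the NAT helpers and keep only the ones the natted network needs. Each enabled helper parses application-layer payload in order to open related connections through NAT, so an unused helper is extra parsing and extra pinholes for nothing. The set of protocols assumed for this office is ours.

```routeros
# Added example, not the page's own listing: list the helpers and leave only
# those the natted network needs.
/ip firewall service-port print
# Assumed for this office: passive FTP to the outside is needed on port 21,
# while there is no SIP, H.323 or PPTP behind this router.
/ip firewall service-port set ftp disabled=no ports=21
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set pptp disabled=yes
```

A rule using connection-type=ftp only matches related data connections while the ftp helper is enabled, so helpers and the rules that depend on them have to be changed together.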
Although source NAT and masquerading perform the same fundamental function, mapping one address space onto another, the details differ slightly. Most noticeably, masquerading takes the source IP address for the outbound packet from the address bound to the interface through which the packet will leave, whereas src-nat uses the address given in to-addresses.
Hairpin NAT (NAT loopback) allows a device on the LAN to reach another machine on the same LAN via the public IP address of the gateway router.
In the following example the gateway router has this dst-nat rule:
When a customer at the home PC connects to the web server, the router performs NAT as configured:
The problem appears when a client on the same internal network as the web server connects to the web server's public IP address; the connection breaks:
To resolve this, we configure a src-nat rule as follows:
With the rule above configured:
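As an added example (not the page's own listing), a complete hairpin configuration covering both the dst-nat rule this section starts from and the src-nat fix just described, with comments on why the connection breaks without it. Assumed: public IP 172.16.16.1 on WAN interface ether1, web server 10.0.0.3 in LAN 10.0.0.0/24 behind a bridge named LAN; interface names and the subnet are ours.

```routeros
# Added example, not the page's own listing. Assumed: public IP 172.16.16.1 on
# WAN interface ether1, web server 10.0.0.3 in LAN 10.0.0.0/24 behind bridge LAN.
/ip firewall nat
# Forward from the public address. No in-interface is set, so the rule also
# matches LAN clients that dial the public IP.
add chain=dstnat dst-address=172.16.16.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.0.3 to-ports=80 comment="web server forward"

# Hairpin rule. Without it the server receives the client's real LAN address,
# answers it directly over the LAN with source 10.0.0.3, and the client drops
# the reply because it expects 172.16.16.1 to answer. Masquerading these
# connections with the router's LAN address forces the reply back through the
# router, where connection tracking reverses the dst-nat.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.3 protocol=tcp dst-port=80 out-interface=LAN action=masquerade comment="hairpin for web server"

# Ordinary outbound masquerade for everything else
add chain=srcnat out-interface=ether1 action=masquerade comment="hide LAN"
```

Keep the hairpin rule as narrow as shown: it is evaluated after routing, when the destination already reads 10.0.0.3, and it costs the web server the real client address in its logs, since every LAN client now appears as the router's LAN IP. With several forwarded services, one hairpin rule using a dst-address-list beats a copy per service.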
| Property | Description |
|---|---|
| action (action name; Default: accept) | Action to take if a packet is matched by the rule: |
| address-list (string; Default: ) | Name of the address list to be used. Applicable if action is |
| address-list-timeout (none-dynamic \| none-static \| time; Default: none-dynamic) | Time interval after which the address will be removed from the address list specified by |
| chain (name; Default: ) | Specifies to which chain the rule will be added. If the input does not match the name of an already defined chain, a new chain will be created |
| comment (string; Default: ) | Descriptive comment for the rule |
| connection-bytes (integer-integer; Default: ) | Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 means infinity, for example |
| connection-limit (integer,netmask; Default: ) | Matches connections per address or address block once a given count is reached |
| connection-mark (no-mark \| string; Default: ) | Matches packets marked via the mangle facility with a particular connection mark. If no-mark is set, the rule will match any unmarked connection |
| connection-rate (integer 0..4294967295; Default: ) | Connection rate is a firewall matcher that allows capturing traffic based on the present speed of the connection |
| connection-type (ftp \| h323 \| irc \| pptp \| quake3 \| sip \| tftp; Default: ) | Matches packets from related connections based on information from their connection tracking helpers. The relevant connection helper must be enabled under /ip firewall service-port |
| content (string; Default: ) | Matches packets that contain the specified text |
| dscp (integer: 0..63; Default: ) | Matches the DSCP IP header field |
| dst-address (IP/netmask \| IP range; Default: ) | Matches packets whose destination is equal to the specified IP or falls into the specified IP range |
| dst-address-list (name; Default: ) | Matches the destination address of a packet against a user-defined address list |
| dst-address-type (unicast \| local \| broadcast \| multicast; Default: ) | Matches destination address type: |
| dst-limit (integer[/time],integer,dst-address \| dst-port \| src-address[/time]; Default: ) | Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address/destination port has its own limit. Parameters are written in the following format: |
| dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges |
| fragment (yes \| no; Default: ) | Matches fragmented packets. The first (starting) fragment does not count. If connection tracking is enabled there will be no fragments, as the system automatically reassembles every packet |
| hotspot (auth \| from-client \| http \| local-dst \| to-client; Default: ) | Matches packets received from HotSpot clients against various HotSpot matchers |
| icmp-options (integer:integer; Default: ) | Matches ICMP type:code fields |
| in-bridge-port (name; Default: ) | Actual interface through which the packet entered the router, if the incoming interface is a bridge |
| in-interface (name; Default: ) | Interface through which the packet entered the router |
| ingress-priority (integer: 0..63; Default: ) | Matches the ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bits |
| ipsec-policy (in \| out, ipsec \| none; Default: ) | Matches the policy used by IPsec. Value is written in the following format: For example, if the router receives an IPsec-encapsulated GRE packet, then the rule |
| ipv4-options (any \| loose-source-routing \| no-record-route \| no-router-alert \| no-source-routing \| no-timestamp \| none \| record-route \| router-alert \| strict-source-routing \| timestamp; Default: ) | Matches IPv4 header options |
| jump-target (name; Default: ) | Name of the target chain to jump to. Applicable only if |
| layer7-protocol (name; Default: ) | Layer7 filter name defined in the layer7 protocol menu |
| limit (integer,time,integer; Default: ) | Matches packets until a given pps limit is exceeded. Parameters are written in the following format: |
| log-prefix (string; Default: ) | Adds the specified text at the beginning of every log message. Applicable if |
| nth (integer,integer; Default: ) | Matches every nth packet: nth=2,1 matches the first packet of every 2, hence 50% of all traffic matched by the rule |
| out-bridge-port (name; Default: ) | Actual interface through which the packet leaves the router, if the outgoing interface is a bridge |
| out-interface (name; Default: ) | Interface through which the packet leaves the router |
| packet-mark (no-mark \| string; Default: ) | Matches packets marked via the mangle facility with a particular packet mark. If no-mark is set, the rule will match any unmarked packet |
| packet-size (integer[-integer]: 0..65535; Default: ) | Matches packets of the specified size or size range in bytes |
| per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) | The PCC matcher allows dividing traffic into equal streams, with the ability to keep packets with a specific set of options in one particular stream |
| port (integer[-integer]: 0..65535; Default: ) | Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP |
| protocol (name or protocol ID; Default: tcp) | Matches a particular IP protocol specified by protocol name or number |
| psd (integer,time,integer,integer; Default: ) | Attempts to detect TCP and UDP port scans. Parameters are in the following format |
| random (integer: 1..99; Default: ) | Matches packets randomly with the given probability |
| routing-mark (string; Default: ) | Matches packets marked by the mangle facility with a particular routing mark |
| same-not-by-dst (yes \| no; Default: ) | Specifies whether or not to take the destination IP address into account when selecting a new source IP address. Applicable if |
| src-address (IP/netmask \| IP range; Default: ) | Matches packets whose source is equal to the specified IP or falls into the specified IP range |
| src-address-list (name; Default: ) | Matches the source address of a packet against a user-defined address list |
| src-address-type (unicast \| local \| broadcast \| multicast; Default: ) | Matches source address type: |
| src-port (integer[-integer]: 0..65535; Default: ) | List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP |
| src-mac-address (MAC address; Default: ) | Matches the source MAC address of the packet |
| tcp-mss (integer[-integer]: 0..65535; Default: ) | Matches the TCP MSS value of an IP packet |
| time (time-time,sat \| fri \| thu \| wed \| tue \| mon \| sun; Default: ) | Allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date |
| to-addresses (IP address[-IP address]; Default: 0.0.0.0) | Replaces the original address with the specified one. Applicable if action is dst-nat, netmap, same or src-nat |
| to-ports (integer[-integer]: 0..65535; Default: ) | Replaces the original port with the specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same or src-nat |
| ttl (integer: 0..255; Default: ) | Matches the packet's TTL value |
| Property | Description |
|---|---|
| bytes (integer) | Total number of bytes matched by the rule |
| packets (integer) | Total number of packets matched by the rule |
To show additional read-only properties: