MikroTik RouterOS supports the NAT Port Mapping Protocol (NAT-PMP) for transparent peer-to-peer network connectivity of personal computers and network-enabled intelligent devices or appliances.
The protocol includes a method for retrieving the external IPv4 address of a NAT gateway, which allows a client to make its external IPv4 address and port known to peers that wish to communicate with it.
NAT-PMP uses UDP port 5350 on the client side and UDP port 5351 on the server (gateway) side.
There are two interface types for PMP: internal (the one local clients are connected to) and external (the one the Internet is connected to). A router may only have one active external interface with a 'public' IP address on it, and as many internal interfaces as needed, all with source-NATted 'internal' IP addresses. The protocol works by creating dynamic NAT entries.
For more details on NAT-PMP see RFC 6886.
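The two message types the text refers to (the external-address query and the port-mapping request), as an added example that is not part of the MikroTik documentation: an RFC 6886 encoder/decoder together with a small in-process gateway model, so both sides of the exchange can be inspected without a real router. The gateway class, the port range and the addresses (10.0.0.1 as the public address, 192.168.88.10 as the client) are constructed for illustration; RouterOS's own allocation logic is not modelled.

```python
"""NAT-PMP (RFC 6886) request/response codec with a simulated gateway.

Added example, not MikroTik code. All addresses and the port range are
constructed values chosen to mirror the page's example.
"""
import socket
import struct
from typing import Dict, Optional, Tuple

NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0   # "what is my public IPv4 address?"
OP_MAP_UDP = 1            # request a UDP port mapping
OP_MAP_TCP = 2            # request a TCP port mapping
RESPONSE_FLAG = 128       # responses carry opcode + 128

RESULT_SUCCESS = 0
RESULT_UNSUPPORTED_VERSION = 1
RESULT_NOT_AUTHORIZED = 2
RESULT_NETWORK_FAILURE = 3
RESULT_OUT_OF_RESOURCES = 4
RESULT_UNSUPPORTED_OPCODE = 5


def build_external_address_request() -> bytes:
    """2-byte request: version 0, opcode 0."""
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDRESS)


def build_mapping_request(protocol: str, internal_port: int,
                          suggested_external_port: int = 0, lifetime: int = 7200) -> bytes:
    """12-byte mapping request; lifetime 0 asks the gateway to delete the mapping."""
    if protocol not in ("udp", "tcp"):
        raise ValueError("protocol must be 'udp' or 'tcp'")
    opcode = OP_MAP_UDP if protocol == "udp" else OP_MAP_TCP
    # version, opcode, reserved, internal port, suggested external port, lifetime (seconds)
    return struct.pack("!BBHHHI", NATPMP_VERSION, opcode, 0, internal_port,
                       suggested_external_port, lifetime)


def parse_response(data: bytes) -> Dict:
    """Decode a gateway response; raises ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("response shorter than the 8-byte common header")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != NATPMP_VERSION:
        raise ValueError("unsupported version %d" % version)
    if not opcode & RESPONSE_FLAG:
        raise ValueError("opcode lacks the response bit (128)")
    op = opcode & 0x7F
    out = {"opcode": op, "result": result, "epoch": epoch}
    if op == OP_EXTERNAL_ADDRESS and len(data) == 12:
        out["external_ip"] = socket.inet_ntoa(data[8:12])
    elif op in (OP_MAP_UDP, OP_MAP_TCP) and len(data) == 16:
        internal_port, external_port, lifetime = struct.unpack("!HHI", data[8:16])
        out.update(protocol="udp" if op == OP_MAP_UDP else "tcp",
                   internal_port=internal_port, external_port=external_port, lifetime=lifetime)
    elif result == RESULT_SUCCESS:
        raise ValueError("success response with unexpected opcode/length")
    return out


class SimulatedGateway:
    """Toy gateway (constructed for this example): one public IP, per-protocol port table."""

    def __init__(self, external_ip: str, epoch_seconds: int = 0,
                 port_range: Tuple[int, int] = (50000, 50100)):
        self.external_ip = external_ip
        self.epoch = epoch_seconds
        # (protocol, client_ip, internal_port) -> external_port
        self.mappings: Dict[Tuple[str, str, int], int] = {}
        self.first_port, self.last_port = port_range

    def _header(self, opcode: int, result: int) -> bytes:
        return struct.pack("!BBHI", NATPMP_VERSION, opcode | RESPONSE_FLAG, result, self.epoch)

    def handle(self, client_ip: str, data: bytes) -> Optional[bytes]:
        if len(data) < 2 or data[1] & RESPONSE_FLAG:
            return None  # too short, or a stray response: silently dropped
        version, opcode = data[0], data[1]
        if version != NATPMP_VERSION:
            return self._header(opcode, RESULT_UNSUPPORTED_VERSION)
        if opcode == OP_EXTERNAL_ADDRESS:
            return self._header(opcode, RESULT_SUCCESS) + socket.inet_aton(self.external_ip)
        if opcode in (OP_MAP_UDP, OP_MAP_TCP) and len(data) == 12:
            return self._map(client_ip, opcode, data)
        return self._header(opcode, RESULT_UNSUPPORTED_OPCODE)

    def _map(self, client_ip: str, opcode: int, data: bytes) -> bytes:
        proto = "udp" if opcode == OP_MAP_UDP else "tcp"
        _, internal_port, suggested, lifetime = struct.unpack("!HHHI", data[2:12])
        key = (proto, client_ip, internal_port)
        if lifetime == 0:  # delete request: external port 0, lifetime 0 in the reply
            self.mappings.pop(key, None)
            return self._header(opcode, RESULT_SUCCESS) + struct.pack("!HHI", internal_port, 0, 0)
        external = self.mappings.get(key)
        if external is None:
            in_use = {p for (pr, _, _), p in self.mappings.items() if pr == proto}
            if suggested and suggested not in in_use:
                external = suggested  # honour the suggestion only if free for this protocol
            else:
                free = (p for p in range(self.first_port, self.last_port + 1) if p not in in_use)
                external = next(free, None)
                if external is None:
                    return self._header(opcode, RESULT_OUT_OF_RESOURCES) + struct.pack("!HHI", internal_port, 0, 0)
            self.mappings[key] = external
        return self._header(opcode, RESULT_SUCCESS) + struct.pack("!HHI", internal_port, external, lifetime)


def demo_exchange() -> Dict:
    """One client asks for its public address, then maps TCP and UDP 55000 (constructed values)."""
    gw = SimulatedGateway("10.0.0.1", epoch_seconds=3600)
    client = "192.168.88.10"
    ext = parse_response(gw.handle(client, build_external_address_request()))
    tcp = parse_response(gw.handle(client, build_mapping_request("tcp", 55000, 55000)))
    udp = parse_response(gw.handle(client, build_mapping_request("udp", 55000, 55000)))
    return {"external_ip": ext["external_ip"], "tcp": tcp, "udp": udp}


if __name__ == "__main__":
    print(demo_exchange())
```

The same internal port may be mapped for TCP and UDP at once, as the router's dynamic rules further down illustrate; a second client asking for a port already in use for that protocol is given a different external port, and a lifetime of 0 removes the mapping.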
/ip nat-pmp

Property | Description
---|---
enabled (yes \| no; Default: no) | Enable the NAT-PMP service

/ip nat-pmp interfaces

Property | Description
---|---
interface (string; Default: ) | Interface name on which PMP will be running
type (external \| internal; Default: no) | PMP interface type (see the description of internal and external interfaces above)
forced-ip (IP; Default: ) | Allows specifying which public IP to use if the external interface has more than one IP address available

In more complex setups with VLANs, where the VLAN interface is considered the LAN interface, the VLAN interface itself should be specified as the internal interface for PMP to work properly.
We have masquerading already enabled on our router:

```
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
```
To enable the PMP feature:

```
[admin@MikroTik] ip nat-pmp> set enabled=yes
[admin@MikroTik] ip nat-pmp> print
  enabled: yes
```
Now, all we have to do is add the interfaces:

```
[admin@MikroTik] ip nat-pmp interfaces> add interface=ether1 type=external
[admin@MikroTik] ip nat-pmp interfaces> add interface=ether2 type=internal
[admin@MikroTik] ip nat-pmp interfaces> print
Flags: X - disabled
 #   INTERFACE   TYPE
 0 X ether1      external
 1 X ether2      internal
[admin@MikroTik] ip nat-pmp interfaces> enable 0,1
```
Once a client on the internal interface side sends a PMP request, dynamic NAT rules are created on the router. Example rules could look similar to these:

```
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether1

 1 D ;;; nat-pmp 192.168.88.10: ApplicationX
     chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=55000 protocol=tcp dst-address=10.0.0.1 in-interface=ether1 dst-port=55000

 2 D ;;; nat-pmp 192.168.88.10: ApplicationX
     chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=55000 protocol=udp dst-address=10.0.0.1 in-interface=ether1 dst-port=55000
```
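Because these rules appear and disappear on their own, an operator usually wants a quick way to see which internal hosts currently have ports opened through NAT-PMP. The following is an added example, not MikroTik code: it parses the text of `/ip firewall nat print` as shown above, keeps only dynamic (`D`) rules whose comment starts with `nat-pmp`, and summarizes the exposed protocol/port pairs per client, flagging any rule whose `to-addresses` does not match the client named in the comment. The embedded sample output is constructed after the page's example; the comment format `nat-pmp <client>: <label>` is assumed from that example only.

```python
"""Audit helper: list dynamic NAT-PMP mappings from RouterOS `/ip firewall nat print` text.

Added example, not MikroTik code. SAMPLE_OUTPUT is constructed after the page's example.
"""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether1

 1 D ;;; nat-pmp 192.168.88.10: ApplicationX
     chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=55000 protocol=tcp dst-address=10.0.0.1 in-interface=ether1 dst-port=55000

 2 D ;;; nat-pmp 192.168.88.10: ApplicationX
     chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=55000 protocol=udp dst-address=10.0.0.1 in-interface=ether1 dst-port=55000
"""

# " 1 D ;;; comment" or " 0   key=value ...": rule number, optional flag letters, remainder
RULE_HEADER = re.compile(r"^\s*(\d+)\s+((?:[XID]\s+)*)(.*)$")
KEY_VALUE = re.compile(r"(\S+?)=(\S+)")
# Comment layout assumed from the page's example: "nat-pmp <client-ip>: <label>"
NATPMP_COMMENT = re.compile(r"^nat-pmp\s+(\d{1,3}(?:\.\d{1,3}){3}):\s*(.*)$")


def parse_nat_print(text: str) -> List[Dict]:
    """Split the print output into rules with id, flag set, comment and key=value properties."""
    rules: List[Dict] = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = RULE_HEADER.match(line)
        if m:
            num, flags, rest = m.groups()
            current = {"id": int(num), "flags": set(flags.split()), "comment": None, "props": {}}
            rules.append(current)
        elif current is None:
            continue  # continuation line before any rule header: ignore
        else:
            rest = line
        rest = rest.strip()
        if rest.startswith(";;;"):
            current["comment"] = rest[3:].strip()
        else:
            current["props"].update(KEY_VALUE.findall(rest))
    return rules


def natpmp_mappings(rules: List[Dict]) -> List[Dict]:
    """Keep dynamic rules created by NAT-PMP and normalise them into mapping records."""
    out = []
    for rule in rules:
        if "D" not in rule["flags"] or not rule["comment"]:
            continue
        m = NATPMP_COMMENT.match(rule["comment"])
        if not m:
            continue
        client, label = m.groups()
        p = rule["props"]
        out.append({
            "rule_id": rule["id"],
            "client": client,
            "label": label,
            "protocol": p.get("protocol"),
            "external_ip": p.get("dst-address"),
            "external_port": p.get("dst-port"),
            "internal_port": p.get("to-ports"),
            "in_interface": p.get("in-interface"),
            # the rule should deliver traffic to the very host named in the comment
            "consistent": p.get("action") == "dst-nat" and p.get("to-addresses") == client,
        })
    return out


def summarize_by_client(mappings: List[Dict]) -> Dict[str, List[str]]:
    """client IP -> sorted list of 'protocol/external-port' currently reachable from outside."""
    summary: Dict[str, List[str]] = {}
    for m in mappings:
        summary.setdefault(m["client"], []).append("%s/%s" % (m["protocol"], m["external_port"]))
    return {client: sorted(ports) for client, ports in summary.items()}


if __name__ == "__main__":
    found = natpmp_mappings(parse_nat_print(SAMPLE_OUTPUT))
    for client, ports in summarize_by_client(found).items():
        print(client, ports)
```

Run against the live output (for example the text captured from the CLI or an SSH session), the summary gives the set of ports each LAN host has opened for itself, which is the list to compare against what the site's policy allows.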