AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
9.4.3 NAT Applications
Description
This section discusses some NAT applications and gives examples of them.
Basic NAT configuration
Assume we want to create a router that:
"hides" the private LAN "behind" one address
provides Public IP to the Local server
creates 1:1 mapping of network addresses
Example of Source NAT (Masquerading)
If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.5.8.109 given to you by the
ISP, you should use the source network address translation (masquerading) feature of the RouterOS
router. Masquerading changes the source IP address and port of packets originating from the
network 192.168.0.0/24 to the address 10.5.8.109 of the router when the packet is routed through it.
To use masquerading, add a source NAT rule with action 'masquerade' to the firewall
configuration:
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public
All outgoing connections from the network 192.168.0.0/24 will have the source address 10.5.8.109 of the
router and a source port above 1024. The Local addresses will not be reachable from the Internet.
If you want to allow connections to a server on the local network, you should use destination Network
Address Translation (NAT).
Example of Destination NAT
If you want to link the Public IP address 10.5.8.200 to the Local one 192.168.0.109, you should use the
destination address translation feature of the RouterOS router. If you also want to allow the Local server
to talk to the outside using the given Public IP, you should use source address translation, too.
Add Public IP to Public interface:
/ip address add address=10.5.8.200/32 interface=Public
Add rule allowing access to the internal server from external networks:
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109
Add rule allowing the internal server to talk to the outer networks having its source address translated to
10.5.8.200:
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
to-addresses=10.5.8.200
Example of one to one mapping
If you want to link the Public IP subnet 11.11.11.0/24 to the local one 2.2.2.0/24, you should use the
destination address translation and source address translation features with action=netmap.
/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
action=netmap to-addresses=2.2.2.1-2.2.2.254
/ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 \
action=netmap to-addresses=11.11.11.1-11.11.11.254
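An added example, not from the original guide: a Python check that reads the NAT rules from this section and flags destination NAT and netmap rules that have no protocol or dst-port matcher, since such a rule translates every connection sent to the public address. The last rule in the sample, limited to TCP port 80, is constructed for contrast, and the function names are hypothetical.

```python
import shlex

# NAT rules taken from this section, plus one constructed port-restricted rule.
EXPORT = r"""
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
    to-addresses=192.168.0.109
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
    to-addresses=10.5.8.200
/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
    action=netmap to-addresses=2.2.2.1-2.2.2.254
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.0.109
"""

def parse_nat_rules(text):
    """Join backslash-continued lines and return one key=value dict per rule."""
    joined = text.replace("\\\n", " ")
    rules = []
    for line in joined.splitlines():
        words = shlex.split(line)
        if words[:4] != ["/ip", "firewall", "nat", "add"]:
            continue  # blank line or a command this check does not cover
        rules.append(dict(w.split("=", 1) for w in words[4:] if "=" in w))
    return rules

def audit(rules):
    """Return (rule, finding) pairs for inbound translations with no service limit."""
    findings = []
    for rule in rules:
        inbound = (rule.get("chain") == "dstnat"
                   and rule.get("action") in ("dst-nat", "netmap"))
        if not inbound:
            continue  # srcnat and masquerade rules only affect outgoing traffic
        target = rule.get("to-addresses", "?")
        if "protocol" not in rule:
            findings.append((rule, "all protocols and ports reach " + target))
        elif rule["protocol"] in ("tcp", "udp") and "dst-port" not in rule:
            findings.append((rule, "every %s port reaches %s" % (rule["protocol"], target)))
    return findings

if __name__ == "__main__":
    for rule, why in audit(parse_nat_rules(EXPORT)):
        print(rule.get("dst-address", "any"), "->", why)
```

Rules that are flagged still pass through the router's filter rules, so the findings mark where a filter rule or a narrower NAT matcher should be reviewed.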