Basic NAT Masquerade Configuration

TL;DR (Quick Start)
For the impatient: here's the 30-second version.

# Basic masquerade for internet access
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

Overview
This guide demonstrates how to configure NAT masquerade on MikroTik RouterOS so that devices on the internal network can reach the internet through the router.
Prerequisites
- A MikroTik router running RouterOS 7.x or later
- Access to the router via SSH, WinBox, or WebFig
Configuration Steps

Step 1: Add Masquerade Rule for Outgoing Traffic
Configure masquerade NAT for traffic leaving through ether1 (the WAN interface):

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 comment="Masquerade for WAN"

Step 2: Add Source NAT for Specific Network
Add a masquerade rule specifically for the LAN subnet:

/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.88.0/24 comment="Masquerade LAN network"

Step 3: Add Destination NAT (Port Forward)
Forward external port 8080 to an internal web server:

/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=8080 to-addresses=192.168.88.100 to-ports=80 comment="Port forward to webserver"
Verification

Check 1: NAT Rules

/ip firewall nat print

Expected Output:

Flags: X - disabled, I - invalid, D - dynamic
 0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" comment="Masquerade for WAN"
 1 chain=srcnat action=masquerade src-address=192.168.88.0/24 log=no log-prefix="" comment="Masquerade LAN network"
 2 chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=80 protocol=tcp dst-port=8080 log=no log-prefix="" comment="Port forward to webserver"

Check 2: Connection Tracking

/ip firewall connection print where nat-dst-address!=""

Expected Output (when traffic is flowing):

Flags: S - seen-reply, A - assured
 #    PROTOCOL SRC-ADDRESS          DST-ADDRESS          TCP-STATE
 0 SA tcp      203.0.113.50:54321   192.168.88.100:80    established
Troubleshooting

Problem: Internal devices can't access the internet
Symptoms: LAN devices cannot reach external websites or services.
Causes & Solutions:
- Wrong out-interface: verify that the interface name matches your WAN interface:
/interface print where running
/ip firewall nat print
Ensure the out-interface in your masquerade rule matches your actual WAN interface.
- Missing default route: check the routing table:
/ip route print where dst-address=0.0.0.0/0
You need a default gateway pointing to your ISP.
- Firewall blocking traffic: check the forward chain:
/ip firewall filter print where chain=forward
Ensure LAN-to-WAN traffic is not being dropped.
Problem: Port forward not working
Symptoms: External users cannot reach internal services via the port forward.
Causes & Solutions:
- ISP blocking the port: try a different port number to test.
- Firewall rule missing: NAT changes the destination, but the firewall filter still applies to the translated packet:
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=80 dst-address=192.168.88.100
- NAT rule order: ensure dstnat rules come before masquerade in the chain.
Problem: Hairpin NAT not working
Symptoms: Internal devices can't access the internal server using the external IP.
Causes & Solutions:
- A srcnat rule is needed for internal traffic that is port-forwarded back into the LAN:
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.100 protocol=tcp dst-port=80 action=masquerade
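To see why Steps 1 and 3 alone are not enough for the hairpin case, the following Python model (an added example, not RouterOS code or anything from the page) walks a packet through the page's three rules in RouterOS order: dstnat before the routing decision, srcnat after it. The router addresses, the two-entry routing table and the packet tuples are constructed assumptions.

```python
import ipaddress

# Constructed topology for this walkthrough (not from the page): the router's own
# address on each interface, and a two-entry routing table (LAN prefix, default).
ROUTER_IP = {"ether1": "203.0.113.1", "bridge": "192.168.88.1"}
LAN = ipaddress.ip_network("192.168.88.0/24")

# The rules from Step 1, Step 3 and the hairpin fix, in the order they were added.
RULES = [
    {"chain": "srcnat", "action": "masquerade", "out-interface": "ether1"},               # Step 1
    {"chain": "dstnat", "action": "dst-nat", "protocol": "tcp", "dst-port": 8080,
     "to-addresses": "192.168.88.100", "to-ports": 80},                                  # Step 3
    {"chain": "srcnat", "action": "masquerade", "src-address": "192.168.88.0/24",
     "dst-address": "192.168.88.100", "protocol": "tcp", "dst-port": 80},              # hairpin fix
]

def route(dst):
    """Simplified routing decision: LAN prefix via bridge, everything else via ether1."""
    return "bridge" if ipaddress.ip_address(dst) in LAN else "ether1"

def matches(rule, pkt, out_if):
    """A rule matches when every matcher it carries fits the packet; absent matchers match anything."""
    return all((
        rule.get("protocol", pkt["proto"]) == pkt["proto"],
        rule.get("dst-port", pkt["dport"]) == pkt["dport"],
        rule.get("out-interface", out_if) == out_if,
        ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0")),
        ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.get("dst-address", "0.0.0.0/0")),
    ))

def translate(pkt, rules):
    """Apply dstnat before routing and srcnat after it; first matching rule per chain wins."""
    pkt = dict(pkt)
    for r in rules:
        if r["chain"] == "dstnat" and r["action"] == "dst-nat" and matches(r, pkt, None):
            pkt["dst"], pkt["dport"] = r["to-addresses"], r.get("to-ports", pkt["dport"])
            break
    out_if = route(pkt["dst"])  # routing is decided on the already-rewritten destination
    for r in rules:
        if r["chain"] == "srcnat" and r["action"] == "masquerade" and matches(r, pkt, out_if):
            pkt["src"] = ROUTER_IP[out_if]  # masquerade: source becomes the out-interface address
            break
    return pkt

if __name__ == "__main__":
    lan_client = {"src": "192.168.88.10", "dst": "203.0.113.1", "proto": "tcp", "dport": 8080}
    print("hairpin with fix:   ", translate(lan_client, RULES))
    print("hairpin without fix:", translate(lan_client, RULES[:2]))
```

Without the hairpin rule the LAN client's source address is left untouched, so the server answers it directly on the LAN and the reply never passes back through the NAT state. The model also shows that the page's dst-nat rule, having no dst-address or in-interface matcher, rewrites any TCP/8080 connection from the LAN to any outside host; scoping it with dst-address=<your WAN address> or in-interface=ether1 confines it to traffic arriving from the internet.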
Problem: Connection tracking table full
Symptoms: New connections fail, and logs show "nf_conntrack: table full".
Causes & Solutions:
- Increase the tracking limit:
/ip firewall connection tracking set max-entries=65536
- Reduce timeouts for idle connections:
/ip firewall connection tracking set tcp-established-timeout=1d
Related Topics

Prerequisites
- IP Address Configuration - interfaces need IPs before NAT
- Static Routes - routing must be configured for NAT to work

Related Firewall Topics
- Firewall Filter Basics - packet filtering (runs after NAT)
- Firewall Mangle - packet marking for advanced NAT scenarios
- Address Lists - manage IP groups for NAT rules

Services That Need NAT
- DHCP Server - LAN clients need NAT for internet access
- DHCP Relay - relay traffic may need NAT exceptions