NAT rules explained with examples

Hi guys!
I got my hands on an 1100AHx2 (RouterOS 6.47) after the company I work for replaced it (I'm not working in the IT department, but they know I'm interested in it and let me "play" with some of the devices; it's just self-learning), but the IT guy is not the "sit down and explain it" type of guy.
They left the configuration on the device and I'm currently trying to understand the /IP FIREWALL NAT rules.
There are a lot of rules on the device, and I do not understand all of them. Can you explain them? (not the real IPs, VLAN names, or interface names)
First the network:

  • ethernet1: internet access with public address 50.50.50.3
  • ethernet2: (vlan) DEV 192.168.0.0/24 (router address .254)
  • ethernet3: (vlan) SERVER 192.168.2.0/24

192.168.2.32 → server for Virtual machines

Example 1: does this mean that everything coming from the private Src.address is changed to the "to addresses" IP? Access to the internet?

action    chain    Src.address      to addresses
src-nat   srcnat   192.168.0.0/24   50.50.50.3

Example 2: I am not completely understanding this one. What does it mean? I know that the 192.168.0.200 IP address is a VIRTUAL MACHINE which can be found on the 192.168.2.32 server.
Something like this? Because the server can be found on a different ethernet, it needs NAT. The PC on the LAN thinks this server can be found on the private address 50.50.50.2?
a) PC with 192.168.0.10 sends a packet to 50.50.50.2 with port 666
b) Router changes the 192.168.0.10 to 192.168.0.254 (its own IP address)
c) Router changes the 50.50.50.2 to 192.168.0.200
d) SERVER replies with SRC: 192.168.0.200 and DST: 192.168.0.254
e) Router changes the SRC to 50.50.50.2 and the DST to 192.168.0.10
Is this correct?

action       chain    Src.address      Dst. Address    to addresses   dst.port
masquerade   srcnat   192.168.0.0/24   192.168.0.200                  666

Example 3: does this mean that when an incoming connection requests port 666 with destination address 50.50.50.3, the dst address is changed to the "to addresses" IP?

action    chain    Src.address   Dst. Address   to addresses    dst.port
dst-nat   dstnat                 50.50.50.3     192.168.0.200   666

Example 4: does this mean that when an incoming connection from 79.79.79.79 requests port 666 with destination address 50.50.50.3, the dst address is changed to the "to addresses" IP?

action    chain    Src.address   Dst. Address   to addresses    dst.port
dst-nat   dstnat   79.79.79.79   50.50.50.3     192.168.0.200   666

You are correct in all explanations.
The 2nd is related to the 3rd: hairpin NAT, needed if clients in the same subnet should connect to the server using the public IP.
https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT
The 3rd and 4th are almost the same; the 4th rule restricts access to only that src-address.

Thanks for the answer, and what about this sequence of NAT rules? If a packet comes from the 192.168.0.0/24 network, it will always match the first rule. What am I missing here? Why do we need the second and third rules?

first rule:

action    chain    Src.address      Dst. Address   to addresses
src-nat   srcnat   192.168.0.0/24                  50.50.50.3

second rule:

action       chain    Src.address      Dst. Address   to addresses   protocol
masquerade   srcnat   192.168.0.0/24   192.168.0.15                  tcp

third rule:

action       chain    Src.address      Dst. Address   to addresses   protocol
masquerade   srcnat   192.168.0.0/24   192.168.0.52                  tcp

Unless the requirements are known, it's not easy to decipher the purpose of any of the rules in MT because there are many ways to accomplish goals. I personally spend time here trying to sort out people's problems using the MT and not hand-holding for curiosity's sake :wink:
Your best bet is to buy some of the books that are available and also start with these two YouTube series… to get going.
https://www.youtube.com/channel/UC_vCR9AyLDxOlexICys6z4w
https://www.youtube.com/channel/UCIHIxCpBGe64YHLUM59zy_Q

I agree. It is extremely difficult to understand the code of another programmer, especially when this code is not canonical.

The order of rules matters. The hairpin NAT rules (2. and 3.) should be placed before the src-nat-all-LAN rule (1.).
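To make the hairpin walk-through (example 2) and the rule-order point concrete, here is an added Python model of how RouterOS evaluates the NAT chains. It is not MikroTik code and not from the thread's router export: it assumes the dstnat chain runs first (prerouting), the srcnat chain runs afterwards on the already-rewritten destination (postrouting), the first matching rule in each chain wins, and masquerade substitutes the router's address on the outgoing interface. The rules, addresses and the sample packet are taken from the tables in the thread; the 192.168.2.254 address on ethernet3 is an assumption, and connection tracking and the reply path are not modelled.

```python
"""Toy model of RouterOS NAT chain evaluation (added example, not MikroTik code).

dstnat chain first (prerouting), then srcnat chain (postrouting); in each chain
the first matching rule wins and later rules are never consulted.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Router's own addresses per interface, from the thread (ether3 address is assumed).
ROUTER_ADDRS = {
    "ether1": "50.50.50.3",      # public address on the internet uplink
    "ether2": "192.168.0.254",   # DEV VLAN
    "ether3": "192.168.2.254",   # SERVER VLAN, address assumed for the example
}
# Minimal routing table: connected networks, everything else via ether1.
ROUTES = [
    (ip_network("192.168.0.0/24"), "ether2"),
    (ip_network("192.168.2.0/24"), "ether3"),
]


def out_interface(dst: str) -> str:
    for net, iface in ROUTES:
        if ip_address(dst) in net:
            return iface
    return "ether1"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    chain: str
    action: str
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    to_addresses: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        # Every set matcher must agree; unset matchers are wildcards, as in RouterOS.
        if self.src_address and ip_address(pkt.src) not in ip_network(self.src_address, strict=False):
            return False
        if self.dst_address and ip_address(pkt.dst) not in ip_network(self.dst_address, strict=False):
            return False
        if self.dst_port is not None and pkt.dport != self.dst_port:
            return False
        if self.protocol and pkt.proto != self.protocol:
            return False
        return True


def run_chain(chain: str, rules, pkt: Packet):
    """Walk one chain in order; first match wins. Returns (packet, matched rule or None)."""
    for rule in rules:
        if rule.chain != chain or not rule.matches(pkt):
            continue
        if rule.action == "dst-nat":
            return replace(pkt, dst=rule.to_addresses), rule
        if rule.action == "src-nat":
            return replace(pkt, src=rule.to_addresses), rule
        if rule.action == "masquerade":
            # masquerade: source becomes the router's address on the outgoing interface
            return replace(pkt, src=ROUTER_ADDRS[out_interface(pkt.dst)]), rule
        raise ValueError(f"unknown action {rule.action}")
    return pkt, None


def translate(rules, pkt: Packet):
    """dstnat (prerouting) first, then srcnat (postrouting) on the rewritten destination."""
    pkt, d = run_chain("dstnat", rules, pkt)
    pkt, s = run_chain("srcnat", rules, pkt)
    return pkt, d, s


def thread_rules(hairpin_first: bool):
    """Rules 1-3 from the thread; hairpin_first controls the srcnat ordering."""
    nat_all = Rule("srcnat", "src-nat", src_address="192.168.0.0/24",
                   to_addresses="50.50.50.3", comment="rule 1")
    hairpin = Rule("srcnat", "masquerade", src_address="192.168.0.0/24",
                   dst_address="192.168.0.200", dst_port=666, comment="rule 2 (hairpin)")
    port_fwd = Rule("dstnat", "dst-nat", dst_address="50.50.50.3", dst_port=666,
                    to_addresses="192.168.0.200", comment="rule 3")
    return [port_fwd] + ([hairpin, nat_all] if hairpin_first else [nat_all, hairpin])


def hairpin_demo(hairpin_first: bool):
    """LAN PC (step a of the walk-through) connects to the public address on port 666."""
    out, d, s = translate(thread_rules(hairpin_first), Packet("192.168.0.10", "50.50.50.3", 666))
    return out.src, out.dst, d.comment if d else None, s.comment if s else None


def internet_demo():
    """Ordinary LAN-to-internet traffic (constructed TEST-NET destination) only hits rule 1."""
    out, d, s = translate(thread_rules(True), Packet("192.168.0.10", "203.0.113.10", 443))
    return out.src, out.dst, d.comment if d else None, s.comment if s else None


if __name__ == "__main__":
    print("thread order :", hairpin_demo(False))
    print("hairpin first:", hairpin_demo(True))
    print("internet     :", internet_demo())
```

With the thread's order, rule 3 rewrites the destination to the VM, but the srcnat chain stops at rule 1 and rule 2 is never reached, which is exactly why it appeared redundant. With the hairpin rule first, the same packet leaves with source 192.168.0.254, the router's DEV VLAN address, matching step b) of the walk-through; internet-bound traffic is unaffected by the reordering because rule 2 only matches destination 192.168.0.200.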