Show NAT translation table

RouterOS Beginner Basics
1

Is it possible to show the currently active NAT translation table?
Not the rules that govern the NAT, but the active connections and how they are translated.

I know I can view the connections in the firewall but it has no column indicating if it is a NATted connection and what
are the translated addresses/ports.

(I am trying to debug a config issue in a complicated configuration. I can trace the translated packets going out to
internet and see the replies coming back, but I don’t see the translated replies on the inside interface. I wonder if
the NAT translation is OK and where else the replies can get lost. I don’t see drops in the Firewall rules)

Game NAT issues on routed public IP connections
firewall vs nat packet flow
2

Use /ip firewall connection print detail - if the reply-src-address is different to dst-address (or reply-dst-address is different to src-address) then its NATing.

3

Ok thanks! That was the table I was looking for. It apparently exists only in the command mode, not in the web if.
Unfortunately I have not located my problem yet, as the NAT entry appears there but I don’t receive the replies, but at
least I know what I don’t need to look into (the NAT accept/masquerade rules).

4

Try other options than “detail”

append –
as-value –
brief – Displays brief description
count-only – Shows only the count of special login users
detail – Displays detailed information
file – Print the content of the submenu into specific file
follow –
follow-only –
from –
interval – Displays information and refreshes it in selected time interval
terse – Show details in compact and machine friendly format
value-list – Show properties one per line
where –
without-paging – Displays information in one piece

5

I located the problem, which was caused by a missing IP rule entry.
I would not think it was necessary. Apparently a packet returned from a NATted destination is looked up in
the IP rules matching an entry with DESTINATION address equal to the SOURCE of the returned packet
(which is the DESTINATION of th originally sent packet)

I don’t know if this is a bug, but I could work around it by adding another rule matching the local network as
a destination.

6

Latest RouterOS now shows the NAT status in the /ip firewall connections print output.