Community discussions

MikroTik App
just joined
Topic Author
Posts: 2
Joined: Wed Feb 17, 2021 5:16 pm

1:1 NAT (private to private)

Wed Feb 17, 2021 6:16 pm

Hello folks!

I got a request from a friend that is using an RB951G-2HnD MikroTik to help with the configuration to allow access to his application hosted in the machine through VPN IPsec site-to-site. But I am coming from Layer 2 world with Layer 3 awareness + never really used MikroTik devices so I want to make sure that I understand the topic well before I recommend doing something. You may wonder why I put 1:1 NAT in the topic name but talking about VPN so let me explain:

FYI, I am posting changed IPs, interface names, etc. for security reasons.

They are having the following interfaces configured:


WAN1 and WAN2 are fed from two different ISP vendors where "1" is active and "2" is standby (failover).

The local machine is within the LAN network and has an IP The whole LAN subnet is defined by

The VPN provider informed that they cannot build the connection as they are already using the network and asked if the NAT 1:1 can be performed to translate this local machine.

They proposed using the network and port 64123. Then they will build VPN IPSec Site-to-Site where LAN Address Pool will be on the user side and on the VPN Provider side.

Let's say we want to map the to So based on the official wiki the correct commands in this case would be:
/ip firewall nat add chain=dstnat dst-address= dst-port=64123 protocol=tcp action=netmap to-addresses= to-port 64123
/ip firewall nat add chain=srcnat src-address= dst-port=64123 protocol=tcp action=netmap to-addresses= to-port 64123
Is that enough or any additional configuration is needed? I am focusing on the NAT settings as I believe building VPN IPSec Site-to-Site service will be handled after building that 1:1 NAT configuration.

Please let me know if I am missing anything important here and feel free to shoot me with any docs/video/examples.

So far I have been reading this wiki.

Appreciate your help. Thanks.
just joined
Topic Author
Posts: 2
Joined: Wed Feb 17, 2021 5:16 pm

Re: 1:1 NAT (private to private)

Fri Feb 19, 2021 2:22 pm

Not sure if I am allowed to post under post but wanted to bump this thread.

The VPN connection is established but host cannot be reached from the VPN ISP side. Should I use dst-nat instead of netmap? Do I need to create any logical subnet of 172.16.x.X before it can be used in a NAT rule?

Thank you.

Who is online

Users browsing this forum: Majestic-12 [Bot], Moba, mommish and 54 guests