Hy guys!
I got my hand an 1100AHx2 (routerOS 6.47) after the company I work replaced it (I'm not working at the IT department, but they know I’m interested in it and let me "play" with some of the device, it’s just self-learning) but The IT guy not the “sit down and explain it” type of guy.
They let the configuration on the device and I’m currently trying to understand the /IP FIREWALL NAT rules.
There is a lot of rules on the device, and I do not understand all, can you explain them? (not real IPs, vlan names, interface names)
First the network:

• ethernet1: internet access with public address 50.50.50.3

• ethernet2: (vlan) DEV 192.168.0.0/24 (router address .254)

• ethernet3(vlan) SERVER 192.168.2.0/24

192.168.2.32 --> server for Virtual machines

1. example: is this means everything from Src.address private ip changes “to addresses” private IP? Access to the internet?
2.example: I am not completely understanding this one. What does it mean? I know that the 192.168.0.200 IP address is a VIRTUAL MACHINE which can be find on the 192.168.2.32 server.
Something like this:? Because the server can be found on different ethernet it needs a NAT. The PC on the LAN thinks this server can be find on the private address 50.50.50.2 ?
a) PC with 192.168.0.10 send a packet to 50.50.50.2 with port 666
b) Router changes the 192.168.0.10 to 192.168.0.254 (it’s own IP address)
c) Router changes the 50.50.50.2 to 192.168.0.200
d) SERVER reply with SRC: 192.168.0.200 and DST: 192.168.0.254
e) Router changes the SRC to 50.50.50.2 and the DST to 192.168.0.10
Is this correct?
3.example: is this means when an incoming connection requests port 666 with destination address 50.50.50.3, change the dst address "to addresses"?

4. example: is this means when an incoming connection requests with 79.79.79.79 port 666 with destination address 50.50.50.3, change the dst address "to addresses"?

You are correct in all explanations.
2nd is related to 3rd, hairpin NAT, needed if clients should connect server in same subnet, using public IP.
https://help.mikrotik.com/docs/display/ ... HairpinNAT
3rd and 4th are almost the same, 4th rule restricts access only from src-address

thanks for answer, and what about these sequence of nat rules? If a packet coming from 192.168.0.0/24 network it will be always match with the first rule. What I am missing here? Why we need the second and third rule?



first rule:
second rule:
third rule

Unless the requirements are known, its not easy to decipher the purpose of any of the rules in MT because there are many ways to accomplish goals. I personally spend time here trying to sort out peoples problems using the MT and not hand holding for curiousity sake ;-)
Your best bet is to buy some books that are available and also start with these two youtube series....... to get going.
https://www.youtube.com/channel/UC_vCR9 ... exICys6z4w
https://www.youtube.com/channel/UCIHIxC ... HLUM59zy_Q

I agree. It is extremely difficult to understand the code of another programmer, especially when this code is not canonical.

The order of rules matters. Hairpin NAT rules (2. and 3.) should be before src nat all LAN rule (1.).