Network Address Translation (NAT) is a vital mechanism in computer networking. It allows multiple devices to share a single public IP address, improves security and helps manage the shortage of IPv4 addresses.
At the end of the article you will find a short test that will allow you to assess the knowledge you have gained from this reading.
Scenario
Imagine an office with several employees using Internet-connected devices. Without NAT, each device would require its own public IP address. With NAT, however, all devices can share a single public IP address, saving addresses and simplifying network management.
Types of IP addresses
To understand how NAT works, it is important to know the types of IP addresses involved in the process.
- First, there are the private IP addresses, assigned to each device within the internal network.
- Second, there are public IP addresses, used to communicate with external devices over the Internet.
NAT acts as an intermediary, translating private IP addresses into public IP addresses and vice versa.
Example to illustrate the process
Suppose an employee wants to access a web page from his or her computer.
- The computer sends a request with its private IP address as the source.
- The NAT device, upon receiving the request, translates it by replacing the private source IP address with the public IP address assigned to the router.
- In this way, the request reaches the web server with the public IP address as the source.
- When the server responds, the response is sent to the public IP address.
- NAT kicks in again and translates the public IP address back to the corresponding private IP address, allowing the computer to receive the response.
It is essential to note that there are different types of NAT:
- static NAT
- dynamic NAT
- Port Address Translation (PAT).
Each of them has its own characteristics and specific applications.
For example, static NAT assigns a unique public IP address to each private IP address, while dynamic NAT assigns public IP addresses from a pool on a rotating basis.
PAT, in turn, allows multiple devices to share a single public IP address by translating port numbers rather than relying on a one-to-one mapping of IP addresses.
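To make the request/response sequence and the PAT idea concrete, here is a small Python model of a PAT router with a translation table, written for this article and not taken from it or from RouterOS. It reuses the article's public address 203.0.113.2 and internal web server 192.168.1.100; the remote hosts 198.51.100.x are constructed documentation addresses, and the starting public port 40000 is an arbitrary assumption. Inbound packets that match neither an existing outbound flow nor an explicit port-forward rule are dropped, which is the security effect the text refers to. Real routers also track connection state and expire idle entries, which this model leaves out.

```python
"""Toy model of Port Address Translation (PAT) plus a destination-NAT port forward.

Constructed example: 203.0.113.2 (public IP) and 192.168.1.100 (internal web
server) follow the article; the 198.51.100.x hosts are made-up remote peers.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        # Assumption: public source ports are handed out sequentially starting at
        # first_public_port; real implementations choose them differently.
        self._next_port = itertools.count(first_public_port)
        # outbound flow (private ip, private port, remote ip, remote port) -> public port
        self.outbound = {}
        # public port -> (private ip, private port, remote ip, remote port)
        # The remote endpoint is stored so only the peer we talked to may reply.
        self.inbound = {}
        # dst-nat rules: public port -> (internal ip, internal port)
        self.forwards = {}

    def add_dst_nat(self, public_port, internal_ip, internal_port):
        """Expose an internal service, like the article's dst-nat rule."""
        self.forwards[public_port] = (internal_ip, internal_port)

    def translate_outbound(self, pkt):
        """LAN -> Internet: rewrite the private source to public_ip:public_port."""
        # A reply from a port-forwarded server must leave with the public port
        # that the outside client originally addressed.
        for public_port, target in self.forwards.items():
            if target == (pkt.src_ip, pkt.src_port):
                return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            public_port = next(self._next_port)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Internet -> LAN: map the public destination back to a private host.

        Returns None (packet dropped) when the packet matches neither an
        existing flow from the same remote peer nor a dst-nat rule.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is not None and entry[2:] == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        forward = self.forwards.get(pkt.dst_port)
        if forward is not None:
            return Packet(pkt.src_ip, pkt.src_port, forward[0], forward[1])
        return None


if __name__ == "__main__":
    nat = PatRouter("203.0.113.2")
    nat.add_dst_nat(80, "192.168.1.100", 80)
    # Two office PCs open connections to the same web server (constructed peer).
    for pc in ("192.168.1.10", "192.168.1.11"):
        out = nat.translate_outbound(Packet(pc, 51000, "198.51.100.7", 443))
        print("outbound", pc, "->", out)
        back = nat.translate_inbound(Packet("198.51.100.7", 443, "203.0.113.2", out.src_port))
        print("reply   ", out.src_port, "->", back)
    # An unrelated host probing a random port gets nothing.
    print("unsolicited ->", nat.translate_inbound(Packet("198.51.100.9", 1234, "203.0.113.2", 40002)))
    # The published web server is reachable through the port forward.
    print("port 80 ->", nat.translate_inbound(Packet("198.51.100.9", 1234, "203.0.113.2", 80)))
```

Running the script prints each step of the sequence described above: the two PCs share one public address but receive distinct public ports, each reply is routed back to the right PC, and a packet to an unmapped port is dropped while port 80 is delivered to the internal server.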
Bottom line
By allowing multiple devices to share a single public IP address, NAT optimizes the use of IPv4 addresses and improves the security of internal networks.
Additionally, its ability to translate private IP addresses into public ones and vice versa enables communication between internal and external devices, ensuring an efficient and seamless user experience.
How to implement NAT with MikroTik RouterOS
Next, we explain in detail how to implement NAT on a MikroTik device running RouterOS.
1.- Access the RouterOS interface
First, you must access the administration interface of your MikroTik device. You can do this using the “Winbox” graphical tool in Windows, or through the web interface.
2.- Navigate to the NAT configuration
Once inside the RouterOS interface, go to the “IP” section in the main menu and select “Firewall”. Here you will find several tabs, including “NAT”.
3.- Add a new NAT rule
Click the “Add” button (symbolized by a “+” sign) to create a new NAT rule. A configuration window will open where you can define the rule properties.
4.- Define the chain and the action
In the rule configuration window, select the appropriate chain, which is “srcnat” for source NAT or “dstnat” for destination NAT. Next, choose the action you want to perform, such as “masquerade” for source NAT or “dst-nat” (destination address translation) for destination NAT.
5.- Establish the conditions of the rule
At this stage, you must specify the conditions under which the NAT rule will be applied. For example, if you want to apply source NAT to traffic leaving your internal network for the Internet, set “Out. Interface” to the WAN interface and “Src. Address” to the range of private IP addresses on your internal network.
6.- Configure address and port translation
If you are configuring destination NAT, you need to specify how IP addresses and port numbers should be translated. On the “Action” tab, select “dst-nat” as the action, and then set the “To Addresses” and “To Ports” as necessary.
7.- Save and apply the rule
Once you have configured all the necessary parameters, click “OK” to save the rule. The new NAT rule will appear in the list of rules in the “NAT” tab of the firewall.
8.- Verify and monitor the rule
To ensure that the NAT rule is working correctly, check the traffic passing through the rule and review the statistics RouterOS provides for it (the per-rule packet and byte counters). If necessary, adjust the rule settings to improve its performance or troubleshoot issues.
Configuration on a MikroTik router with the command line
Here is an example of how to configure source NAT (masquerade) on a MikroTik device using the command line. This configuration allows devices on the internal network to access the Internet using the public IP address assigned to the MikroTik router.
Suppose the WAN interface (Internet connection) is “ether1” and the private IP address range of the internal network is “192.168.1.0/24”. The source NAT configuration (masquerade) would look like this:
# Log in to the MikroTik router terminal
[admin@MikroTik] >
# Configure the WAN interface (rename ether1 to WAN)
[admin@MikroTik] > interface set ether1 name=WAN
# Configure the IP address on the WAN interface (assuming your ISP provides a dynamic IP address)
[admin@MikroTik] > ip dhcp-client add interface=WAN disabled=no
# Configure the IP address on the LAN interface (the interface connected to the internal network)
# This assumes the internal-facing interface has already been renamed to LAN, in the same way ether1 was renamed to WAN above
[admin@MikroTik] > ip address add address=192.168.1.1/24 interface=LAN
# Add the source NAT (masquerade) rule for traffic leaving the internal network toward the Internet
[admin@MikroTik] > ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
This example configures destination NAT (dst-nat) on a MikroTik device using the command line. This configuration allows Internet users to reach an internal web server (for example, 192.168.1.100) on port 80 through the MikroTik router's public IP address.
Suppose the WAN interface is “ether1” and the public IP address assigned to the MikroTik router is “203.0.113.2”. The destination NAT configuration would look like this:
# Log in to the MikroTik router terminal
[admin@MikroTik] >
# Configure the WAN interface (rename ether1 to WAN)
[admin@MikroTik] > interface set ether1 name=WAN
# Configure the IP address on the WAN interface (assuming your ISP provides a static IP address)
[admin@MikroTik] > ip address add address=203.0.113.2/24 interface=WAN
# Add the destination NAT (dst-nat) rule for traffic entering from the Internet toward the internal web server
[admin@MikroTik] > ip firewall nat add chain=dstnat dst-address=203.0.113.2 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.100 to-ports=80
These configuration examples apply when you use the RouterOS command line. The same settings can also be applied with the “Winbox” graphical tool or the web interface, following the steps above; in either case, finish with step 8 and confirm from the rule counters that traffic is actually matching the rules you added.