College: College of Information Technology
Department: Department of Information Networks
Stage: 3
Course instructor: علاء عبد الحسين مهدي كريم
14/03/2016 22:02:27
Summary

Sub-menu: /ip firewall nat

Network Address Translation (NAT) is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there must be a NAT gateway in each natted network. The NAT gateway (NAT router) rewrites IP addresses as a packet travels from or to the LAN.

There are two types of NAT:
• source NAT or srcnat. This type of NAT is performed on packets that originate from a natted network. The NAT router replaces the private source address of an IP packet with a new public IP address as the packet travels through the router. The reverse operation is applied to the reply packets travelling in the other direction.
• destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.

Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require a TCP connection to be initiated from outside the private network, and stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT; a prominent example is the AH protocol from the IPsec suite, whose integrity check covers the IP header, so any address rewrite invalidates it. To overcome these limitations RouterOS includes a number of so-called NAT helpers that enable NAT traversal for various protocols.

Properties

action (action name; Default: accept)
Action to take if the packet is matched by the rule:
• accept - accept the packet. The packet is not passed to the next NAT rule.
• add-dst-to-address-list - add the destination address to the address list specified by the address-list parameter
• add-src-to-address-list - add the source address to the address list specified by the address-list parameter
• dst-nat - replace the destination address and/or port of an IP packet with the values specified by the to-addresses and to-ports parameters
• jump - jump to the user-defined chain specified by the value of the jump-target parameter
• log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
• masquerade - replace the source address of an IP packet with an IP address determined by the routing facility.
• netmap - create a static 1:1 mapping of one set of IP addresses to another. Often used to distribute public IP addresses to hosts on private networks
• passthrough - ignore this rule and go to the next one (useful for statistics).
• redirect - replace the destination port of an IP packet with the one specified by the to-ports parameter and the destination address with one of the router's local addresses
• return - pass control back to the chain from where the jump took place
• same - give a particular client the same source/destination IP address from the supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
• src-nat - replace the source address of an IP packet with the values specified by the to-addresses and to-ports parameters

address-list (string; Default: )
Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list

address-list-timeout (time; Default: 00:00:00)
Time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions. A value of 00:00:00 will leave the address in the address list forever

chain (name; Default: )
Specifies to which chain the rule will be added. If the input does not match the name of an already defined chain, a new chain will be created.

comment (string; Default: )
Descriptive comment for the rule.

connection-bytes (integer-integer; Default: )
Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 means infinity; for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection

connection-limit (integer,netmask; Default: )
Restrict the connection limit per address or address block

connection-mark (no-mark | string; Default: )
Matches packets marked via the mangle facility with a particular connection mark. If no-mark is set, the rule will match any unmarked connection.

connection-rate (integer 0..4294967295; Default: )
Connection Rate is a firewall matcher that allows capturing traffic based on the present speed of the connection.
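As an added example (not part of the MikroTik manual excerpt or of this lecture), the rules below put the two NAT types and several of the actions listed above into a `/ip firewall nat` configuration, including the hairpin case a port forward usually needs. The interface names (ether1 as the WAN port, bridge as the LAN interface), the LAN 192.168.88.0/24, the web server 192.168.88.10 and the RFC 5737 documentation addresses in 203.0.113.0/24 are all assumptions made for the example.

```routeros
/ip firewall nat

# srcnat: LAN hosts leaving through ether1 get the address the routing
# facility assigns to that interface. The out-interface matcher matters: a
# bare "action=masquerade" with no matcher would also rewrite router-to-LAN
# and LAN-to-LAN packets that traverse this chain.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="LAN -> Internet (assumed: ether1 is the WAN port)"

# dstnat: publish the internal web server on the public address. Matching on
# dst-address instead of in-interface=ether1 lets the same rule catch LAN
# clients that connect to the public address (hairpin case below).
add chain=dstnat dst-address=203.0.113.5 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="Internet -> web server (assumed public IP 203.0.113.5)"

# Hairpin NAT: a LAN client that reaches 203.0.113.5 is dst-natted to
# 192.168.88.10, but the server would answer the client's private address
# directly, and the client discards a reply from a peer it never contacted.
# Rewriting the source as well forces the reply back through the router.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 action=masquerade \
    comment="hairpin: LAN -> public IP -> web server"

# netmap: static 1:1 mapping of an assumed public /28 onto a private /28 in
# both directions, so each host keeps its own public identity.
add chain=dstnat dst-address=203.0.113.16/28 action=netmap \
    to-addresses=192.168.88.16-192.168.88.31 comment="1:1 public -> DMZ"
add chain=srcnat src-address=192.168.88.16/28 action=netmap \
    to-addresses=203.0.113.16-203.0.113.31 comment="1:1 DMZ -> public"

# redirect: transparently steer LAN DNS queries to the router's own resolver
# (the destination becomes one of the router's local addresses, port 53).
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="assumed: bridge is the LAN interface"

# Address-list bookkeeping: record every Internet source that touches 22/tcp
# on the WAN side; the entry expires after one day (00:00:00 would keep it
# forever). The packet itself is not accepted or dropped by this rule.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 \
    action=add-src-to-address-list address-list=ssh_probe \
    address-list-timeout=1d comment="who knocks on 22/tcp"
```

NAT rules only rewrite addresses; they do not permit traffic. The forward chain of `/ip firewall filter` must still allow connections to 192.168.88.10:443 (and the hairpin flow), or the port forward rewrites packets that are then dropped. After applying the rules, `/ip firewall nat print stats` shows which rules are matching and `/ip firewall connection print` shows the translated connections, which is the quickest way to confirm that the reverse mapping for reply packets is in place.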
The material shown above is an introduction to the lecture uploaded by the course instructor. It may appear incomplete, since the instructor sometimes uploads only the first part of the lecture so that you can preview what you will download later. The e-learning system provides this service to keep you informed about the content of the file you are about to download.