
3 nat applications, Description, Example of source nat (masquerading) – Allied Telesis AT-WR4500 User Manual


AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers


RouterOS v3 Configuration and User Guide

9.4.3 NAT Applications

Description

This section discusses some NAT applications with examples.

Basic NAT configuration

Assume we want to create a router that:
- "hides" the private LAN "behind" one address
- provides a Public IP to the Local server
- creates 1:1 mapping of network addresses

Example of Source NAT (Masquerading)

If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.5.8.109 given to you by the
ISP, you should use the source network address translation (masquerading) feature of the RouterOS
router. Masquerading changes the source IP address and port of packets originating from the
network 192.168.0.0/24 to the address 10.5.8.109 of the router when the packet is routed through it.
To use masquerading, add a source NAT rule with action 'masquerade' to the firewall
configuration:

/ip firewall nat add chain=srcnat action=masquerade out-interface=Public


All outgoing connections from the network 192.168.0.0/24 will have source address 10.5.8.109 of the
router and source port above 1024. No access from the Internet will be possible to the Local addresses.
If you want to allow connections to the server on the local network, you should use destination Network
Address Translation (NAT).

Example of Destination NAT

If you want to link Public IP address 10.5.8.200 to the Local one 192.168.0.109, you should use the
destination address translation feature of the RouterOS router. Also, if you want to allow the Local
server to talk with the outside using the given Public IP, you should use source address translation, too.

Add the Public IP to the Public interface:

/ip address add address=10.5.8.200/32 interface=Public


Add rule allowing access to the internal server from external networks:

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
    to-addresses=192.168.0.109


Add rule allowing the internal server to talk to the outer networks having its source address translated to
10.5.8.200:

/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
    to-addresses=10.5.8.200

Example of one to one mapping

If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination
address translation and source address translation features with action=netmap.

/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
    action=netmap to-addresses=2.2.2.1-2.2.2.254


/ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 \
    action=netmap to-addresses=11.11.11.1-11.11.11.254
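
The following is an added example, not part of the original manual: a Python check that parses the NAT rules from this section and flags inbound translations with no protocol= or dst-port= matcher (every port on the public address is forwarded to the internal host) and masquerade rules with no src-address= matcher. The function names and finding labels are hypothetical; protocol and dst-port are RouterOS NAT matchers that the rules on this page do not use.

```python
import shlex

# NAT rules copied from this section, in export form.
RULES = r"""
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
    to-addresses=192.168.0.109
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
    to-addresses=10.5.8.200
/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
    action=netmap to-addresses=2.2.2.1-2.2.2.254
/ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 \
    action=netmap to-addresses=11.11.11.1-11.11.11.254
"""

def parse_rules(text):
    """Join backslash-continued lines; return each 'nat add' rule as a dict."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        if line.strip().startswith("/ip firewall nat add"):
            tokens = shlex.split(line)
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def audit(rules):
    """Return (rule_index, label, detail) for rules broader than the text implies."""
    findings = []
    for i, r in enumerate(rules):
        chain, action = r.get("chain"), r.get("action")
        # Inbound translation with no protocol/port matcher forwards everything.
        if chain == "dstnat" and action in ("dst-nat", "netmap"):
            if "protocol" not in r and "dst-port" not in r:
                findings.append((i, "all-ports",
                    f"{r.get('dst-address')} -> {r.get('to-addresses')}: "
                    "no protocol/dst-port matcher"))
        # Masquerade with no src-address translates any source leaving the interface.
        if chain == "srcnat" and action == "masquerade" and "src-address" not in r:
            findings.append((i, "any-source",
                f"masquerade on {r.get('out-interface')}: not limited to the LAN subnet"))
    return findings

if __name__ == "__main__":
    for idx, label, detail in audit(parse_rules(RULES)):
        print(f"rule {idx}: [{label}] {detail}")
```

Whether a forwarded port is actually reachable still depends on the forward-chain filter rules, which this section does not show.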
