Manual:IP/Firewall/NAT: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(53 intermediate revisions by 8 users not shown)
Line 1: Line 1:
<div class=manual>
<div class=manual>


<h2>Summary</h2>
{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/NAT}}
<p><b>Sub-menu:</b> <code>/ip firewall nat</code></p>
 
==Summary==
<p id="shbox"><b>Sub-menu:</b> <code>/ip firewall nat</code></p>
<br />
<br />
<p>
Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred as natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travel from/to LAN.
Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred as natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travel from/to LAN.
<br />
</p>
<br />
 
<p>
There are two types of NAT:
There are two types of NAT:
<ul>
 
: <li> <b>source NAT or srcnat.</b> This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
<ul class="bullets">
: <li> <b>destination NAT or dstnat.</b> This type of NAT is performed on packets that are destined to the natted network. It is most comonly used to make hosts on a private network to be acceesible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network.
<li> <b>source NAT or srcnat.</b> This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
<li> <b>destination NAT or dstnat.</b> This type of NAT is performed on packets that are destined to the natted network. It is most comonly used to make hosts on a private network to be acceesible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network.
</ul>
</ul>
</p>


<br />
<p>
<br />
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT, a bold example is AH protocol from the IPsec suite.
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT, a bold example is AH protocol from the IPsec suite.
<br />
</p>
<br />
 
<p>
To overcome these limitations RouterOS includes a number of so-called [[IP/Services#Service_Ports | NAT helpers]], that enable NAT traversal for various protocols.
To overcome these limitations RouterOS includes a number of so-called [[IP/Services#Service_Ports | NAT helpers]], that enable NAT traversal for various protocols.
<br />
</p>
 
===Masquerade===
Firewall NAT <code>action=masquerade</code> is unique subversion of <code>action=srcnat</code>, it was designed for specific use in situations when public IP can randomly change, for example DHCP-server changes it, or PPPoE tunnel after disconnect gets different IP, in short - when public IP is dynamic.
 
Every time interface disconnects and/or its IP address changes, router will clear all masqueraded connection tracking entries that send packet out that interface, this way improving system recovery time after public ip address change.
 
Unfortunately this can lead to some issues when <code>action=masquerade</code> is used in setups with unstable connections/links that get routed over different link when primary is down. In such scenario following things can happen:
* on disconnect, all related connection tracking entries are purged;
* next packet from every purged (previously masqueraded) connection will come into firewall as <code>connection-state=new</code>, and, if primary interface is not back, packet will be routed out via alternative route (if you have any) thus creating new connection;
* primary link comes back, routing is restored over primary link, so packets that belong to existing connections are sent over primary interface without being masqueraded leaking local IPs to a public network.
 
You can workaround this by creating <b>blackhole</b> route as alternative to route that might disappear on disconnect).
 
When <code>action=srcnat</code> is used instead, connection tracking entries remain and connections can simply resume.


<h2>Properties</h2>
==Properties==


<table class="styled_table">
<table class="styled_table">
Line 30: Line 51:
<tr>
<tr>
     <td><var><b>action</b></var> (<em>action name</em>; Default: <b>accept</b>)</td>
     <td><var><b>action</b></var> (<em>action name</em>; Default: <b>accept</b>)</td>
     <td>Action to take if packet is matched by the rule: <ul>
     <td>Action to take if packet is matched by the rule:  
: <li> <var>accept</var> - accept the packet. Packet is not passed to next NAT rule.
<ul class="bullets">
: <li> <var>add-dst-to-address-list</var> - add destination address to [[Address list]] specified by <code>address-list</code> parameter
<li> <var>accept</var> - accept the packet. Packet is not passed to next NAT rule.
: <li> <var>add-src-to-address-list</var> - add source address to [[Address list]] specified by <code>address-list</code> parameter
<li> <var>add-dst-to-address-list</var> - add destination address to [[Address list]] specified by <code>address-list</code> parameter
: <li> <var>dst-nat</var> - replaces destination address and/or port of an IP packet to values specified by <code>to-addresses</code> and <code>to-ports</code> parameters  
<li> <var>add-src-to-address-list</var> - add source address to [[Address list]] specified by <code>address-list</code> parameter
: <li> <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter
<li> <var>dst-nat</var> - replaces destination address and/or port of an IP packet to values specified by <code>to-addresses</code> and <code>to-ports</code> parameters  
: <li> <var>log</var> - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as <code>passthrough</code>
<li> <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter
: <li> <var>masquerade</var> - replace source address of an IP packet to IP determined by routing facility.
<li> <var>log</var> - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as <code>passthrough</code>
: <li> <var>netmap</var> - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks  
<li> <var>masquerade</var> - replaces source port of an IP packet to one specified by <code>to-ports</code> parameter and replace source address of an IP packet to IP determined by routing facility. <code>[[#Masquerade | Read more >>]]</code>
: <li> <var>passthrough</var> - ignore this rule and go to next one (useful for statistics).
<li> <var>netmap</var> - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks  
: <li> <var>redirect</var> - replaces destination port of an IP packet to one specified by <code>to-ports</code> parameter
<li> <var>passthrough</var> - if packet is matched by the rule, increase counter and go to next rule (useful for statistics).
: <li> <var>return</var> - passes control back to the chain from where the jump took place
<li> <var>redirect</var> - replaces destination port of an IP packet to one specified by <code>to-ports</code> parameter and destination address to one of the router's local addresses
: <li> <var>same</var> - gives a particular client the same source/destination IP address from supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
<li> <var>return</var> - passes control back to the chain from where the jump took place
: <li> <var>src-nat</var> - replaces source address of an IP packet to values specified by <code>to-addresses</code> and <code>to-ports</code> parameters
<li> <var>same</var> - gives a particular client the same source/destination IP address from supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
<li> <var>src-nat</var> - replaces source address of an IP packet to values specified by <code>to-addresses</code> and <code>to-ports</code> parameters
</ul>
</ul>
</td>
</td>
Line 52: Line 74:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>address-list-timeout</b></var> (<em>time</em>; Default: <b>00:00:00</b>)</td>
     <td><var><b>address-list-timeout</b></var> (<em>none-dynamic | none-static | time</em>; Default: <b>none-dynamic</b>)</td>
     <td>Time interval after which the address will be removed from the address list specified by <code>address-list</code> parameter. Used in conjunction with <code>add-dst-to-address-list</code> or <code>add-src-to-address-list</code> actions<br />
     <td>Time interval after which the address will be removed from the address list specified by <code>address-list</code> parameter. Used in conjunction with <code>add-dst-to-address-list</code> or <code>add-src-to-address-list</code> actions<br />
Value of <code>00:00:00</code> will leave the address in the address list forever</td>
<ul class="bullets">
<li>Value of <var>none-dynamic</var> (<code>00:00:00</code>) will leave the address in the address list till reboot
<li>Value of <var>none-static</var> will leave the address in the address list forever and will be included in configuration export/backup
</ul></td>
</tr>
</tr>
<tr>
<tr>
<tr>
     <td><var><b>chain</b></var> (<em>name</em>; Default: <b></b>)</td>
     <td><var><b>chain</b></var> (<em>name</em>; Default: <b></b>)</td>
Line 70: Line 96:
<tr>
<tr>
     <td><var><b>connection-limit</b></var> (<em>integer,netmaks</em>; Default: <b></b>)</td>
     <td><var><b>connection-limit</b></var> (<em>integer,netmaks</em>; Default: <b></b>)</td>
     <td>Restrict connection limit per address or address block/td>
     <td>Matches connections per address or address block after given value is reached.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>connection-mark</b></var> (<em>string</em>; Default: <b></b>)</td>
     <td><var><b>connection-mark</b></var> (<em>no-mark | string</em>; Default: <b></b>)</td>
     <td>Matches packets marked via mangle facility with particular connection mark</td>
     <td>Matches packets marked via mangle facility with particular connection mark. If <b>no-mark</b> is set, rule will match any unmarked connection.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>connection-rate</b></var> (<em>Integer 0..4294967295</em>; Default: <b></b>)</td>
     <td><var><b>connection-rate</b></var> (<em>Integer 0..4294967295</em>; Default: <b></b>)</td>
     <td>Connection Rate is a firewall matcher that allow to capture traffic based on present speed of the connection. [[Connection_Rate | more>]]</td>
     <td>Connection Rate is a firewall matcher that allow to capture traffic based on present speed of the connection. <code>[[Connection_Rate | Read more>>]]</code></td>
</tr>
<tr>
    <td><var><b>connection-state</b></var> (<em>estabilished | invalid | new | related</em>; Default: <b></b>)</td>
    <td>Interprets the connection tracking analysis data for a particular packet:
<ul>
: <li> <var>established</var> - a packet which belongs to an existing connection
: <li> <var>invalid</var> - a packet which could not be identified for some reason
: <li> <var>new</var> - a packet which begins a new connection
: <li> <var>related</var> - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection
</ul>
</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>connection-type</b></var> (<em>ftp | h323 | irc | pptp | quake3 | sip | tftp</em>; Default: <b></b>)</td>
     <td><var><b>connection-type</b></var> (<em>ftp | h323 | irc | pptp | quake3 | sip | tftp</em>; Default: <b></b>)</td>
     <td>Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under [[/ip firewall service-port]]</td>
     <td>Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under [[IP/Services#Service_Ports | /ip firewall service-port]]</td>
</tr>
</tr>
<tr>
<tr>
Line 114: Line 129:
     <td><var><b>dst-address-type</b></var> (<em>unicast | local | broadcast | multicast</em>; Default: <b></b>)</td>
     <td><var><b>dst-address-type</b></var> (<em>unicast | local | broadcast | multicast</em>; Default: <b></b>)</td>
     <td>Matches destination address type:
     <td>Matches destination address type:
<ul>
<ul class="bullets">
: <li> <var>unicast</var> - IP address used for point to point transmission
<li> <var>unicast</var> - IP address used for point to point transmission
: <li> <var>local</var> - if dst-address is assigned to one of router's interfaces
<li> <var>local</var> - if dst-address is assigned to one of router's interfaces
: <li> <var>broadcast</var> - packet is sent to all devices in subnet
<li> <var>broadcast</var> - packet is sent to all devices in subnet
: <li> <var>multicast</var> - packet is forwarded to defined group of devices
<li> <var>multicast</var> - packet is forwarded to defined group of devices
</ul>
</ul>
</td>
</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>dst-limit</b></var> (<em>integer,time,integer,dst-address | dst-port | src-address, time</em>; Default: <b></b>)</td>
     <td><var><b>dst-limit</b></var> (<em>integer[/time],integer,dst-address | dst-port | src-address[/time]</em>; Default: <b></b>)</td>
     <td>Matches packets if given pps limit is exceeded. As opposed to the <var>limit</var> matcher, every destination IP address / destination port has it's own limit. Parameters are written in following format: <code>count,time,burst,mode,expire</code>.
     <td>Matches packets until a given pps limit is exceeded. As opposed to the <var>limit</var> matcher, every destination IP address / destination port has it's own limit. Parameters are written in following format: <code>count[/time],burst,mode[/expire]</code>.
<ul>
<ul class="bullets">
:<li><b>count</b> - maximum average packet rate measured in packets per <code>time</code> interval
<li><b>count</b> - maximum average packet rate measured in packets per <code>time</code> interval
:<li><b>time</b> - specifies the time interval in which the packet rate is measured
<li><b>time</b> - specifies the time interval in which the packet rate is measured (optional)
:<li><b>burst</b> - number of packets which are not counted by packet rate
<li><b>burst</b> - number of packets which are not counted by packet rate
:<li><b>mode</b> - the classifier for packet rate limiting
<li><b>mode</b> - the classifier for packet rate limiting
:<li><b>expire</b> - specifies interval after which recored ip address /port will be deleted
<li><b>expire</b> - specifies interval after which recored ip address /port will be deleted (optional)
</ul>
</ul>
</td>
</td>
Line 144: Line 159:
<tr>
<tr>
     <td><var><b>hotspot</b></var> (<em>auth | from-client | http | local-dst | to-client</em>; Default: <b></b>)</td>
     <td><var><b>hotspot</b></var> (<em>auth | from-client | http | local-dst | to-client</em>; Default: <b></b>)</td>
     <td></td>
     <td>Matches packets received from HotSpot clients against various HotSpot matchers.
<ul class="bullets">
<li><var>auth</var> - matches authenticted HotSpot client packets</li>
<li><var>from-client</var> - matches packets that are coming from the HotSpot client</li>
<li><var>http</var> - matches HTTP requests sent to the HotSpot server</li>
<li><var>local-dst</var> - matches packets that are destined to the HotSpot server</li>
<li><var>to-client</var> - matches packets that are sent to the HotSpot client</li>
</ul>
</td>
</tr>
</tr>
<tr>
<tr>
Line 160: Line 183:
<tr>
<tr>
     <td><var><b>ingress-priority</b></var> (<em>integer: 0..63</em>; Default: <b></b>)</td>
     <td><var><b>ingress-priority</b></var> (<em>integer: 0..63</em>; Default: <b></b>)</td>
     <td>Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. [[WMM | Read more>]]</td>
     <td>Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. <code>[[WMM | Read more>>]]</code></td>
</tr>
 
<tr>
    <td><var><b>ipsec-policy</b></var> (<em>in | out, ipsec | none</em>; Default: <b></b>)</td>
    <td>Matches the policy used by IpSec. Value is written in following format: <code><b>direction, policy</b></code>. Direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.
            <ul>
            <li><var>in</var> - valid in the PREROUTING, INPUT and FORWARD chains</li>
            <li><var>out</var> - valid in the POSTROUTING, OUTPUT and FORWARD chains</li>
            </ul>
            <ul>
            <li><var>ipsec</var> - matches if the packet is subject to IpSec processing;</li>
            <li><var>none</var> - matches packet that is not subject to IpSec processing (for example, IpSec transport packet).</li>
            </ul>
            <p>For example, if router receives Ipsec encapsulated Gre packet, then rule <code>ipsec-policy=in,ipsec</code> will match Gre packet, but rule <code>ipsec-policy=in,none</code> will match ESP packet.</p></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>ipv4-options</b></var> (<em>any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp</em>; Default: <b></b>)</td>
     <td><var><b>ipv4-options</b></var> (<em>any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp</em>; Default: <b></b>)</td>
     <td>Matches IPv4 header options.
     <td>Matches IPv4 header options.
<ul>
<ul class="bullets">
: <li> <var>any</var> - match packet with at least one of the ipv4 options  
<li> <var>any</var> - match packet with at least one of the ipv4 options  
: <li> <var>loose-source-routing</var> - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source  
<li> <var>loose-source-routing</var> - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source  
: <li> <var>no-record-route</var> - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source  
<li> <var>no-record-route</var> - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source  
: <li> <var>no-router-alert</var> - match packets with no router alter option  
<li> <var>no-router-alert</var> - match packets with no router alter option  
: <li> <var>no-source-routing</var> - match packets with no source routing option  
<li> <var>no-source-routing</var> - match packets with no source routing option  
: <li> <var>no-timestamp</var> - match packets with no timestamp option  
<li> <var>no-timestamp</var> - match packets with no timestamp option  
: <li> <var>record-route</var> - match packets with record route option  
<li> <var>record-route</var> - match packets with record route option  
: <li> <var>router-alert</var> - match packets with router alter option  
<li> <var>router-alert</var> - match packets with router alter option  
: <li> <var>strict-source-routing</var> - match packets with strict source routing option  
<li> <var>strict-source-routing</var> - match packets with strict source routing option  
: <li> <var>timestamp</var> - match packets with timestamp  
<li> <var>timestamp</var> - match packets with timestamp  
</ul>
</ul>
</td>
</td>
Line 185: Line 223:
<tr>
<tr>
     <td><var><b>layer7-protocol</b></var> (<em>name</em>; Default: <b></b>)</td>
     <td><var><b>layer7-protocol</b></var> (<em>name</em>; Default: <b></b>)</td>
     <td>Layer7 filter name defined in [[layer7 protocol menu]].</td>
     <td>Layer7 filter name defined in [[M:IP/Firewall/L7 | layer7 protocol menu]].</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>limit</b></var> (<em>integer,time,integer</em>; Default: <b></b>)</td>
     <td><var><b>limit</b></var> (<em>integer,time,integer</em>; Default: <b></b>)</td>
     <td>Matches packets if given pps limit is exceeded. Parameters are written in following format: <code>count,time,burst</code>.
     <td>Matches packets until a given pps limit is exceeded. Parameters are written in following format: <code>count[/time],burst</code>.
<ul>
<ul class="bullets">
:<li><b>count</b> - maximum average packet rate measured in packets per <code>time</code> interval
<li><b>count</b> - maximum average packet rate measured in packets per <code>time</code> interval
:<li><b>time</b> - specifies the time interval in which the packet rate is measured
<li><b>time</b> - specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified)
:<li><b>burst</b> - number of packets which are not counted by packet rate
<li><b>burst</b> - number of packets which are not counted by packet rate
</ul>
</ul>
</td>
</td>
Line 203: Line 241:
<tr>
<tr>
     <td><var><b>nth</b></var> (<em>integer,integer</em>; Default: <b></b>)</td>
     <td><var><b>nth</b></var> (<em>integer,integer</em>; Default: <b></b>)</td>
     <td>Matches every nth packet. [[NTH_in_RouterOS_3.x | Read more]]</td>
     <td>Matches every nth packet. <code>[[NTH_in_RouterOS_3.x | Read more >>]]</code></td>
</tr>
</tr>
<tr>
<tr>
Line 214: Line 252:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>packet-mark</b></var> (<em>string</em>; Default: <b></b>)</td>
     <td><var><b>packet-mark</b></var> (<em>no-mark | string</em>; Default: <b></b>)</td>
     <td>Matches packets marked via mangle facility with particular packet mark</td>
     <td>Matches packets marked via mangle facility with particular packet mark. If <b>no-mark</b> is set, rule will match any unmarked packet.</td>
</tr>
</tr>
<tr>
<tr>
Line 223: Line 261:
<tr>
<tr>
     <td><var><b>per-connection-classifier</b></var> (<em>ValuesToHash:Denominator/Remainder</em>; Default: <b></b>)</td>
     <td><var><b>per-connection-classifier</b></var> (<em>ValuesToHash:Denominator/Remainder</em>; Default: <b></b>)</td>
     <td>PCC matcher allows to divide traffic into equal streams with ability to keep packets with specific set of options in one particular stream. [[PCC | Read more >>]]</td>
     <td>PCC matcher allows to divide traffic into equal streams with ability to keep packets with specific set of options in one particular stream. <code>[[PCC | Read more >>]]</code></td>
</tr>
</tr>
<tr>
<tr>
Line 235: Line 273:
<tr>
<tr>
     <td><var><b>psd</b></var> (<em>integer,time,integer,integer</em>; Default: <b></b>)</td>
     <td><var><b>psd</b></var> (<em>integer,time,integer,integer</em>; Default: <b></b>)</td>
     <td>Attempts to detect TCP and UDP scans. Parameters are in following format <code>WeightThreshold, DelayThreshold, LopPortWeight, HighPortWeight</code>
     <td>Attempts to detect TCP and UDP scans. Parameters are in following format <code>WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight</code>
<ul>
<ul class="bullets">
: <li> <b>WeightThreshold</b> - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence  
<li> <b>WeightThreshold</b> - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence  
: <li> <b>DelayThreshold</b> - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence  
<li> <b>DelayThreshold</b> - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence  
: <li> <b>LowPortWeight</b> - weight of the packets with privileged (<=1024) destination port
<li> <b>LowPortWeight</b> - weight of the packets with privileged (<1024) destination port
: <li> <b>HighPortWeight</b> - weight of the packet with non-priviliged destination port  
<li> <b>HighPortWeight</b> - weight of the packet with non-priviliged destination port  
</ul>
</ul>
</td>
</td>
Line 268: Line 306:
     <td>
     <td>
Matches source address type:
Matches source address type:
<ul>
<ul class="bullets">
: <li> <var>unicast</var> - IP address used for point to point transmission
<li> <var>unicast</var> - IP address used for point to point transmission
: <li> <var>local</var> - if address is assigned to one of router's interfaces
<li> <var>local</var> - if address is assigned to one of router's interfaces
: <li> <var>broadcast</var> - packet is sent to all devices in subnet
<li> <var>broadcast</var> - packet is sent to all devices in subnet
: <li> <var>multicast</var> - packet is forwarded to defined group of devices
<li> <var>multicast</var> - packet is forwarded to defined group of devices
</ul>
</ul>
</td>
</td>
Line 285: Line 323:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>tcp-flags</b></var> (<em>ack | cwr | ece | fin | psh | rst | syn | urg</em>; Default: <b></b>)</td>
     <td><var><b>tcp-mss</b></var> (<em>integer[-integer]: 0..65535</em>; Default: <b></b>)</td>
    <td>Matches specified TCP flags
<ul>
: <li> <var>ack</var> - acknowledging data
: <li> <var>cwr</var> - congestion window reduced
: <li> <var>ece</var> - ECN-echo flag (explicit congestion notification)
: <li> <var>fin</var> - close connection
: <li> <var>psh</var> - push function
: <li> <var>rst</var> - drop connection
: <li> <var>syn</var> - new connection
: <li> <var>urg</var> - urgent data
</ul>
</td>
</tr>
<tr>
    <td><var><b>tcp-mss</b></var> (<em>integer: 0..65535</em>; Default: <b></b>)</td>
     <td>Matches TCP MSS value of an IP packet</td>
     <td>Matches TCP MSS value of an IP packet</td>
</tr>
</tr>
Line 312: Line 335:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>to-ports</b></var> (<em>integer[-integer]: 0..255</em>; Default: <b></b>)</td>
     <td><var><b>to-ports</b></var> (<em>integer[-integer]: 0..65535</em>; Default: <b></b>)</td>
     <td>Replace original port with specified one. Applicable if action is dst-nat, redirect, netmap, same, src-nat</td>
     <td>Replace original port with specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same, src-nat</td>
</tr>
</tr>
<tr>
<tr>
Line 331: Line 354:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>bytes</b></var> (<em>integer</em>;)</td>
     <td><var><b>bytes</b></var> (<em>integer</em>)</td>
     <td>Total amount of bytes matched by the rule</td>
     <td>Total amount of bytes matched by the rule</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>packets</b></var> (<em>integer</em>;)</td>
     <td><var><b>packets</b></var> (<em>integer</em>)</td>
     <td>Total amount of packets matched by the rule</td>
     <td>Total amount of packets matched by the rule</td>
</tr>
</tr>
Line 341: Line 364:


<br />
<br />
By default <b>print</b> is equivalent to <b>print static</b> and shows only static rules.
<pre>
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats
Flags: X - disabled, I - invalid, D - dynamic
#  CHAIN              ACTION                  BYTES          PACKETS       
0  prerouting        mark-routing            17478158        127631       
1  prerouting        mark-routing            782505          4506         
</pre>
To print also dynamic rules use <b>print all</b>.
<pre>
[admin@dzeltenais_burkaans] /ip firewall mangle> print all stats
Flags: X - disabled, I - invalid, D - dynamic
#  CHAIN              ACTION                  BYTES          PACKETS       
0  prerouting        mark-routing            17478158        127631       
1  prerouting        mark-routing            782505          4506         
2 D forward            change-mss              0              0             
3 D forward            change-mss              0              0             
4 D forward            change-mss              0              0             
5 D forward            change-mss              129372          2031 
</pre>
Or to print only dynamic rules use <b>print dynamic</b>
<pre>
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats dynamic
Flags: X - disabled, I - invalid, D - dynamic
#  CHAIN              ACTION                  BYTES          PACKETS       
0 D forward            change-mss              0              0             
1 D forward            change-mss              0              0             
2 D forward            change-mss              0              0             
3 D forward            change-mss              132444          2079
</pre>
<br />
</p>
</p>


<h2>Menu specific commands</h2>
<h2>Menu specific commands</h2>
Line 352: Line 406:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>reset-counters</b></var> (<em>id</em>;)</td>
     <td><var><b>reset-counters</b></var> (<em>id</em>)</td>
     <td>Reset [[#Stats | statistics]] counters for specified firewall rules.</td>
     <td>Reset [[#Stats | statistics]] counters for specified firewall rules.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>reset-counters-all</b></var> (<em></em>;)</td>
     <td><var><b>reset-counters-all</b></var> (<em></em>)</td>
     <td>Reset [[#Stats | statistics]] counters for all firewall rules.</td>
     <td>Reset [[#Stats | statistics]] counters for all firewall rules.</td>
</tr>
</tr>
</table>
</table>


==Basic examples==
<h3>Source NAT</h3>
<h4>Masquerade</h4>
<p>
If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.5.8.109 given to you by the ISP, you should use the source network address translation (masquerading) feature of the MikroTik router. The masquerading will change the source IP address and port of the packets originated from the network 192.168.0.0/24 to the address 10.5.8.109 of the router when the packet is routed through it.
</p>
<p>
To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:
<pre>
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public
</pre>
All outgoing connections from the network 192.168.0.0/24 will have source address 10.5.8.109 of the router and source port above 1024. No access from the Internet will be possible to the Local addresses. If you want to allow connections to the server on the local network, you should use destination Network Address Translation (NAT).
</p>
<h4>Source nat to specific address</h4>
If you have multiple public IP addresses, source nat can be changed to specific IP, for example, one local subnet can be hidden behind first IP and second local subnet is masqueraded behind second IP.
<pre>
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 action=src-nat to-addresses=1.1.1.1 out-interface=Public
add chain=srcnat src-address=192.168.2.0/24 action=src-nat to-addresses=1.1.1.2 out-interface=Public
</pre>
<h3>Destination NAT</h3>
<h4>Forward all traffic to internal host</h4>
<p>
If you want to link Public IP 10.5.8.200 address to Local one 192.168.0.109, you should use destination address translation feature of the MikroTik router. Also if you want allow Local server to initiate connections to outside with given Public IP you should use source address translation, too.
</p>
<p>
Add Public IP to Public interface:
<pre>
/ip address add address=10.5.8.200/32 interface=Public 
</pre>
Add rule allowing access to the internal server from external networks:
<pre>
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109
</pre>
Add rule allowing the internal server to initate connections to the outer networks having its source address translated to 10.5.8.200:
<pre>
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
to-addresses=10.5.8.200
</pre>
</p>
<h4>Port mapping/forwarding</h4>
<p>If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, port mapping), you can do it like this:</p>
<pre>
/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234
</pre>
This rule translates to: ''when an incoming connection requests TCP port 1234, use the DST-NAT action and redirect it to local address 192.168.1.1 and the port 1234''
<h4>Port forwarding to internal FTP server</h4>
[[File:ftp-passive.png]]
<p>
As you can see from illustration above FTP uses more than one connection, but only command channel should be forwarded by Destination nat. Data channel is considered as related connection and should be accepted with "accept related" rule if you have strict firewall. Note that for related connections to be properly detected FTP helper has to be enabled.
</p>
<pre>
/ip firewall nat
add chain=dstnat dst-address=10.5.8.200 dst-port=21 protocol=tcp action=dst-nat to-addresses=192.168.0.109
</pre>
<pre>
/ip firewall filter
add chain=forward connection-state=established,related action=accept
</pre>
<p>Note that active FTP might not work if client is behind dumb firewall or NATed router, because data channel is initiated by the server and cannot directly access the client.</p>
[[File:ftp-active-fail.png]]
<p>If client is behind Mikrotik router, then make sure that FTP helper is enabled</p>
<pre>
[admin@3C22-atombumba] /ip firewall service-port> print
Flags: X - disabled, I - invalid
#  NAME                                                                PORTS
0  ftp                                                                  21 
1  tftp                                                                69 
2  irc                                                                  6667
3  h323                                                               
4  sip                                                                  5060
                                                                          5061
5  pptp                                                               
</pre>
<h3>1:1 mapping</h3>
<p>
If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.
<pre>
/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
action=netmap to-addresses=2.2.2.0/24
/ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
action=netmap to-addresses=11.11.11.0/24 
</pre>
Same can be written using different address notation, that still have to match with the described network
<pre>
/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
action=netmap to-addresses=2.2.2.0-2.2.2.255
/ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \
action=netmap to-addresses=11.11.11.0-11.11.11.255 
</pre>
</p>
<h3>Carrier-Grade NAT (CGNAT) or NAT444</h3>


<h2>Basic examples</h2>
<p>To combat IPv4 address exhaustion, new RFC 6598 was deployed. The idea is to use shared 100.64.0.0/10 address space inside carrier's network and performing NAT on carrier's edge router to sigle public IP or public IP range.</p>
<p>Because of nature of such setup it is also called NAT444, as opposed to a NAT44 network for a 'normal' NAT environment, three different IPv4 address spaces are involved.</p>
[[file:cgnat.png]]
 
CGNAT configuration on RouterOS does not differ from any other regular source NAT configuration:
<pre>
/ip firewall nat
add chain=src-nat action=srcnat src-address=100.64.0.0/10 to-address=2.2.2.2 out-interface=<public_if>
</pre>
Where:
* 2.2.2.2 - public IP address,
* public_if - interface on providers edge router connected to internet
 
The advantage of NAT444 is obvious, less public IPv4 addresses used. But this technique comes with mayor drawbacks:
* The service provider router performing CGNAT needs to maintain a state table for all the address translations: this requires a lot of memory and CPU resources.
* Console gaming problems. Some games fail when two subscribers using the same outside public IPv4 address try to connect to each other.
* Tracking of users for legal reasons means extra logging, as multiple households go behind one public address.
* Anything requiring incoming connections is broken. While this already was the case with regular NAT, end users could usually still set up port forwarding on their NAT router. CGNAT makes this impossible. This means no web servers can be hosted here, and IP Phones cannot receive incoming calls by default either.
* Some web servers only allow a maximum number of connections from the same public IP address, as a means to counter DoS attacks like SYN floods. Using CGNAT this limit is reached more often and some services may be of poor quality.
* 6to4 requires globally reachable addresses and will not work in networks that employ addresses with limited topological span.
 
More on things that can break can be read in this article [http://chrisgrundemann.com/index.php/2011/nat444-cgn-lsn-breaks/]
 
Packets with Shared Address Space source or destination addresses MUST NOT be forwarded across Service Provider boundaries.  Service Providers MUST filter such packets on ingress links.
In RouterOS this can be easily done with firewall filters on edge routers:
<pre>
/ip firewall filter
add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>
add chain=output dst-address=100.64.0.0/10 action=drop out-interface=<public_if>
add chain=forward src-address=100.64.0.0/10 action=drop in-interface=<public_if>
add chain=forward src-address=100.64.0.0/10 action=drop out-interface=<public_if>
add chain=forward dst-address=100.64.0.0/10 action=drop out-interface=<public_if>
</pre>
 
 
Service providers may be required to do logging of MAPed addresses, in large CGN deployed network that may be a problem.
Fortunately RFC 7422 suggests a way to manage CGN translations in such a way as to significantly reduce the amount of logging required while providing traceability for abuse response.
 
RFC states that instead of logging each connection, CGNs could deterministically map customer private addresses (received on the customer-facing interface of the CGN, a.k.a., internal side) to public addresses extended with port ranges.
 
In RouterOS described algorithm can be done with few script functions.
Lets take an example:
{| border="1" class="wikitable collapsible sortable" style="text-align: left"
|  nowrap | <b>Inside IP </b>
|  nowrap | <b>Outside IP/Port range</b>
|-
| 100.64.1.1
|  2.2.2.2:2000-2099
|-
| 100.64.1.2
|  2.2.2.2:2100-2199
|-
| 100.64.1.3
|  2.2.2.2:2200-2299
|-
| 100.64.1.4
|  2.2.2.2:2300-2399
|-
| 100.64.1.5
|  2.2.2.2:2400-2499
|-
| 100.64.1.6
|  2.2.2.2:2500-2599
|-
|}
 
Instead of writing NAT mappings by hand we could write a function which adds such rules automatically.
<pre>
:global sqrt do={
  :for i from=0 to=$1 do={
    :if (i * i > $1) do={ :return ($i - 1) }
  }
}
 
:global addNatRules do={
  /ip firewall nat add chain=srcnat action=jump jump-target=xxx \
    src-address="$($srcStart)-$($srcStart + $count - 1)"
 
  :local x [$sqrt $count]
  :local y $x
  :if ($x * $x = $count) do={ :set y ($x + 1) }
  :for i from=0 to=$x do={
    /ip firewall nat add chain=xxx action=jump jump-target="xxx-$($i)" \
    src-address="$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1) - 1))"
  }
 
  :for i from=0 to=($count - 1) do={
    :local prange "$($portStart + ($i * $portsPerAddr))-$($portStart + (($i + 1) * $portsPerAddr) - 1)"
    /ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=tcp src-address=($srcStart + $i) \
    to-address=$toAddr to-ports=$prange
    /ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=udp src-address=($srcStart + $i) \
    to-address=$toAddr to-ports=$prange
  }
}
 
</pre>
 
After pasting above script in the terminal function "addNatRules" is available. If we take our example, we need to map 6 shared network addresses to be mapped to 2.2.2.2 and each address uses range of 100 ports starting from 2000. So we run our function:
<pre>
$addNatRules count=6 srcStart=100.64.1.1 toAddr=2.2.2.2 portStart=2000 portsPerAddr=100
</pre>
 
Now you should be able to get set of rules:
<pre>
[admin@rack1_b18_450] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0    chain=srcnat action=jump jump-target=xxx src-address=100.64.1.1-100.64.1.6 log=no log-prefix=""
 
1    chain=xxx action=jump jump-target=xxx-0 src-address=100.64.1.1-100.64.1.2 log=no log-prefix=""
 
2    chain=xxx action=jump jump-target=xxx-1 src-address=100.64.1.3-100.64.1.4 log=no log-prefix=""
 
3    chain=xxx action=jump jump-target=xxx-2 src-address=100.64.1.5-100.64.1.6 log=no log-prefix=""
 
4    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-2099 protocol=tcp src-address=100.64.1.1 log=no log-prefix=""
 
5    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-2099 protocol=udp src-address=100.64.1.1 log=no log-prefix=""
 
6    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2100-2199 protocol=tcp src-address=100.64.1.2 log=no log-prefix=""
 
7    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2100-2199 protocol=udp src-address=100.64.1.2 log=no log-prefix=""
 
8    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2200-2299 protocol=tcp src-address=100.64.1.3 log=no log-prefix=""
 
9    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2200-2299 protocol=udp src-address=100.64.1.3 log=no log-prefix=""
 
10    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2300-2399 protocol=tcp src-address=100.64.1.4 log=no log-prefix=""
 
11    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2300-2399 protocol=udp src-address=100.64.1.4 log=no log-prefix=""
 
12    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2400-2499 protocol=tcp src-address=100.64.1.5 log=no log-prefix=""
 
13    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2400-2499 protocol=udp src-address=100.64.1.5 log=no log-prefix=""
 
14    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2500-2599 protocol=tcp src-address=100.64.1.6 log=no log-prefix=""
 
15    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2500-2599 protocol=udp src-address=100.64.1.6 log=no log-prefix=""
</pre>




</div>
</div>


[[Category:Manual]]
{{Cont}}
[[Category:Unfinished]]
 
[[Category:Manual|Firewallnat]]
[[Category:Firewall|Firewallnat]]

Latest revision as of 05:59, 26 April 2022

Warning: This manual is moved to https://help.mikrotik.com/docs/display/ROS/NAT


Summary

Sub-menu: /ip firewall nat


Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred as natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travel from/to LAN.

There are two types of NAT:

  • source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
  • destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most comonly used to make hosts on a private network to be acceesible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network.

Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT, a bold example is AH protocol from the IPsec suite.

To overcome these limitations RouterOS includes a number of so-called NAT helpers, that enable NAT traversal for various protocols.

Masquerade

Firewall NAT action=masquerade is unique subversion of action=srcnat, it was designed for specific use in situations when public IP can randomly change, for example DHCP-server changes it, or PPPoE tunnel after disconnect gets different IP, in short - when public IP is dynamic.

Every time interface disconnects and/or its IP address changes, router will clear all masqueraded connection tracking entries that send packet out that interface, this way improving system recovery time after public ip address change.

Unfortunately this can lead to some issues when action=masquerade is used in setups with unstable connections/links that get routed over different link when primary is down. In such scenario following things can happen:

  • on disconnect, all related connection tracking entries are purged;
  • next packet from every purged (previously masqueraded) connection will come into firewall as connection-state=new, and, if primary interface is not back, packet will be routed out via alternative route (if you have any) thus creating new connection;
  • primary link comes back, routing is restored over primary link, so packets that belong to existing connections are sent over primary interface without being masqueraded leaking local IPs to a public network.

You can workaround this by creating blackhole route as alternative to route that might disappear on disconnect).

When action=srcnat is used instead, connection tracking entries remain and connections can simply resume.

Properties

Property Description
action (action name; Default: accept) Action to take if packet is matched by the rule:
  • accept - accept the packet. Packet is not passed to next NAT rule.
  • add-dst-to-address-list - add destination address to Address list specified by address-list parameter
  • add-src-to-address-list - add source address to Address list specified by address-list parameter
  • dst-nat - replaces destination address and/or port of an IP packet to values specified by to-addresses and to-ports parameters
  • jump - jump to the user defined chain specified by the value of jump-target parameter
  • log - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as passthrough
  • masquerade - replaces source port of an IP packet to one specified by to-ports parameter and replace source address of an IP packet to IP determined by routing facility. Read more >>
  • netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
  • passthrough - if packet is matched by the rule, increase counter and go to next rule (useful for statistics).
  • redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router's local addresses
  • return - passes control back to the chain from where the jump took place
  • same - gives a particular client the same source/destination IP address from supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
  • src-nat - replaces source address of an IP packet to values specified by to-addresses and to-ports parameters
address-list (string; Default: ) Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic) Time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions
  • Value of none-dynamic (00:00:00) will leave the address in the address list till reboot
  • Value of none-static will leave the address in the address list forever and will be included in configuration export/backup
chain (name; Default: ) Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created.
comment (string; Default: ) Descriptive comment for the rule.
connection-bytes (integer-integer; Default: ) Matches packets only if a given amount of bytes has been transfered through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection
connection-limit (integer,netmaks; Default: ) Matches connections per address or address block after given value is reached.
connection-mark (no-mark | string; Default: ) Matches packets marked via mangle facility with particular connection mark. If no-mark is set, rule will match any unmarked connection.
connection-rate (Integer 0..4294967295; Default: ) Connection Rate is a firewall matcher that allow to capture traffic based on present speed of the connection. Read more>>
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: ) Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
content (string; Default: ) Match packets that contain specified text
dscp (integer: 0..63; Default: ) Matches DSCP IP header field.
dst-address (IP/netmask | IP range; Default: ) Matches packets which destination is equal to specified IP or falls into specified IP range.
dst-address-list (name; Default: ) Matches destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast; Default: ) Matches destination address type:
  • unicast - IP address used for point to point transmission
  • local - if dst-address is assigned to one of router's interfaces
  • broadcast - packet is sent to all devices in subnet
  • multicast - packet is forwarded to defined group of devices
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address / destination port has it's own limit. Parameters are written in following format: count[/time],burst,mode[/expire].
  • count - maximum average packet rate measured in packets per time interval
  • time - specifies the time interval in which the packet rate is measured (optional)
  • burst - number of packets which are not counted by packet rate
  • mode - the classifier for packet rate limiting
  • expire - specifies interval after which recored ip address /port will be deleted (optional)
dst-port (integer[-integer]: 0..65535; Default: ) List of destination port numbers or port number ranges
fragment (yes|no; Default: ) Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet
hotspot (auth | from-client | http | local-dst | to-client; Default: ) Matches packets received from HotSpot clients against various HotSpot matchers.
  • auth - matches authenticted HotSpot client packets
  • from-client - matches packets that are coming from the HotSpot client
  • http - matches HTTP requests sent to the HotSpot server
  • local-dst - matches packets that are destined to the HotSpot server
  • to-client - matches packets that are sent to the HotSpot client
icmp-options (integer:integer; Default: ) Matches ICMP type:code fileds
in-bridge-port (name; Default: ) Actual interface the packet has entered the router, if incoming interface is bridge
in-interface (name; Default: ) Interface the packet has entered the router
ingress-priority (integer: 0..63; Default: ) Matches ingress priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. Read more>>
ipsec-policy (in | out, ipsec | none; Default: ) Matches the policy used by IpSec. Value is written in following format: direction, policy. Direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.
  • in - valid in the PREROUTING, INPUT and FORWARD chains
  • out - valid in the POSTROUTING, OUTPUT and FORWARD chains
  • ipsec - matches if the packet is subject to IpSec processing;
  • none - matches packet that is not subject to IpSec processing (for example, IpSec transport packet).

For example, if router receives Ipsec encapsulated Gre packet, then rule ipsec-policy=in,ipsec will match Gre packet, but rule ipsec-policy=in,none will match ESP packet.

ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) Matches IPv4 header options.
  • any - match packet with at least one of the ipv4 options
  • loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
  • no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
  • no-router-alert - match packets with no router alter option
  • no-source-routing - match packets with no source routing option
  • no-timestamp - match packets with no timestamp option
  • record-route - match packets with record route option
  • router-alert - match packets with router alter option
  • strict-source-routing - match packets with strict source routing option
  • timestamp - match packets with timestamp
jump-target (name; Default: ) Name of the target chain to jump to. Applicable only if action=jump
layer7-protocol (name; Default: ) Layer7 filter name defined in layer7 protocol menu.
limit (integer,time,integer; Default: ) Matches packets until a given pps limit is exceeded. Parameters are written in following format: count[/time],burst.
  • count - maximum average packet rate measured in packets per time interval
  • time - specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified)
  • burst - number of packets which are not counted by packet rate
log-prefix (string; Default: ) Adds specified text at the beginning of every log message. Applicable if action=log
nth (integer,integer; Default: ) Matches every nth packet. Read more >>
out-bridge-port (name; Default: ) Actual interface the packet is leaving the router, if outgoing interface is bridge
out-interface (; Default: ) Interface the packet is leaving the router
packet-mark (no-mark | string; Default: ) Matches packets marked via mangle facility with particular packet mark. If no-mark is set, rule will match any unmarked packet.
packet-size (integer[-integer]:0..65535; Default: ) Matches packets of specified size or size range in bytes.
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) PCC matcher allows to divide traffic into equal streams with ability to keep packets with specific set of options in one particular stream. Read more >>
port (integer[-integer]: 0..65535; Default: ) Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP
protocol (name or protocol ID; Default: tcp) Matches particular IP protocol specified by protocol name or number
psd (integer,time,integer,integer; Default: ) Attempts to detect TCP and UDP scans. Parameters are in following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight
  • WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
  • DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
  • LowPortWeight - weight of the packets with privileged (<1024) destination port
  • HighPortWeight - weight of the packet with non-priviliged destination port
random (integer: 1..99; Default: ) Matches packets randomly with given probability.
routing-mark (string; Default: ) Matches packets marked by mangle facility with particular routing mark
same-not-by-dst (yes | no; Default: ) Specifies whether to take into account or not destination IP address when selecting a new source IP address. Applicable if action=same
src-address (Ip/Netmaks, Ip range; Default: ) Matches packets which source is equal to specified IP or falls into specified IP range.
src-address-list (name; Default: ) Matches source address of a packet against user-defined address list
src-address-type (unicast | local | broadcast | multicast; Default: )

Matches source address type:

  • unicast - IP address used for point to point transmission
  • local - if address is assigned to one of router's interfaces
  • broadcast - packet is sent to all devices in subnet
  • multicast - packet is forwarded to defined group of devices
src-port (integer[-integer]: 0..65535; Default: ) List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP.
src-mac-address (MAC address; Default: ) Matches source MAC address of the packet
tcp-mss (integer[-integer]: 0..65535; Default: ) Matches TCP MSS value of an IP packet
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) Allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
to-addresses (IP address[-IP address]; Default: 0.0.0.0) Replace original address with specified one. Applicable if action is dst-nat, netmap, same, src-nat
to-ports (integer[-integer]: 0..65535; Default: ) Replace original port with specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same, src-nat
ttl (integer: 0..255; Default: ) Matches packets TTL value

Stats

/ip firewall nat print stats will show additional read-only properties

Property Description
bytes (integer) Total amount of bytes matched by the rule
packets (integer) Total amount of packets matched by the rule


By default print is equivalent to print static and shows only static rules.

[admin@dzeltenais_burkaans] /ip firewall mangle> print stats
Flags: X - disabled, I - invalid, D - dynamic 
 #   CHAIN              ACTION                  BYTES           PACKETS        
 0   prerouting         mark-routing            17478158        127631         
 1   prerouting         mark-routing            782505          4506           

To print also dynamic rules use print all.

[admin@dzeltenais_burkaans] /ip firewall mangle> print all stats
Flags: X - disabled, I - invalid, D - dynamic 
 #   CHAIN              ACTION                  BYTES           PACKETS        
 0   prerouting         mark-routing            17478158        127631         
 1   prerouting         mark-routing            782505          4506           
 2 D forward            change-mss              0               0              
 3 D forward            change-mss              0               0              
 4 D forward            change-mss              0               0              
 5 D forward            change-mss              129372          2031  

Or to print only dynamic rules use print dynamic

[admin@dzeltenais_burkaans] /ip firewall mangle> print stats dynamic 
Flags: X - disabled, I - invalid, D - dynamic 
 #   CHAIN              ACTION                  BYTES           PACKETS        
 0 D forward            change-mss              0               0              
 1 D forward            change-mss              0               0              
 2 D forward            change-mss              0               0              
 3 D forward            change-mss              132444          2079 


Menu specific commands

Property Description
reset-counters (id) Reset statistics counters for specified firewall rules.
reset-counters-all () Reset statistics counters for all firewall rules.

Basic examples

Source NAT

Masquerade

If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.5.8.109 given to you by the ISP, you should use the source network address translation (masquerading) feature of the MikroTik router. The masquerading will change the source IP address and port of the packets originated from the network 192.168.0.0/24 to the address 10.5.8.109 of the router when the packet is routed through it.

To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

/ip firewall nat add chain=srcnat action=masquerade out-interface=Public

All outgoing connections from the network 192.168.0.0/24 will have source address 10.5.8.109 of the router and source port above 1024. No access from the Internet will be possible to the Local addresses. If you want to allow connections to the server on the local network, you should use destination Network Address Translation (NAT).

Source nat to specific address

If you have multiple public IP addresses, source nat can be changed to specific IP, for example, one local subnet can be hidden behind first IP and second local subnet is masqueraded behind second IP.

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 action=src-nat to-addresses=1.1.1.1 out-interface=Public
add chain=srcnat src-address=192.168.2.0/24 action=src-nat to-addresses=1.1.1.2 out-interface=Public


Destination NAT

Forward all traffic to internal host

If you want to link Public IP 10.5.8.200 address to Local one 192.168.0.109, you should use destination address translation feature of the MikroTik router. Also if you want allow Local server to initiate connections to outside with given Public IP you should use source address translation, too.

Add Public IP to Public interface:

/ip address add address=10.5.8.200/32 interface=Public   

Add rule allowing access to the internal server from external networks:

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
	to-addresses=192.168.0.109 

Add rule allowing the internal server to initate connections to the outer networks having its source address translated to 10.5.8.200:

/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
	to-addresses=10.5.8.200

Port mapping/forwarding

If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, port mapping), you can do it like this:

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234 

This rule translates to: when an incoming connection requests TCP port 1234, use the DST-NAT action and redirect it to local address 192.168.1.1 and the port 1234

Port forwarding to internal FTP server

As you can see from illustration above FTP uses more than one connection, but only command channel should be forwarded by Destination nat. Data channel is considered as related connection and should be accepted with "accept related" rule if you have strict firewall. Note that for related connections to be properly detected FTP helper has to be enabled.

/ip firewall nat
add chain=dstnat dst-address=10.5.8.200 dst-port=21 protocol=tcp action=dst-nat to-addresses=192.168.0.109
/ip firewall filter
add chain=forward connection-state=established,related action=accept

Note that active FTP might not work if client is behind dumb firewall or NATed router, because data channel is initiated by the server and cannot directly access the client.


If client is behind Mikrotik router, then make sure that FTP helper is enabled

[admin@3C22-atombumba] /ip firewall service-port> print 
Flags: X - disabled, I - invalid 
 #   NAME                                                                 PORTS
 0   ftp                                                                  21   
 1   tftp                                                                 69   
 2   irc                                                                  6667 
 3   h323                                                                
 4   sip                                                                  5060 
                                                                          5061 
 5   pptp                                                                


1:1 mapping

If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.

/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
	action=netmap to-addresses=2.2.2.0/24

/ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
	action=netmap to-addresses=11.11.11.0/24  

Same can be written using different address notation, that still have to match with the described network

/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
	action=netmap to-addresses=2.2.2.0-2.2.2.255

/ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \
	action=netmap to-addresses=11.11.11.0-11.11.11.255  


Carrier-Grade NAT (CGNAT) or NAT444

To combat IPv4 address exhaustion, new RFC 6598 was deployed. The idea is to use shared 100.64.0.0/10 address space inside carrier's network and performing NAT on carrier's edge router to sigle public IP or public IP range.

Because of nature of such setup it is also called NAT444, as opposed to a NAT44 network for a 'normal' NAT environment, three different IPv4 address spaces are involved.

CGNAT configuration on RouterOS does not differ from any other regular source NAT configuration:

/ip firewall nat 
 add chain=src-nat action=srcnat src-address=100.64.0.0/10 to-address=2.2.2.2 out-interface=<public_if>

Where:

  • 2.2.2.2 - public IP address,
  • public_if - interface on providers edge router connected to internet

The advantage of NAT444 is obvious, less public IPv4 addresses used. But this technique comes with mayor drawbacks:

  • The service provider router performing CGNAT needs to maintain a state table for all the address translations: this requires a lot of memory and CPU resources.
  • Console gaming problems. Some games fail when two subscribers using the same outside public IPv4 address try to connect to each other.
  • Tracking of users for legal reasons means extra logging, as multiple households go behind one public address.
  • Anything requiring incoming connections is broken. While this already was the case with regular NAT, end users could usually still set up port forwarding on their NAT router. CGNAT makes this impossible. This means no web servers can be hosted here, and IP Phones cannot receive incoming calls by default either.
  • Some web servers only allow a maximum number of connections from the same public IP address, as a means to counter DoS attacks like SYN floods. Using CGNAT this limit is reached more often and some services may be of poor quality.
  • 6to4 requires globally reachable addresses and will not work in networks that employ addresses with limited topological span.

More on things that can break can be read in this article [1]

Packets with Shared Address Space source or destination addresses MUST NOT be forwarded across Service Provider boundaries. Service Providers MUST filter such packets on ingress links. In RouterOS this can be easily done with firewall filters on edge routers:

/ip firewall filter
 add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>
 add chain=output dst-address=100.64.0.0/10 action=drop out-interface=<public_if>
 add chain=forward src-address=100.64.0.0/10 action=drop in-interface=<public_if>
 add chain=forward src-address=100.64.0.0/10 action=drop out-interface=<public_if>
 add chain=forward dst-address=100.64.0.0/10 action=drop out-interface=<public_if>


Service providers may be required to do logging of MAPed addresses, in large CGN deployed network that may be a problem. Fortunately RFC 7422 suggests a way to manage CGN translations in such a way as to significantly reduce the amount of logging required while providing traceability for abuse response.

RFC states that instead of logging each connection, CGNs could deterministically map customer private addresses (received on the customer-facing interface of the CGN, a.k.a., internal side) to public addresses extended with port ranges.

In RouterOS described algorithm can be done with few script functions. Lets take an example:

Inside IP Outside IP/Port range
100.64.1.1 2.2.2.2:2000-2099
100.64.1.2 2.2.2.2:2100-2199
100.64.1.3 2.2.2.2:2200-2299
100.64.1.4 2.2.2.2:2300-2399
100.64.1.5 2.2.2.2:2400-2499
100.64.1.6 2.2.2.2:2500-2599

Instead of writing NAT mappings by hand we could write a function which adds such rules automatically.

:global sqrt do={
  :for i from=0 to=$1 do={
    :if (i * i > $1) do={ :return ($i - 1) }
  }
}

:global addNatRules do={
  /ip firewall nat add chain=srcnat action=jump jump-target=xxx \
    src-address="$($srcStart)-$($srcStart + $count - 1)"

  :local x [$sqrt $count]
  :local y $x
  :if ($x * $x = $count) do={ :set y ($x + 1) }
  :for i from=0 to=$x do={
    /ip firewall nat add chain=xxx action=jump jump-target="xxx-$($i)" \
     src-address="$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1) - 1))"
  }

  :for i from=0 to=($count - 1) do={
    :local prange "$($portStart + ($i * $portsPerAddr))-$($portStart + (($i + 1) * $portsPerAddr) - 1)"
    /ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=tcp src-address=($srcStart + $i) \
     to-address=$toAddr to-ports=$prange
    /ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=udp src-address=($srcStart + $i) \
     to-address=$toAddr to-ports=$prange
  }
}

After pasting above script in the terminal function "addNatRules" is available. If we take our example, we need to map 6 shared network addresses to be mapped to 2.2.2.2 and each address uses range of 100 ports starting from 2000. So we run our function:

$addNatRules count=6 srcStart=100.64.1.1 toAddr=2.2.2.2 portStart=2000 portsPerAddr=100

Now you should be able to get set of rules:

[admin@rack1_b18_450] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=jump jump-target=xxx src-address=100.64.1.1-100.64.1.6 log=no log-prefix="" 

 1    chain=xxx action=jump jump-target=xxx-0 src-address=100.64.1.1-100.64.1.2 log=no log-prefix="" 

 2    chain=xxx action=jump jump-target=xxx-1 src-address=100.64.1.3-100.64.1.4 log=no log-prefix="" 

 3    chain=xxx action=jump jump-target=xxx-2 src-address=100.64.1.5-100.64.1.6 log=no log-prefix="" 

 4    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-2099 protocol=tcp src-address=100.64.1.1 log=no log-prefix="" 

 5    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-2099 protocol=udp src-address=100.64.1.1 log=no log-prefix="" 

 6    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2100-2199 protocol=tcp src-address=100.64.1.2 log=no log-prefix="" 

 7    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2100-2199 protocol=udp src-address=100.64.1.2 log=no log-prefix="" 

 8    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2200-2299 protocol=tcp src-address=100.64.1.3 log=no log-prefix="" 

 9    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2200-2299 protocol=udp src-address=100.64.1.3 log=no log-prefix="" 

10    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2300-2399 protocol=tcp src-address=100.64.1.4 log=no log-prefix="" 

11    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2300-2399 protocol=udp src-address=100.64.1.4 log=no log-prefix="" 

12    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2400-2499 protocol=tcp src-address=100.64.1.5 log=no log-prefix="" 

13    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2400-2499 protocol=udp src-address=100.64.1.5 log=no log-prefix="" 

14    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2500-2599 protocol=tcp src-address=100.64.1.6 log=no log-prefix="" 

15    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2500-2599 protocol=udp src-address=100.64.1.6 log=no log-prefix=""


[ Top | Back to Content ]