Nat - MikroTik RouterOS v2.9 Reference Manual

NAT

Description
Network Address Translation is an Internet standard that allows hosts on local area networks to use
one set of IP addresses for internal communications and another set of IP addresses for external
communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there
should be a NAT gateway in each natted network. The NAT gateway (NAT router) rewrites IP
addresses as packets travel to and from the LAN.
There are two types of NAT:
- source NAT or srcnat. This type of NAT is performed on packets that originate from a
natted network. A NAT router replaces the private source address of an IP packet with a new
public IP address as the packet travels through the router. The reverse operation is applied to the
reply packets travelling in the other direction.
- destination NAT or dstnat. This type of NAT is performed on packets that are destined to the
natted network. It is most commonly used to make hosts on a private network accessible
from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP
packet as it travels through the router towards the private network.
NAT Drawbacks
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some
Internet protocols might not work in scenarios with NAT. Services that require a TCP connection
to be initiated from outside the private network, or stateless protocols such as UDP, can be disrupted.
Moreover, some protocols are inherently incompatible with NAT; a notable example is the AH protocol
from the IPsec suite, which authenticates the very IP header fields that NAT rewrites.
RouterOS includes a number of so-called NAT helpers that enable NAT traversal for various
protocols.
Redirect and Masquerade
Redirect and masquerade are special forms of destination NAT and source NAT, respectively.
Redirect relates to regular destination NAT in the same way as masquerade relates to source NAT:
masquerade is a special form of source NAT that does not need to-addresses, because the address of
the outgoing interface is used automatically. Likewise, redirect is a form of destination NAT where
to-addresses is not used and the address of the incoming interface is used instead. Note that
to-ports is meaningful for redirect rules: it is the port of the service on the router that will
handle these requests (e.g. the web proxy).
When a packet is dst-natted (whether by action=nat or action=redirect), its destination address is changed.
Information about the translation (including the original destination address) is kept in the router's
internal tables. A transparent web proxy running on the router (where web requests are redirected to the
proxy port on the router) can read this information from the internal tables and obtain the address of the
web server. If you dst-nat to some other proxy server, it has no way to find the web server's address from
the IP header, because the destination address of the IP packet, which previously was the address of the
web server, has been changed to the address of the proxy server. Starting from HTTP/1.1 there is a special
header in the HTTP request which
Page 458 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
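The following is an added example, not code from the manual or from MikroTik: a small Python model of the rule processing the NAT section describes, serving both the srcnat/dstnat and redirect/masquerade passages and the paragraph about the router's internal translation tables. It assumes a simplified router in which the first matching rule in a chain wins, the dstnat chain is applied before the srcnat chain, masquerade keeps the client's source port (a real router allocates ports to avoid collisions), and a packet whose rewritten destination is one of the router's own addresses is handled locally and skips srcnat. The interface names and addresses (ether1/203.0.113.1, ether2/192.168.0.1, hosts in 192.168.0.0/24 and 198.51.100.7) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields that NAT rewrites (hypothetical model, not a real packet)."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One NAT rule using the manual's vocabulary (chain, action, to-addresses, to-ports)."""
    chain: str                          # "srcnat" or "dstnat"
    action: str                         # "nat", "masquerade" or "redirect"
    to_addresses: Optional[str] = None  # replacement address for action=nat
    to_ports: Optional[int] = None      # replacement port
    src_address: Optional[str] = None   # prefix the packet's source must fall in
    dst_address: Optional[str] = None   # prefix the packet's destination must fall in
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None

    def matches(self, pkt: Packet, in_if: str, out_if: str) -> bool:
        def in_prefix(addr: str, prefix: Optional[str]) -> bool:
            return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)
        return (in_prefix(pkt.src, self.src_address)
                and in_prefix(pkt.dst, self.dst_address)
                and self.dst_port in (None, pkt.dport)
                and self.in_interface in (None, in_if)
                and self.out_interface in (None, out_if))


class NatRouter:
    """Applies dstnat then srcnat and records every translation in a table
    (the text's 'internal tables') so replies can be reversed."""

    def __init__(self, interface_addresses: Dict[str, str]):
        self.iface = interface_addresses        # interface name -> its own address
        self.rules: List[Rule] = []
        # key: the reply 4-tuple as it will arrive at the router;
        # value: the packet as it looked before any translation
        self.table: Dict[Tuple[str, int, str, int], Packet] = {}

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def _first_match(self, chain: str, pkt: Packet, in_if: str, out_if: str) -> Optional[Rule]:
        return next((r for r in self.rules if r.chain == chain and r.matches(pkt, in_if, out_if)), None)

    def translate(self, pkt: Packet, in_if: str, out_if: str) -> Packet:
        original = pkt
        # dstnat: redirect substitutes the incoming interface's address, nat uses to-addresses
        rule = self._first_match("dstnat", pkt, in_if, out_if)
        if rule is not None:
            new_dst = self.iface[in_if] if rule.action == "redirect" else rule.to_addresses
            pkt = replace(pkt, dst=new_dst, dport=rule.to_ports or pkt.dport)
        # a packet now addressed to the router itself goes to a local service
        # (e.g. the web proxy) and does not pass the srcnat chain
        if pkt.dst not in self.iface.values():
            rule = self._first_match("srcnat", pkt, in_if, out_if)
            if rule is not None:
                # masquerade needs no to-addresses: the outgoing interface's address is used
                new_src = self.iface[out_if] if rule.action == "masquerade" else rule.to_addresses
                pkt = replace(pkt, src=new_src, sport=rule.to_ports or pkt.sport)
        if pkt != original:
            self.table[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
        return pkt

    def original_destination(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """What a transparent proxy on the router can look up: the destination the
        client really addressed. A proxy on another host only sees the rewritten header."""
        entry = self.table.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return None if entry is None else (entry.dst, entry.dport)

    def untranslate_reply(self, reply: Packet) -> Packet:
        """Reverse the mapping for a reply; a packet with no table entry is left untouched."""
        entry = self.table.get((reply.src, reply.sport, reply.dst, reply.dport))
        if entry is None:
            return reply
        return Packet(src=entry.dst, sport=entry.dport, dst=entry.src, dport=entry.sport)


def build_example_router() -> NatRouter:
    """Constructed topology: ether1 is the public uplink, ether2 faces the LAN."""
    router = NatRouter({"ether1": "203.0.113.1", "ether2": "192.168.0.1"})
    # masquerade everything leaving the uplink (no to-addresses needed)
    router.add_rule(Rule(chain="srcnat", action="masquerade", out_interface="ether1"))
    # redirect LAN web requests to the router's own proxy port (to-ports)
    router.add_rule(Rule(chain="dstnat", action="redirect", in_interface="ether2",
                         dst_port=80, to_ports=8080))
    # publish an internal server: public port 80 -> 192.168.0.20
    router.add_rule(Rule(chain="dstnat", action="nat", in_interface="ether1",
                         dst_address="203.0.113.1", dst_port=80, to_addresses="192.168.0.20"))
    return router


if __name__ == "__main__":
    r = build_example_router()
    out = r.translate(Packet("192.168.0.10", 40000, "198.51.100.7", 443), "ether2", "ether1")
    print("masqueraded:", out)
    print("reply mapped back:", r.untranslate_reply(Packet("198.51.100.7", 443, "203.0.113.1", 40000)))
    web = r.translate(Packet("192.168.0.10", 40001, "198.51.100.7", 80), "ether2", "ether1")
    print("redirected:", web, "original destination:", r.original_destination(web))
```

The table is keyed by the 4-tuple a reply will carry, which is why `untranslate_reply` and `original_destination` share one lookup; an inbound packet that matches no entry is returned unchanged, which is the model's version of the drawback described above (a connection initiated from outside has no mapping to follow).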
