Hello and welcome to the MikroTik section, in this post we will be teaching you how to create an outbound NAT rule on a MikroTik router in order to gain internet access from our LAN. If you would like to follow along you are welcome to build this topology in GNS3. If you have missed it we have an entire section dedicated to how to install GNS3 and import devices into the software for labbing purposes.


Mikrotik1 Topology

We have been tasked to provide internet access to a customer on their LAN. The MikroTik router has already been installed with a very base configuration. The LAN has been configured on Ether2 with an IP address of and Ether1 has been configured for DHCP to receive an IP address from our ISP for internet access.

You notice that you have internet access when you ping Google's DNS server from the router, which means that internet connectivity is working.


When you try and ping the DNS server from a computer on the LAN your requests are failing, however you are able to ping the default gateway IP address of the router.


You can confirm as this is a fresh setup that there are no firewall rules configured on the router that could be potentially blocking IP communication. You then determine that there is no NAT rule configured and this is why internet is failing from the LAN computer, so how do we fix this?

Add a NAT rule on the MikroTik

Configuration of NAT is very simple on a MikroTik router, I will show you how to implement NAT from both Winbox and the CLI and briefly try to explain the NAT process to you. Let's first perform the setup on Winbox by navigating to the IP tab and selecting the firewall option.


In the firewall section navigate to the NAT tab and select it. Once select click on the add button or "+" symbol in order to add a new NAT rule.


In our case we will be using a srcnat or a "source based NAT" where we will be translating a source IP address to a different IP address. Please ensure your Chain is "srcnat" now click on the drop-down arrow of the Out. Interface and select the interface you want to NAT your IP address out of, in our case this will be ether1 as we know that we are receiving internet through this port, and if we were to look at our routing table we would see the default route would also leave via this interface. When done simply click on Apply andthen select the Action tab in order to apply an action to the NAT rule.


Please click on the drop-down arrow of the action list. You will see various different actions you can do when implementing a NAT rule, however we will be using the masquerade rule. Which essentially hides our source IP address behind the IP address of the interface where traffic leaves. So in essence we will be masking our private IP addresses with the IP address that the ISP has given us via DHCP on ether1. When you are done please click on apply on OK.


You will now note that you have 1 NAT rule in the firewall section. This is great as we have completed our setup.


Let's navigate back to the LAN PC that did not have access to Google's DNS server  previously, if we now ping we will see that we are getting a response. You will also note that if you browse to www.google.com that we are also now getting to the website. This means that we have successfully provided internet to the LAN range by implementing a NAT rule on our router to mask our traffic behind an IP address that knows how to get to the internet and back.


Setup on the CLI

This is even simpler than adding the NAT rule on Winbox. You will simply have to navigate to the ip firewall nat directory and then you can add the command to add the NAT rule.

This is pretty straightforward for this setup as we will first need to "add" a new rule, tell the rule what chain it is in and specify our interface where traffic will go out of as well as the action.

I've done this all in one line just to show you how easy it is as seen in the image below. Once you have added the rule you will have the same outcome as when we added this on Winbox.


That's a Wrap

You have successfuly learned how to a NAT rule on a MikroTik router via winbox and the console. You have also learned the basics of NATing and what we are using it for. I hope this has been informative and that you have learned something new.

Categories: MikroTik

Admin bar avatar

The Network Berg

Network solutions specialist with over 12 years of experience in the computer networking landscape. Involved with solution design, project planning and implementations on Enterprise and ISP networks.