Single IP NAT Strategy in MikroTik Router

MikroTik Router has a lot of features which help to customize your network as your requirement. Sometimes, it may be your requirement that you need to allow per IP internet access. Normally, when you apply masquerade NAT rule in your MikroTik router, you accept all private IP will be masqueraded or a network block will be masqueraded. But if you do so and enable a DHCP server in your network, you may face a lot of unauthorized accesses in your network. Because when a user will be connected in our network, he/she will get internet information (IP, Subnet mask, Gateway and DNS) by DHCP server and can access internet through your MikroTik router. So, an unauthorized user can consume your bandwidth. But you don’t want that any user can access internet through your MikroTik router without your permission. If you want to prevent unauthorized access in your network, you have to apply a strategy named Single IP NAT strategy. Single IP NAT strategy will help you to control unauthorized access to your network. If you apply single IP NAT strategy, no IP device can get internet access through your router until you allow that IP.

Single IP NAT Strategy

Single IP NAT Strategy is not a MikroTik service but a logical tricks which will prevent unauthorized internet access in your network. Say, you are going to build a DHCP enabled network with MikroTik router in your office like below network diagram where users will come with their IP devices and he/she will be connected with your network by wire or wireless device.

DHCP Enabled Network
DHCP Enabled Network

But you don’t want that any user can access internet through your DHCP server without your permission. For this, you should apply single IP NAT strategy in your MikroTik router. If you wish to apply single IP NAT strategy in your MikroTik router, keep reading this article where I will show you how to apply single IP NAT strategy in your MikroTik router.

Single IP NAT Configuration in MikroTik Router

Before going to apply single IP NAT strategy in your MikroTik, you have to complete MikroTik router basic configuration without NAT configuration. If you are a new MikroTik user, spend some time to study my previous article about MikroTik Router Basic Configuration using winbox and complete basic configuration of your MikroTik router without NAT configuration. Because single IP NAT strategy will be applied in NAT configuration. If you have completed your MikroTik router basic configuration according to my article, follow below steps to apply single IP NAT strategy in your MikroTik router.

  1. Go to IP > Firewall menu and click on NAT tab and then click on add new button (PLUS Sign) to create a new NAT rule. In New NAT Rule window click on General tab and then select srcnat from Chain drop-down box.
  2. Now click on Advanced tab and type ipblock1 or your own string as you like in Src. Address List input box.
  3. Click on Action tab and choose masquerade from Action drop-down list and then click Apply and OK button.
  4. Now click on Address List tab in Firewall window and click on add new button (PLUS Sign) to create a new list. Choose ipblock1 or your provided string from Name drop-down list and type the IP address on which you want to allow internet in Address input box and then click Apply and OK button.
  5. Do step 4 every time you want to allow an IP to access internet through your router.

After this configuration, you can see that IP addresses which are listed in Address List panel can access internet trough your MikroTik router. But other IP addresses of your network block cannot access internet through your router although these IP address are obtained by IP devices from your MikroTik DHCP server.

You have to follow the above steps carefully otherwise you cannot apply single IP NAT strategy in your MikroTik router. If you face any difficulty to do above steps properly, watch my below video carefully about Single IP NAT Strategy in MikroTik Router.

The logical tricks named Single IP NAT Strategy to prevent unauthorized internet access in your network has been explained step by step in this article. A video tutorial has also been uploaded to remove your any confusion to apply single IP NAT strategy in MikroTik router. However, if you face any problem to apply single IP NAT strategy in your MikroTik router, feel free to discuss in comment or contact with me from Contact page. I will try my best to stay with you.

Why not a Cup of COFFEE if the solution?

single-ip-nat-strategy-in-mikrotik-router

ABU SAYEED

I am a system administrator and like to share knowledge that I am learning from my daily experience. I usually work on MikroTik, Redhat/CentOS Linux, Windows Server, physical server and storage, virtual technology and other system related topics. Follow Me: Facebook, Twitter and Linkedin.

Your name can also be listed here. Have an IT topic? Submit it here to become a System Zone author.

12 comments

  • Avatar for sapanda sapanda

    Can someone use this steps to allow some ips in an ISP solution. Like in the settings where I was told to help manage their network, the have like range of ip in static mode, say from 2-50, but each ip must be assigned to any user who connected to their network. In the network, they use mac filtering from the radio/wireless side, but assuming a user with some tech experience, was assigned ip of 192.168.30.5 with a bandwidth of 512kbps, but he goes an change his ip to 192.168.30.7 which has not being assigned to anyone and it has no limitation. Will asigning ip address list help reduce such person from messing up the network.

  • Avatar for ihsan ihsan

    Dear,,

    so nice,,very good explanation,,,,but if some one assign manual IP address that has in NAT list and i do not want to use internet by that user. so how can i restrict a user from assigning listed NAT IP address…means from listed NAT IP,,an IP address already added for specific user…

    Thanks

  • Avatar for Md. Haider Mahmud Juwel Md. Haider Mahmud Juwel

    Thats Great,,,Thank U Boss….

  • Avatar for mafuz mafuz

    thank u so much

  • Avatar for sonny sonny

    What if I have different ip pools (10.10.10.0/24, 10.20.10.0/24 & 10.30.10.0/24), how can i allow a mac address to connect to the internet with different ip pools? thanks

    • IP can be assigned in different ways such as DHCP and PPPoE. But single IP NAT strategy help you to prevent unwanted network access through your router.

  • Avatar for RAJENDRA SINGH RAJENDRA SINGH

    I HAVE ONLY STATIC WAN IP,USERID AND PASSWORD ,SO I CAN CONFIGURE MY ROUTER1100AH
    WITHOUT GATEWAY

    • Without gateway router configuration impossible. If you have static IP, why do you need userid and password? userid and password is normally required for PPPoE connection. If you have PPPoE WAN, you can configure your WAN as PPPoE client.

  • Avatar for cufe cufe

    If the intent is to give or deny permissions, FILTER rules are designed to do that:
    /ip firewall filer
    add chain=forward in-interface=lan out-interface=wan src-address-list=ipblock1 action=accept
    add chain=forward in-interface=lan out-interface=wan action=drop

  • Avatar for Amar Yadav Amar Yadav

    Hi Sayeed,
    I am a new working on Mikrotik router and I am really enjoying and learing a lots from your articles. I am trying to learn a lot by your articles. Thanks to give us more solution in this way.

    Would like to suggest one thing, Please record audio also when you make video.

    • Thanks for your suggestion. I usually describe all things in article. So feeling no interest in audio. However I am trying but still my environment is not suitable for audio recording because I do video in my office which is a open space.

Leave a Reply

Your email address will not be published. Required fields are marked *

*