MikroTik Router has a lot of features which help to customize network as our requirement. Sometimes, it may be our requirement that we need to allow internet access on per IP. Normally, when we apply masquerade NAT rule in our MikroTik Router, all private IPs will be masqueraded or a network block will be masqueraded.
If we do normal masqurade and enable a DHCP Server in our network, we may face a lot of unauthorized access in our network. Because when a user will be connected in our network, he/she will get internet information (IP, Subnet mask, Gateway and DNS) by DHCP Server and can access internet through our MikroTik Router. So, an unauthorized user can consume our paid bandwidth.
Usually we don’t want that any user can access internet through our MikroTik Router without our permission. If we want to prevent unauthorized access in our network, we have to apply a strategy named Single IP NAT Strategy. Single IP NAT strategy will help us to control unauthorized access to our network. If you apply single IP NAT strategy, no IP device can get internet access through our Router until we allow that IP.
Single IP NAT Strategy
Single IP NAT Strategy is not a MikroTik service but a logical tricks which will prevent unauthorized internet access in our network. Say, we are going to build a DHCP enabled network with MikroTik Router in our office like below network diagram where users will come with their IP devices and he/she will get connected in our network either wire or wireless media.
But we want that any user cannot access internet through our DHCP Server without our permission. For this, we can apply single IP NAT strategy in our MikroTik Router. If we wish to apply single IP NAT strategy in our MikroTik Router, keep reading this article where I will show how to apply single IP NAT strategy in MikroTik RouterOS 7.
How to Configure Single IP NAT in MikroTik Router
Before going to apply single IP NAT strategy in our MikroTik Router, we have to complete MikroTik Router basic configuration without NAT configuration. If you are a new MikroTik user, study my previous article about MikroTik Router Basic Configuration using Winbox and complete basic configuration of your MikroTik router without NAT configuration. Because single IP NAT strategy will be applied in NAT configuration.
If you have completed MikroTik Router basic configuration according to my article, follow below steps to apply single IP NAT strategy in MikroTik RouterOS 7.
- Go to IP > Firewall menu and click on NAT tab and then click on PLUS SIGN (+) to create a new NAT rule. In New NAT Rule window click on General tab and then select srcnat from Chain drop-down box.
- Now click on Advanced tab and type ipblock1 or your own string as you like in Src. Address List input box.
- Click on Action tab and choose masquerade from Actiondrop-down list and then click Apply and OK button.
- Now click on Address List tab in Firewall window and click PLUS Sign (+) to create a new list. Choose ipblock1 or your provided string from Name drop-down list and type the IP address on which you want to allow internet in Address input box and then click Apply and OK button.
- Do step 4 every time you want to allow an IP address to access internet through your router.
After this configuration, we can see that IP addresses which are listed in Address List panel can access internet trough our MikroTik router. But other IP addresses of our network cannot access internet through our MikroTik although these IP address are obtained by IP devices from our DHCP Server.
If you face any confusion to follow above steps properly, watch the below video carefully on Single IP Internet Access Strategy in MikroTik Router.
The trick named Single IP NAT Strategy to prevent unauthorized internet access in our network has been explained step by step in this article. A video tutorial has also been uploaded to remove any confusion to apply Single IP NAT strategy in MikroTik Router.
However, if you face any problem to apply Single IP NAT strategy in MikroTik Router, feel free to discuss in comment or contact with me from Contact page. I will try my best to stay with you.