Single IP NAT Strategy in MikroTik RouterOS 7
MikroTik Router has many features that help us customize a network to our requirements. Sometimes we need to allow internet access per IP address. Normally, when we apply a masquerade NAT rule in our MikroTik Router, all private IPs, or a whole network block, are masqueraded.
If we apply normal masquerade and enable a DHCP Server in our network, we may face a lot of unauthorized access. When a user connects to our network, he/she gets the network settings (IP, subnet mask, gateway and DNS) from the DHCP Server and can access the internet through our MikroTik Router. So, an unauthorized user can consume our paid bandwidth.
Usually we don’t want any user to access the internet through our MikroTik Router without our permission. To prevent unauthorized access in our network, we have to apply a strategy named Single IP NAT Strategy, which helps us control unauthorized access to our network. If we apply the single IP NAT strategy, no IP device can get internet access through our Router until we allow that IP.
Single IP NAT Strategy
Single IP NAT Strategy is not a MikroTik service but a logical trick that prevents unauthorized internet access in our network. Say we are going to build a DHCP-enabled network with a MikroTik Router in our office, like the network diagram below, where users come with their IP devices and connect to our network over either wired or wireless media.
But we do not want any user to access the internet through our DHCP Server without our permission. For this, we can apply the single IP NAT strategy in our MikroTik Router. If you wish to apply it, keep reading this article, where I will show how to apply the single IP NAT strategy in MikroTik RouterOS 7.
How to Configure Single IP NAT in MikroTik Router
Before applying the single IP NAT strategy in our MikroTik Router, we have to complete the MikroTik Router basic configuration without the NAT configuration. If you are a new MikroTik user, study my previous article about MikroTik Router Basic Configuration using Winbox and complete the basic configuration of your MikroTik router without the NAT configuration, because the single IP NAT strategy is applied in the NAT configuration.
If you have completed the MikroTik Router basic configuration according to my article, follow the steps below to apply the single IP NAT strategy in MikroTik RouterOS 7.
1. Go to the IP > Firewall menu, click on the NAT tab and then click on the PLUS SIGN (+) to create a new NAT rule. In the New NAT Rule window, click on the General tab and then select srcnat from the Chain drop-down box.
2. Now click on the Advanced tab and type ipblock1, or your own string as you like, in the Src. Address List input box.
3. Click on the Action tab and choose masquerade from the Action drop-down list, and then click the Apply and OK buttons.
4. Now click on the Address List tab in the Firewall window and click the PLUS SIGN (+) to create a new list entry. Choose ipblock1 or your provided string from the Name drop-down list, type the IP address for which you want to allow internet in the Address input box, and then click the Apply and OK buttons.
5. Do step 4 every time you want to allow an IP address to access the internet through your router.
After this configuration, the IP addresses listed in the Address List panel can access the internet through our MikroTik router. Other IP addresses of our network cannot access the internet through our MikroTik, even though these IP addresses are obtained by IP devices from our DHCP Server.
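The same configuration from the RouterOS terminal, with the commands to check the result. This is an added example, not part of the original article: ipblock1 is the list name from the steps above, while the 192.168.10.x addresses and the comment strings are constructed placeholders.

```routeros
# Added example. ipblock1 comes from the steps above; the addresses
# and comment strings are constructed placeholders.

# Weak form (shown only for comparison, left commented out):
# a blanket rule masquerades every private source address.
# /ip firewall nat add chain=srcnat action=masquerade

# Steps 1-3: masquerade only sources that are members of the address list.
/ip firewall nat add chain=srcnat src-address-list=ipblock1 action=masquerade comment="single IP NAT"

# Step 4: permit one address.
/ip firewall address-list add list=ipblock1 address=192.168.10.10 comment="permitted host"

# Step 5: repeat step 4 for several hosts in one go.
:foreach a in={"192.168.10.11";"192.168.10.12"} do={
    /ip firewall address-list add list=ipblock1 address=$a comment="permitted host"
}

# Check 1: the list contains exactly the addresses you intended to permit.
/ip firewall address-list print where list=ipblock1

# Check 2: no other masquerade rule without src-address-list is left in srcnat,
# otherwise unlisted hosts are still translated by that rule.
/ip firewall nat print where chain=srcnat

# Check 3: the rule's packet and byte counters grow only when a listed host browses.
/ip firewall nat print stats
```

The NAT rule only decides which sources get translated; packets from unlisted hosts are still forwarded with their private source address rather than dropped. The forward-chain filter rules suggested in the comments below drop them explicitly.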
If you face any confusion following the above steps, watch the video below carefully on Single IP Internet Access Strategy in MikroTik Router.
The trick named Single IP NAT Strategy, which prevents unauthorized internet access in our network, has been explained step by step in this article. A video tutorial has also been uploaded to remove any confusion about applying the Single IP NAT strategy in MikroTik Router.
However, if you face any problem applying the Single IP NAT strategy in MikroTik Router, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.
Can someone use these steps to allow some IPs in an ISP solution? Like in the settings where I was told to help manage their network, they have like a range of IPs in static mode, say from 2-50, but each IP must be assigned to any user who connected to their network. In the network, they use MAC filtering from the radio/wireless side, but assuming a user with some tech experience was assigned an IP of 192.168.30.5 with a bandwidth of 512kbps, but he goes and changes his IP to 192.168.30.7, which has not been assigned to anyone and has no limitation. Will assigning an IP address list help reduce such a person from messing up the network?
Dear,
So nice, very good explanation. But if someone manually assigns an IP address that is in the NAT list and I do not want that user to use the internet, how can I restrict a user from assigning a listed NAT IP address? I mean, from the listed NAT IPs, an IP address already added for a specific user…
Thanks
That's great, thank you Boss.
thank u so much
What if I have different IP pools (10.10.10.0/24, 10.20.10.0/24 & 10.30.10.0/24), how can I allow a MAC address to connect to the internet with different IP pools? Thanks
IP can be assigned in different ways, such as DHCP and PPPoE. But the single IP NAT strategy helps you to prevent unwanted network access through your router.
I have only a static WAN IP, user ID and password, so can I configure my Router1100AH without a gateway?
Router configuration is impossible without a gateway. If you have a static IP, why do you need a user ID and password? A user ID and password are normally required for a PPPoE connection. If you have a PPPoE WAN, you can configure your WAN as a PPPoE client.
If the intent is to give or deny permissions, FILTER rules are designed to do that:
/ip firewall filter
add chain=forward in-interface=lan out-interface=wan src-address-list=ipblock1 action=accept
add chain=forward in-interface=lan out-interface=wan action=drop
Thanks. It is an alternative solution that can be applied.
Hi Sayeed,
I am new to working on MikroTik routers and I am really enjoying and learning a lot from your articles. Thanks for giving us more solutions in this way.
I would like to suggest one thing: please record audio also when you make a video.
Thanks for your suggestion. I usually describe all things in the article, so I feel no interest in audio. However, I am trying, but my environment is still not suitable for audio recording because I do the videos in my office, which is an open space.