Allied Telesis AT-WR4500 Network Router User Manual


 
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers 217
RouterOS v3 Configuration and User Guide
9.4.2 NAT
Description
Network Address Translation (NAT) is an Internet standard that allows hosts on local area networks to use one
set of IP addresses for internal communications and another set of IP addresses for external
communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there must
be a NAT gateway in each natted network. The NAT gateway (NAT router) rewrites IP addresses as a packet
travels from or to the LAN.
There are two types of NAT:
source NAT or srcnat. This type of NAT is performed on packets that originate from a natted
network. A NAT router replaces the private source address of an IP packet with a new public IP
address as the packet travels through the router. The reverse operation is applied to the reply packets
travelling in the other direction.
destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted
network. It is most commonly used to make hosts on a private network accessible from the
Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it
travels through the router towards the private network.
NAT Drawbacks
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet
protocols might not work in scenarios with NAT. Services that require a TCP connection to be initiated
from outside the private network, or stateless protocols such as UDP, can be disrupted. Moreover, some
protocols are inherently incompatible with NAT; a notable example is the AH protocol from the IPsec suite.
RouterOS includes a number of so-called NAT helpers that enable NAT traversal for various protocols.
Redirect and Masquerade
Redirect and masquerade are special forms of destination NAT and source NAT, respectively. Masquerade
is a form of source NAT that does not require to-addresses to be specified: the address of the outgoing
interface is used automatically. In the same way, redirect is a form of destination NAT in which
to-addresses is not used: the address of the incoming interface is used instead. Note that to-ports is
meaningful for redirect rules; it is the port of the service on the router that will handle these requests
(e.g. the web proxy).
When a packet is dst-natted (whether by action=nat or action=redirect), its destination address is changed.
Information about the translation (including the original destination address) is kept in the router's
internal tables. A transparent web proxy running on the router (when web requests are redirected to the
proxy port on the router) can read this information from the internal tables and obtain the web server's
address from them. If you are dst-natting to some other proxy server, that server has no way to find the
web server's address from the IP header, because the destination address of the IP packet, which was
previously the address of the web server, has been changed to the address of the proxy server. Starting
from HTTP/1.1 there is a special header in the HTTP request which carries the web server address, so the
proxy server can use it instead of the destination address of the IP packet. If there is no such header
(an older HTTP version on the client), the proxy server cannot determine the web server's address and
therefore cannot work.
This means that it is impossible to correctly and transparently redirect HTTP traffic from the router to
some other transparent-proxy box. The only correct way is to add a transparent proxy on the router itself
and configure it so that your "real" proxy is its parent proxy. In this situation your "real" proxy no
longer has to be transparent, because the proxy on the router is transparent and forwards proxy-style
requests (which, according to the standard, include all necessary information about the web server) to
the "real" proxy.
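The following Python model is an added illustration, not configuration or code from this manual or from RouterOS. It shows the translation table a NAT router keeps: masquerade rewrites the source to the outgoing-interface address and reverses that for replies, and redirect rewrites the destination to the incoming-interface address and to-ports, so a proxy on the router can recover the original web server address from the table while a proxy on another box is left with only the HTTP/1.1 Host header. All addresses, ports and names are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    host_header: Optional[str] = None  # HTTP/1.1 Host header; absent for HTTP/1.0


Key = Tuple[str, int, str, int]


class NatRouter:
    """Toy NAT gateway with one LAN and one WAN interface (constructed model)."""

    def __init__(self, wan_ip: str, lan_ip: str) -> None:
        self.wan_ip, self.lan_ip = wan_ip, lan_ip
        self.table: Dict[Key, Packet] = {}  # translated 4-tuple -> original packet

    def masquerade(self, pkt: Packet) -> Packet:
        # srcnat without to-addresses: the outgoing (WAN) interface address is used.
        # A real masquerade also picks a new source port on collisions; omitted here.
        out = replace(pkt, src=self.wan_ip)
        self.table[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reverse_masquerade(self, reply: Packet) -> Packet:
        # Reply arriving from the Internet: restore the private destination from the table.
        orig = self.table[(reply.dst, reply.dport, reply.src, reply.sport)]
        return replace(reply, dst=orig.src, dport=orig.sport)

    def redirect(self, pkt: Packet, to_port: int) -> Packet:
        # dstnat to the router itself: incoming (LAN) interface address plus to-ports.
        out = replace(pkt, dst=self.lan_ip, dport=to_port)
        self.table[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def original_dst(self, pkt: Packet) -> Tuple[str, int]:
        # Only a transparent proxy running on the router can consult this table.
        orig = self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)]
        return orig.dst, orig.dport


def external_proxy_target(pkt: Packet) -> Optional[str]:
    # A proxy on another box sees only the rewritten IP header; the web server
    # identity survives solely in the HTTP/1.1 Host header (None for old clients).
    return pkt.host_header
```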
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | dst-nat | jump | log | masquerade |
netmap | passthrough | redirect | return | same | src-nat; default: accept) - action to undertake if the
packet matches the rule
accept - accepts the packet. No action is taken, i.e. the packet is passed through and no more rules are
applied to it
add-dst-to-address-list - adds destination address of an IP packet to the address list specified by