Network Address Translation (NAT) is an essential feature in MikroTik routers that enables devices to communicate with external networks while managing IP address translation. If you have both public and private IP subnets, it’s crucial to configure NAT properly to ensure public IPs route normally while private IPs access the internet via NAT.
In this guide, we’ll configure NAT in MikroTik to:
- Bypass NAT for a public subnet (103.0.113.0/26) so that public IPs are routed directly.
- Enable NAT (Masquerade) for private IP ranges (192.168.x.x, 10.x.x.x, 172.16.x.x) so that internal devices can access the internet.
Step 1: Understanding the Setup
IP Range | Purpose |
---|---|
103.0.113.0/26 | Public subnet, no NAT required (routed normally) |
192.168.0.0/16 | Private LAN, requires NAT for internet access |
10.0.0.0/8 | Private enterprise/cloud network, needs NAT |
172.16.0.0/12 | Private VPN/corporate network, requires NAT |
Step 2: Configure NAT Rules in MikroTik
1. Exempt Public Subnet from NAT
This rule ensures that devices with public IPs in 103.0.113.0/26 can be routed normally without NAT modification:
/ip firewall nat add chain=srcnat src-address=103.0.113.0/26 action=accept comment="Bypass NAT for Public Subnet"
2. Enable NAT (Masquerade) for Private IP Ranges
To allow private IPs to access the internet via the router’s WAN, apply masquerading:
/ip firewall nat add chain=srcnat src-address=192.168.0.0/16 action=masquerade comment="NAT for Private 192.168.x.x Network"
/ip firewall nat add chain=srcnat src-address=10.0.0.0/8 action=masquerade comment="NAT for Private 10.x.x.x Network"
/ip firewall nat add chain=srcnat src-address=172.16.0.0/12 action=masquerade comment="NAT for Private 172.16.x.x Network"
Step 3: Verify NAT Configuration
After adding the rules, check your NAT table:
/ip firewall nat print
Ensure that:
- The bypass rule for 103.0.113.0/26 is above any masquerade rules.
- The masquerade rules cover the private IP ranges properly.
To confirm NAT is working correctly, test connectivity:
- Check if a public IP (e.g., 103.0.113.1) is reachable without NAT:
  ping 8.8.8.8 src-address=103.0.113.1
  If successful, NAT is not interfering with public IP routing.
- Check if a private IP gets internet access (run this from a device on one of the private subnets):
  curl ifconfig.me
  It should return the router’s public IP, confirming NAT is working.
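The ordering check from Step 3 can also be done offline against a saved copy of the rules. The script below is an added example, not part of the original guide or of RouterOS: it parses rule lines in the form used above and applies first-match-wins evaluation to a few probe addresses. It assumes matching on src-address only (out-interface, dst-address, address lists and disabled rules are not modeled), and the probe addresses and function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: the four srcnat rules from this guide, in the order added.
RULES_TEXT = """
/ip firewall nat add chain=srcnat src-address=103.0.113.0/26 action=accept comment="Bypass NAT for Public Subnet"
/ip firewall nat add chain=srcnat src-address=192.168.0.0/16 action=masquerade comment="NAT for Private 192.168.x.x Network"
/ip firewall nat add chain=srcnat src-address=10.0.0.0/8 action=masquerade comment="NAT for Private 10.x.x.x Network"
/ip firewall nat add chain=srcnat src-address=172.16.0.0/12 action=masquerade comment="NAT for Private 172.16.x.x Network"
"""

# Constructed probe addresses and the action each one should hit first.
EXPECTED = {
    "103.0.113.1": "accept",         # public subnet: must bypass NAT
    "192.168.1.10": "masquerade",
    "10.20.30.40": "masquerade",
    "172.31.255.254": "masquerade",  # top of 172.16.0.0/12
}

def parse_rules(text):
    """Return [(source_network, action)] for srcnat rules, in table order."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps comment="..." as a single token
        if "add" not in tokens:
            continue
        props = dict(t.split("=", 1) for t in tokens[tokens.index("add") + 1:] if "=" in t)
        if props.get("chain") != "srcnat":
            continue
        # A rule with no src-address matches every source; no action means accept.
        src = ipaddress.ip_network(props.get("src-address", "0.0.0.0/0"))
        rules.append((src, props.get("action", "accept")))
    return rules

def first_match(rules, ip):
    """Action of the first rule whose source network contains ip."""
    addr = ipaddress.ip_address(ip)
    return next((action for src, action in rules if addr in src), "no-match")

def audit(text):
    """Return {probe_ip: actual_action} for every probe that hits the wrong rule."""
    rules = parse_rules(text)
    actual = {ip: first_match(rules, ip) for ip in EXPECTED}
    return {ip: act for ip, act in actual.items() if act != EXPECTED[ip]}

if __name__ == "__main__":
    print("as written:", audit(RULES_TEXT))
    # Constructed failure: a catch-all masquerade rule placed above the bypass rule.
    print("misordered:", audit("/ip firewall nat add chain=srcnat action=masquerade\n" + RULES_TEXT))
```

An empty result means every probe hit the intended rule; the misordered case reports the public address being masqueraded, which is the condition the bypass rule's position is meant to prevent.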
Summary
By properly configuring NAT, you ensure that:
- ✅ Public IPs (103.0.113.0/26) are routed directly without NAT.
- ✅ Private IPs (192.168.x.x, 10.x.x.x, 172.16.x.x) use NAT to access the internet.
- ✅ Traffic flows efficiently without unnecessary translation.
This setup is ideal for ISPs, data centers, and businesses using MikroTik routers to manage multiple IP ranges.
Let us know if you need further guidance on MikroTik configurations! 🚀