Last updated: 2016-09-14



# list

/ip firewall nat

# Stats

/ip firewall nat print stats

# Port mapping/forwarding

Public IP:
Local IP:

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address= to-port=1234



Chain: dstnat

Protocol: tcp

dst-port=1234 => "Required !!!"


Action: dst-nat

to-address => LAN_IP_ADDR

to-port => Server_Listen_Port


Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT.

To overcome these limitations, RouterOS includes a number of NAT helpers that enable NAT traversal for various protocols.

Helper: ftp, pptp, sip ...

/ip firewall service-port enable pptp

PPTP uses TCP port 1723 as well as IP protocol 47 (GRE). Not port 47, but protocol 47. You need to allow both through the forward chain. Also turn on the IP service port (helper) for pptp, which allows NAT traversal of GRE. It's the only way to have more than one PPTP connection behind a NAT.



accept - accept the packet. Packet is not passed to next NAT rule.
add-dst-to-address-list - add destination address to Address list specified by address-list parameter
add-src-to-address-list - add source address to Address list specified by address-list parameter
dst-nat - replaces destination address and/or port of an IP packet to values specified by to-addresses and to-ports parameters
jump - jump to the user defined chain specified by the value of jump-target parameter
log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
masquerade - replace source address of an IP packet to IP determined by routing facility.
netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
passthrough - ignore this rule and go to next one (useful for statistics).
redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router's local addresses
return - passes control back to the chain from where the jump took place
same - gives a particular client the same source/destination IP address from supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
src-nat - replaces source address of an IP packet to values specified by to-addresses and to-ports parameters




Assume a NAT setup like this:

/ip firewall nat
add chain=dstnat dst-address= protocol=tcp dst-port=80 \
  action=dst-nat to-address=
add chain=srcnat out-interface=WAN action=masquerade

hairpin loopback

/ip firewall nat
add chain=srcnat src-address= \
  dst-address= protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade
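
Why the hairpin srcnat rule above is needed, shown as a Python packet trace. This is an added example, not part of the original notes, and every address in it is a constructed sample value (router LAN 192.168.1.1, public 203.0.113.10, server 192.168.1.2, client 192.168.1.10).

```python
# Added illustration: traces one TCP/80 connection from a LAN client to the
# router's public IP, with and without the hairpin masquerade rule.
# All addresses are constructed sample values, not taken from the page.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
ROUTER_LAN = ip_address("192.168.1.1")
PUBLIC_IP = ip_address("203.0.113.10")
SERVER = ip_address("192.168.1.2")
CLIENT = ip_address("192.168.1.10")


def simulate(hairpin_rule: bool) -> dict:
    """Return what the server sees and whether the client accepts the reply."""
    src, dst = CLIENT, PUBLIC_IP  # packet as sent by the LAN client

    # chain=dstnat dst-address=<public> dst-port=80 action=dst-nat
    if dst == PUBLIC_IP:
        dst = SERVER

    # chain=srcnat src-address=<LAN> dst-address=<server> out-interface=LAN
    # action=masquerade: source becomes the router's LAN address
    if hairpin_rule and src in LAN and dst == SERVER:
        src = ROUTER_LAN

    server_sees = src
    reply_src, reply_dst = SERVER, server_sees  # server answers what it saw

    if reply_dst == ROUTER_LAN:
        # Reply returns to the router, which reverses both translations.
        via_router = True
        reply_src, reply_dst = PUBLIC_IP, CLIENT
    else:
        # Destination is on the server's own subnet: delivered directly,
        # the router never gets the chance to undo the dst-nat.
        via_router = False

    # The client's socket only matches replies from the address it dialled.
    client_accepts = reply_src == PUBLIC_IP and reply_dst == CLIENT
    return {"server_sees": server_sees, "reply_src": reply_src,
            "via_router": via_router, "client_accepts": client_accepts}


if __name__ == "__main__":
    for flag in (False, True):
        print("hairpin rule:", flag, simulate(flag))
```

With the hairpin rule the server sees the router's LAN address instead of the real client, so its access logs and any IP-based ACLs no longer distinguish individual LAN clients on that path.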

Configuration example