Three different ways to configure source NAT on Mikrotik routers

Source NAT on Mikrotik can be configured in different ways, depending on the desired result. However, I have noticed that many routerOS users tend to use the same method when configuring source NAT on Mikrotik. This is not good. In this post, I will share with us on three of the many ways to configure source NAT on a Mikrotik router.

Source NAT on Mikrotik can be implemented by using three of these attributes which I am going to go over one after the other: source address, in-interface or out-interface, source address-list. Each of these methods will successfully masquerade your internal addresses and use your WAN IP as the source IP for all internet-bound traffics, howbeit, in slightly different ways. This difference in implementation method could work both for/against the user, depending on network design and desired result.

source NAT on Mikrotik

Configuring source NAT on Mikrotik using the in/out interface

Using this option allows you to instruct the router to masquerade the internal IP addresses for packets entering or exiting the interface specified as in or out. With this method, the source IP addresses may not be listed; the router simply masquerades source IPs using in or out interfaces as attributes.

Source NAT implementation using this option can be considered the easiest. However, it will pose some challenges to ptp tunnels, gre tunnels and ipsec vpn. To allow vpn communications for local area networks configured on the router, user will have to exclude lan-to-lan communication from the source NAT rule.

This method for implementing source nat on Mikrotik can be configured on a Mikrotik router using the command below.

/IP firewall nat

add chain=srcnat in-interface=ether2 action=masquerade comment=nat_based_on_in_interface

add chain=srcnat out-interface=ether1 action=masquerade comment=nat_based_on_out_interface


Configuring source NAT on Mikrotik using source address

This option allows a user to specify the local subnet as a determining attribute for what IP addresses should be masqueraded. It provides a level of security because network administrators can exclude the subnets they do not want to access the internet. These subnets will only be able to carry out LAN-to-LAN communications using private IPs.

To configure source NAT on Mikrotik using this method, an administrator can enter commands similar to the ones below.

/IP firewall nat

add chain=srcnat src-address= action=masquerade


You may also like: How to configure Mikrotik site to site Ipsec VPN to connect your branch offices to HQ


Configuring source NAT on Mikrotik using source address-list

I consider this method the most secured way of configuring source nat on Mikrotik routers. It provides some level security by allowing an administrator to build a list of source IP addresses that should be included in the masquerade rule. These users will ultimately be provided access to the internet. This method may appear less simpler than the previous ones discussed above, depending on the user.

To configure source nat on Mikrotik using this method, user needs to build a manual/dynamic  source address list, then use this address list to configure source NAT. See steps below.

Building a manual source address list

/IP firewall address-list

add address= list=internet_users

add address= list=internet_users

As shown above, addresses can be added one after the other or in groups.


To see how to build a dynamic source address-list, click here.


After building the list, user can configure source NAT using the source address list created above as an attribute to determine whose source IP address should or should not be masqueraded. See below.

/ip firewall nat
add chain=srcnat src-address-list=internet_users action=masquerade

In conclusion, while methods 1 and 2 work, method 3 gives you control over which IP addresses should be allowed through to the internet. The source address-list could also be used to match the source addresses of hosts not to be included in the firewall masquerade rule. When done this way, users whose source IPs are captured in the source address list will be denied internet. When used with dynamic source address list, a group of users can be denied internet access at specified periods during working hours.

For more on Mikrotik source NAT, please read mikrotik documentation here.

If you enjoyed this tutorial, please subscribe to this blog to receive my posts via email. Also subscribe to my YouTube channel, like my Facebook page and follow me on Twitter.

Spread the love

Leave a Comment