How To: MikroTik Router With NAT And VPN Access (CLI)

How To MikroTik Router With NAT And VPN Access

This technical guide will show you how to setup a Mictrotik router with 1:1 NAT translation and secure VPN access, over the command line.

1. Performing Initial Setup

Inital setup must be done over the command line interface (CLI)

Login on the system by the default admin and password.

The first thing to do is identify the network interfaces by running the following command:

[admin@Mikrotik] > interface ethernet print Flags: X - disabled, R - running, S - slave # NAME MTU MAC-ADDRESS ARP 0 R ether2 1500 00:00:00:00:00:00 enabled 1 R ether1 1500 00:25:90:60:4C:A8 enabled

Now we can associate what network card will be LAN and WAN

To avoid confusion, you can rename the interfaces to something more appropriate. In this case ether2 will be LAN and ether1 will be WAN.

The following command will rename the interfaces.

 [admin@Mikrotik] > interface set 0 name=LAN
[admin@Mikrotik] > interface set 1 name=WAN

The numeric Value 0 represent the # on the list
Run the following command to confirm the change is completed.

[admin@Mikrotik] > interface ethernet print Flags: X - disabled, R - running, S - slave # NAME MTU MAC-ADDRESS ARP 0 R LAN 1500 00:00:00:00:00:00 enabled 1 R WAN 1500 00:25:90:60:4C:A8 enabled

2. Change Admin Password

Performing this step is recommended because if the admin password default is blank you can easily be
a target of a brute force attack if you are managing the administration from outside the network.

To perform this change do this:

 [admin@Mikrotik] > user set 0 password=MY-NEW-PASSWORD

3. Add default VPN Pool range

Use the following to set the IP address range for your VPN pool:

/ip pool
add name=VPN-Address-Pool ranges=

4. Set the default VPN Profile to use the DNS and Local-Address for VPN

The following commands will set the default VPN profile to use google’s DNS and the local address for the VPN (in this case we have used

/ppp profile
set *0 dns-server= local-address= remote-address=\

5. Enable L2TP Server with IPSec

Now enable the L2TP VPN server with IPSec by issuing the following commands:

/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=8793679Ghhjg8ghgjf \

6. Adding additional IP addresses

Additional IP addresses can now be added to the relevant interfaces (the WAN interface would be assigned to your public IP address, and the LAN interface to your private IP):

/ip address
add address= comment="Management / Masquerhade" interface=\
 WAN network=
add address= comment="Extra IP" interface=WAN network=\
add address= comment=Mikrotik-ip interface=LAN network=\

7. Configure Firewall Rules

At this stage we need to configure the filtering rules for the firewall. This will allow access to the network with the VPN for the relevant protocols and configure 1:1 NAT:

/ip firewall filter
add action=accept chain=forward comment="Allow HTTP/HTTPS" dst-address=\ dst-port=80,443 in-interface=WAN protocol=tcp
add action=accept chain=forward comment="Allow SSH" dst-address=
 dst-port=22 in-interface=WAN protocol=tcp
add action=accept chain=forward comment="Allow ICMP/PING" dst-address=\ in-interface=WAN protocol=icmp
add action=drop chain=forward comment="Block All" dst-address= \
/ip firewall nat
add action=src-nat chain=srcnat comment="1:1 NAT Outgoing Traffic" \
 out-interface=WAN src-address= to-addresses=
add action=dst-nat chain=dstnat comment="1:1 NAT Incoming Traffic" \
 dst-address= to-addresses=
add action=masquerade chain=srcnat comment="Send all traffic to internet" \
 out-interface=WAN src-address= to-addresses=

8. Add Default  Gateway

The following command will set the default gateway IP address:

/ip route
add comment="Default GW" distance=1 gateway=

9. Configure router local services

We now need to configure the router services, in this case we will disable telnet and ftp and enable SSH on port 750:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=750
set api disabled=yes

10. Set L2TP Username, Password and IP Address

Now that we have our server successfully configured, we can create a test user for the VPN server. The following commands will add the user “testuser” with the password “password”, and specify their IP address as

/ppp secret
add name=testuser password=password remote-address=

Congratulations! You can now access with the username and password set in step 10.