How To Setup A MikroTik Router With NAT And VPN Access (GUI)

How To Setup A MikroTik Router With NAT And VPN Access

This technical guide will show you how to setup a Mictrotik router with 1:1 NAT translation and secure VPN access.

1. Performing Initial Setup

Inital setup must be done over the command line interface (CLI)

Login on the system by the default admin and password.

The first thing to do is identify the network interfaces by running the following command:

[admin@Mikrotik] > interface ethernet print Flags: X - disabled, R - running, S - slave # NAME MTU MAC-ADDRESS ARP 0 R ether2 1500 00:25:90:60:4C:A9 enabled 1 R ether1 1500 00:25:90:60:4C:A8 enabled

Now we can associate what network card will be LAN and WAN

To avoid confusion, you can rename the interfaces to something more appropriate. In this case ether2 is will be LAN and ether1 will be WAN.

The following command will rename the interfaces.

 [admin@Mikrotik] > interface set 0 name=LAN
[admin@Mikrotik] > interface set 1 name=WAN

The numeric Value 0 represent the # on the list
Run the following command to confirm the change is completed.

[admin@Mikrotik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 0 R LAN 1500 00:25:90:60:4C:A9 enabled
 1 R WAN 1500 00:25:90:60:4C:A8 enabled

1.1 Change Admin password

I recommend perform this step because the admin password default is blank you can easily be
a target of a brute force attack if you are managing the administration from outside the network

To perform this change use the following commands:

[admin@Mikrotik] > user set 0 password=MY-NEW-PASSWORD


1.2 Adding IP Address to Mikrotik


The following commands will add your static public IP address to the WAN interface and a private IP address for the LAN interface, where is the public IP address :


[admin@Mikrotik] > ip address add address= comment="Management" interface=WAN

 [admin@Mikrotik] > ip address add address= comment=Mikrotik-ip

1.3 Add Default Gateway

The following command will set the gateway IP address, where is the public IP address:

[admin@Mikrotik] > ip route add comment="Default GW" distance=1 gateway=

You able to access the Mikrotik router through Winbox , if you are outside from the network use the public ip address, or if you are in the network use the internal ip address.


1.4 Adding Additional IP Addresses

When connected through Winbox, in the menu go to IP > Addresses. Then click the + button, add the IP address and set the interface to add it to as shown below:



2. Natting

In this section we will set up 1:1 Network Address Translation (NAT). NAT refers to when a private IP address is mapped to an external private one, so in this case will be mapped to where (our public IP address)

Go to the Menu, and in IP > Firewall go to the “NAT” tab. This must be set for both the Incoming and the Outgoing. Select “Add”:


2.1 Incoming Traffic

Here you want to select “dstnat” in the Chain section, and then fill in the public IP address in the Dst. Address section.

Then, go to the “Action” tab and select “dst-nat” in the Action field and finally entering the internal private IP address in the “To Addresses” field.


This completes the ruled for the inbound traffic, now to setup the rules for the outbound traffic.


2.2 Outgoing Traffic

Select “Src-nat” in the Chain section, followed by the private IP address in the Src. Address field, followed by the WAN interface in the Out. Interface section:


In the “Action” tab, select “Src-nat” in the Action field, and enter the public IP address in the To Addresses field as shown below:

This concludes the outgoing and incoming firewall rules – we can now move on to the final firewall rules.


2.3 Allowing computers inside the network to access the internet

The following rules will allow all computers inside the network to access the internet.

Add a new firewall rule and navigate to the General tab. Select “src-nat” in the Chain field, and in Src. Address select the network range that will be allowed to access the internet. In this case, /16 is used as we are going to use another subnet for the VPN. In the Out. Interface section, select the WAN interface for the public IP address.

Finally,on the Action tab, select “src-nat” in the Action field, and your public IP address in the To Addresses field.

This concludes the firewall rules for configuring NAT.


3. Configuring L2TP Server

In this section we will setup and configure L2TP Server for secure VPN access to our network.


3.1 Configure VPN Address Pool

In the Menu, go to IP > Pool. Configure the IP address pool as shown below:

Make sure to reserve 1 IP address from the selected range, in this case we will reserve


3.2 Set Up VPN Profile

In the Menu, go to the PPP section.

Modify the Default Profile, selecting the reserved IP address from step 3.1 in the Local Address field, and selecting the VPN Pool in the Remote Address field as shown below:


3.3 Enable The L2TP Server

In Menu go to PPP once more, and click the L2TP Server button:

Here you will need to select Enabled, select the “default” profile in the Default Profile field, and select IPSec with the secret key for your setup.

Make sure to also set “ip address” in the Caller ID Type field.


3.4 Create VPN Users

In this section we will create a user to enable access to the VPN

In Menu go to PPP, and select the “Secrets” tab. Click the + button to add a new user.

Fill the username and password in the relevant fields, select l2tp as the service and the default profile from step 3.2:

OPTIONAL STEP: If you’d like to give the user a static IP address enter it in the “Remote Address” section as we have done above.

You can now access the VPN with the username, password, and pre-shared key.


4. Filtering Rules

In this section we will configure the last firewall rules to set what is allowed to enter or leave the network

Remember that the filtering rules depend on the number of the rule, so 0 would be the first firewall filtering rule.

In the Menu, go to IP > Firewall, and navigate to the Filter Rules tab. Click + to create a new rule.

In the Chain field, select “forward”. Select the internal private IP address in the Dst. Address field, and finally select the Protocol and Destination Ports for traffic to be processed. Select WAN for In. Interface as shown below:

Finally on the Action tab select “accept” for the Action field:

This firewall rule will accept TCP traffic to ports 80 and 443 for HTTP and HTTPS.

NOTE: This step must be repeated for each port you’re going to accept traffic to


In this example we will block all traffic except the ports 80 and 443 that we have specified above.

So, we must create a new rule with the following:

And set the Action field to “drop”.

In this example we will allow traffic that comes in the WAN Interface to the destination Nat) with protocol TCP 80 ,443,22 and allow ICMP. All other traffic will be dropped by the firewall.


Congratulations! Your Mikrotik router is now set up with 1:1 NAT and secure VPN access.



Looking for the perfect server to set this up on? Look no further!

With our powerful UK Dedicated Server plans, you’ll be online in no time – with the latest hardware, and superfast network speeds.