How To Setup A MikroTik Router With NAT And VPN Access (GUI)
This technical guide will show you how to setup a Mictrotik router with 1:1 NAT translation and secure VPN access.
1. Performing Initial Setup
Inital setup must be done over the command line interface (CLI)
Login on the system by the default admin and password.
The first thing to do is identify the network interfaces by running the following command:
[admin@Mikrotik] > interface ethernet print Flags: X - disabled, R - running, S - slave # NAME MTU MAC-ADDRESS ARP 0 R ether2 1500 00:25:90:60:4C:A9 enabled 1 R ether1 1500 00:25:90:60:4C:A8 enabled
Now we can associate what network card will be LAN and WAN
To avoid confusion, you can rename the interfaces to something more appropriate. In this case ether2 is will be LAN and ether1 will be WAN.
The following command will rename the interfaces.
[admin@Mikrotik] > interface set 0 name=LAN [admin@Mikrotik] > interface set 1 name=WAN
The numeric Value 0 represent the # on the list
Run the following command to confirm the change is completed.
[admin@Mikrotik] > interface ethernet print Flags: X - disabled, R - running, S - slave # NAME MTU MAC-ADDRESS ARP 0 R LAN 1500 00:25:90:60:4C:A9 enabled 1 R WAN 1500 00:25:90:60:4C:A8 enabled
1.1 Change Admin password
I recommend perform this step because the admin password default is blank you can easily be
a target of a brute force attack if you are managing the administration from outside the network
To perform this change use the following commands:
[admin@Mikrotik] > user set 0 password=MY-NEW-PASSWORD
1.2 Adding IP Address to Mikrotik
The following commands will add your static public IP address to the WAN interface and a private IP address for the LAN interface, where 0.0.0.0 is the public IP address :
[admin@Mikrotik] > ip address add address=0.0.0.0/24 comment="Management" interface=WAN [admin@Mikrotik] > ip address add address=192.168.1.1/24 comment=Mikrotik-ip interface=LAN
1.3 Add Default Gateway
The following command will set the gateway IP address, where 0.0.0.0 is the public IP address:
[admin@Mikrotik] > ip route add comment="Default GW" distance=1 gateway=0.0.0.1
You able to access the Mikrotik router through Winbox , if you are outside from the network use the public ip address, or if you are in the network use the internal ip address.
1.4 Adding Additional IP Addresses
When connected through Winbox, in the menu go to IP > Addresses. Then click the + button, add the IP address and set the interface to add it to as shown below:
In this section we will set up 1:1 Network Address Translation (NAT). NAT refers to when a private IP address is mapped to an external private one, so in this case 192.168.1.1 will be mapped to where 0.0.0.0 (our public IP address)
Go to the Menu, and in IP > Firewall go to the “NAT” tab. This must be set for both the Incoming and the Outgoing. Select “Add”:
2.1 Incoming Traffic
Here you want to select “dstnat” in the Chain section, and then fill in the public IP address in the Dst. Address section.
Then, go to the “Action” tab and select “dst-nat” in the Action field and finally entering the internal private IP address in the “To Addresses” field.
This completes the ruled for the inbound traffic, now to setup the rules for the outbound traffic.
2.2 Outgoing Traffic
Select “Src-nat” in the Chain section, followed by the private IP address in the Src. Address field, followed by the WAN interface in the Out. Interface section:
In the “Action” tab, select “Src-nat” in the Action field, and enter the public IP address in the To Addresses field as shown below:
This concludes the outgoing and incoming firewall rules – we can now move on to the final firewall rules.
2.3 Allowing computers inside the network to access the internet
The following rules will allow all computers inside the network to access the internet.
Add a new firewall rule and navigate to the General tab. Select “src-nat” in the Chain field, and in Src. Address select the network range that will be allowed to access the internet. In this case, /16 is used as we are going to use another subnet for the VPN. In the Out. Interface section, select the WAN interface for the public IP address.
Finally,on the Action tab, select “src-nat” in the Action field, and your public IP address in the To Addresses field.
This concludes the firewall rules for configuring NAT.
3. Configuring L2TP Server
In this section we will setup and configure L2TP Server for secure VPN access to our network.
3.1 Configure VPN Address Pool
In the Menu, go to IP > Pool. Configure the IP address pool as shown below:
Make sure to reserve 1 IP address from the selected range, in this case we will reserve 192.168.2.1.
3.2 Set Up VPN Profile
In the Menu, go to the PPP section.
Modify the Default Profile, selecting the reserved IP address from step 3.1 in the Local Address field, and selecting the VPN Pool in the Remote Address field as shown below:
3.3 Enable The L2TP Server
In Menu go to PPP once more, and click the L2TP Server button:
Here you will need to select Enabled, select the “default” profile in the Default Profile field, and select IPSec with the secret key for your setup.
Make sure to also set “ip address” in the Caller ID Type field.
3.4 Create VPN Users
In this section we will create a user to enable access to the VPN
In Menu go to PPP, and select the “Secrets” tab. Click the + button to add a new user.
Fill the username and password in the relevant fields, select l2tp as the service and the default profile from step 3.2:
OPTIONAL STEP: If you’d like to give the user a static IP address enter it in the “Remote Address” section as we have done above.
You can now access the VPN with the username, password, and pre-shared key.
4. Filtering Rules
In this section we will configure the last firewall rules to set what is allowed to enter or leave the network
Remember that the filtering rules depend on the number of the rule, so 0 would be the first firewall filtering rule.
In the Menu, go to IP > Firewall, and navigate to the Filter Rules tab. Click + to create a new rule.
In the Chain field, select “forward”. Select the internal private IP address in the Dst. Address field, and finally select the Protocol and Destination Ports for traffic to be processed. Select WAN for In. Interface as shown below:
Finally on the Action tab select “accept” for the Action field:
This firewall rule will accept TCP traffic to ports 80 and 443 for HTTP and HTTPS.
NOTE: This step must be repeated for each port you’re going to accept traffic to
In this example we will block all traffic except the ports 80 and 443 that we have specified above.
So, we must create a new rule with the following:
And set the Action field to “drop”.
In this example we will allow traffic that comes in the WAN Interface to the destination
192.168.1.1(1:1 Nat) with protocol TCP 80 ,443,22 and allow ICMP. All other traffic will be dropped by the firewall.
Congratulations! Your Mikrotik router is now set up with 1:1 NAT and secure VPN access.
Looking for the perfect server to set this up on? Look no further!
With our powerful UK Dedicated Server plans, you’ll be online in no time – with the latest hardware, and superfast network speeds.