In this article we will look at NAT and PAT operations and use them to expose services behind a Mikrotik device to the outside world. The access we allow is deliberately limited: only the services we choose are reachable through port forwarding, not the whole internal network. Which services? NAT-PAT will let us reach the HTTP and RDP services on the inside from the outside. HTTP will keep its default port 80 on both sides, while RDP will be reached on the server over port 3344 rather than the default 3389. I do it this way so that the subject is understood a little better. Let's take a look at the NAT and PAT concepts before starting the configuration.
NAT: stands for Network Address Translation. In other words, the addresses of the internal network behind the internal-leg interface are translated into the address of the external-leg interface that faces the Internet, and the same translation is reversed for the returning traffic.
PAT: stands for Port Address Translation. It is used together with NAT, but PAT is the process of forwarding a port from the external network to the internal network (and back), either to the same port number or to a different one.
Now, in our example, there is a Windows Server running the IIS service behind our Mikrotik device. The server sits only on the internal network, yet it must serve the outside world: a request from outside must reach IIS and the response must return to the user. In other words, a request arriving on port 80 of the Mikrotik's public IP address is taken and translated towards the internal network, but not to the whole internal network, only to the single forwarded port on the IIS server, which returns its index page to the user through the reverse translation.
Before proceeding, turn off the port 80 service that the Mikrotik's web configuration interface provides by default, so that it does not conflict with the forwarded port, as follows.
Then press + on the IP-Firewall-NAT tab and configure as follows.
Then the appearance will be this way.
You can also do the following via Telnet or SSH.
> ip firewall nat add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=80 action=dst-nat to-addresses=YOUR_SERVER_ADDRESS to-ports=80 comment="" disabled=no
Let us now send an HTTP request to the Mikrotik's external leg and confirm that the forward works.
Now let's set up the RDP scenario. It is the same as the IIS scenario, except that RDP on the server will listen on 3344, not 3389. In other words, we will receive the external request on 3389 but forward it to port 3344 on the server that provides the RDP service. The return traffic goes through the same operations in reverse.
To do this, you first need to change the default RDP port on the server to 3344; see the article on changing the RDP port on Windows Server 2012. After doing this, press + on the IP-Firewall-NAT tab in Mikrotik again and configure as follows. The difference here is that the request arriving on port 3389 is forwarded to port 3344 on the server behind the Mikrotik.
And the final view in the rules table will be as follows.
Finally, open an RDP connection to the Mikrotik's outer leg on port 3389 and confirm that it reaches the server.
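As an added illustration, not part of the article and not MikroTik code, the following Python models what the two dstnat rules above do to a packet: the inbound rewrite of destination address and port, the connection-tracking entry that lets the server's reply be rewritten back to the router's public address and port (the reverse operation mentioned above), the fact that a port with no rule is simply not passed into the internal network, and a helper that renders each rule as the RouterOS CLI line. The interface name bridge1, the addresses, and the client port are constructed sample values; the server address stands in for YOUR_SERVER_ADDRESS.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

WAN_IF = "pppoe-out1"            # external leg, as in the article's command
LAN_IF = "bridge1"               # assumed name of the internal leg
ROUTER_WAN_IP = "203.0.113.10"   # constructed stand-in for the Mikrotik's public address
SERVER_IP = "192.168.88.10"      # constructed stand-in for YOUR_SERVER_ADDRESS


@dataclass(frozen=True)
class DstNatRule:
    in_interface: str
    protocol: str
    dst_port: int      # port the outside world connects to
    to_address: str    # internal host that really serves it
    to_port: int       # port the internal host listens on
    comment: str = ""

    def to_routeros(self) -> str:
        """Render the rule as the line you would type on the RouterOS CLI."""
        return (f"/ip firewall nat add chain=dstnat in-interface={self.in_interface} "
                f"protocol={self.protocol} dst-port={self.dst_port} action=dst-nat "
                f"to-addresses={self.to_address} to-ports={self.to_port} "
                f'comment="{self.comment}" disabled=no')


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int


# Connection-tracking key: protocol, internal host, internal port, client, client port.
ConnKey = Tuple[str, str, int, str, int]


class DstNat:
    """Applies dstnat rules to inbound packets and undoes them on the replies."""

    def __init__(self, rules: List[DstNatRule]) -> None:
        self.rules = rules
        self.conntrack: Dict[ConnKey, Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the LAN, or None if no rule matches."""
        for rule in self.rules:
            if (pkt.in_interface == rule.in_interface
                    and pkt.protocol == rule.protocol
                    and pkt.dst == ROUTER_WAN_IP
                    and pkt.dport == rule.dst_port):
                # Remember the public address/port so the reply can be rewritten back.
                key = (pkt.protocol, rule.to_address, rule.to_port, pkt.src, pkt.sport)
                self.conntrack[key] = (pkt.dst, pkt.dport)
                return replace(pkt, dst=rule.to_address, dport=rule.to_port)
        # No forwarding rule: nothing else on the LAN is reachable from outside.
        return None

    def outbound(self, reply: Packet) -> Optional[Packet]:
        """Rewrite the server's reply so the client sees the router's public port."""
        key = (reply.protocol, reply.src, reply.sport, reply.dst, reply.dport)
        original = self.conntrack.get(key)
        if original is None:
            return None
        public_ip, public_port = original
        return replace(reply, src=public_ip, sport=public_port)


RULES = [
    DstNatRule(WAN_IF, "tcp", 80, SERVER_IP, 80, "IIS"),
    DstNatRule(WAN_IF, "tcp", 3389, SERVER_IP, 3344, "RDP"),
]


def rdp_round_trip() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Walk one RDP connection through the router: request in, reply out."""
    nat = DstNat(RULES)
    request = Packet(WAN_IF, "tcp", "198.51.100.7", 51515, ROUTER_WAN_IP, 3389)
    delivered = nat.inbound(request)
    if delivered is None:
        return None, None
    # The server answers from the port it actually listens on (3344).
    reply = Packet(LAN_IF, "tcp", delivered.dst, delivered.dport,
                   delivered.src, delivered.sport)
    return delivered, nat.outbound(reply)


def unforwarded_port_is_dropped(port: int) -> bool:
    """True when a port with no dstnat rule is not passed into the LAN."""
    nat = DstNat(RULES)
    probe = Packet(WAN_IF, "tcp", "198.51.100.7", 40000, ROUTER_WAN_IP, port)
    return nat.inbound(probe) is None


if __name__ == "__main__":
    for rule in RULES:
        print(rule.to_routeros())
    delivered, answer = rdp_round_trip()
    print("to server :", delivered)
    print("to client :", answer)
```

Running the script prints both rules in CLI form and shows the RDP request arriving at the server on 3344 while the reply leaves the router from port 3389, which is why the client never notices the changed server port. The in-interface check is what keeps the rule from matching traffic that originates on the internal leg.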
I hope it has been a useful article.