2

I want to limit TCP/UDP ports which can be used for masquerade NAT on my Mikrotik router. For example, I want to use only 40000-65535 TCP ports range and 20000-65535 UDP ports range for masquerade. Other ports will be used for DNAT from WAN.

In general I have 2 questions:

  1. How can I strictly specify ports range which can be used for masquerade NAT firewall rule?
  2. If no restriction specified does Mikrotik can skip using in masquerade ports which router opened itself (SSH, Telnet, WinBox, etc.)?
Nikita Petrov
  • 19
  • 3

1 Answers1

0

You can create 2 additional NAT rules for TCP/UDP. Set the first to match TCP packets going out to WAN and set the action to src-nat; Then specify the correct public address and port range. Do the same for UDP, then have the standard masquerade rule underneath to catch anything else.

It will not use open ports for NAT, and while I don't know the exact port range it uses, it will certainly not use low port numbers like 22/23. Not sure if it's clever enough to automatically avoid ports you have dst-nat rules set up for though.

USD Matt
  • 5,381
  • 15
  • 23