I’m sure you have all tried to link a BT business broadband without using their Hub router. If you have a set of static addresses so that your public IP address doesn’t change from day to day then it’s a little harder.

Our setup tries to make it more understandable, and the process is transferable. It doesn’t matter if you are working in a complex internal network with routed networks, or if you just have one network internally but your leased line provider is giving a set of extra IP addresses as a routed block.

First the issue.

When you set up your router you will have added a NAT masquerade rule so that traffic outbound is NAT’d by the router. That way the information looks like it’s coming from your public address externally rather than an unreachable internal private address.
For novices, remember that the private address ranges are only for internal use AND because they are used inside each building, the internet cannot work out where to send return traffic. As a result, they cannot exist on the internet. Instead you  normally have a single public IP address given by your broadband provider. This is only in use in one place and so return traffic does know how to get back.

The private ranges are:

Image result for ip v4 private address

So to overcome it, you set your router up to NAT every internal data packet. It marks every packet with its own address, and then records which internal private address it came from into its NAT table. This is used to “unmark” the packets as they return.

If you add further public addresses inside your router, then NAT breaks because they are processed as if they are private addresses yet the whole internet knows that they should be directly accessible.

The answer

  • In the Mikrotik firewall NAT menu, add an accept rule for each additional public address (set the chain to srcnat, set the action to accept, set the address list to your additional addresses).
    Make sure that this new rule is above the original Masquerade rule.



  • Now the packets being sent to your router are not processed by the masquerade rule if they are for that address. Instead they are “accepted” into the router and processed normally.
  • Don’t forget of course to add a srcnat rule to send traffic to the correct address





This is needed to make sure that outbound, one particular private address, IE your server or PC, is bound to a chosen public static address.

  • Now add a DSTNAT rule to direct traffic coming from the internet to be delivered to the same private address. Careful that you choose the correct ports, IE 443 for a web server, 587 for a mail server ……





Andisa provides Mikrotik consultancy and we are happy to work remotely on existing networks. If you need more help with any of the topics above, please feel free to call us and arrange a consultancy appointment: 01423 290029


in Mikrotik RouterboardWeb Hosting