MikroTik 1:1 NAT

A question for the MikroTik experts. Probably a simple question but being new to MikroTik I want to make sure I get this right.

I have a customer requiring a Dual WAN setup. The customer has three devices:
- PIX Firewall (airCloud Public IP1)
- Exchange Server (airCloud Public IP2)
- Barracuda AntiSpam (airCloud Public IP3)

We are installing an RB532 configured as follows:
Eth1 - WAN1 airCloud Wireless
Eth2 - WAN2 airCloud DSL service
Eth3 - LAN Customer Network

When WAN1 is up (default route is responding to ping), Eth1 and Eth3 are bridged. If WAN1 goes down, WAN2 goes active. (We know this all works correctly from another similar installation.)

In this case I need to do a 1:1 NAT that maps three DSL IPs bound to Eth2 to the three airCloud IPs on the PIX, Exchange, and Barracuda servers.

My question is: How would you do it? I’m pretty confused as to what to assign under


I’m using WinBox primarily.

Any help would be greatly appreciated! I have to install this Thursday and I want to be sure I have it right.

Side Note:
We have already taken care of the mail DNS through multiple MX records with priority.

Thanks in advance


I think you should simply add two NAT rules for every NAT 1:1 association as follows:

rule #1:
chain: srcnat
src-address: private IP on eth2
action: netmap
to-addresses: public IP on WAN2

rule #2:
chain: dstnat
dst-address: public IP on WAN2
action: netmap
to-addresses: private IP on eth2

If the three IPs (public and private) are consecutive, you only need these two rules (using proper ranges, look at the RouterOS 2.9 manual, page 409); otherwise you will need 2x3 rules.


Hi Jerry,

Do you need any more information on this?


Actually, as busy as I have been I have not touched it. Hoping to work on it tonight.


Two rules per IP you want to assign.

Let's say you want an outside address of
and your inside

NAT RULE under IP -> Firewall -> NAT:

Chain = dstnat
Dst Address =
To Address =
To Ports = 0-65535

2nd Rule
Chain = srcnat
Src Address =
To Address =
To Ports = 0-65535

You can also make this particular to one port access if you like by assigning a port and the protocol type if you like. But this will set up one IP address one to one NAT.
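
An added example, not part of any post in this thread: a small Python helper that turns a list of outside/inside address pairs into the dstnat and srcnat netmap rule pairs described in the replies, collapsing them to two range rules only when both sides are consecutive in the same order and otherwise emitting two rules per address. The sample addresses are constructed from documentation ranges, and the `first-last` range form for `dst-address`, `src-address` and `to-addresses` is assumed to match what the RouterOS manual cited above describes.

```python
import ipaddress

NAT = "/ip firewall nat add"  # RouterOS CLI path for IP -> Firewall -> NAT

def _is_run(addrs):
    """True when the addresses are ascending with no gaps."""
    return all(int(b) - int(a) == 1 for a, b in zip(addrs, addrs[1:]))

def netmap_rules(pairs):
    """Return RouterOS commands for 1:1 NAT from (outside, inside) pairs."""
    parsed = sorted((ipaddress.IPv4Address(o), ipaddress.IPv4Address(i))
                    for o, i in pairs)
    outs = [o for o, _ in parsed]
    ins = [i for _, i in parsed]
    if len(set(outs)) != len(outs) or len(set(ins)) != len(ins):
        raise ValueError("an address may appear in only one 1:1 mapping")
    # Ranges are only safe when both sides are consecutive in the SAME order,
    # otherwise the positional mapping would pair the wrong hosts.
    if len(parsed) > 1 and _is_run(outs) and _is_run(ins):
        groups = [(f"{outs[0]}-{outs[-1]}", f"{ins[0]}-{ins[-1]}")]
    else:
        groups = [(str(o), str(i)) for o, i in parsed]
    rules = []
    for outside, inside in groups:
        rules.append(f"{NAT} chain=dstnat dst-address={outside} "
                     f"action=netmap to-addresses={inside}")
        rules.append(f"{NAT} chain=srcnat src-address={inside} "
                     f"action=netmap to-addresses={outside}")
    return rules

# Constructed sample mappings (documentation address ranges, not from the thread).
CONSECUTIVE = [("203.0.113.10", "198.51.100.20"),
               ("203.0.113.11", "198.51.100.21"),
               ("203.0.113.12", "198.51.100.22")]
SCATTERED = [("203.0.113.10", "198.51.100.20"),
             ("203.0.113.11", "198.51.100.25"),
             ("203.0.113.12", "198.51.100.22")]

if __name__ == "__main__":
    for label, sample in (("consecutive", CONSECUTIVE), ("scattered", SCATTERED)):
        print(f"# {label}")
        print("\n".join(netmap_rules(sample)))
```

Rules generated this way translate every protocol and port for the mapped hosts, so the router's filter rules remain the place to limit which services are reachable from outside.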