June 30, 2025

Internet Access for DHCP Clients Using NAT

Internet Access for DHCP Clients Using NAT on Fortigate, Cisco, and Mikrotik Routers in GNS3

    NAT (Network Address Translation) is a method used to convert private IP addresses into public IP addresses, allowing devices on a local network to access the internet. Private IP addresses are used within local area networks (LANs) and are not routable on the internet. Common private IP address ranges include:

  • 192.168.0.0 to 192.168.255.255
  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255

    On the other hand, public IP addresses are globally routable and are used for communication over the internet. There are approximately 3.5 billion IPv4 addresses available worldwide. Private IP addresses are used because they conserve public IP addresses, which are limited.

NAT serves several purposes in a network:

  1. Security: NAT hides the internal network’s private IP addresses from the outside world, reducing exposure to attacks.
  2. IP Address Conservation: By using a single public IP for multiple devices within the LAN, NAT helps conserve the limited pool of public IP addresses.
  3. Connectivity: NAT allows internal users to access the internet using a shared public IP address.

In this document, we will configure PAT, which translates the private IP addresses of outgoing traffic to a public IP address, enabling internet access for devices on the local network.

Configuring NAT on MikroTik CHR

Step-by-Step Guide:

  • Log in to your Mikrotik Router.
  • Add a dhcp-server network (if not already configured) to hand out the gateway and DNS server:
ip dhcp-server network add address=lan_ip/mask gateway=your_gt dns-server=8.8.8.8
  • Add an address list to group the IP addresses (optional):
ip firewall address-list add list=natdhcp address=lan_ip/24
  • Configure NAT
ip firewall nat add chain=srcnat src-address-list=natdhcp out-interface=wan_int action=masquerade

    Now test internet access from a client. If it fails, renew the DHCP lease on the client or restart the router. Some MikroTik devices apply the change with a delay, which is normal.

Configuring NAT on Cisco 7200

Step-by-Step Guide:

  • Access the router’s CLI.
  • Enter configuration mode:
configure terminal
  • Define the inside and outside interfaces. These interfaces correspond to your LAN (inside) and WAN (outside):
interface fastEthernet0/0
    ip nat inside
    exit
interface fastEthernet1/0
    ip nat outside
    end
show ip int brief

  • Re-enter configuration mode (the previous step left it with end) and define the access list (ACL) that identifies the internal addresses to be translated:
configure terminal
access-list 10 permit lan_ip wild_card
  • Create a NAT translation rule. For Source NAT, we use the ip nat inside source command:
ip nat inside source list 10 interface fastEthernet1/0 overload
  • Leave configuration mode and save the configuration:
end
write memory

    The internal IP addresses within the specified range will now be translated to the public IP address of the WAN interface. The overload keyword enables PAT, a more flexible NAT technique that lets multiple devices share one public IP, and is typically used when the public IP is static.
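
The following is an added example, not part of the original guide or any vendor's code: a simplified Python model of the translation table that overload (PAT) and MikroTik's masquerade maintain. All addresses and ports are constructed sample values, and the class and function names are hypothetical.

```python
# Simplified model of a PAT ("overload" / masquerade) translation table.
# Constructed sample values throughout; real devices track more state.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed WAN address (documentation range)


@dataclass
class PatTable:
    public_ip: str
    next_port: int = 1024
    # (proto, inside_ip, inside_port, dst_ip, dst_port) -> translated port
    out: dict = field(default_factory=dict)
    # (proto, translated_port, dst_ip, dst_port) -> (inside_ip, inside_port)
    back: dict = field(default_factory=dict)

    def translate_outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside source to (public_ip, port), reusing a mapping."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            # Keep the original source port if free, otherwise pick another.
            port = src_port
            while (proto, port, dst_ip, dst_port) in self.back:
                port = self.next_port
                self.next_port += 1
            self.out[key] = port
            self.back[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.out[key]

    def translate_inbound(self, proto, src_ip, src_port, dst_port):
        """Map a reply to its inside host; None when no session exists."""
        return self.back.get((proto, dst_port, src_ip, src_port))


def demo():
    nat = PatTable(PUBLIC_IP)
    # Two LAN clients use the same source port toward the same server.
    a = nat.translate_outbound("tcp", "192.168.1.10", 50000, "198.51.100.5", 443)
    b = nat.translate_outbound("tcp", "192.168.1.11", 50000, "198.51.100.5", 443)
    # The server's reply to the second client is mapped back by port.
    reply_b = nat.translate_inbound("tcp", "198.51.100.5", 443, b[1])
    # A packet from a host no client contacted matches no table entry.
    unsolicited = nat.translate_inbound("tcp", "198.51.100.99", 4444, 50000)
    return a, b, reply_b, unsolicited


if __name__ == "__main__":
    print(demo())
```

Unsolicited traffic returns None only because no mapping exists, which is a side effect of translation rather than a filtering policy; inbound access control still belongs in the firewall rules of each device.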

Configuring NAT on FortiGate

Step-by-Step Guide:

GUI

  1. Log in to your FortiGate device.
  2. Navigate to Policy & Objects > IPv4 Policy.
  3. Click Create New to add a new policy.
  4. Set the Incoming Interface to your internal network interface (LAN).
  5. Set the Outgoing Interface to the interface connected to the internet (WAN).
  6. Set the Source Address to the required port/address.
  7. Set the Destination Address to the WAN port.
  8. Under Action, select Accept.
  9. Configure the schedule as per your requirements.
  10. Enable NAT by checking the box.
  11. Apply the changes.

CLI

  1. Log in to your FortiGate device.
  2. Enter the firewall policy configuration and define the policy:
config firewall policy
    edit policy_id (number)
        set srcintf lan_port
        set dstintf wan_port
        set srcaddr all or address or address group
        set dstaddr all or WAN port or address
        set action accept
        set schedule always or specify a custom schedule
        set service ALL or specific services
        set nat enable
        set ippool enable (optional)
        set poolname pool_name (optional)
    next
end

Now, your internal network traffic will be NATed to the public IP address associated with the WAN interface.

You can watch all the configuration here.

Conclusion

    Configuring NAT on FortiGate, Cisco 7200 and MikroTik CHR allows local devices on your network to share a single public IP address for internet access, ensuring security and saving IP addresses, while enabling internet connectivity.