How to Set Up Windows Server 2016 NAT
Network Address Translation (NAT) allows multiple devices on a private network to share a single public IP address when connecting to the internet. Windows Server 2016 supports NAT in two ways: through the Routing and Remote Access Service (RRAS), which provides enterprise-grade NAT with logging and policy control, and through the newer Windows NAT (WinNAT) feature available via PowerShell, primarily used in container and virtualization scenarios. This guide covers both approaches, with a focus on RRAS-based NAT for typical corporate internet sharing scenarios.
When to Use Windows Server NAT
Windows Server NAT is appropriate for scenarios where you need internet access sharing for a private subnet, lab environments, virtualization hosts (Hyper-V with isolated networks), or branch office internet breakout without a dedicated router. For high-throughput production environments, dedicated NAT hardware or purpose-built firewall appliances are generally preferred. Windows Server NAT is best suited to medium and small deployments or virtual lab environments.
Prerequisites
Verify that the server has two network interfaces — one connected to the external (internet-facing) network with a public or ISP-assigned IP, and one connected to the internal private network. Assign static IPs to both adapters:
Get-NetAdapter | Select Name, Status, InterfaceDescription
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne "WellKnown" } | Select InterfaceAlias, IPAddress, PrefixLength
Step 1: Install the Remote Access Role with Routing
NAT via RRAS requires the Routing feature within the Remote Access role:
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Install-WindowsFeature Routing -IncludeManagementTools
Verify the installation is complete:
Get-WindowsFeature RemoteAccess, Routing | Select Name, InstallState
Step 2: Configure RRAS for LAN Routing
Initialize RRAS to function as a LAN router, which is the prerequisite for enabling NAT:
Install-RemoteAccess -VpnType RoutingOnly
Verify RRAS started successfully:
Get-Service RemoteAccess | Select Status, StartType
netsh ras show type
Step 3: Enable NAT Using netsh
The most reliable way to configure NAT on Windows Server 2016 is using netsh commands. First, install the NAT routing protocol:
netsh routing ip nat install
Add the external (internet-facing) interface as the NAT public interface:
netsh routing ip nat add interface "Ethernet" mode=full
Add the internal (private network) interface as the NAT private interface:
netsh routing ip nat add interface "Ethernet 2" mode=private
Replace “Ethernet” and “Ethernet 2” with your actual adapter names as reported by Get-NetAdapter.
Step 4: Configure NAT with Basic DHCP Allocator
RRAS NAT includes a basic DHCP allocator and DNS proxy that can serve private clients without needing a full DHCP server. Enable these services:
# Set NAT global options: TCP/UDP mapping timeouts (in minutes) and the logging level
netsh routing ip nat set global tcptimeoutmins=1440 udptimeoutmins=1 loglevel=ERROR
# Install the DNS proxy and enable it on the internal interface
# (the DHCP allocator has its own context, netsh routing ip autodhcp)
netsh routing ip dnsproxy install
netsh routing ip dnsproxy set interface "Ethernet 2"
Step 5: Configure NAT Using PowerShell and the Routing Module
An alternative approach for Hyper-V and container scenarios uses the WinNAT PowerShell module. This is particularly useful when configuring NAT for Hyper-V internal virtual switches:
# Create an internal Hyper-V switch (for Hyper-V hosts)
New-VMSwitch -Name "InternalNAT" -SwitchType Internal
# Assign an IP to the new virtual adapter
$ifAlias = (Get-NetAdapter | Where-Object { $_.Name -like "*InternalNAT*" }).Name
New-NetIPAddress -IPAddress "192.168.100.1" -PrefixLength 24 -InterfaceAlias $ifAlias
# Create the WinNAT NAT network
New-NetNat -Name "LabNAT" -InternalIPInterfaceAddressPrefix "192.168.100.0/24"
# Verify the NAT network
Get-NetNat | Select Name, InternalIPInterfaceAddressPrefix, Active
Step 6: Configure Static Port Mappings (Port Forwarding)
Port forwarding redirects inbound connections on a specific public port to an internal host. For RRAS-based NAT:
# Forward external TCP port 8080 to internal web server on port 80
netsh routing ip nat add portmapping "Ethernet" tcp 0.0.0.0 8080 192.168.1.100 80
# Forward RDP port to an internal machine
netsh routing ip nat add portmapping "Ethernet" tcp 0.0.0.0 3389 192.168.1.50 3389
# View current port mappings
netsh routing ip nat show interface "Ethernet"
For WinNAT, add static mappings using PowerShell:
# Add a port mapping for WinNAT
Add-NetNatStaticMapping -NatName "LabNAT" -Protocol TCP -ExternalIPAddress "0.0.0.0" -ExternalPort 8080 -InternalIPAddress "192.168.100.10" -InternalPort 80
# View all static mappings
Get-NetNatStaticMapping | Select NatName, Protocol, ExternalPort, InternalIPAddress, InternalPort | Format-Table
Step 7: Configure Windows Firewall for NAT
Enable IP routing at the OS level and configure firewall rules to permit forwarded traffic:
# Enable IP routing in registry
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "IPEnableRouter" -Value 1
# Allow forwarded traffic
New-NetFirewallRule -DisplayName "NAT Forward Inbound" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080 -Profile Any
New-NetFirewallRule -DisplayName "NAT Forward RDP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -Profile Any
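An added audit for the static mappings from Step 6 and the firewall rules above (example code, not part of the original guide): it flags mappings that publish a management port such as RDP, or whose target lies outside the NAT's internal prefix. The function name, the sensitive-port list and the sample rows are assumptions; only properties the guide already selects from Get-NetNatStaticMapping are used.

```powershell
# Added example. The sensitive-port list and the sample rows are assumptions.
function Test-NatMappingExposure {
    [CmdletBinding()]
    param(
        # Objects with the properties Get-NetNatStaticMapping returns
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$Mapping,
        # Prefix given to New-NetNat -InternalIPInterfaceAddressPrefix
        [Parameter(Mandatory)] [string]$InternalPrefix,
        # Internal ports treated as management services (assumed list)
        [int[]]$SensitivePorts = @(22, 445, 3389, 5985, 5986)
    )
    begin {
        # Dotted IPv4 string -> integer, using plain arithmetic
        $toInt = {
            param($ip)
            $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
            [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
        }
        $network, $length = $InternalPrefix -split '/'
        $size = [int64][math]::Pow(2, 32 - [int]$length)   # addresses in the prefix
        $base = & $toInt $network
        $base -= $base % $size                              # first address of the prefix
    }
    process {
        $findings = @()
        if ($SensitivePorts -contains [int]$Mapping.InternalPort) {
            $findings += "publishes management port $($Mapping.InternalPort)"
        }
        $target = & $toInt $Mapping.InternalIPAddress
        if (($target - $target % $size) -ne $base) {
            $findings += "target is outside $InternalPrefix"
        }
        [pscustomobject]@{
            NatName  = $Mapping.NatName
            External = "$($Mapping.Protocol)/$($Mapping.ExternalPort)"
            Internal = "$($Mapping.InternalIPAddress):$($Mapping.InternalPort)"
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample rows; on the NAT host pipe Get-NetNatStaticMapping instead.
$sample = @(
    [pscustomobject]@{ NatName = 'LabNAT'; Protocol = 'TCP'; ExternalPort = 8080; InternalIPAddress = '192.168.100.10'; InternalPort = 80 }
    [pscustomobject]@{ NatName = 'LabNAT'; Protocol = 'TCP'; ExternalPort = 3389; InternalIPAddress = '192.168.100.50'; InternalPort = 3389 }
    [pscustomobject]@{ NatName = 'LabNAT'; Protocol = 'TCP'; ExternalPort = 8443; InternalIPAddress = '192.168.1.100'; InternalPort = 443 }
)
$sample | Test-NatMappingExposure -InternalPrefix '192.168.100.0/24' |
    Where-Object Findings | Format-Table -AutoSize
```

Where a flagged forward such as RDP has to stay, the matching rule from Step 7 can be limited to known sources with the -RemoteAddress parameter of New-NetFirewallRule instead of accepting any address.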
Step 8: Verify NAT Operation
Test that NAT is working correctly by checking connectivity from an internal client and monitoring NAT translations:
# View active NAT mappings and session statistics
netsh routing ip nat show global
netsh routing ip nat show interface "Ethernet"
# Monitor NAT with WinNAT
Get-NetNatSession | Select NatName, Protocol, InternalIPAddress, ExternalIPAddress | Format-Table
# From an internal client, verify internet connectivity
Test-NetConnection -ComputerName "8.8.8.8" -TraceRoute
# Check routing table to confirm default route is through NAT gateway
Get-NetRoute -AddressFamily IPv4 | Where-Object { $_.DestinationPrefix -eq "0.0.0.0/0" }
Windows Server 2016 NAT provides a flexible, manageable solution for network address translation without requiring additional hardware. Whether used for internet sharing in small office scenarios or for lab and container networking in virtualized environments, the combination of RRAS and WinNAT covers a wide range of NAT deployment requirements.