I’m trying to configure port forwarding from the public side of my RB 750 to a private NAT. I have seen various pages that discuss this, but cannot find step by step instructions. For example, this link provides an example firewall rule for port forwarding:
However, I do not know how to enter such a rule into the RB 750. I have successfully logged in to the RB 750 through the Winbox console, but don’t know what steps to take from there.
Thanks, but I do not know what steps specifically to take to implement this. The instruction in the link says only what rule to add, but does not specify the exact steps to add a rule. If I am logged in to Winbox, what exactly do I click on to make this happen?
Hmm, I’ve added the rule but no luck. Are there any special considerations if the port I’m forwarding is 80, since the Mikrotik unit itself seems to handle port 80? Also, should I be able to test this by entering the WAN IP address from a device that is actually on the local (NAT) network? (I’ve tried it from an external address, and that doesn’t seem to work either.)
I see on the “General” tab that there is a check box for Protocol and Dst Port. What is that for?
Be sure that the IP you are forwarding to is on the same subnet as the LAN of the 750. Also, the device you are forwarding to needs to have its default gateway set to the 750; otherwise it doesn’t know how to reply back to the world.
I wound up adding the rule from the console and included the destination address to avoid internal traffic from being forwarded. So, this is what I now have:
=====================================
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway
This still does not work (i.e., I could not access the Web server on 192.168.88.10 through the WAN side of the router).
In my configuration, the 750 has WAN address 68.194.23.14 and NAT address 192.168.88.1. The node with address 192.168.88.10 is running a Web server on port 80 and is configured to use 192.168.88.1 as the gateway.
OK, so what logic does the router use to determine whether an inbound packet with a destination port of 80 should be forwarded? Of course, I don’t want packets sent from the LAN to a WAN address to be forwarded.
If you only have one IP, you will have to disable the MikroTik default web GUI via IP → Services, then click Disable on http.
OK, thanks. (Or I can just change the port used by MikroTik for the web GUI, right?)
I’m having the same problem. I finally did get it to work, but I somehow borked my settings and can’t find the correct settings again.
I found several links for help and the only consistency I see is the inconsistency of the answers, i.e., to include or not include the “dst-address”, to use “dst-address” (singular) or “dst-addresses” (plural), to use or not use “disable=no”.
Configuration:
Using Level 4 on standalone PC.
WAN: 192.168.1.3 ether2
LAN: 192.168.3.1 ether1
VNC host (server) computer on 192.168.3.100, VNC port 5901 (the LAN side).
VNC viewer on 192.168.1.10 (the WAN side)
Tested so far:
Verified VNC properly by placing VNC host on the 192.168.1.x network and it works.
Changed VNC host to x.x.3.100 and it does not work.
Initial to start line rules:
add chain=dstnat dst-address=192.168.1.3 action=dst-nat to-addresses=192.168.3.1
add chain=srcnat action=masquerade out-interface=ether2
Then added each one of the lines below (while removing the previously unsuccessful line before adding the next).
Using “to-addresses” and “to-ports” where both are plural.
add chain=dstnat dst-address=192.168.1.3 dst-port=5901 action=dst-nat to-addresses=192.168.3.100 to-ports=5901 protocol=tcp
Using “to-address” only as plural, and “to-port” singular
add chain=dstnat dst-address=192.168.1.3 dst-port=5901 action=dst-nat to-address=192.168.3.100 to-ports=5901 protocol=tcp
Using “to-ports” only as plural, and “to-address” singular
add chain=dstnat dst-address=192.168.1.3 dst-port=5901 action=dst-nat to-addresses=192.168.3.100 to-port=5901 protocol=tcp
Using “to-address” and “to-port” where both are singular.
add chain=dstnat dst-address=192.168.1.3 dst-port=5901 action=dst-nat to-address=192.168.3.100 to-port=5901 protocol=tcp
My current (and still not working) print out is:
/ip firewall nat> print
0 chain=dstnat action=dst-nat to-addresses=192.168.3.1 dst-address=192.168.1.3
1 chain=srcnat action=masquerade out-interface=ether2
2 chain=dstnat action=dst-nat to-addresses=192.168.3.100 to-ports=5901 protocol=tcp dst-port=5901
Edited to correct typo errors in to-address values.
There are only to-addresses and to-ports. Using the singular works because RouterOS lets you abbreviate commands once they’re unique. There is nothing else that starts with ‘to-address’, so it’s a valid abbreviation of ‘to-addresses’; the same goes for ‘to-ports’. The only reason you’d use ‘to-ports’ is when you want to translate the ports. When the destination port is 5900 and you want it to be forwarded to port 5901, you’d specify to-ports. If you don’t want to change the port, you can specify the same to-ports, which is a null action but, depending on the code, might take resources; it’s definitely not necessary. Actions simply specify what you want the router to do. Specifying a destination NAT action with a to-address means “change the destination IP address in the layer 3 header of this packet”. You usually do want to specify the dst-address (there is no such qualifier as dst-addresses; that’s an invalid command) so that you only NAT relevant packets directed at the router IP that need to be forwarded to a device behind it. If you don’t, any outbound VNC connections traversing the router that machines behind it make on that port will also be destination NAT’d unless you start qualifying in-interface, which would cause the connection to fail. The router will very literally interpret what you’re telling it to do.
Order matters within a chain, and once packets match a rule that rule will be executed and processing stops (unless passthrough=yes is specified). Any VNC packet that comes to your router and needs forwarding will be directed to 192.168.3.1. Look at the first rule in the dstnat chain. It says to translate the destination address of any packet (absolutely any IP packet) directed at 192.168.3.1 to 192.168.1.3, which is also a router IP address according to your details. The VNC packet will match that, so the router will perform the translation and stop processing. That translation, though, makes absolutely no sense to perform, as the router doesn’t care what interface it receives a packet for itself on in this instance; it doesn’t run a VNC server. But it does what it’s told, and never has a chance to get to the VNC-specific rule. Remove that first dstnat rule and you’ll be up and running. You can, as explained in the paragraph before, remove the ‘to-ports’ option from that second rule as the dst-port and to-port are the same, so no port translation is needed.
To summarize, remove all your NAT rules and use the below instead:
Though I personally favor not using masquerade (magically pick an IP address on the outbound interface) and rather use a specific src-nat whenever you have static IP addresses, which 192.168.3.1 appears to be. Whenever you can explicitly state something rather than let the machine decide something itself you should. The joke goes somewhere along the lines of ‘whenever a machine can do something for you automatically, that automatically should mean that you’re not going to use it’. So I like the below even better:
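To make the first-match argument in the answer above concrete, here is a small toy model of a dstnat chain, added to this thread as an illustration; it is not RouterOS code and not the poster’s configuration. It assumes only what the answer states: rules are evaluated top-down, the first matching rule’s action is applied and processing of the chain stops (passthrough, connection tracking and the srcnat chain are deliberately left out). It replays the poster’s two dstnat rules against a VNC packet arriving from the WAN, then the single qualified rule the answer recommends, and finally shows why the missing dst-address qualifier would also catch a LAN host’s own outbound VNC connection. The packets and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are constructed (documentation ranges), and the last scenario generalises the same engine to port translation (to-ports 2222 → 22) rather than address translation.

```python
"""Toy first-match model of a RouterOS-style chain=dstnat (illustration only)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a dst-nat rule in this model can look at or rewrite."""
    src: str
    dst: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class DstNatRule:
    """One 'chain=dstnat action=dst-nat' rule; None means the qualifier was not given."""
    to_addresses: Optional[str] = None   # rewrite destination IP (None = keep)
    to_ports: Optional[int] = None       # rewrite destination port (None = keep)
    dst_address: Optional[str] = None    # match only this destination IP
    dst_port: Optional[int] = None       # match only this destination port
    protocol: Optional[str] = None       # match only this protocol

    def matches(self, pkt: Packet) -> bool:
        # An unspecified qualifier matches every packet, exactly as the router would read it.
        return (
            (self.dst_address is None or self.dst_address == pkt.dst)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
            and (self.protocol is None or self.protocol == pkt.protocol)
        )


def run_dstnat(rules: List[DstNatRule], pkt: Packet) -> Tuple[Packet, Optional[int]]:
    """Walk the chain top-down. First match wins and the chain stops.

    Returns the (possibly translated) packet and the index of the matching rule,
    or the untouched packet and None if nothing matched.
    """
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            new_dst = pkt.dst if rule.to_addresses is None else rule.to_addresses
            new_port = pkt.dst_port if rule.to_ports is None else rule.to_ports
            return replace(pkt, dst=new_dst, dst_port=new_port), idx
    return pkt, None


# Rules 0 and 2 from the poster's non-working 'print' (rule 1 is srcnat, another chain).
BROKEN_RULES = [
    DstNatRule(to_addresses="192.168.3.1", dst_address="192.168.1.3"),
    DstNatRule(to_addresses="192.168.3.100", to_ports=5901, protocol="tcp", dst_port=5901),
]

# The one rule the answer recommends: qualified by router IP, protocol and port,
# with to-ports dropped because no port translation is wanted.
FIXED_RULES = [
    DstNatRule(to_addresses="192.168.3.100", dst_address="192.168.1.3", dst_port=5901, protocol="tcp"),
]

# The poster's VNC rule on its own, i.e. without a dst-address qualifier.
UNQUALIFIED_RULES = [
    DstNatRule(to_addresses="192.168.3.100", protocol="tcp", dst_port=5901),
]

# Generalisation: same engine, but translating the port (2222 -> 22) instead of the address.
PORT_TRANSLATION_RULES = [
    DstNatRule(to_ports=22, dst_address="198.51.100.7", dst_port=2222, protocol="tcp"),
]

# Constructed packets (documentation address ranges for the non-RFC1918 hosts).
VNC_FROM_WAN = Packet(src="192.168.1.10", dst="192.168.1.3", dst_port=5901)
VNC_FROM_LAN_OUTBOUND = Packet(src="192.168.3.50", dst="203.0.113.5", dst_port=5901)
SSH_FROM_WAN = Packet(src="192.0.2.9", dst="198.51.100.7", dst_port=2222)


if __name__ == "__main__":
    for name, rules, pkt in [
        ("broken chain, VNC from WAN", BROKEN_RULES, VNC_FROM_WAN),
        ("fixed chain, VNC from WAN", FIXED_RULES, VNC_FROM_WAN),
        ("unqualified rule, LAN host's outbound VNC", UNQUALIFIED_RULES, VNC_FROM_LAN_OUTBOUND),
        ("fixed chain, LAN host's outbound VNC", FIXED_RULES, VNC_FROM_LAN_OUTBOUND),
        ("port translation 2222 -> 22", PORT_TRANSLATION_RULES, SSH_FROM_WAN),
    ]:
        out, hit = run_dstnat(rules, pkt)
        print(f"{name}: rule {hit} -> {out.dst}:{out.dst_port}")
```

Running it shows the failure mode from the thread: with the broken chain the WAN packet hits rule 0 and is sent to 192.168.3.1, the router itself, so the VNC rule is never consulted; with the fixed chain it lands on 192.168.3.100:5901. The third case is the one the answer warns about: without dst-address, a LAN host’s own connection to an outside VNC server is silently rewritten to the internal server, whereas the qualified rule leaves it alone.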
These are my final rules, which are working very well:
[admin@MikroTik] /ip firewall nat> print
0 chain=srcnat action=src-nat to-addresses=192.168.1.3 out-interface=ether2
1 chain=dstnat action=dst-nat to-addresses=192.168.3.100 protocol=tcp dst-port=5901
I am new to MikroTik and I want to do port redirection.
I have a /30 network for connecting to the ISP, and a /29 peering network for business purposes.
The /29 peering network is routed directly from ISP so there is no need for NAT. I have just added a static route to my gateway, and internet is working.
My problem is that I cannot find a way to redirect a port. E.g., I have an ssh server on one of those /29 IPs. I want to ssh in from outside on port 2222, but have MikroTik redirect the traffic to port 22. Is that possible?
First, it’s a bad idea to stick your problem onto another thread, even if you feel it’s similar. It only creates confusion. And if on top of that the thread is several years old, it does not help.
About your problem, you can redirect pretty much anything to anywhere. If it comes to your router, you’re free to rewrite addresses or ports any way you like. If I’m understanding you correctly, you want to redirect incoming port 2222 to 22 for an address which is not on the router itself. It’s no problem, just use: