I see manual on your site: http://wiki.mikrotik.com/wiki/Forwardin ... nternal_IP
/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=59000 \
action=dst-nat to-addresses=192.168.1.101 to-ports=3389

This does not work!

Only when I added an additional Firewall Filter Rule
chain=forward
dst.address=192.168.1.101
protocol=6(tcp)
dst.port=3389
action=accept

it working.

Nat rule by itself works correctly as it should.
If you have any drop rules in filter forward chain that is not a problem of NAT rule, but misconfiguration of your firewall.

If you have any drop rules in filter forward chain that is not a problem of NAT rule, but misconfiguration of your firewall.

All sets of Firewall Filter Rules have a "input drop" and "forward drop" at the end. This is "best practices", not a "misconfiguration".

Default drop is fine, "misconfiguration" is just the part where you did not add accept rule(s) for forwarded ports. NAT itself only changes addresses, it does not allow packets to go through forward chain, you have to do that manually.

If you want simple solution, you can allow all forwarded ports at once:

If you want simple solution, you can allow all forwarded ports at once:

Code: Select all

/ip firewall filter
add chain=forward connection-nat-state=dstnat

A rule that does that is present by default in the forward chain.
Maybe he dropped it?
Anyway, the request appears to be without merit.

I think this request is justified, better documentation is always good. Look at it this way, if you need to search manual/wiki for how to forward port, you can probably benefit from small note saying that just NAT alone is not enough.

In that case we would need to add those ridiculous notes all over the place. Instead users should read, for example, first time configuration examples or other firewall configuration examples where it is explained how firewall and nat works. And there are a lot of such articles already.