A Simple port forward

Hi All,

I am quite new to using a MikroTik router. I have managed to initialy setup my Mikrotik and setup my Lan network with some statics on my devices, I have managed to setup an l2tp VPN and have applied SSH Brute force prevention and other little bits, but i am having trouble setting up a basic port forward to one of my devices from my WAN. I have Closed http off as i have setup https on www-ssl. Can anyone please point me in the right direction, I have tried a few tutorials but do not seem to be able connect to the device. Internally can connect so i know the port on the device is correct.

Thanks in advance.

Basic port forwarding command is:

/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=<public port> \
    action=dst-nat to-addresses=<internal address> to-ports=<internal port>

Depending on specific conditions, other variations are possible.

Connections must be also allowed through firewall filter, but you don’t need to worry about it if you use default config.

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Forward_all_traffic_to_internal_host

There are several ways to do this. This is one example. I prefer this method so that I don’t have to keep readjusting my firewall filter.

/ip firewall filter
add action=accept chain=input comment="Accept established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN access to router and Internet" in-interface=bridge-LAN
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Accept established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"

Noticed the sixth line.

Now, for your Nat rules

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masq" out-interface=ether-WAN
add action=dst-nat chain=dstnat dst-port=123 in-interface=ether-WAN protocol=tcp to-addresses=192.168.1.2 to-ports=321

Notice I have in-interface set. Very important.

I found this post on google and i want to do a simple port forward aswell. I followed pcunite example but it doesnt work.

I have a hAP ac with default configuration and I’m trying to open ports so people from the outside can join my quake 3 server.

export compact gives this

# aug/15/2018 15:19:11 by RouterOS 6.43rc51
# 
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# 
/ip firewall filter
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment="Accept established related" connection-state=\
    established,related
add action=accept chain=input comment="Allow LAN access to router and Internet" in-interface=\
    bridge
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Accept established related" connection-state=\
    established,related
add action=accept chain=forward comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=bridge
add action=accept chain=forward comment="Accept Port forwards" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface=ether1-WAN out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=27960 in-interface=ether1-WAN protocol=tcp to-addresse
    192.168.6.3 to-ports=27960
add action=dst-nat chain=dstnat dst-port=27960 in-interface=ether1-WAN protocol=udp to-addresse
    192.168.6.3 to-ports=27960