[ASK] Port forwarding newbie question

Hi,

I’ve read multiple posts on how to port forward on RouterOS. I have a Hap2 and have added the port forwarding rules. By reading previous topics I learned that I probably need to add a rule to the firewall too, but I can’t seem to figure out which one. I use basic setup for my hap2 (Configured through Quickset), and I added a port forward for TCP port 6281 to my local NAS (for Synology Hyper Backup).

This is my config:

# mar/27/2020 15:49:22 by RouterOS 6.46.4
# software id = Q1T7-S5C8
#
# model = RBD52G-5HacD2HnD
# serial number = A6470XXXXX
/interface bridge
add admin-mac=74:4D:28:8C:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=netherlands disabled=no \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
    2.4ghz ssid="Everyday I'm Buffering" wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=netherlands disabled=no distance=indoors \
    installation=indoor mode=ap-bridge name=5ghz ssid=\
    "Everyday I'm Buffering" wireless-protocol=802.11 wmm-support=enabled \
    wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2.4ghz
add bridge=bridge comment=defconf interface=5ghz
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.253 client-id=1:78:f2:9e:90:b9:d9 mac-address=\
    78:F2:9E:90:B9:D9 server=defconf
add address=192.168.88.252 client-id=1:0:11:32:1c:1e:6c mac-address=\
    00:11:32:1C:1E:6C server=defconf
add address=192.168.88.251 client-id=1:0:15:17:cb:ba:d6 mac-address=\
    00:15:17:CB:BA:D6 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface=ether1 log=yes protocol=tcp \
    src-port=6281 to-addresses=192.168.88.252 to-ports=6281
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="Mikrotik hap AC2"
/system leds settings
set all-leds-off=immediate
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So I want port 6281 TCP forwarded to internal IP 192.168.88.252 (my NAS). I have a dynamic IP from my ISP. My ISP modem is set in bridge mode so my Hap2 does all the routing.

Thanks for any help!

When dst-port is 6281… and not src-port…
Also, since you have a dynamic IP, which is on your ISP's router, I see nothing static configured on your Mikrotik, or any PPPoE Client, you must first DMZ all the traffic from your ISP's router to Mikrotik OR port forward the port 6281 FROM your ISP's router to Mikrotik and THEN from Mikrotik to your NAS… 2 Steps…
You can always use the Cloud DNS of your Mikrotik device…
Now as far as the firewall is concerned, in your case you don't need to create a rule for that…

(1) First you need to fix this rule
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
to
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

(2) Then address the destination nat rule
add action=dst-nat chain=dstnat in-interface=eth1 log=yes protocol=tcp src-port=6281 to-addresses=192.168.88.252 to-ports=6281
to
add action=dst-nat chain=dstnat in-interface=wan log=yes protocol=tcp dst-port=6281 to-addresses=192.168.88.252

Note: to-ports is not required if it does not differ from the destination port, and I always use wan, but perhaps eth1 would also work…
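The two replies above make one point that is easy to miss: the dstnat rule has to match the port the client connects *to* (dst-port), because the client's own source port is ephemeral and will never be 6281, and the default forward chain needs no extra rule because its last rule only drops new WAN connections that were *not* dst-natted. The following Python model is an added example (not code from this thread or from MikroTik) that walks a new inbound SYN through a simplified dstnat chain and the default forward chain from the export. The WAN address 198.51.100.10 and the client 203.0.113.5 are constructed documentation addresses; the rule matchers are a hand-written subset and are not RouterOS's actual implementation. It models only the NAT and filter side, not the /ip address on ether2 versus bridge problem that turned out to be the real fix.

```python
"""Model of how a RouterOS dst-nat rule plus the default forward-chain filter
decide the fate of a NEW inbound TCP connection.

Added example for the forum thread, not MikroTik code. Addresses are
constructed; matcher semantics are a simplified subset of RouterOS."""
from dataclasses import dataclass, replace
from typing import Optional

WAN_IP = "198.51.100.10"        # constructed public address on ether1
NAS_IP = "192.168.88.252"       # the NAS from the thread
# Interface lists from the export: ether1 is in WAN, the bridge is in LAN.
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}


@dataclass(frozen=True)
class Packet:
    in_interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class DstNatRule:
    """Subset of /ip firewall nat matchers used by the thread's rule."""
    to_address: str
    protocol: str = "tcp"
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    to_port: Optional[int] = None   # omitted => keep the original dst-port

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol:
            return False
        if self.in_interface and pkt.in_interface != self.in_interface:
            return False
        if self.in_interface_list and \
                pkt.in_interface not in INTERFACE_LISTS[self.in_interface_list]:
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def dstnat_chain(pkt: Packet, rules: list) -> tuple:
    """First matching rule rewrites the destination. Returns (packet, was_dstnatted)."""
    for rule in rules:
        if rule.matches(pkt):
            port = rule.to_port if rule.to_port is not None else pkt.dst_port
            return replace(pkt, dst_ip=rule.to_address, dst_port=port), True
    return pkt, False


def forward_chain(pkt: Packet, was_dstnatted: bool) -> str:
    """Default forward chain for a fresh SYN. The established/related, invalid
    and ipsec rules never match a new plain TCP connection, so the only rule
    that decides is 'defconf: drop all from WAN not DSTNATed'. Anything that
    reaches the end of the chain is accepted."""
    from_wan = pkt.in_interface in INTERFACE_LISTS["WAN"]
    if from_wan and not was_dstnatted:
        return "drop"
    return "accept"


def inbound_result(pkt: Packet, rules: list) -> tuple:
    """(verdict, final dst ip, final dst port) for a new connection."""
    translated, natted = dstnat_chain(pkt, rules)
    return forward_chain(translated, natted), translated.dst_ip, translated.dst_port


# The rule as originally posted: keyed on src-port, which a client never uses.
BROKEN_RULE = DstNatRule(to_address=NAS_IP, in_interface="ether1",
                         src_port=6281, to_port=6281)
# The corrected rule: match the port the client connects to, via the WAN list.
FIXED_RULE = DstNatRule(to_address=NAS_IP, in_interface_list="WAN", dst_port=6281)

# Constructed inbound SYN from a remote Hyper Backup client (ephemeral src port).
SYN = Packet("ether1", "203.0.113.5", 51234, WAN_IP, 6281)

if __name__ == "__main__":
    print("src-port rule:", inbound_result(SYN, [BROKEN_RULE]))   # dropped, untranslated
    print("dst-port rule:", inbound_result(SYN, [FIXED_RULE]))    # accepted, sent to NAS
    probe = Packet("ether1", "203.0.113.5", 40000, WAN_IP, 22)
    print("unsolicited :22:", inbound_result(probe, [FIXED_RULE]))  # still dropped
```

The third call is the security point behind "you don't need a firewall rule": the default forward chain already fails closed, so adding a dstnat rule exposes exactly the one port you translated and nothing else. With the src-port version of the rule nothing is translated, and the same rule that protects you also drops the backup traffic.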

Thanks! Will try! Is this option also changeable from the WebFig? Haven't had any experience with Winbox yet.

All is working now! The solution was your first fix. I don't know why it was on ether2 since all the ports are bridged. But all is working now. Thank you guys so much!