Hello everyone, I’ve been trying to port forward all traffic coming onto my network from port 22006 to 192.168.88.247 but can’t seem to set it up correctly. The /ip firewall nat print can be found at https://pastebin.com/vjcBQWE7. I don’t seem to understand src/dst port vs to ports, what does what/which determines what? If I didn’t explain something clearly or more information is need let me know.
I’d say that manual (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT) has all fields described well, but lets try once more:
chain=dstnat - where to put the rule, dstnat is correct for forwarded ports
protocol=tcp - protocol name
dst-port=22006 - original destion port, this is where clients from internet will be connecting to
action=dst-nat - what to do with connection, in this case change destinations address
to-addresses=192.168.88.247 - new destination address, i.e. your internal server
to-ports=22006 - new destination port (not required when it’s same as original one)
There’s also one important part missing - some specification of original destination address. Because as it is now, rule will match any tcp connection to port 22006, no matter what’s the destination, so not just incoming, but also outgoing ones. Since port 22006 is not used by any standard service, you probably won’t notice. But try that with something like port 80… If you have static public address, use dst-address=. If you have dynamic public address, use dst-address-type=local.
Another step to success is to allow forwarded ports through router. Dstnat doesn’t do it automatically, it only changes destination address. The simplest way is to use common rule to allow all forwarded ports:
/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept