I need help with port forwarding. I need access to the DHCP server,
I have a
I have the setup as in the photo and I want to have VPN via the Zyxel.
First of all I enabled DDNS on the MikroTik. I changed the IP service for the MikroTik from port 80 to port 81 and afterwards I port forwarded/NATed port 80 on the MikroTik to the Zyxel,
but it is not working.
If you test it from the internet, it should work. If from LAN, then it can’t because of in-interface-list=WAN (but you can safely remove that). Do you have a public address? It won’t work without one, DDNS does not magically get through NAT.
I attach the exported file.
Also, about ports 80 and 81: I did it because I wanted to test whether I was NATing port 80 correctly. I have now changed it in the exported file.
My main purpose is to NAT ports 500 and 4500 from the MikroTik to the Zyxel.
I also attach the log file from NATing port 500. mikrotik.rsc (2.99 KB)
The dstnat rule for port 4500 is wrong, it should have chain=dstnat, not chain=dst-nat. This way you created a new custom chain, which is not used by anything.
And last filter rule is not needed, accept is default action if nothing else matched before. So accept as last rule is useless, whatever gets to it would be accepted anyway. But it’s not breaking anything.
The rest looks fine. The posted screenshot also shows that there’s some incoming traffic and it gets forwarded to the internal VPN server, so you should look there, what exactly the server thinks about it.
You can try to additionally forward ESP packets (protocol=ipsec-esp), but they shouldn’t be used if there’s NAT.
This rule does nothing (delete the orange bit)
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
add list=LAN
Nothing wrong for neighbours discovery to put in your LAN. Typically one puts in the base or management interface (trusted interface).
/ip neighbor discovery-settings
set discover-interface-list=none
Sob comments, and verified by independent eyes
This rule covers port forwarding sufficiently but it's not complete…
add action=accept chain=forward connection-nat-state="" log=yes
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
However, as pointed out, this is a duplicate rule already covered prior by the default dstnat rule, which also blocks all WAN to LAN traffic.
So you could simply delete this incomplete rule as it's not required.
As pointed out, the second dst nat rule is incorrect in format. It should be dstnat
add action=dst-nat chain=dst-nat dst-address-list=MyDDNS dst-port=4500
in-interface-list=WAN log=yes log-prefix=marios_1 protocol=udp
to-addresses=192.168.88.254 to-ports=4500
Note: If the TO PORTs is the same as DST-PORT, then the to-ports is not required!
Correct, the last filter rule does nothing… delete
add action=accept chain=forward connection-nat-state="" log=yes
In summary, I see nothing that should be preventing success if the changes already suggested are made.
The issue is most likely your setup on the Zyxel Router.
Since you are using that as a router, I am assuming you have assigned the Zyxel Router a WANIP of 192.168.88.254/32 (also its LANIP on the MT LAN).
I don't think you need any static routes on the MT router, but not sure…
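
An added example, not part of the thread and not any poster's code: a small Python check for the two NAT mistakes identified above, a rule placed in a chain such as dst-nat that nothing reaches, and a to-ports equal to dst-port. The sample export is constructed (the port 500 and masquerade rules are assumed), and treating any jump-target as "reachable" is a simplification.

```python
import shlex

BUILTIN_NAT_CHAINS = {"srcnat", "dstnat"}  # chains RouterOS itself traverses

# Constructed sample export modelled on the thread; the port 500 rule is assumed.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=500 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.88.254
add action=dst-nat chain=dst-nat dst-port=4500 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.88.254 to-ports=4500
/ip firewall filter
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
"""


def parse_export(text):
    """Return a list of (menu, properties) for every 'add' line in an export."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    menu, rules = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # honours quoted values
            rules.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules


def lint_nat(text):
    """Flag NAT rules in chains nothing reaches, and to-ports equal to dst-port."""
    nat = [p for menu, p in parse_export(text) if menu == "/ip firewall nat"]
    # Simplification: a custom chain counts as reachable if any rule jumps to it.
    reachable = BUILTIN_NAT_CHAINS | {p["jump-target"] for p in nat if "jump-target" in p}
    findings = []
    for p in nat:
        if p.get("chain") not in reachable:
            findings.append(("unused-chain", p.get("chain"), p.get("dst-port")))
        same_port = p.get("to-ports") and p.get("to-ports") == p.get("dst-port")
        if p.get("action") == "dst-nat" and same_port:
            findings.append(("redundant-to-ports", p.get("chain"), p.get("dst-port")))
    return findings


if __name__ == "__main__":
    for kind, chain, port in lint_nat(SAMPLE_EXPORT):
        print(f"{kind}: chain={chain} dst-port={port}")
```

Renaming the chain to dstnat in the sample clears the unused-chain finding; the to-ports finding is cosmetic only.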