DST-NAT Not working

I’ve been trying to set up dstnat without anything working. I’ve been using MikroTik for 15+ years and it’s pretty simple, so I’m not sure what is going on.

Hardware is a MikroTik hEX RB750Gr3 on 7.20.1; it was on 7.20 and was having the same issue.

I’ve tried removing all firewall filters and just creating the NAT rules.

/ip firewall nat
add action=src-nat chain=srcnat comment="VL100-MGMT Outbound" dst-address=0.0.0.0/0 src-address=10.1.40.0/24 to-addresses=MyStaticIP

add action=dst-nat chain=dstnat comment="NAT RD Plex Server" connection-type="" dst-address=MystaticIP dst-port=3389 protocol=tcp to-addresses=10.1.40.16 to-ports=3389

When I had filter rules enabled no traffic is counted when trying to access and the NAT rule has no traffic counted.

When using filter rules I allowed port 80 as input and I was able to get to the page and traffic was counted.

If I VPN in I’m able to access all devices directly so my IP and port info is correct.

Any thoughts on this, I’ve tried multiple rules to multiple devices and nothing works when forwarding accessing services on the router itself.

Thanks Jason

Without seeing the complete config, not going to waste my time guessing.
/export file=anynameyouwish (minus router serial#, any public WANIP information, keys, dhcp lease lists)

Without the full config we can only guess, but I have a pretty good guess.

After going through dstnat, the packets still have to go through filter/forward. It’s easiest to just allow all dstnatted packets with a rule like this:

add chain=forward action=accept connection-nat-state=dstnat

This isn’t unsafe: creating the dstnat explicitly authorizes this. No dstnat, not allowed.

Open your DSTNAT rule in WinBox and click this triangle arrow to properly clear the Connection Type condition:


Or run this command in the Terminal:

/ip firewall nat set [find comment="NAT RD Plex Server"] !connection-type

Please note that connection-type="" is a condition that would never match.

2 Likes
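A lint for the failure mode identified in the reply above, as an added example that is not part of the original thread: it parses /export text and reports NAT rule properties that were exported as an empty string, such as connection-type="". The sample export, its 192.0.2.10 placeholder address and the function names are constructed for illustration; treating empty properties other than connection-type as suspect is an assumption.

```python
import re
import shlex

# Constructed sample modelled on the rules posted in this thread
# (192.0.2.10 is a documentation placeholder, not a real WAN address).
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=src-nat chain=srcnat comment="VL100-MGMT Outbound" \
    src-address=10.1.40.0/24 to-addresses=192.0.2.10
add action=dst-nat chain=dstnat comment="NAT RD Plex Server" connection-type="" \
    dst-address=192.0.2.10 dst-port=3389 protocol=tcp to-addresses=10.1.40.16
add action=dst-nat chain=dstnat comment="Web" dst-port=443 protocol=tcp \
    to-addresses=10.1.40.20
'''

def parse_rules(export_text):
    """Yield (section, props) for every 'add' line of a RouterOS export."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join '\' continuation lines
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line                      # e.g. "/ip firewall nat"
        elif line.startswith("add "):
            props = {}
            for token in shlex.split(line[4:]):  # honours quoted values
                key, sep, value = token.partition("=")
                if sep:
                    props[key] = value
            yield section, props

def empty_matchers(export_text, section="/ip firewall nat"):
    """Return (comment, property) for each rule property exported as ""."""
    findings = []
    for sec, props in parse_rules(export_text):
        if sec != section:
            continue
        for key, value in props.items():
            # Assumption: any empty property other than the comment is suspect;
            # the thread itself only confirms connection-type="".
            if value == "" and key != "comment":
                findings.append((props.get("comment", "<no comment>"), key))
    return findings

if __name__ == "__main__":
    for comment, prop in empty_matchers(SAMPLE_EXPORT):
        print(f'rule "{comment}": {prop}="" is an empty matcher; clear it with !{prop}')
```
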

Excellent catch!!

connection-type="" was the issue. I must have clicked that in WinBox and didn’t notice the blank and didn’t even see it when I pasted the export.

Thanks, I knew it had to be something simple that I was just overlooking.