DSTNAT port forwarding is not working

I’m in Italy and I have Sky Wifi as ISP, with the ISP router.
I connected a hAP lite to ether1, configured ether1 as the WAN interface, configured DHCP, bridge configuration, and other things that I’m posting, and enabled the DMZ on the ISP router for the MikroTik router at ether1. So there should not be port forwarding issues.

I have one device on my LAN that I need to forward. I set up DSTNAT with port 80, in-interface ether1 (also tried WAN [interface list]), action dst-nat to the LAN IP and port 80, but the port remains closed.
The DSTNAT configuration is not working (I disabled it after testing; it’s not working if enabled).

Am I doing something wrong?

# may/06/2025 16:51:27 by RouterOS 6.49.17
# software id = 5GF6-7WS3
#
# model = RB941-2nD
# serial number = HHE0
/interface bridge
add admin-mac=xxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid="xxxxxxx" wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
    disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=2h
/ip dhcp-server lease
add address=192.168.88.253 mac-address=xxxxxxxxxx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=bridge \
    protocol=tcp to-addresses=192.168.88.253 to-ports=80
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Make sure you are not behind a NAT/CGNAT subnet from your ISP, and also make sure your 192.168.88.253 host is reachable via routing.

/ip/firewall/nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=80 protocol=tcp dst-address=your_public_ip dst-port=80

What do you mean by “is reachable via routing”? I need to forward a web configuration page of that device. If I connect on my LAN to 192.168.88.253 the page displays normally. It does not work from outside, via port forwarding. The port is not open.

I am not sure if I’m behind a CGNAT, but when I was doing the port forwarding from the ISP router, that worked.
The problem is on the hAP.
Also there is a DMZ configured on the IP of the hAP, that is 192.168.0.4, the only IP on the ISP router (ether1). The other devices are routed via the hAP’s bridge DHCP server, but can obviously communicate with the IPs of the router on ether1 (if I go to the ISP-router-side IP of the hAP, 192.168.0.4, I am automatically redirected to 192.168.88.1, which is the IP of the hAP on the hAP bridge).
Can this configuration be the cause of the problem?
I don’t think so, because there is the DMZ; maybe some firewall rules are missing?

Let me know,
and thank you for the help :slight_smile:

P.S. I don’t have a static IP; it’s dynamic. But I’m using a DDNS.

Any suggestions ..?

Being “behind CGNAT” would mean that your ISP is giving you a private IP address on your WAN connection. It sounds like this is clearly not the case.

Hopefully this is just a side-effect of you testing random things, but although you said you tried various in-interface or in-interface-list settings all related to the WAN port, in your exported config, that dst-nat rule is trying to match on in-interface=bridge, which will not work.

If you change that properly to in-interface=ether1 and it still doesn’t work, I would try two things:

  1. Disable the rule, then enable IP > Services > www. Disable all of your IP > Firewall > Filter rules on the “input” chain temporarily, then try to get to http://your.public.ip/ again from the outside. Instead of port 80 getting forwarded to your 88.253 host, the MikroTik itself should answer the request and display the first page of its web interface. If it DOESN’T, then that likely means the DMZ setting on your upstream router is not doing what you think it should be doing.

  2. If test #1 above works, then disable IP > Services > www, re-enable your dst-nat rule, temporarily disable ALL rules under IP > Firewall > Filter, then test again. If it now works, then one of your firewall rules is what is causing the problem. Enable them again one at a time, re-testing each time after enabling each one. Eventually you should find the culprit, and at that point hopefully it should be obvious by reading it why it is causing the issue, and what to do about it / how to re-write that filter rule to address it.

FIGURING OUT WHAT kind of connection your ISP device is getting certainly is key!!

Check IP DHCP Client for your WANIP?
a. confirm you are getting private WANIP on the MT device ( should be a private IP from the ISP router LAN side )
CHECK IP Cloud
b. check the IP address you get from IP CLOUD enabled?
FROM BROWSER
c. is this the same IP at your computer when you ask, what’s my IP?
FROM ISP ROUTER
d. if you can reach and configure the ISP router a bit, does it show what its public IP is, and if so does it match b or c??
CELLPHONE
e. can you go to cellular service for example or friends home and Ping any of the IPs noted in b,c,d ??

This should help you figure out if you indeed have a public IP that is reachable, probably your ISP IP address.
If so, there is no reason to suspect that DMZ is not working, assuming you had to forward ports 1-65000 or something, or is it a straight checkbox approach?
What if you don’t invoke bridge mode and simply port forward port 80 to the WANIP of the MT (aka its LANIP on the ISP LAN)?
You are sure there is no bridge option??


NEXT The config, pretty plain vanilla but one should change the default rule in the forward chain from:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO, the following three rules:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

a. Check IP DHCP Client for your WANIP? Yes, I confirm that the WANIP is a single IP that is exclusive to the ISP router LAN (192.168.0.4), the only IP on that LAN.
b. check the IP address you get from IP CLOUD enabled? What is IP Cloud???
c. is this the same IP at your computer when you ask, what’s my IP? Same as b, can’t compare.
e. can you go to cellular service for example or friends home and ping any of the IPs noted in b,c,d?? Tomorrow at my home I will do this test, will ping you asap.

On my ISP router, there is only a DMZ checkbox that can be activated to enable DMZ to a single IP of one device in the ISP LAN, in this case the MT WANIP (192.168.0.4, the IP on the ISP router LAN).
Otherwise I can also do port forwarding 1-65000 for every device I want; I also tried this with 192.168.0.4 forwarding ports 1-65000 TCP/UDP and it didn’t work.

Also, looking at my config, especially the firewall rules, is there something that may cause this problem?

Thanks!! :slight_smile:

Tomorrow I will do the rule test.
IP Service www is enabled by default.

Hi, today I did the IP test:

a) yes
b) don’t know what “ip cloud” is
c) yes
d) yes, but near the ip, it says “shared via MAP-T”
e) I tried pinging the IP from my mobile phone network (it matches on a, c, d) with this result (obviously the IP has been censored by me):

Host Name or IP Address: 101.58.XX.XX
Time: 2025-05-11 15:15:01 +0000

PING 101.58.xx.xx (101.58.xx.xx): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3

— 101.58.xx.xx ping statistics —
5 packets transmitted, 0 received, 100.00% packet loss

So, the ping is not responding.

This behaviour is very strange, because before I was able to do port forwarding from a device that was on the ISP router LAN.
What can I try to do?

P.S. I also tried adding the rules you specified, replacing the “block all not dstnatED” rule, but it didn’t work.

We might have found our problem.

MAP-T is a technology that ISPs can use to route IPv4 traffic over a native IPv6 network statelessly (no tunneling/encapsulation), while also (optionally) allowing one IPv4 address to be shared amongst multiple users (as an alternative to a CGNAT that still gives ISPs the same benefits as CGNAT). If an ISP implements IPv4 address sharing with MAP-T, then you will be allocated a specific range of external TCP/UDP ports that you can use on the WAN side for IPv4 traffic. Your router will NAT from your original LAN source IP+port to the shared WAN IP by selecting one of the available ports allocated to you.

What this means is that if your ISP is doing IPv4 address sharing with MAP-T, you are never guaranteed to be able to use the specific port# that you want to use. This would likely be why you aren’t getting an answer from port 80 externally: you haven’t had that port# allocated to you on the particular IPv4 address you have been assigned. Either they are starting contiguous port block allocation at port 1024 (so nobody who is sharing that IP can use it…this is the most likely scenario), or someone else happened to get that port allocated to them.


When was the last time that you tried forwarding directly from the ISP router? My guess is that perhaps your ISP recently made a change (maybe they weren’t using MAP-T at all before and started using it recently, or maybe they didn’t implement IPv4 address sharing with MAP-T until recently), and that you last tried the direct port forward from their router before that change. You should re-test this again to make sure it actually still works.
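As an added example (not from this thread), the port-set arithmetic behind that allocation, following the generalized modulus algorithm in RFC 7597 section 5.1: with the default PSID offset of 6, port 80 can never land in any subscriber's port set, which is exactly the "starting at port 1024" scenario above. The PSID and PSID length used below are constructed sample values.

```python
# Added example, not from the thread: MAP-T port-set arithmetic following
# the generalized modulus algorithm of RFC 7597 section 5.1. The PSID and
# PSID length are constructed sample values; offset 6 is the RFC default.

def map_port_set(psid, psid_len, offset=6):
    """Return the sorted list of external ports allocated to a PSID.

    A 16-bit port is split into [A: offset bits][PSID: psid_len bits][j: m
    bits] with m = 16 - offset - psid_len. Every value of A except 0 is
    used, so with the default offset of 6 the ports 0..1023 (A == 0) are
    never allocated to any subscriber sharing the address.
    """
    if not 0 <= offset <= 16 or not 0 <= psid_len <= 16 - offset:
        raise ValueError("invalid offset / psid_len combination")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("psid does not fit in psid_len bits")
    m = 16 - offset - psid_len
    first_a = 1 if offset > 0 else 0      # A == 0 is excluded when offset > 0
    ports = []
    for a in range(first_a, 1 << offset):
        base = (a << (16 - offset)) | (psid << m)
        ports.extend(range(base, base + (1 << m)))
    return ports

def port_is_allocated(port, psid, psid_len, offset=6):
    """True if `port` belongs to the port set of `psid` (same bit split)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    m = 16 - offset - psid_len
    if offset > 0 and port < (1 << (16 - offset)):
        return False                       # falls in the excluded A == 0 block
    return ((port >> m) & ((1 << psid_len) - 1)) == psid

def forwardable_ports(psid, psid_len, offset=6, limit=5):
    """First few external ports this subscriber could use in a dst-nat rule."""
    return map_port_set(psid, psid_len, offset)[:limit]

if __name__ == "__main__":
    # Constructed subscriber: 64 users share the address (psid_len 6), PSID 5.
    print("port 80 allocated:", port_is_allocated(80, 5, 6))   # False
    print("usable external ports:", forwardable_ports(5, 6))
    print("ports in this subscriber's set:", len(map_port_set(5, 6)))
```

A dst-nat rule is therefore only reachable from outside if its external dst-port is one of the ports in the subscriber's own set, whatever the ISP side is forwarding.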