Forwarding ports when WAN port is VLAN tagged

I’ve had my MikroTik router for some time but ran it behind the router from my ISP because it needed VLAN 101 tagging on the WAN port and I couldn’t figure it out.
Got help in this thread http://forum.mikrotik.com/t/vlan-tag-wan-port/184198/1 and had everything solved.
After I removed my ISP’s router, which ran in bridged mode, none of my port forwarding rules work. I can’t access my Jellyfin server, or anything else I have on my network, from outside the LAN network.
I’m assuming I’m missing something with the VLAN configuration/tagging but I can’t figure out how to set it up so that the Port Forwarding works with WAN tagged as VLAN 101.

Do I need to tag all other ports to the same VLAN as the WAN port?

/interface list member
add interface=VLAN-101 list=LAN

These are screenshots of what I’ve been doing on the Port Forwarding.

This is the firewall rule to let it forward to port 4000.

I have a list of allowed IP addresses that can connect, everything else gets blocked.

The VLAN interface should be part of the WAN interface list:

/interface list member
add interface=VLAN-101 list=WAN

Thank you for your answer.
What you suggest is what I did (in the post I referred to) to make my WAN port VLAN 101 tagged. After I did that none of my port forwarding rules work which is why I ask if I should add all my LAN ports to the same VLAN (VLAN-101). I think I remember trying that and afterwards not being able to log in to the MikroTik router.

I have made a backup of my router configuration so it’s not a big deal, just wanted to ask before I go full bore on the idea.

I just saw the mistake in the NAT rule - the to-addresses parameter should be set to the LAN address of the Jellyfin, not the WAN.

:man_facepalming: I cannot believe I missed that.
Everything works like a charm now. I was SO focused on everything else that I didn’t notice.

I’m so sorry for that mistake and for taking up your time with such a numbskull question… I’m embarrassed.

No need to be sorry. Everyone makes mistakes. There is also no such thing as a “dumb question”, so no worries about it.

Regardless you saved my day and a whole lot of headache :slightly_smiling_face:

Last question. I JUST figured out how to mark my posts as solved on the old site, how do I do it here?

There should be a “Solved” indicator but I don’t think it has been imported yet.

OK, that’s just as well because I just tried to access my network from my phone (forgot to turn off my 5G connection which is why it worked) and it seems I’m unable to access it anyway.
Do you have any ideas?

Can’t edit my post. What I meant to write is that I forgot to turn off wifi on my phone, which is why it worked. On 5G it doesn’t and my son cannot connect either.

I’ll probably have to look at the full config to tell what a possible problem could be:

/export file=anynameyouwish (minus sensitive info like serial number, passwords, etc.)

You paste the command in the terminal, pull over the .rsc file from Files on the computer, open it with Notepad and redact all aforementioned sensitive info.

# 2025-06-17 11:02:15 by RouterOS 7.19.1
# software id = KRNN-FC6P
#
# model = RB750Gr3
# serial number =(redacted)
/interface bridge
add admin-mac=(redacted) auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=VLAN-101 vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=17.125.0.10-17.125.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN-101 list=WAN
/ip address
add address=17.125.0.1/24 comment=defconf interface=bridge network=17.125.0.0
add address=(redacted) interface=ether1 network=89.0.0.0
/ip dhcp-client
add comment=defconf interface=VLAN-101
add disabled=yes interface=ether1
/ip dhcp-server network
add address=17.125.0.0/24 comment=defconf dns-server=17.125.0.1 gateway=\
    17.125.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=17.125.0.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Jellyfin dst-port=4000 \
    in-interface-list=WAN protocol=tcp to-addresses=17.125.0.43 to-ports=\
    30013
add action=dst-nat chain=dstnat comment="File Browser" dst-port=30044 \
    in-interface-list=WAN protocol=tcp to-addresses=17.125.0.43 to-ports=\
    30044
add action=dst-nat chain=dstnat comment=Pi-hole dst-port=20720 \
    in-interface-list=WAN protocol=tcp to-addresses=17.125.0.43 to-ports=\
    20720
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Copenhagen
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I’m starting to think that your router could be behind CGNAT and therefore it would not be possible to do port forwarding without your ISP’s support, as I don’t see any mishaps in your configuration.

Excerpt from my ISP:

As a standard solution with us, your internet connection is given a private IP address via CGNAT (Carrier-Grade Network Address Translation). CGNAT is the “shell” that protects your connection from the public network. CGNAT makes it possible to extend networks even if there is a shortage of IPv4 addresses. Most often, a standard IP address is quite fine, but in some cases it may be necessary to have a public IP. For example, for online gaming or remote access to devices (for example, if you host your own server), and in some cases for older VPN types.

Seems like I’m behind CGNAT. I’ll contact them and ask them about it. All port forwarding worked on the router from the ISP but I guess they have some special configuration on their device.

I’ll return once I’ve talked to them.
Thank you for the tip, Cat.
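An added example, not MikroTik tooling and not code from anyone in this thread: a small Python audit that parses an `/export` like the one posted above and flags the three things discussed so far: a dst-nat rule whose `to-addresses` is not a LAN host (the Jellyfin slip), an ISP-facing interface such as VLAN-101 that is missing from the WAN interface list, and a WAN address inside the CGNAT (100.64.0.0/10) or RFC 1918 ranges. The export text inside it is constructed from the posted configuration with the Jellyfin rule deliberately pointed at the WAN address; the section names and parameters are RouterOS's own as they appear in an export, the function names are mine.

```python
"""Audit a RouterOS '/export' for the port-forwarding pitfalls raised in this
thread.  Added example, not MikroTik code.  The export excerpt is constructed
from the posted configuration; the Jellyfin rule is deliberately wrong."""
import ipaddress
import re
import shlex

# Constructed sample in the layout a RouterOS 7 '/export' produces.
SAMPLE_EXPORT = r"""
# 2025-06-17 11:02:15 by RouterOS 7.19.1
/interface vlan
add interface=ether1 name=VLAN-101 vlan-id=101
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=17.125.0.1/24 comment=defconf interface=bridge network=17.125.0.0
add address=89.0.0.2/24 interface=ether1 network=89.0.0.0
/ip dhcp-client
add comment=defconf interface=VLAN-101
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Jellyfin dst-port=4000 \
    in-interface-list=WAN protocol=tcp to-addresses=89.0.0.2 to-ports=\
    30013
add action=dst-nat chain=dstnat comment="File Browser" dst-port=30044 \
    in-interface-list=WAN protocol=tcp to-addresses=17.125.0.43 to-ports=\
    30044
"""

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def parse_export(text):
    """Return {section: [entry, ...]}, each entry being the key=value map of
    one 'add' line.  'set' lines are skipped; this audit does not need them."""
    joined = re.sub(r"\\\n\s*", "", text)  # undo the export's line continuations
    sections, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # removes the quotes around comment values
        if current is None or not tokens or tokens[0] != "add":
            continue
        entry = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def list_members(cfg, name):
    """Interfaces that belong to the named interface list (LAN or WAN)."""
    return {m["interface"] for m in cfg.get("/interface list member", [])
            if m.get("list") == name}


def lan_networks(cfg):
    """IPv4 networks configured on interfaces in the LAN list."""
    lan = list_members(cfg, "LAN")
    return [ipaddress.ip_interface(a["address"]).network
            for a in cfg.get("/ip address", []) if a.get("interface") in lan]


def check_dstnat_targets(cfg):
    """Comments of dst-nat rules whose to-addresses is not a LAN host, the slip
    found in the thread.  Assumption: a range is judged by its first address."""
    nets, bad = lan_networks(cfg), []
    for rule in cfg.get("/ip firewall nat", []):
        if rule.get("action") != "dst-nat":
            continue
        target = rule.get("to-addresses", "").split("-")[0]
        if not target or not any(ipaddress.ip_address(target) in n for n in nets):
            bad.append(rule.get("comment", "<no comment>"))
    return bad


def check_wan_vlan_membership(cfg):
    """Interfaces running a DHCP client (so facing the ISP) that are not in
    the WAN list: masquerade and the dst-nat rules never match them."""
    wan = list_members(cfg, "WAN")
    return [c["interface"] for c in cfg.get("/ip dhcp-client", [])
            if c.get("disabled") != "yes" and c["interface"] not in wan]


def wan_address_is_forwardable(addr):
    """False for CGNAT or RFC 1918 addresses: inbound forwarding cannot reach
    such an address from the Internet without the ISP's involvement."""
    ip = ipaddress.ip_address(addr)
    return not (ip in CGNAT or ip.is_private)


def check_wan_addresses(cfg):
    """Static WAN-list addresses that are not forwardable.  A DHCP-assigned
    address is never in the export; test it with wan_address_is_forwardable()."""
    wan = list_members(cfg, "WAN")
    return [a["address"] for a in cfg.get("/ip address", [])
            if a.get("interface") in wan
            and not wan_address_is_forwardable(a["address"].split("/")[0])]


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    print("dst-nat rules not targeting a LAN host:", check_dstnat_targets(cfg))
    print("ISP-facing interfaces missing from WAN:", check_wan_vlan_membership(cfg))
    print("non-forwardable WAN addresses:", check_wan_addresses(cfg))
```

To run it against a real router, paste the redacted `.rsc` text into `SAMPLE_EXPORT` or read the file in. The address a DHCP client obtained on VLAN-101 does not appear in an export, so take it from `/ip address print` and pass it to `wan_address_is_forwardable()` by hand; that single check answers the CGNAT question without waiting for the ISP.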

OK so, I contacted my ISP, to have CGNAT disabled, and was told that, seeing as I have a static IP address assigned from them, CGNAT is automatically disabled on my connection.

I’ve gone over my configuration several times and I can’t find any errors either.

If you have other ideas I’m all ears, so to speak.

Is the dstnat rule hit (are there any packets coming in)?
Are services running on the corresponding endpoints?

The services are running and mounted at startup via fstab so I’d suspect that all services are running.

Doesn’t seem like anything is hitting the dstnat, which is what I’d expect as I cannot access anything from outside my network.

If you have some idea of what’s going on I’ll happily try it out. I’ve saved the current config so it’s a small feat to get it back to where I’m at at this point.

Jellyfin is reporting 3 packets…so…yes, that port forward is working.

It’s been reporting those 3 packets since last night, nothing else has gone through.

/interface vlan
add interface=ether1 name=VLAN-101 vlan-id=101

/ip dhcp-client
set interface=VLAN-101

/interface list member
add interface=VLAN-101 list=WAN

When I set up the router from a fresh configuration and type in those commands, I can access the internet.
When I make NAT rules and try to connect to anything on my network, nothing goes through.

I’ve started fresh out just now, wrote those commands in the terminal, set my IP range for the LAN and used Port Mapping in the “Quick Set” to get the port mapping to work, which it doesn’t :thinking:.
Here’s the config:

# 2025-05-22 14:35:42 by RouterOS 7.19.1
# software id = KRNN-FC6P
#
# model = RB750Gr3
# serial number = XXXX
/interface bridge
add admin-mac=18:FD:74:4F:61:93 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=VLAN-101 vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=17.125.0.10-17.125.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN-101 list=WAN
/ip address
add address=17.125.0.1/24 comment=defconf interface=bridge network=17.125.0.0
/ip dhcp-client
add comment=defconf interface=VLAN-101
/ip dhcp-server network
add address=17.125.0.0/24 comment=defconf dns-server=17.125.0.1 gateway=\
    17.125.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=17.125.0.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Jellyfin dst-port=4000 \
    in-interface-list=WAN protocol=tcp to-addresses=17.125.0.43 to-ports=\
    30013
add action=dst-nat chain=dstnat comment="File Browser" dst-port=30044 \
    in-interface-list=WAN protocol=tcp to-addresses=17.125.0.43 to-ports=\
    30044
add action=dst-nat chain=dstnat comment=Pi-hole dst-port=20720 \
    in-interface-list=WAN protocol=tcp to-addresses=17.125.0.43 to-ports=\
    20720
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This is my fstab file

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/nvme0n1p3 during installation
UUID=67c5d76c-43f9-4aab-b5b3-d8f2febd8655 /               xfs     defaults        0       0
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=80F0-5A52  /boot/efi       vfat    umask=0077      0       1
# /home was on /dev/nvme0n1p4 during installation
UUID=d621731d-537c-4cbf-a2bb-04d474ccf4e3 /home           xfs     defaults        0       0
# swap was on /dev/nvme0n1p2 during installation
UUID=5428e405-e23b-46c4-bdf7-18f222e5cfdc none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0
//truenas.local/data/media /mnt/truenas cifs uid=antonio,rw,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm,credentials=/home/antonio/.truenas,domain=mazzocco 0  0
//synology.local/web /mnt/synology cifs uid=antonio,rw,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm,credentials=/home/antonio/.synology 0 0
/dev/sda1 /mnt/data xfs defaults,rw,exec, 0  0
//truenas.local/filebrowser /mnt/filebrowser cifs uid=antonio,rw,iocharset=utf8,file_mode=0777,dir_mode=0777,noperm,credentials=/home/antonio/.truenas 0  0

I was 100% sure I’d used IPs in the file and not host names. The use of said host names made my PC find the mounts as opposed to if I’d used IPs. That said, my TrueNas, which I’d restarted several times, had dropped the IP which had been configured as static in my old router setup. That obviously meant that it couldn’t find the services on the IP I used to use… I’d totally forgotten to think of this before @erlinden said this:

Are services running on the corresponding endpoints?

and I thought a bit further. I’d got so caught up in everything else working before I removed the ISP’s router that I was blind to this.

@erlinden @TheCat12 Thank you for your unending patience with me. I’m a bit of an old person ~50 and age is no excuse so I can’t offer any.

Again, thank you for all your insights.
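As an added example (not from the thread or any project), the Python below lists which fstab network mounts depend on name resolution rather than a literal IP, and compares what each host resolves to against the address it is supposed to keep. That comparison is the check that would have caught the TrueNAS box losing its static lease when the old router went away. The fstab text is constructed to resemble the one posted, and the dict used as a stand-in resolver is an assumption so the example runs offline; pass `socket.gethostbyname` instead for a live check.

```python
"""Inventory fstab network mounts and verify the hosts they name.  Added
example; the fstab text and the dict resolver are constructed for the demo."""
import ipaddress

SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=67c5d76c-43f9-4aab-b5b3-d8f2febd8655 / xfs defaults 0 0
//truenas.local/data/media /mnt/truenas cifs uid=1000,rw,credentials=/home/user/.smbcred 0 0
//192.0.2.10/web /mnt/synology cifs uid=1000,rw,credentials=/home/user/.smbcred 0 0
nas.lan:/export/backup /mnt/backup nfs defaults,_netdev 0 0
/dev/sda1 /mnt/data xfs defaults,rw,exec 0 0
"""

NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4"}


def parse_fstab(text):
    """Yield (source, mountpoint, fstype, options) for each data line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; mount would reject it as well
        yield fields[0], fields[1], fields[2], fields[3]


def remote_host(source, fstype):
    """Server part of a CIFS '//host/share' or NFS 'host:/path' source."""
    if fstype in {"cifs", "smb3"} and source.startswith("//"):
        return source[2:].split("/", 1)[0]
    if fstype.startswith("nfs") and ":" in source:
        return source.rsplit(":", 1)[0].strip("[]")  # [v6]:/path form too
    return None


def network_mounts(text):
    """Return [(mountpoint, host, needs_dns)] for every network filesystem."""
    out = []
    for source, mnt, fstype, _opts in parse_fstab(text):
        if fstype not in NETWORK_FS:
            continue
        host = remote_host(source, fstype)
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
            needs_dns = False  # literal address: unaffected by DNS/mDNS changes
        except ValueError:
            needs_dns = True
        out.append((mnt, host, needs_dns))
    return out


def check_endpoints(text, resolve, expected):
    """Compare what each mount's hostname resolves to with the address it is
    expected to have (e.g. the static lease on the router).  Returns
    [(host, expected_ip, actual_ip)] for every mismatch; 'resolve' is injected
    so the check can run offline."""
    mismatches, seen = [], set()
    for _mnt, host, needs_dns in network_mounts(text):
        if not needs_dns or host not in expected or host in seen:
            continue
        seen.add(host)
        actual = resolve(host)
        if actual != expected[host]:
            mismatches.append((host, expected[host], actual))
    return mismatches


if __name__ == "__main__":
    # Constructed stand-in for DNS: truenas.local has "moved" off its old lease.
    fake_dns = {"truenas.local": "17.125.0.77", "nas.lan": "17.125.0.50"}.get
    wanted = {"truenas.local": "17.125.0.43", "nas.lan": "17.125.0.50"}
    for mnt, host, needs_dns in network_mounts(SAMPLE_FSTAB):
        print(f"{mnt}: {host} ({'by name' if needs_dns else 'by address'})")
    print("mismatches:", check_endpoints(SAMPLE_FSTAB, fake_dns, wanted))
```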