Forwarding Ports

We have a customer that has four ports that need to be forwarded. They had a rb133c with 2.9.51, and I followed the examples and it worked great. Thanks to a lightning strike they are now using a rb411 with 3.10 and I can’t get the same setup to work??? Am I missing something between

The rules have not changed between 2.9.x and 3.x for nat. There are some additional options, but nothing else has changed. For example, to forward port 80 on the public interface to port 80 on 192.168.1.1, you’d use:

/ip firewall nat
add chain=dstnat in-interface=PUBLIC protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.1 to-ports=80

The only thing I did not have is the in-interface, but that also did not make a difference. Any other ideas?

How do you test this? Also, what do you understand by “forward ports”? (I know some people have a different understanding of this.)

Some ideas:

  1. Post your configs as they are now. (just “/ip firewall nat export” will do)
  2. Ensure you can ping from the router that does the NAT to the private device you are forwarding traffic to.

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5631-5632 protocol=tcp to-addresses=192.168.1.190 to-ports=5631-5632
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5631-5632 protocol=udp to-addresses=192.168.1.190 to-ports=5631-5632
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3389 in-interface=wlan1 protocol=tcp to-addresses=192.168.1.1 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3389 in-interface=wlan1 protocol=udp to-addresses=192.168.1.1 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3390 protocol=tcp to-addresses=192.168.1.110 to-ports=3390
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3390 protocol=udp to-addresses=192.168.1.110 to-ports=3390
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3391 protocol=tcp to-addresses=192.168.1.112 to-ports=3391
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3391 protocol=udp to-addresses=192.168.1.112 to-ports=3391

I only tested in-interface on 192.168.1.1. This config worked well on 2.9.51.

The above rules (and your others) really need to have either in-interface OR dst-address parameters. The in-interface will be the PUBLIC interface and dst-address would be the PUBLIC IP. This is needed because the way the rules are written, if the client software also uses 5631 (for example), then the router will try to do the dst-nat when it is leaving the router toward a client as well.
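As an added example that is not part of the original thread: a small Python check for the problem described in the reply above, run over a constructed export modelled on the one posted here. The function names and the 192.0.2.10 stand-in for the public IP are assumptions of this example.

```python
import shlex

# Matchers the reply above names as tying a dst-nat rule to the public side.
SCOPING = ("in-interface", "dst-address")

# Constructed sample modelled on the export in this thread (192.0.2.10 is a
# documentation address standing in for the public IP).
SAMPLE = '''/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=192.0.2.10 \\
    dst-port=3389 in-interface=wlan1 protocol=tcp to-addresses=192.168.1.1 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3390 \\
    protocol=tcp to-addresses=192.168.1.110 to-ports=3390
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5631-5632 \\
    protocol=udp to-addresses=192.168.1.190 to-ports=5631-5632
'''

def parse_rules(export_text):
    """Return one dict of key=value pairs per 'add' line under /ip firewall nat."""
    joined = export_text.replace("\\\n", " ")   # undo export line continuations
    rules, in_nat = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            rules.append(dict(pairs))
    return rules

def unscoped_dstnat(rules):
    """dst-nat rules with neither in-interface nor dst-address set."""
    return [r for r in rules
            if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
            and not any(r.get(k) for k in SCOPING)]

if __name__ == "__main__":
    for r in unscoped_dstnat(parse_rules(SAMPLE)):
        print(f"unscoped: {r.get('protocol')}/{r.get('dst-port')} -> "
              f"{r.get('to-addresses')}:{r.get('to-ports')}")
```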

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=66.170.x.x dst-port=3389 in-interface=wlan1 protocol=tcp to-addresses=192.168.1.1 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=66.170.x.x dst-port=3389 in-interface=wlan1 protocol=udp to-addresses=192.168.1.1 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3390 protocol=tcp to-addresses=192.168.1.110 to-ports=3390
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3390 protocol=udp to-addresses=192.168.1.110 to-ports=3390
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3391 protocol=tcp to-addresses=192.168.1.112 to-ports=3391
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3391 protocol=udp to-addresses=192.168.1.112 to-ports=3391
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5631-5632 protocol=tcp to-addresses=192.168.1.190 to-ports=5631-5632
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=5631-5632 protocol=udp to-addresses=192.168.1.190 to-ports=5631-5632

I changed to include dst-address=public and still no change. Anything else? (Look only at 192.168.1.1)

That configuration is correct. If it’s still not working, then upgrade to the latest MT version. If it doesn’t work after that, then submit a supout.rif to support@mikrotik.com

Thanks for your help