Forwarding Public IP to local IP Problem

Hey Pukkita,
I created the policy from the log

IP > Firewall > Filter > add new: chain: forward, Dst. Address: 10.0.0.201, Prot: 6 (tcp), Dst. Port: 80, Out Interface: ether6, action: accept. (I do not declare the In interface because I want it to be reachable from the outside.)

It starts catching the packets (when I try to get this web page from the public IP), but it's still unreachable… :frowning:

Any idea?

https://www.youtube.com/watch?v=9YeUqyyP0Cs

Did he just change the browser and it works?

Looks like the same thing that is happening to me… (with the difference that I'm on http, and he is on https)

Sorry Alxis

I just saw your post

Have you been able to resolve your problem?

If not, let me know please.

I'm having the same problem. My $40 routers from Walmart do a better job setting up port forwarding with hairpin.
Why on earth would hairpin not work by default? We're setting up port forwarding to access a machine from outside the LAN. Would it ever make sense to deny the same request because someone happens to be inside the LAN?

Hi, I wasn't able to make it work at my job (I received a UTM unit).

I have to try whether it works on my home MikroTik (for XBONE streaming).

Because the Walmart device is a (sort of) "firewall", has predefined LAN/WAN sides, and its job is to make things easy for non-professional users.
MikroTik/RouterOS is a (multi-purpose) router which can handle many network scenarios; sufficiently skilled people can fine-tune the configuration to achieve what they want/need without precooked hidden rules.

Hi Zizobaddy,

Now I am having the same issue in another RB (in my home).
I really don't know what I am doing wrong. I tried changing the "in. interface" and "dest address" but nothing works…

The weirdest thing is that the RB sees the packets (in the Firewall NAT) but doesn't link the connection.

I will copy here the print output asked for in a previous post.

/ip address print detail
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=WAN
actual-interface=WAN

1 address=192.168.0.1/24 network=192.168.0.0 interface=CAIB LAN
actual-interface=CAIB LAN

2 address=192.168.10.1/24 network=192.168.10.0 interface=2nd Floor
actual-interface=2nd Floor

3 D address=A.B.C.D/24 network=A.B.C.0 interface=WAN
actual-interface=WAN



/ip route print detail
0 ADS dst-address=0.0.0.0/0 gateway=A.B.C.D
gateway-status=A.B.C.D reachable via WAN distance=0
scope=30 target-scope=10 vrf-interface=WAN

1 ADC dst-address=A.B.C.0/24 pref-src=A.B.C.D55 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10

2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=CAIB LAN
gateway-status=CAIB LAN reachable distance=0 scope=10

3 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1
gateway=2nd Floor gateway-status=2nd Floor reachable distance=0
scope=10

4 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10


/ip firewall export
/ip firewall address-list
add address=192.168.0.0/24 list="CAIB LAN"
add address=192.168.0.1 list="CAIB RB"
add address=192.168.0.5 list=XBONE
add address=192.168.0.15 list=ALIEN
add address=192.168.0.10 list=BMU
/ip firewall nat
add action=masquerade chain=srcnat comment="Gateway CAIB" out-interface=WAN src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Gateway Analia" out-interface=WAN src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat comment="XBONE STREAMMING" protocol=tcp src-port=5050 to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat protocol=tcp src-port=4838 to-addresses=192.168.0.5 to-ports=4838
add action=dst-nat chain=dstnat protocol=udp src-port=5050 to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat protocol=udp src-port=4838 to-addresses=192.168.0.5 to-ports=4838
add action=dst-nat chain=dstnat comment="ALIEN STEAM" protocol=udp src-port=4380 to-addresses=192.168.0.15 to-ports=4380
add action=dst-nat chain=dstnat protocol=tcp src-port=4380 to-addresses=192.168.0.15 to-ports=4380
add action=dst-nat chain=dstnat comment=TEST dst-port=3389 log=yes protocol=tcp to-addresses=192.168.0.228 to-ports=3389

I'm just testing with the last rule, named "TEST", to remote desktop to a local computer in the network.

Thanks.

It appears you are specifying src-port instead of dst-port in the nat matching rules. The source port of the host coming in from the internet is difficult to match on because it is normally different every time a new connection is made.

Here is a good illustration of src-port vs dst-port and how they differ based on which side of the TCP conversation you are on.

Hi IPANetEngineer,

Thanks for your explanation, but could you tell me why this setting is not working?

Here is a screenshot of my NAT settings:

in the 8th rule: to-address=192.168.0.5 to-port=22

Try setting Out-Interface to WAN, instead of the In-Interface that is set now.

You need a dst-address in that rule. It should be the ip for WAN.

Hi all,

Try adding a static DNS entry that maps your local server: webserver --> 192.168.0.252.
But you must activate the router as DNS server.

Then web access from a local client will be destined to the local server IP instead of the public one.



Hi

this is the rule

/ip firewall nat add chain=dstnat dst-address=A.B.C.D protocol=tcp dst-port=8000 action=dst-nat to-addresses=192.168.0.5 to-ports=22

Remember A.B.C.D is the public IP given to you by your ISP.

However, I prefer to use netmap instead of dst-nat.

Hi Zizodabby,

I had already tested that, but it doesn't work either. But I will test again when I go home (erasing all the rules and creating a new one).

Is there something more that has to be configured to enable that? I don't know, maybe the connection is not being allowed in another menu.

Just to know: I have a public DHCP address provided by my ISP. Is there any way to have this rule set to a port or some alias for the WAN address? Because if the public IP changes, I will have to change the rule.

Thanks.

Hi

I use netmap personally.

Below is the rule

NB:
Ensure your WAN IP is a live/public IP (contact your ISP); also use whatismyip.com to check if it is the same as what you have as NAT.

add action=netmap chain=dstnat dst-address=PUBLIC-IP-FROM-ISP dst-port=8081 protocol=tcp to-addresses=192.168.0.5 to-ports=8081

If this doesn't work then I'm sure it's your public IP.

You need to allow the to-port in the filter forward chain. The dst-nat rule changes the packet header but does not allow the packet to pass the firewall.
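Putting the advice in this thread together (match dst-port rather than the ephemeral src-port, accept the translated connection in the forward chain because dst-nat only rewrites headers, add a hairpin masquerade so that tests from inside the LAN work, and match the router's current address so the rule survives an ISP DHCP change), here is a complete RouterOS rule set. This is an added example, not a rule set posted in the thread: it reuses the thread's interface names (WAN, "CAIB LAN"), the LAN 192.168.0.0/24 and the SSH server 192.168.0.5, while the external port 8000, the rule comments and the assumption of RouterOS 6 or later (for the connection-nat-state matcher) are mine.

```routeros
# Added example, not from the thread. Assumes RouterOS 6+, WAN interface "WAN",
# LAN 192.168.0.0/24 on "CAIB LAN", SSH server 192.168.0.5, external port 8000.

/ip firewall nat
# Match the DESTINATION port of the inbound SYN. src-port is the client's
# ephemeral port and changes on every connection, so it never matches reliably.
# dst-address-type=local matches whatever address the router currently holds,
# so no hard-coded A.B.C.D is needed when the ISP lease changes.
# in-interface is deliberately not set: LAN clients that connect to the
# router's own address on port 8000 are redirected too, which hairpin needs
# (caveat: that includes 192.168.0.1:8000; add in-interface=WAN if you only
# ever connect from the Internet).
add chain=dstnat dst-address-type=local protocol=tcp dst-port=8000 \
    action=dst-nat to-addresses=192.168.0.5 to-ports=22 \
    comment="SSH to 192.168.0.5 via public:8000"

# Hairpin NAT. When client and server are both on "CAIB LAN", the server
# would otherwise answer the client directly, the client sees a reply from
# 192.168.0.5 instead of the public address, and the connection is reset.
# Masquerading the client's source to the router forces the reply back
# through the router, where it is un-NATed. srcnat runs after dst-nat, so
# dst-address here is already the translated 192.168.0.5.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.5 \
    protocol=tcp dst-port=22 out-interface="CAIB LAN" \
    action=masquerade comment="hairpin NAT for SSH server"

/ip firewall filter
# dst-nat only rewrites the header; the forward chain must still accept the
# packet. Filter sees the packet after translation, so match the translated
# destination (192.168.0.5:22), not the public port. No in-interface, so the
# same rule also covers the hairpin path from the LAN. Place it above any
# "drop new connections from WAN" rule in the forward chain.
add chain=forward connection-state=new connection-nat-state=dstnat \
    dst-address=192.168.0.5 protocol=tcp dst-port=22 action=accept \
    comment="allow port-forwarded SSH into LAN"
```

To see whether the rules are doing anything, `/ip firewall nat print stats` shows per-rule packet counters, and `/ip firewall connection print` shows whether the translated connection actually reaches the established state. If the dst-nat counter rises but the connection never establishes, the NAT rule is fine and the problem is in the forward chain or on the hairpin return path, which is exactly the symptom reported earlier in this thread.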

Hi,

I apologize about the post. The connection was working, but all the tests I made were from my internal network. A friend could access my internal SSH server from outside, and I made the same test (using my work's VPN), and it is working right now.

I only have to test the streaming from my XBONE to my work, and it's all done.

Thanks to everyone.

Good to hear

Don't forget to give karma.

Glad you figured it out :slight_smile:

dst-nat can get tricky sometimes