Getting to grips with port forwarding

Good day,

I’m in the process of evaluating Mikrotik as a replacement for the brands we currently use for our clients. I’ve managed to work out most of the device and am quite happy with RouterOS. I’m just having some trouble understanding some bits to do with port forwarding and hoping I can get some help here.

I have the need to do the following:

accept traffic from an [external address] on a [specific external port] to a [wan ip alias] and route that traffic to an [internal address] and a [specific internal port]

The rule needs to be set in such a way that only traffic from the external address can access the ports. Any information would be gratefully appreciated.

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=[internal address] to-ports=[specific internal port]

For the rest, the use of “external” and “wan” makes it a little unclear:

If [external address] means address of client (I guess, because there’s [wan ip alias] as different thing), it’s src-address=[external address].

Then [specific external port] is what made me unsure. If it’s the most usual “port where the client is connecting to”, it’s dst-port=[specific external port]. If it would be the relatively unusual source port, i.e. “port where the client is connecting from”, it would be src-port=[specific external port]. But then you’d be missing dst-port, because forwarding all ports from the WAN address to a single internal port would be really unusual.

For [wan ip alias] it’s best when it’s a static address, then it’s simply dst-address=. If the address is dynamic, in-interface= is often used; it’s not completely correct, but works fine in most cases. The other way is to use dst-address-type=local, which refers to any of the router’s own addresses. And if it would conflict with a port you need accessible on a different address, e.g. admin access on port 80, you’d also need to exclude it by adding dst-address=! (“!” means “not”).

Easy Peasy…

Step One: Create the Destination Nat rule for the specific server. This is also where you apply limitations on the external allowed WANIP!
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=[specific external port] protocol=tcp src-address-list=ServerPurpose1access to-addresses=[internal LAN IP address] to-ports=[specific internal port]

Step Two: Create a Firewall Rule (forward chain) to ensure Dst Nat rules are permitted across the router.
/ip firewall filter
add chain=forward action=accept in-interface=etherWan connection-state=new connection-nat-state=dstnat
(or, if dual WAN, use in-interface-list=WAN instead of in-interface=etherWan)

Step Three: Create the firewall address list:
/ip firewall address-list
add list=ServerPurpose1access address=[wanip of allowed user1]
add list=ServerPurpose1access address=[wanip of allowed user2]

What is not clear is what you mean by External WANIP alias?
For example if you simply mean that you give users a DYNDNS type name such as “myserver.homeip.net” for them to use so that they punch this in the browser
http://myserver.homeip.net:[specific external port], and this is resolved by DYNDNS to your actual WANIP (which is associated with your wan port etherWan), then you are good to go.

Be advised that limiting access to specific external WANIPs is not foolproof security-wise, and it’s very much advised to provide any service with some sort of encrypted username and password access as soon as they hit your server (be it secure FTP or whatever)…

If your server does not have a lockdown of repeated attempts at entry, then there is probably a way ON ROUTER OS to lock out a WANIP after x repeated attempts at connecting, but that is beyond my abilities and EASY for Sob to provide!!

Nah, Sob thinks that anti-bruteforcing on RouterOS is not worth it. You can’t recognize failed login attempts anyway; the only thing you can do is count connections. If you’re worried about someone getting in by guessing the password, just use twenty-character-long passwords and the attackers’ chances of success are near zero. If you really want to limit connections, take a look at the “connection-limit” matcher (I don’t remember ever using it, but it’s in the manual).

The only thing I’d add is that dst-address= can also be used for dynamic addresses with the help of a DHCP lease script. It’s relatively new, so I keep forgetting about it.
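Putting the whole thread together: the three-step setup from the earlier reply (address list, dst-nat rule restricted to the list, forward accept for dst-natted connections) plus the connection-limit matcher mentioned just above, written out with concrete values. This is an added example, not configuration posted by anyone in the thread. Every address and port in it is an assumption taken from the RFC 5737 documentation ranges: 203.0.113.10 and 203.0.113.11 stand for the allowed clients, 198.51.100.5 for the static WAN alias on the router, 8443 for the external port, and 192.168.88.10:443 for the internal server; “WAN” is assumed to be an interface list that contains the uplink(s).

```routeros
# Added example, not from the thread. All addresses, ports and the
# interface-list name are assumptions (see lead-in).

# Step Three first, because the NAT and filter rules refer to this list.
/ip firewall address-list
add list=ServerPurpose1access address=203.0.113.10 comment="allowed user1"
add list=ServerPurpose1access address=203.0.113.11 comment="allowed user2"

# Step One: dst-nat only for listed sources that hit the WAN alias on the
# external port. Traffic from anyone else matches no dst-nat rule at all,
# so there is nothing for the forward chain to let through.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=198.51.100.5 \
    dst-port=8443 src-address-list=ServerPurpose1access \
    to-addresses=192.168.88.10 to-ports=443 \
    comment="ServerPurpose1: 198.51.100.5:8443 -> 192.168.88.10:443"

# Optional, from the later reply: the connection-limit matcher, written as
# limit,netmask. It matches once a single /32 source already holds more than
# 10 connections to the server, and it counts connections, not failed
# logins. In the forward chain the destination is already the post-NAT
# address, so match on the internal server here. It must come before the
# accept rule below, which is why it is added first.
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-address=192.168.88.10 \
    dst-port=443 connection-state=new connection-limit=10,32 \
    in-interface-list=WAN \
    comment="cap simultaneous connections per source to ServerPurpose1"

# Step Two: accept the dst-natted connections across the router. Repeating
# the source-list match here means a later, broader dst-nat rule cannot
# silently open this path to everybody.
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN \
    src-address-list=ServerPurpose1access \
    comment="accept dst-natted connections from ServerPurpose1access"
```

Two things to check after pasting this in. First, on a router that still carries the default firewall, the forward chain ends with a rule that drops everything arriving from WAN that is not dst-natted; both filter rules above have to sit above that drop (and above any other generic forward drop), so verify the order with /ip firewall filter print or move them with move. Second, if the WAN alias is not a static secondary address on the router, replace dst-address=198.51.100.5 with one of the alternatives from the first reply (in-interface=, dst-address-type=local with a dst-address=! exclusion, or a DHCP lease script that keeps dst-address= current); the src-address-list restriction is unaffected by that choice.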