Has anyone here gotten port forward to work?

Hi All,
I read this manual page http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT and used the DST NAT example on a newly reset RT480 with all default settings, adding this NAT rule:

/ip firewall nat add chain=dstnat dst-address=192.168.1.23 dst-port=80 action=dst-nat protocol=tcp to-address=192.168.88.68 to-port=1234

192.168.1.23 is my RT WAN IP and 192.168.88.68 is my inside LAN web server host.

My firewall filter rules are the defaults:

0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related

3 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1

4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related

6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

7 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat
in-interface=ether1

What else do I need to do in order to get the port forwarding to work?

If your goal is to take tcp packets going to 192.168.1.23:80 and forward them to 192.168.88.68:1234, then you have it set up correctly.

Two most likely problems:

  1. You’re testing it from LAN (192.168.88.x) => read about “hairpin NAT”
  2. The 192.168.1.23 is really your WAN address => make sure that router with real public address forwards port to you
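For point 1, this is the rule set I would put on the router for the addresses in the question (an added example written for this thread, not taken from the original post or from MikroTik's documentation); it assumes the default LAN bridge is named `bridge`:

```routeros
# Port forward: match the WAN address but do NOT restrict to in-interface=ether1,
# so the same rule catches clients coming from the Internet and from the LAN.
/ip firewall nat add chain=dstnat protocol=tcp dst-address=192.168.1.23 dst-port=80 \
    action=dst-nat to-addresses=192.168.88.68 to-ports=1234 \
    comment="forward WAN :80 to web server 192.168.88.68:1234"

# Hairpin NAT: a LAN client (192.168.88.x) that connects to 192.168.1.23:80 gets its
# destination rewritten to 192.168.88.68:1234, but the server would answer the client
# directly (same subnet) with source 192.168.88.68:1234. The client opened a connection
# to 192.168.1.23:80, so it discards that reply and the page never loads.
# Masquerading only this LAN-to-server flow makes the server reply to the router,
# which then reverses both translations. The src-address match keeps it LAN-only, so
# Internet clients' real source addresses still reach the server logs.
/ip firewall nat add chain=srcnat protocol=tcp src-address=192.168.88.0/24 \
    dst-address=192.168.88.68 dst-port=1234 out-interface=bridge \
    action=masquerade comment="hairpin NAT for LAN clients reaching the web server"

# Checks to run on the router while a LAN client browses to http://192.168.1.23:
/ip firewall nat print stats
# -> packet/byte counters on both rules should increase for a hairpin test
/ip firewall connection print where dst-address~"192.168.88.68:1234"
# -> shows the tracked, translated connection; if it is missing, the dstnat rule never matched
```

The default forward-chain rule "drop all from WAN not DSTNATed" already permits the forwarded flow, so no filter change is needed for the Internet-side case.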

Unfortunately, it does not work, and that's why I posted here for help!
I tested hitting http://192.168.88.68:1234 and the server responded. But when I hit http://192.168.1.23:80 (from a client within the 192.168.1.0/24 network) it goes nowhere.

Making sure of one thing - the IP address 192.168.1.23 - is it assigned to interface ether1, or is there a pppoe interface (or any other interface)?
If the IP isn't directly on ether1 itself, then the rules in your firewall need to change ether1 → whatever interface has that IP address.

Pretty sure that's not the case, but I wanted to "clear the air" on that topic.
Can you ping 192.168.1.23 from the other .1.X device?
If you allow Winbox in the input chain of the firewall for interface ether1, can you then log into the Mikrotik on 192.168.1.23 from another host in 192.168.1.X ?

If the answers to these questions are no, then something on the WAN network is filtering traffic towards the Mikrotik, and it's not your NAT rules at all.
Your NAT rule is correct - and the firewall rules will allow pinholes to be forwarded, so the router's configuration is pretty much right… for pinholes, but the context of things around the Mikrotik might not be correct - does the web server running on port 1234 send IPv4 literals to the client, causing the client to attempt connecting to 192.168.88.x? This is a likely issue… Usually, web-based services work best when using hostnames (not required, but it gets around the vagaries of "inside nat / outside nat" point of view, etc.).