How to Port Forward from Dynamic WAN IP to Internal Address

darkinversion · January 23, 2017, 2:14am

So this question has probably been asked many times before but I have tried several pages with different solutions and none are working for me.

I am really hoping that someone can help me.

I prefer to use the terminal if possible.

I am using my Mikrotik router at home with an ISP that provides dynamic IP’s.
I am working on configuring a test-bed Ubuntu server in a virtual machine before I deploy it to a VPS.

Part of that is setting up a webserver (port 80).

I don’t want the site to be accessible to the outside world all the time, just want to allow someone else to be able to access it for web development and testing.

Thus, I need to open up a random high port (in my case I picked 30080) and forward it internally to a specific IP address for the Virtual Machine on port 80.

I am using the following rule with no results:
/if firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=30080 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.31 to-ports=80

I know that the webserver is running internally because when I browse to it on the LAN at 192.168.88.31 I can access it. However if I visit the same from my external IP I am not getting results.

Can anyone please help me?

Thank you!

gustavomam · January 23, 2017, 11:03am

Hello.

If you are trying to access inside the LAN netwiork connecting with Public IP you won’t acces.

Check your firewall filter rules too

JB172 · January 23, 2017, 11:12am

To achieve this, he need to make a Hairpin Nat http://wiki.mikrotik.com/wiki/Hairpin_NAT

stevh · January 23, 2017, 4:38pm

i have same problem …i have DVR, that i can access it internally but I cant access It
externally
please help
thanks

k6ccc · January 23, 2017, 11:26pm

Do you have a firewall rule that is preventing the external traffic from getting to the server?

effndc · January 31, 2017, 4:53pm

You likely need to add an associated firewall rule above your forward drop rule, perhaps something like:

/ip firewall filter add action=accept chain=forward comment=“Ubuntu Web Server” dst-address=192.168.88.31 dst-port=80 protocol=tcp

This rule allows the the traffic to actually be forwarded to the other side of the firewall, the rule that you have just says it should listen on that port and re-write the packet…but then it can’t actually complete the transmission due to it being dropped in a forward rule.