Just to add to my confusion, I have various specific ports that map to various servers on the firewall side of things.
I have about 6 different servers; ports 13200, 13300, 13400, 13500 each point to a different server and are configured in the firewall to point to a server with port 3389.
On the MikroTik I have placed those specific servers with their ports. I am able to connect to them internally, but I am unable to connect from outside of the network.
But outside of the network, if I ping my DDNS address I get my public IP, so why is it not working? I'm so unsure and lost at the same time.
Well, not sure what you are asking…
First, on the ISP modem/router you need to port forward the incoming ports to the LANIP of the second router on the ISP modem/router's private subnet.
This LANIP is also the WANIP of the second router.
If the second router is an MT device, then you need to ensure there is:
a. a forward chain rule allowing port forwarding
b. a dst-nat rule that recognizes the incoming port and sends it to the LANIP of the Fortigate router on the MT's (second router) private subnet (also the WANIP of the Fortigate).
Note that for the MT device the incoming dst-port can be translated to a different TO port before it hits the Fortigate router.
This is a typical triple NAT scenario, where the ISP has its own private network, the MT has its own networks, and then the Fortigate, which has its own network behind it.
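
The MikroTik side of the steps in the reply above, as an added RouterOS example that is not part of the original thread. The interface name `ether1`, the addresses `192.168.88.2` and `203.0.113.10`, and the list name `rdp-allowed` are assumptions; only the four ports come from the thread.

```routeros
# Added example. Assumed values (not from the thread):
#   ether1        = MT WAN port facing the ISP modem/router
#   192.168.88.2  = Fortigate WAN IP on the MT's private subnet
#   203.0.113.10  = constructed remote address allowed to connect

# Optional: limit which remote sources may reach the forwarded RDP ports.
/ip firewall address-list
add list=rdp-allowed address=203.0.113.10 comment="constructed sample source"

# Step b: dst-nat the incoming ports to the Fortigate's WAN IP.
# With no to-ports set the destination port is left unchanged, so the
# Fortigate's own 13200/13300/... -> server:3389 mappings still match.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp in-interface=ether1 \
    dst-port=13200,13300,13400,13500 src-address-list=rdp-allowed \
    to-addresses=192.168.88.2 comment="RDP forwards to Fortigate"

# Variant for the note about translating the port on the MT: add to-ports
# with whatever port the next hop actually listens on (placeholder below).
# add chain=dstnat action=dst-nat protocol=tcp in-interface=ether1 \
#     dst-port=13200 to-addresses=192.168.88.2 to-ports=<fortigate-port>

# Step a: accept dst-nat'ed connections in the forward chain.
# This rule must sit above any rule that drops forwarded WAN traffic.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=ether1 comment="allow port-forwarded traffic"

# Checks: confirm rule order, then watch the dst-nat counters while
# connecting from outside the network.
/ip firewall filter print where chain=forward
/ip firewall nat print stats where chain=dstnat
```

If the dst-nat counters stay at zero during an outside connection attempt, the traffic is not reaching the MT at all, which points back at the port forward on the ISP modem/router.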