Mikrotik to Mikrotik winbox port forwarding

Hi,
I am having a problem with port forwarding from mikrotik to mikrotik to open winbox interface.
I have my public IP and when I enter :8291 it enters my main mikrotik router, but when I enter :8295 with nat rule to forward it to my :8291 it cannot connect. I’ve done telnet to that port and it is opened and it works. The problem is only when I try to access it through winbox.
Thanks for your help

nat rule:
add chain=dstnat dst-address=myIP dst-port=8295 protocol=tcp action=dst-nat to-addresses=myInternalIP to-ports=8291

Is the router with the DST rule the gateway for the internal router?
If not, then the packet incoming to the internal router has a source IP from the WAN, so this router sends the answer to its GW and the traffic coming back to the Winbox is not coherent with the outgoing one.

BTW: Look at RoMON https://wiki.mikrotik.com/wiki/Manual:RoMON

Yes, the main router is the internet gateway for all other routers in the network. I am using them as wifi access points right now. I can telnet the port but I cannot open it with winbox.

I’ve done telnet from my main router :8296 and I got

telnet: Unable to connect to remote host: Connection refused

, but when I do the same thing from my mikrotik router I get inside the console of my router.

Please look at my post where I had the same problem you describe.

http://forum.mikrotik.com/t/can-i-configure-wlan-wap-ac-through-router-hex/108448/1

In short I used this article titled Access “hidden” mikrotik device by Winbox https://shop.duxtel.com.au/article_info.php?articles_id=6 as a guideline.

Why don’t you use RoMON? It is made for that. With it you can access any RB behind your RB gateway without port forwarding.

Someone can consider RoMON as a black box opening unknown holes into the network. Therefore the dst natting can be much more clear and manageable.

I’m assuming you are attempting this from the internet? Is there any firewall rule that would be blocking it?

BTW, my opinion is to not use the standard ports for WinBox. I use non-standard ports for all the services on the router that are accessible from the internet. I have a firewall rule that specifically drops attempts to access the router on the “standard” ports - solely for the purpose of seeing the number of packets attempting to access them. The WinBox port does not get as many attempts as FTP, SSH, and Telnet, but it gets quite a few. I also have other security in place to prevent access.
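
The setup described in the last post, sketched as RouterOS configuration. This is an added example, not the poster's own rules; the WAN interface name `ether1`, the port `48291` and the admin range `192.0.2.0/24` are constructed placeholders.

```routeros
# Added example: non-standard WinBox port, source restriction, and a
# counting drop rule for the well-known management ports.
# ether1, 48291 and 192.0.2.0/24 are constructed placeholders.

# Move WinBox off 8291 and let the service itself refuse other sources.
/ip service
set winbox port=48291 address=192.0.2.0/24

# Keep the allowed admin sources in one list so the filter rules stay short.
/ip firewall address-list
add list=mgmt-src address=192.0.2.0/24 comment="constructed admin source range"

/ip firewall filter
# Allow WinBox on the new port only from the admin list.
add chain=input in-interface=ether1 protocol=tcp dst-port=48291 src-address-list=mgmt-src action=accept comment="WinBox from admin range only"
# Drop and count attempts on the standard FTP, SSH, Telnet and WinBox ports.
# The rule exists mainly for its counters, as in the post above.
add chain=input in-interface=ether1 protocol=tcp dst-port=21,22,23,8291 action=drop comment="count probes on standard ports"

# Note: the input chain only sees traffic addressed to this router itself.
# Connections that a dst-nat rule redirects to an inner router are handled
# in the forward chain, so they need their own source restriction there.

# Show packet and byte counters for the input rules.
/ip firewall filter print stats where chain=input
```

Filter rules are evaluated top to bottom, so both rules must sit above any general drop rule in the input chain for their counters to be meaningful.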