NAT multiple ports in one rule

Hi!
I’d like to set one NAT rule with multiple ports.

Example:
TCP: 80, 443, 3478, 3479, 3480
UDP: 3478, 3479

I am thinking of doing it this way:

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=80, 443, 3478, 3479, 3480 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.20 to-ports= ???

But what do I have to put in to-ports? In which way can I map dst-port with to-ports?
I have tried to put:
to-ports=80, 443, 3478, 3479, 3480

but it doesn’t work.

Maybe with a script using a “for” loop that takes each port from an array, but I don’t know if that is possible.

P.S.: currently I’m doing it this way:
add action=dst-nat chain=dstnat dst-port=3659,14000-14016 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.20 comment=ps4-tcp

Leave the to-ports blank.
Make sure you do accept dst-natted connections in firewall filter at forward chain.
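
The reply above written out as RouterOS commands for the ports in the question. This is an added example, not part of any post in this thread. The interface name and internal address are taken from the question; the rule comments are illustrative. It assumes the services listen on the same port numbers internally.

```routeros
/ip firewall nat
# protocol is matched per rule, so TCP and UDP need one rule each.
# dst-port takes a comma-separated list without spaces (ranges also work).
# to-ports is omitted: the destination port is left unchanged, so a packet
# arriving on 443 is forwarded to 192.168.0.20:443, 3478 to :3478, and so on.
add action=dst-nat chain=dstnat protocol=tcp dst-port=80,443,3478,3479,3480 \
    in-interface=ether1-gateway to-addresses=192.168.0.20 comment="fwd-tcp"
add action=dst-nat chain=dstnat protocol=udp dst-port=3478,3479 \
    in-interface=ether1-gateway to-addresses=192.168.0.20 comment="fwd-udp"

/ip firewall filter
# Explicitly accept only new connections that matched a dst-nat rule.
# Place this above any rule that drops new traffic from the WAN side in the
# forward chain, so that nothing else from the WAN is let through.
add action=accept chain=forward connection-state=new \
    connection-nat-state=dstnat in-interface=ether1-gateway \
    comment="accept dst-natted connections from WAN"
```

Setting to-ports is only needed when the internal service listens on a different port than the one exposed, and then it takes a single port or range, which is why a list there is rejected.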

Thanks! The network world is so magic!!!
I have checked the firewall rules but I don’t understand some default rules.
These are my firewall filter rules:

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=ether1-gateway

But I don’t understand the following:

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=ether1-gateway

Can I ask you to explain to me whether those rules are necessary or not?