and it does not work. I suspect it is because the traffic going back out to the outside client does not appear to be coming from the correct port.
I have masquerading enabled on my network for all other traffic, but masquerade does not allow me to specify a specific outbound port map. I need masquerading because my external IP address may change from time to time.
So, what do I need to map an external port to a different internal port for http traffic? I know this can be done on simple home routers, so I should be able to do it with RouterOS.
This kind of NAT port mapping works for me as expected.
Does this NAT rule’s counter increment when you try to connect from the WAN side?
Is there a server in your LAN with IP 192.168.1.1 listening on port 80?
Check your settings and post your NAT configuration.
Yes, the rule increments, but the outside client does not connect. If I change the rule (and the inside device so that it listens on the same port number that the outside uses) then the outside client can connect. The problem only occurs if the inside and outside ports are different.
I’ve tried this with a number of different devices and ports, all with the same result.
The configuration is below. 192.168.1.1 was just illustrative, the exact one that is not working below is 192.168.88.30. The devices at .20 and .99 work, the device at .30 works if I connect from the inside to port 80 but does not work if I connect to 10123 from the outside.
In your dst-nat rules there is no ‘dst-address’ (your WAN/public address) defined.
Remove rule #5 commented as ‘Loopback’.
Do you have WWW service (port 80) enabled on your router?
/ip service export
If yes, disable it or move it to a different port, e.g. 8080.
What RouterOS version do you use?
I removed the loopback rule.
I disabled the service port 80.
Neither of these changes made any difference. I’m running RouterOS 6.0RC2, but I had the same issue with 5.21.
It does not appear to have anything to do with a particular port. If I use NAT to forward from an outside port to the same inside port #, it works. If I forward to a different inside port it does not work. Do I need some reverse mapping configured or a configuration in the firewall forward filter rules for a port other than the outside port, plus accept established and accept related?
Actually the rules are needed to let the traffic through the firewall after the port mapping. But your observation that the NAT takes place before the firewall forward chain is key to getting it to work. When I change the firewall rule to allow port 80 to forward (instead of 10123) I can access from outside! Success.
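The configuration the thread arrives at, written out as an added example rather than any poster's own export: dst-nat runs before the forward chain, so the filter rule must match the translated destination (192.168.88.30 port 80), not the public port 10123. The WAN interface name ether1 and the rule ordering are assumptions.

```routeros
# Masquerade LAN traffic leaving the WAN interface (public IP may change, so no src-nat to-addresses).
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> Internet"

# Port-translating forward: public TCP/10123 -> 192.168.88.30:80.
# in-interface=ether1 instead of dst-address= keeps the rule valid when the public IP changes.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=10123 \
    action=dst-nat to-addresses=192.168.88.30 to-ports=80 comment="WAN 10123 -> .30:80"

/ip firewall filter
# Replies and related traffic for already-accepted connections.
add chain=forward connection-state=established,related action=accept

# The forward chain sees the packet AFTER dst-nat, so match the inside port (80), not 10123.
# connection-nat-state=dstnat restricts the rule to connections that really came through the dst-nat rule.
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.30 dst-port=80 \
    connection-nat-state=dstnat action=accept comment="allow translated port 80 to .30"

# Everything else arriving from the WAN that is a new connection is dropped.
add chain=forward in-interface=ether1 connection-state=new action=drop comment="drop other inbound"
```

Check the counters of both the dstnat rule and the port-80 forward rule while connecting from outside: if only the NAT counter increments, the forward filter is still matching the wrong port.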
Sorry to resurrect this old thread, but I’m trying to do a similar thing and having no success.
I currently have working firewall/NAT rules to forward external port 5656 to internal port 5656 on 192.168.1.10. I’d like to also forward external port 21 to internal port 5656 on the same IP. The port forward works for 5656 but only partially works for 21, in that an initial connection is succeeding but then seemingly gets dropped.
Immediate thoughts - Check that you aren’t running port 21 on the router itself (IP Services) and check that you don’t actually need ports 21 & 20 for your application.
Also remember that such NATed traffic also needs to be allowed in the forwarding chain filters.
Thanks for the heads up on the IP services, FTP was indeed running. I disabled it but the problem persists.
My usual method of setting up forwards is to create both the NAT rule as well as the firewall rule to accept the connection, which works fine. I believe all I should need to do in order to have two external ports forward to a single internal port is to create the additional NAT entry, but no matching firewall rule is needed since it’s all hitting the same internal port. Is that correct?
If you are trying to forward two different outside ports to the same inside port on the same inside IP, that is an overlap and I don’t believe that will work. I have not met a firewall device yet that allows you to do that.