I've been in IT for over 10 years and just recently discovered the awesomeness of MikroTik. I recently installed a hAP AC router for my home use and I've been blown away by the capabilities and performance of the device. I am running into a roadblock though. I'm trying to do some port forwarding from my WAN to an IP address on my private network that is behind a NAT. I've read the documentation and followed the steps, as well as watched a few YouTube videos showing the process, but for the life of me cannot get it to successfully forward the port. I can access the port no problem from within my LAN but cannot access it from the WAN side of the router. I'm sure it's something simple I'm missing, but I've tried just about everything, including disabling the existing filter rules, and I still can't get this port to forward properly. I'm hoping someone with a lot more experience with RouterOS can help me get this straightened out, because otherwise I'm incredibly happy with my new router.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat dst-address=172.16.0.15 dst-port=8123 in-interface=ether1 protocol=tcp to-addresses=172.16.0.15 to-ports=8123

Here are my NAT rules; the masquerade rule was there by default. I'm trying to redirect traffic from the WAN to 172.16.0.15 on port 8123.
If you have a dynamic WAN address, it's a good idea to use dst-address-type=local for dstnat rules. If you don't set any specification for the dst address, it will dstnat all connections, even outgoing ones, so you won't be able to connect to port 8123 anywhere else. There's a good chance you won't ever need to, but still…
Thanks for that, Sob - you just solved a problem for me. Yesterday I changed my internet connection in use from a DSL with static IPs to a cable connection with a dynamic address. I run a web server, so I have port 80 forwarded to the server. I could not get to websites from that network.
I hope it will help you:
add action=dst-nat chain=dstnat comment=FTP dst-address=MY_PUBLIC_IP dst-port=21 in-interface=WAN protocol=tcp to-addresses=MY_PRIVATE_IP to-ports=21
MY_PRIVATE_IP is the IP of the FTP server (private). FTP control on port 21 is TCP, so the rule uses protocol=tcp.
Actually, I DID have both the destination IP and in-interface when I had the traffic coming into my static DSL internet connection. However, as part of moving stuff over to the dynamic cable connection, I had to remove the destination IP and in-interface because traffic could have come in via either the DSL or cable connection. Now that the cutover is completed, I was able to put the in-interface back in, as the DSL is no longer used for inbound traffic to the web server.
If you have more than one "WAN" interface, or more interfaces that you want to NAT or masquerade over, you can group them in an interface list and then set in-interface-list.
If you set in-interface, then your outgoing traffic is fine, it won't match. But setting in-interface conflicts with a hairpin NAT setup (when you use the public address to access a server which is in the same LAN). And in some cases, in-interface is too broad a specification. If you have only one public address, you most likely won't notice any problem. But if you had a routed public subnet, then a dstnat rule with just in-interface would match traffic to all those addresses. So it's still a good habit to use some way to specify that you're interested only in traffic to local address(es).
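Putting Sob's advice together with the interface-list suggestion above, here is an added example (not a configuration posted in this thread): a dstnat rule for the original poster's 172.16.0.15:8123 that matches only addresses the router itself owns, plus the hairpin rule that lets LAN hosts reach the server through the public address. The LAN subnet 172.16.0.0/24 and the interface names are assumptions.

```routeros
# Added example, not from the thread. Assumes LAN 172.16.0.0/24 and WAN on ether1.
# RouterOS default config already creates an interface list "WAN" containing
# ether1; skip the two "list" blocks below if that list exists on your router.
/interface list
add name=WAN comment="all upstream interfaces"
/interface list member
add interface=ether1 list=WAN

/ip firewall nat
# Outbound masquerade over any WAN member (replaces the per-interface rule)
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="masquerade via any WAN"

# Port forward. dst-address-type=local restricts the match to addresses the
# router owns, so a LAN client connecting to port 8123 somewhere on the
# Internet is not rewritten. No in-interface, so the rule also matches LAN
# clients that use the public address (hairpin).
add chain=dstnat action=dst-nat dst-address-type=local dst-port=8123 \
    protocol=tcp to-addresses=172.16.0.15 to-ports=8123 \
    comment="forward 8123 to 172.16.0.15"

# Hairpin NAT: after dstnat the destination is already 172.16.0.15. Masquerade
# LAN-sourced connections to it so the server replies via the router rather
# than directly to the client (which would break the connection). Side effect:
# the server sees the router's LAN address for these connections, not the
# client's, so its access log will show the router for LAN clients too.
add chain=srcnat action=masquerade src-address=172.16.0.0/24 \
    dst-address=172.16.0.15 dst-port=8123 protocol=tcp \
    comment="hairpin NAT for 8123"

# Verification: counters on the dstnat rule should rise when you connect from
# the WAN side, and the connection should show the translated reply address.
# /ip firewall nat print stats
# /ip firewall connection print where dst-address~":8123"
```

The default "drop all from WAN not DSTNATed" forward rule lets this traffic through because it excludes connection-nat-state=dstnat, so no extra filter rule is needed unless you have replaced the default filter set.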