Opening ports and forwarding (drives me crazy!)

Ok, first off, I am very sorry for posting this question since you probably answered this one a million times before.

I have been plowing through the manual and this forum now for the last three days and I simply cannot find an answer, or at least an answer that I can understand as a total MikroTik newbie.

See, I got my router from my ISP since it enables me to connect to a wireless network throughout the valley.

I got several PCs behind the router, so of course I have DHCP enabled on the router. (Router internal IP is 192.168.2.1)

Now I need to open and forward ports to several PCs for different reasons.

    • FTP and Torrent server on 192.168.2.252
    • Gameserver on 192.168.2.253
    • Workstation on 192.168.2.254

I use the winbox program to communicate with the router and I do understand SOME of it… but the whole forwarding section remains a mystery to me.

This is the schematic of my setup.
[img=http://img50.imageshack.us/img50/7075/mikroteksetupkc1.th.jpg]

Please, please, please, please, please, please, please, please help me with this problem

Let me explain what the idea is:

    • 192.168.2.252 needs to have port 21 forwarded to this IP from the router.
    • 192.168.2.253 needs to have port 80, 8085, 3443, 3724 forwarded in order to run my game server
    • 192.168.2.254 is running just fine.

Could anyone help me step-by-step ?

You could also add me at sebastiaan_bloemhoff@hotmail.com for MSN chat.

Thank you very much for your time.

Simple dst-nat rules:

If something is coming to your public IP address and specific port - you redirect it to the specific local IP address:

http://www.mikrotik.com/testdocs/ros/2.9/ip/nat.php

I understand that part, but I don’t understand what to do.
I have been fiddling with all kinds of settings, but nothing I do works.

Especially the game server. People instantly get a disconnect message.

Did you see the examples part?
http://www.mikrotik.com/testdocs/ros/2.9/ip/nat_content.php#6.36.3.3

What exactly is unclear? Do you know what ports the game uses? Did you write your rules correctly? Post them here.

I have a similar issue - the 1st rule forwards great, but then I obviously can’t get into router remotely, so I’ve tried adding rules to forward port 8291 (winbox) to the private side IP.

I’ve set it up according to the example

/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat
to-addresses=192.168.0.109

I’ve added the ‘to-ports’ field for the destination port.
I tried adding the Protocol and Dst. Port also.

The first rule on the list will work fine, but subsequent rules seem ignored.

Ideas?

Paste ‘ip firewall nat export’ or NAT rules you have.

Here are the three rules… Masquerade, then the remote desktop, then finally one to allow me to get into router through winbox from outside. This is my home router…


0 chain=srcnat out-interface=wlan1 action=masquerade

1 chain=dstnat dst-address=12.195.xx.xxx dst-port=3189 action=dst-nat
to-addresses=192.168.254.160 to-ports=3389

2 chain=dstnat dst-address=12.195.xx.xxx dst-port=8291 action=dst-nat
to-addresses=192.168.254.1 to-ports=8291

You must specify protocol together with used src/dst - port.

Added the ports on both ends for both rules…
Works great now.

Thanks

I’ve been battling with this for some time also.
Can you post an export of the rules that you used to fix the problem?
This is what I’ve got and it won’t work either.

nov/23/2006 12:47:06 by RouterOS 2.9.27

software id = VB6E-2RN

/ ip firewall nat
add chain=srcnat out-interface=wan action=masquerade comment="" disabled=no
add chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=25 action=dst-nat
to-addresses=192.168.0.1 to-ports=25 comment="" disabled=no


When I telnet to the mailserver I get no response.
Please help

Port number 25 does not forward Telnet traffic.
Port 25 forwards SMTP traffic; if you want to set redirection for a Telnet session, then use port 23 (the default port number for Telnet).

Hi Sergejs, It is intended for smtp traffic, but I use telnet to port 25 to test that the mailserver can respond. Will this export that I posted earlier work for smtp?

DST-NAT changes the dst-address of the packet; this rule actually directs packets destined to 193.220.217.78 to 192.168.0.1.
You need to add a SRC-NAT rule that will redirect port 25 traffic from 192.168.0.1 to 193.220.217.78.
Packets sent from 192.168.0.1 will have 193.220.217.78 as src-address.

Hi Sergejs

See the latest try; it still does not accept incoming mails although I’m able to send outgoing SMTP.

I have a mailserver on private IP 192.168.0.1, the public IP is 193.x.x.78. I want the mailserver on the private IP to be able to send and receive public SMTP and POP emails.


[admin@WAHGICP] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=wan action=masquerade

1 chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=25 action=dst-nat
to-addresses=192.168.0.1 to-ports=25

2 chain=srcnat src-address=192.168.0.1 protocol=tcp src-port=25 action=src-nat
to-addresses=193.x.x.78 to-ports=25

3 chain=srcnat src-address=192.168.0.1 protocol=tcp src-port=110 action=src-nat
to-addresses=193.x.x.78 to-ports=110

4 ;;; pop
chain=dstnat dst-address=193.x.x.78 protocol=tcp dst-port=110 action=dst-nat
to-addresses=192.168.0.1 to-ports=110


Your help would be greatly appreciated.

It seems that when I disable masquerade, everything now works.

I’ve got two W3k boxes running remote desktop on the same network. I can access the first one just fine.

I try to add the 2nd one and can’t connect to it.

I know I can’t have the 2nd entry the same as the first, since RDP is using the same port on both machines.

So I tried to redirect port 3390 from remote machine to 3389.

Here are my rules.

1 ;;; NAT Rule to allow RDP from outside network
chain=dstnat dst-address=12.166.5.8 action=dst-nat to-addresses=10.0.0.5
to-ports=3389

2 chain=dstnat dst-address=12.166.5.8 protocol=tcp dst-port=3390
action=dst-nat to-addresses=10.0.0.4 to-ports=3389

Any suggestions?

Thanks
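
Added example (not part of any post in this thread, and not MikroTik's code): a small Python linter for NAT rules in `add key=value` export form, covering the two problems raised above, a dst-port given without a protocol, and a dst-nat rule with no protocol or port that forwards every port and matches before any later rule for the same address. The sample export is constructed (203.0.113.8 is a documentation address), the function names are hypothetical, and only the dst-address, protocol and dst-port matchers are considered.

```python
import shlex

# Constructed sample in export style, modelled on the rules quoted in this thread.
SAMPLE_EXPORT = """\
add chain=srcnat out-interface=wan action=masquerade
add chain=dstnat dst-address=203.0.113.8 action=dst-nat to-addresses=10.0.0.5 to-ports=3389
add chain=dstnat dst-address=203.0.113.8 protocol=tcp dst-port=3390 action=dst-nat to-addresses=10.0.0.4 to-ports=3389
add chain=dstnat dst-address=203.0.113.8 dst-port=8291 action=dst-nat to-addresses=10.0.0.1 to-ports=8291
"""

def parse_rules(export_text):
    """Turn each 'add key=value ...' line into a dict, keeping rule order."""
    rules = []
    for line in export_text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def lint_nat(rules):
    """Return (rule_index, message) findings for dst-nat rules, in rule order."""
    findings = []
    catch_all = {}  # dst-address -> index of first rule with no protocol and no port
    for i, r in enumerate(rules):
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        dst = r.get("dst-address", "any")
        if dst in catch_all:
            # NAT rules are evaluated top down; the earlier rule already matched.
            findings.append((i, f"shadowed by rule {catch_all[dst]}: never matches"))
        has_port = "dst-port" in r
        if has_port and "protocol" not in r:
            findings.append((i, "dst-port given without protocol=tcp/udp"))
        if not has_port:
            findings.append((i, "no dst-port: all ports are forwarded to "
                                + r.get("to-addresses", "?")))
            if "protocol" not in r:
                catch_all.setdefault(dst, i)
    return findings

if __name__ == "__main__":
    for idx, msg in lint_nat(parse_rules(SAMPLE_EXPORT)):
        print(f"rule {idx}: {msg}")
```

Giving the first forward its own `protocol=tcp dst-port=...` pair clears all findings and also stops exposing every port of the internal host on the public address.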