Port Forwarding

Dear All Good Morning

For the past few days I'm trying to set my web server to be accessible via the internet but with no success; I have tried numerous examples with no success.

I know that’s supposed to be a simple thing, “101 of MikroTik”. If you have any ideas, please.

The internal web server is on 192.168.50.13:443 -->to public ip 84.254.36.85:443

For example, if I’m gonna devote “9988” for accessing my web server via a remote computer, I should do:

ip firewall nat 
add chain=dstnat protocol=tcp dst-port=9988 action=dst-nat to-addresses=192.168.50.13 to-ports=443

And there is some configuration which you should do in your modem settings: e.g. forward all incoming ports to the MT.

Thank you very much my friend. I will try it and post the results

Cheers

First, you need to set a NAT rule. Go to IP>Firewall>NAT and add a new NAT rule. Configure your In. Interface with your interface connection. Mine is ether1-gateway.

Then go to the Action tab and set it like this..

Now you should be able to access your webserver.

It worked GREAT

Thanks again.


If I can ask another question, let's say that we have the scenario of multiple IPs from my ISP “pool” and I want to assign them to different host systems.


Thanks Again for your patience

You mean a dynamic IP from your ISP? Then use IP Cloud. It's a VPN service from MikroTik. With that host, you can access your MikroTik from everywhere.

I suppose you have “5 usable public IP” addresses from the ISP, e.g. 192.0.2.42-46 and the mikrotik is .42, but you want to send .43 to an internal host for ALL ports (so the host can run anything it wants - it essentially has a public IP on it)

You do the same thing as the first rule you already did, but with a few changes:
add dst address = 192.0.2.43 (or whichever of the public IPs you want to map to the internal host)
remove protocol, dst port, and in interface
On the action page, change the “to address” to be whichever internal IP you want and remove the to ports.

For each additional public IP you map through the firewall, copy this second rule.

This method is 1:1 nat - where you assign an IP address entirely to one internal host.
If you specify certain ports in the General tab, and different IP/ports in the Action tab, then you can use 1 IP address but send the different services to different hosts. (so one public IP can appear to be your mail server, dns server, and web server, but behind the firewall, they are 3 different computers)

Finally, you need to configure Interfaces > Ethernet - edit the ether1 gateway interface, and make sure arp = proxy-arp, and then create a static route in IP > Routes
destination = 192.0.2.40/29 gateway=Ether2 Lan-Master (or whatever interface is the LAN)

These last two steps make sure that the MikroTik will answer ARP requests for all of the public IP addresses, and not just its own.

If you have filter rules in your firewall, then make sure that they allow connections to your shiny new servers on the ports you need, but not on anything else.
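
The 1:1 NAT rule and the filter advice from the post above, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; it assumes the WAN interface is ether1-gateway, the public IP 192.0.2.43 maps to the internal host 192.168.50.13, and that only TCP 443 should be reachable from outside.

```routeros
# 1:1 dst-nat as described above: no protocol, dst-port or in-interface,
# so every port on 192.0.2.43 is translated to the internal host.
/ip firewall nat
add chain=dstnat dst-address=192.0.2.43 action=dst-nat \
    to-addresses=192.168.50.13 comment="1:1 NAT .43 -> web server"

# Forwarded traffic is filtered AFTER dst-nat, so the filter rules match
# the internal address (192.168.50.13), not the public one.
# Rules are evaluated top to bottom; keep this order, and place them above
# any broader accept rule already present in the forward chain.
/ip firewall filter

# Replies and related packets for connections that were already allowed.
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related"

# The one service that should be public: HTTPS on the web server.
add chain=forward in-interface=ether1-gateway connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.50.13 dst-port=443 action=accept \
    comment="allow inbound HTTPS to web server"

# Everything else arriving new from the WAN is dropped, including all the
# other ports that the 1:1 rule would otherwise hand to the host.
add chain=forward in-interface=ether1-gateway connection-state=new \
    action=drop comment="drop other new inbound from WAN"
```

After applying, `/ip firewall filter print stats` shows per-rule packet counters, which confirms that inbound 443 hits the accept rule and other ports hit the drop rule.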