Hi folks,
How should the NAT rule for port forward look like, when I want to access the routers WebFig from WAN, but using e.g. 65000 as destination port (instead of 80) and then the rule should forward it to 80?
Simply change the web port on ip/services from 80 to 65000
but is better you access to config panel with a VPN…
A simple port scan detect web services on port 65000…
Yes, I usually use VPN for that.
But I was just curious if it is possible to somehow forward the port instead of changing the ip/services setting.
Yes is possible, just for test…
/ip firewall nat add action=dst-nat chain=dstnat dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp to-ports=80
Depending on how is configured your firewall you must also set:
/ip firewall filter add action=accept chain=input dst-address=<WAN PUBLIC IP> dst-port=65000 protocol=tcp
I prefer
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
The actual default firewall setup already has a rule like that. So you only need to specify incoming port mappings.
However, likely those people who think it is a good idea to allow admin access from outside already have butchered the default firewall beyond recognition…
Well, thanks, but I did exactly that steps few days ago, but it is not working.... no idea why, so far. 
@pe1chl: And again, this is not my preferred way to access the router remotely, I just check that for test purposes.
Not sure what you mean, I dont access the router via port forwarding and winbox nor should you using webconfig. Use a VPN then access the router.
I’ve said before that I basically use VPN, but I guess there’s no harm in trying out a few things for learning purposes out of interest in Router OS
Like pouring sand in the Vaseline.
However, the suggested solution is not working…
Show all your exported config, without omit anything and censore, but not delete, with *** the private data, like serial numbers, emails and public IPs.
I exported the config and hided private data ****.
Should I paste it here in text or attach somewhere as file?
paste text on forum between
your export hereblocks
# dec/30/2022 12:58:47 by RouterOS 6.49.7
# software id = ************
#
# model = RB962UiGS-5HacT2HnT
# serial number = *************
/interface bridge
add admin-mac=XX:xx:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country= disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MyNet station-roaming=enabled \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country= disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=MyNet station-roaming=\
enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.viva
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******* \
wpa2-pre-shared-key=*******
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.150
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.0.1 local-address=192.168.89.1 \
remote-address=
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=*********** use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"GUI: accept new,established,related,untracked" connection-state=\
established,related,new,untracked dst-address=XX.XX.XX.XX dst-port=65000 \
protocol=tcp
add action=accept chain=input comment=\
"SSH: accept new,established,related,untracked" connection-state=\
established,related,new,untracked disabled=yes dst-address=XX.XX.XX.XX \
dst-port=22 protocol=tcp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade Hairpin NAT" \
dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment=www dst-address=XX.XX.XX.XX \
dst-port=65000 protocol=tcp to-ports=80
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=\
both
/ppp secret
add name=*** password=
/system clock
set time-zone-name=Europe
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
…
…
…
…
I haven’t noticed anything strange in the rules,
except the useless addon “connection-state=established,related,new,untracked”