Port forward to Static IP

Trying to configure the RB951-2n to forward to a static IP address on Port 5. The aim is to configure a new Ubiquiti AirGateway with the default IP of 192.168.1.1 from the WAN side of the MikroTik.

WAN address of the MikroTik: 192.168.3.100/24
ether5 has been given the IP address 192.168.1.2/24 and its master port is set to none.


add address=192.168.1.2 interface=ether5-slave-local network=192.168.1.0

This created a new routing table entry:

ADC 192.168.1.0/24 192.168.1.2 ether5-slave-local 0


I have then created a NAT rule for port forwarding:


add action=dst-nat chain=dstnat dst-address=192.168.3.100 dst-port=800 log=yes \
    protocol=tcp to-addresses=192.168.1.1 to-ports=443

It's not working, and I am able to ping 192.168.1.1 from the RB using the ping tool in WinBox.

What did I miss?

Hi,
The problem is your ports.
What is port 800? And why did you forward it to 443??
Use port 80.

You need to be a little more specific about what exactly you do.

You are connecting:

  1. to 192.168.3.100
    a) from the internet => impossible
    b) from the same subnet where 192.168.1.1 is => you need hairpin NAT on your router
    c) from 192.168.3.x => should work (*)
    d) from some other subnet (not 192.168.3.x) connected to your router => should work (*)

  2. to
    a) from the internet => make sure that the port is forwarded from there to 192.168.3.100 (also applies to the following 2b and 2c)
    b) from the same subnet where 192.168.1.1 is => you need hairpin NAT on the router with (or on your router)
    c) from 192.168.3.x => you need hairpin NAT on the router with
    d) from some other subnet (not 192.168.3.x) connected to your router => you need hairpin NAT on the router with (or half-hairpin NAT on your router; just redirecting from , without the srcnat part).

(*) Packets have to be allowed in the forward chain. This applies in any case.

Port 800 is just a randomly selected port. Port 443 is the HTTPS port that I am trying to access behind NAT.

I am connecting from a laptop in the 192.168.3.x range, which is the local area network the RB is connected to.
I have already set up hairpin NAT:

add action=dst-nat chain=dstnat dst-address=192.168.3.100 dst-port=800 log=yes \
    protocol=tcp to-addresses=192.168.1.1 to-ports=443

I have also tried forwarding to port 80 or 22; that did not work either.

The RB also has Port 2 and Port 3 in a bridge, which has the LAN address 192.168.88.0/24. Port 5 is not part of the bridge and has been given the address 192.168.1.2/24.

So the network is:
office router (192.168.3.0/24) → RB (192.168.3.100) → AirGateway (192.168.1.1/24)

The aim is to access the AirGateway from a laptop in the office network using https://192.168.3.100:800
instead of having to plug into the AirGateway directly using https://192.168.1.1

Fine, this should be the easy 1c) option.

A few ideas:

  • When you try to connect, do you see your NAT rule being used? Counters should increase and you also have logging enabled, so you should see it too.

  • Does your forward chain (under /ip firewall filter) allow this connection? There is more than just one way, you may not be blocking anything, you can allow it by interface, by address, …

  • What does AirGateway have as default gateway? Is it 192.168.1.2? If not, try to add this rule:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.1 protocol=tcp dst-port=443

This is it! There is no gateway set on the AirGateway, and this NAT rule works.

Is this because the TCP packets are masqueraded so that the AirGateway knows where to return the packets?
If yes, is it masqueraded to have 192.168.3.100 or 192.168.1.2?

If there's no default gateway, it knows only how to reach devices in the same subnet, i.e. 192.168.1.0/24. It will receive packets from somewhere else, but it can't send replies, because it doesn't know where to send them. That also answers your last question.
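Putting the two answers above together, here is the complete rule set for the 1c) case as an added example (not a configuration posted in this thread), with the reason for each rule in comments. It assumes the interface names used in the thread: ether5-slave-local faces the AirGateway; the office LAN side is whatever interface carries 192.168.3.100.

```routeros
# Added example: full RouterOS config for reaching the AirGateway (192.168.1.1)
# via https://192.168.3.100:800 from the office LAN (192.168.3.0/24).
# Assumed interface name: ether5-slave-local (as in the thread).

/ip address
add address=192.168.1.2/24 interface=ether5-slave-local network=192.168.1.0

/ip firewall nat
# 1. dst-nat: rewrite the destination 192.168.3.100:800 to 192.168.1.1:443
#    (the AirGateway's HTTPS port). log=yes makes matched packets visible.
add chain=dstnat action=dst-nat dst-address=192.168.3.100 protocol=tcp \
    dst-port=800 to-addresses=192.168.1.1 to-ports=443 log=yes \
    comment="AirGateway HTTPS via 192.168.3.100:800"

# 2. masquerade: the AirGateway has no default gateway, so it can only reply
#    to 192.168.1.0/24. Masquerading replaces the laptop's 192.168.3.x source
#    address with the router's own address on the outgoing interface
#    (192.168.1.2), so replies come back to the router, which un-NATs them.
#    Scoped to TCP/443 towards 192.168.1.1 only, so nothing else is hidden.
add chain=srcnat action=masquerade dst-address=192.168.1.1 protocol=tcp \
    dst-port=443 comment="AirGateway has no gateway: source from 192.168.1.2"

/ip firewall filter
# 3. The forward chain must allow the connection (the (*) note above).
#    Keep it narrow: only dst-natted TCP/443 to the AirGateway, and place it
#    before any generic drop rule in the forward chain.
add chain=forward action=accept protocol=tcp dst-address=192.168.1.1 \
    dst-port=443 connection-nat-state=dstnat \
    comment="allow forwarded HTTPS to AirGateway"

# Checks while connecting from the laptop: the counters of rules 1 and 2
# should increase, and the dst-nat rule logs each matched packet.
/ip firewall nat print stats
/log print where topics~"firewall"
```

If the counters stay at zero, the packet never reached the dst-nat rule (wrong port, wrong address or a filter rule earlier in the chain); if only rule 1 counts but the page never loads, check rule 3 and the AirGateway side.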

Thank you very much! Really appreciate it.