port forwarding how to ??

foffa · August 21, 2007, 3:43am

hello there evrey one mikrotikky

i have a bad problem with mikrotik
i want to make port forward from mikrotik soo i did like that

1- i make the mikrotik pc as (dmz-host) in the router i am good in this i think

2- i tried to forward a tcp port from internal network ip- to external network all ips
but alwayes nat error in my app

now what i have to do exactlly ???

sergejs · August 22, 2007, 1:10pm

What exactly you want to achieve ?
If you are aware of scenario you want to achieve, NAT rules are not hard topic to understand.
To make Public address link to local these rules should be used,
http://wiki.mikrotik.com/wiki/How_to_link_Public_addresses_to_Local_ones

foffa · August 22, 2007, 5:20pm

thanks for reply

but what i want to do exactly is open port for example 5060 tcp to ip 10.0.0.50
and also 5060 udp to ip 10.0.0.50

i need all trafic from and to the router throw this port to be forwarded to ip 10.0.0.50

like normal routers (port forward)

i opend all trafic from the router to the mikrotik pc
thank in advance

sergejs · August 23, 2007, 11:55am

Documentation describes it, it is not very hard option,
‘ip firewall nat add action=dstnat chain=dst-nat dst-address=public_address_of_the_router dst-port=5060 protocol=tcp to-addresses=10.0.0.50’,
the same rule for UDP.

foffa · August 25, 2007, 5:24pm

public_address_of_the_router

this means the mikrotik router

or the external router ???

sergejs · August 29, 2007, 6:22am

It means the address of the MikroTik router (public).

lahoras · September 2, 2007, 5:49pm

Hello, I’m trying do this to works with echolink software, but dosen’t work, I’m conect to an adsl line with mikrtik pppOe client and my public IP is dynamic so as public address assign 0.0.0.0/32 is this a mistake?, can you help me?, you can more details about echolink software on http://www.echolink.org.

thanks you very much and wait for feedback.

ARIEL

sergejs · September 3, 2007, 12:25pm

Well, you may use specific port application that is destined to public (PPPoE client) interface.

lahoras · September 3, 2007, 9:35pm

Hello, thanks for feedback, this are my nat rules

3 chain=dstnat dst-address=172.18.1.2 protocol=tcp dst-port=5200
action=dst-nat to-addresses=192.168.0.2 to-ports=5200

4 chain=dstnat dst-address=172.18.1.2 protocol=udp dst-port=5198-5199
action=dst-nat to-addresses=192.168.0.2 to-ports=5198-5199

Echolink software request tcp 5200 port and udp 5198 y 5199 ports,
my problem is that I want skip NAT of ADSL modem, else I have to NAT, DSL modem can works as bridge, and I need pppOe client on MIKROTIK.
Which dst-address I have configurate using PPPoE client on MIKROTIK?, y I chosse 0.0.0.0 dosen’t work, can you let me an example?, thank you very much.

king regadrs

ARIEL

sergejs · September 4, 2007, 5:25am

You may specify the address for public interface, as traffic is appeared on this interface.
As well it is possible to run the configuration without dst-address, just forward ports for the packets appeared at the public interface.

lahoras · September 4, 2007, 9:27am

sergejs, I can’t specify address on public interface becouse is a dynamic, however I test it but dosen’t work, I can understand why not run ok.
can you check if your suggest rules may be this?.

5 chain=dstnat in-interface=ether2 protocol=tcp dst-port=5200 action=dst-nat
to-addresses=192.168.0.2 to-ports=5200

6 chain=dstnat in-interface=ether2 protocol=udp dst-port=5198-5199
action=dst-nat to-addresses=192.168.0.2 to-ports=5198-5199

On ether2 is my PPPoE client.

kings regards.

Ariel

sergejs · September 4, 2007, 9:35am

Is it possible to reach your router from the remote networks ?
Probably rules are not working because you are trying to connect to address that is dynamic (and already changed).

lahoras · September 4, 2007, 11:38pm

sergejs, thank you for feedback, the problem is only if I implement pppOe client, but only with echolink aplication, with emule for example that requier one tcp an udp port wroks fine.
Actualy I have a ADSL line from my ISP, and they give a modem/router zyzel that can operate on bridge mode or routing, the idea is eliminate router funtion becouse with this configuration there are two NATS, only port are forwarding correctly if modem works on router.

Yes I can navigate on all sites, use mail client programs, but only echolink soft dosen’t work if I implement PPPoE client on mikrotik over adsl modem in bridge mode.

Sorry for my possible mistakes I’m a benginner with mikrotik and think is a great tool.

ARIEL

sergejs · October 9, 2007, 12:13am

These rules are looking fine to me,
5 chain=dstnat in-interface=ether2 protocol=tcp dst-port=5200 action=dst-nat
to-addresses=192.168.0.2 to-ports=5200

6 chain=dstnat in-interface=ether2 protocol=udp dst-port=5198-5199
action=dst-nat to-addresses=192.168.0.2 to-ports=5198-5199
If packet are arrived at Ether2 and 192.168.0.2 has software application that is listening for these ports.

Yes I can navigate on all sites, use mail client programs, but only echolink soft dosen’t work if I implement PPPoE client on >>mikrotik over adsl modem in bridge mode.

Which bridge mode are you talking about ?

derr12 · June 18, 2010, 6:20pm

Hi there, I am also unable to get echolink software to work for one of my internet subscribers, they are on the other end of a 2.4ghz link. goes like this mikrotik - ubiquity AP - engenious 2610 (bridged) - router.

he has two of these links to his home.

I had the rules set for the customers assigned public IP to forward all traffic to his local ip at first (1-1 nat) but that stopped working after i upgraded from router OS 3.3 to 4.5 on my rb450g. I have now set these rules up:

6 ;;; kennedy #1
chain=dstnat action=dst-nat to-addresses=10.0.0.83 to-ports=5200
protocol=tcp dst-address=139.142.249.85 dst-port=5200

7 ;;; kennedy1 udp
chain=dstnat action=dst-nat to-addresses=10.0.0.83 to-ports=5198-5199
protocol=udp dst-address=139.142.249.85 dst-port=5198-5199

8 ;;; kennedy 1 src nat.
chain=srcnat action=src-nat to-addresses=139.142.249.85
src-address=10.0.0.83

9 ;;; kennedy #2 1-1
chain=dstnat action=dst-nat to-addresses=10.0.0.82 to-ports=5200
protocol=tcp dst-address=139.142.249.189 dst-port=5200

10 ;;; kennedy #2 udp
chain=dstnat action=dst-nat to-addresses=10.0.0.82 to-ports=5198-5199
protocol=udp dst-address=139.142.249.189 dst-port=5198-5199

11 ;;; kennedy 2 src nat
chain=srcnat action=src-nat to-addresses=139.142.249.189
src-address=10.0.0.82

have i goofed something?

derr12 · June 18, 2010, 6:43pm

scratch that, i said it stopped working when i upgraded from 3.30 to 4.5, I checked with the customer, it has not woked since we put the mikrotik router up in that site.

shelbynetworks · March 7, 2011, 3:53pm

I cannot get port forwarding to work with ppp-client interface either? Modem in bridge mode>gives static public IP to mikrotik>everything works; except we cannot manage our devices on port 80 that live behind the customer interface. Works fine when not pppoe-client(i.e. ISP assigns static(cable, T1, etc); in this ex. use 192.x. as public:

add chain=dstnat dst-address=192.x.x.x protocol=tcp dst-port=8004 action=dst-nat to-addresses=10.6.60.4 to-ports=80

I have even natted the entire interface:

/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade comment= “NAT entire interface so that monitoring will work”

Should I bridge the ether interface the pppoe-client lives on to the client to get the NAT to work?

thx