Port Forwarding not sending response

Hello,

I would like to know how to port forward a port on mikrotik (4011igs)
In the previous setup i had a router in cascade with this mikrotik and the port forward steps were actually easy: i had to forward the ports on the first huawei router and the add DST-nat rules on mikrotik and it worked. Trying this last step with the new setup (only the mikrotik) doesn’t work. I only see and receive packets from outside but the outsider doesn’t get any response from my network. Any ideas?

Thanks in advance

/export hide-sensitive file=anynameyouwish

Is your ISP connection static or dynamic?
dynamic: need to add in-interface=WAN
static: need to add dst-address=IP of your wan

My ISP connection is dynamic. tried what you said and now i can’t even see packet incoming from the other host.
output.rsc (6.88 KB)

EDIT: I was actually trying from the same host of the service but pointing to the external ip of my network didn’t work. Tried actually with a different host and it works. Any idea? Sorry for the miscomprehension

Yes, if you are attempting to reach your server from an external connection such as LTE on your iphone it should work.
If you attempt to reach your server via its LANIP from the same subnet it should work
If you attempt to reach your server from the same subnet but using the public IP of your connection (as in via a dyndns name for example) it will not work.

If you desire folks on your subnet (on same subnet of server) to reach the server via its wanip address then you need hairpin NAT.

As for the config.

  1. Your internet setup is confusing. Does it come on from the ISP on vlan385 via PPPOE?

You seem to be missing the definition for this on /interface internet where is ether1?
/interface internet ???
Instead you have these two settings visible.
/interface vlan
add interface=ether1 name=vlan1 vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 use-peer-dns=yes user=barbara.noro@tiscali.it

It's still a very odd setup because mine is very different but similar, standard fibre connection coming in via vlan 34
/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
/interface vlan
add interface=Bell_eth5 name=vlanbell vlan-id=34

In summary if it works for you, great LOL. Perhaps in your scenario the PPPOE has to reside on the vlan vice the other way round ??

  1. To be honest I could not find a reason in your config why port forwarding would not work in general.
    The only issue would be how you attempted to test your port forwarding.
    If you wish to check your server from within the same subnet of your server (and not use the servers LANIP, but instead use your routers WANIP, (via dyndns name for example) then you would need to setup hairpin nat.

Yes, that’s actually the scenario. Tested it all and all goes like you said.

I’m not fully understanding what you mean with “/interface internet”. So: my internet connection is coming from a vlan (835) on the pppoe client. Then i added the pppoe-out1 to the WAN interface list and that’s all i did for the basic config. I am not using the SFP port even if it’s fiber: before the router there is an ONT that converts fiber to ethernet and enters port ether1

  1. To be honest I could not find a reason in your config why port forwarding would not work in general.
    The only issue would be how you attempted to test your port forwarding.
    If you wish to check your server from within the same subnet of your server (and not use the servers LANIP, but instead use your routers WANIP, (via dyndns name for example) then you would need to setup hairpin nat.

Actually, as i said in the last quote, port forwarding works with the scenario you described (statement 1/2) but the third does not. I will now try what you said with the hairpin NAT

Thanks in advance

EDIT: Opening quick set i can see an “internet tab” configured like this:

I am actually trying to do “hairpin NAT” following this guide https://wiki.mikrotik.com/wiki/Hairpin_NAT
I am prompted to write the “dst-address” for the dstnat nat rule. What should i write? My external IP address changes every reboot of the router.

Hi Tommy,
No worries, as i stated depends on isp connection, since you have a dynamic the following applies.

There are two methods one can use… the alternate uses the IP cloud and your dydns name that MT gives thru the cloud.

Regardless of which option you choose (or if isp is static or dynamic) you need to add the following masquerade (sourcenat rule)
add action=masquerade chain=srcnat comment="Mikrotik Hairpin NAT" dst-address=192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24

For Dynamic ISPs the following applies.
Method 1:
Modify Existing DST nat rules
add chain=dstnat action=dst-nat dst-address=!192.168.88.1 dst-address-type=local protocol=tcp dst-port=9000 to-addresses=192.168.88.50

Method 2:
Use the MT cloud service*** and slightly alter dstnat rules (works for internal and external users as well).

add action=dst-nat chain=dstnat dst-address-list=cloudDNS protocol=tcp dst-port=9000 to-addresses=192.168.88.50

*** Requires
a. Turn on mikrotik cloud service
b. Go to IP-> Firewall-> Address lists, create an entry with whatever name you wish e.g "cloudDNS" and at the address type the cloud DNS of your Mikrotik…
This will automatically resolve the name to your Public IP address…

Hello!
I tried with both methods 1 and 2 and got the same result as the one at the beginning. I try to connect to DVR on port 9000 with host1 and i can actually see that the packet was being sent.
Then it should give back an answer to HOST1 from DVR to start the connection between the 2 devices but this doesn’t happen if i try to contact it from local network.

Here is a picture representing my actual state.

Perhaps there is something funky happening at the DVR (server)??
Try adding the vlan to the interface list=WAN as well…
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan1 list=WAN

This would ensure these rules also contain the vlan…
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24

option A.
add chain=dstnat action=dst-nat dst-address=!192.168.88.1 dst-address-type=local protocol=tcp dst-port=9000 to-addresses=192.168.88.50

optionB.
add action=dst-nat chain=dstnat dst-address-list=cloudDNS protocol=tcp dst-port=9000 to-addresses=192.168.88.50
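For reference, here is the complete hairpin-NAT rule set that the two posts above describe (interface-list membership, the masquerade rules and the dst-nat rule), written out as one coherent RouterOS fragment. This is an added example, not the thread author's export: it assumes the values quoted in the thread (LAN 192.168.88.0/24, router LAN address 192.168.88.1, DVR at 192.168.88.50 on TCP 9000, uplink pppoe-out1 over vlan1) and tightens the hairpin masquerade to the forwarded server and port rather than the whole subnet, which is sufficient because src-nat is evaluated after dst-nat for the first packet of a connection.

```routeros
# Added example (not the thread's own config). Assumed values from the thread:
# LAN 192.168.88.0/24, router LAN IP 192.168.88.1, DVR 192.168.88.50:9000,
# uplink pppoe-out1 running on vlan1 over ether1.

/interface list member
add interface=bridge list=LAN comment=defconf
add interface=ether1 list=WAN comment=defconf
# Both the VLAN carrier and the PPPoE client belong in the WAN list so the
# defconf filter and masquerade rules below cover every uplink path.
add interface=vlan1 list=WAN
add interface=pppoe-out1 list=WAN

/ip firewall nat
# Regular outbound masquerade for traffic leaving via any WAN-list interface.
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="defconf: masquerade"

# Hairpin masquerade: a LAN client that reaches the DVR through the router's
# public address would otherwise get the reply straight from 192.168.88.50,
# a source it never talked to, and drop it. Rewriting the source to the
# router's LAN address makes the reply return through the router, which
# undoes both translations. Limited to the forwarded service (assumption:
# the thread's version matches the whole subnet) so other intra-LAN traffic
# keeps its real source address in the DVR's logs.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    dst-address=192.168.88.50 protocol=tcp dst-port=9000 \
    comment="hairpin NAT for DVR"

# Port forward for a dynamic public address: dst-address-type=local matches
# any address the router currently owns (including the changing PPPoE one),
# while excluding 192.168.88.1 keeps the router's own LAN-side services
# reachable on that port. Works for external and hairpinned clients alike.
add chain=dstnat action=dst-nat dst-address=!192.168.88.1 \
    dst-address-type=local protocol=tcp dst-port=9000 \
    to-addresses=192.168.88.50 to-ports=9000 comment="DVR port forward"

/ip firewall filter
# The default forward-chain guard still holds: new connections arriving on a
# WAN-list interface are dropped unless a dst-nat rule accepted them above.
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="defconf: drop all from WAN not DSTNATed"
```

To confirm the hairpin path is being used, open the forwarded port from a LAN host via the public address and watch `/ip firewall connection print where dst-address~"9000"`: the entry should show the client's LAN address as source and the DVR as reply destination, with the NAT flags set; if the connection appears but no reply is counted, the hairpin masquerade rule is not matching (check its order and that the address in `dst-address` is the server, not the gateway).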

Hello! Good news!
Thanks in advance: adding these rules did the trick!
I really appreciate having a community like this.

Best of luck!

Thank you!
This helped me too.

My problem was that I was port forwarding a web server application that was hosted on a vlan on my network. The router was able to see the client.
However, whenever i tried to access the application, it would ‘partially’ work, ie, I would be able to access the login page, but when i tried to login, i always got the error, “server returned an empty response”.

Adding the Vlan interface to the masquerade list, solved the problem!