Port Forwarding over PPPoE

HaiderIT · August 31, 2021, 7:53am

hi everyone
i have a Mikrotik access internet via PPPoE
and i connect a DVR to it’s network
i try to forward DVR port through NAT rule but its not working
i searched for this issue but i didn’t find the solution for this, all topics talk about static ip, public ip no one talk about pppoe port forwarding. the only one i found is this:
ip>firewall>NAT>General>
Chain:dstnat
protocol:tcp
Dist.port:my DVR port
ip>firewall>NAT>Action>
Action: dist-nat
To Address: my DVR address
To Port: my DVR port
and this is not working for me. anyone can help me please??

mkx · August 31, 2021, 8:30am

PPPoE doesn’t make NAT any different. The idea is this: WAN interface has public (or “public”) IP address. WAN interface is often a physical port (e.g. eth1 with DHCP client running), but can be tunnel interface such as pppoe-out1. MT default configuration handles this case just fine, you only have to make sure pppoe-out1 interface is member of WAN interface list (/IP firewall address-list).

There are a few generic problems with DST-NAT (not tied to particular WAN access technology), including

public IP address is not really public. The easiest way to determine if that’s the case, is to visit some well known web page which displays your public IP address (e.g. https://www.whatismyip.com/) and compare the address displayed with address your router is using. If they are not the same that means your ISP is already performing NAT and quite likely doesn’t forward ports to your router.
ISP runs some firewall even for public IP addresses
you’re testing your DST nat using a device which is actually inside home LAN. To make this happen, you need to implement hairpin NAT (if the manual is not descriptive enough for you, google posts in this forum or open a new thread).

anav · August 31, 2021, 12:53pm

Echo mkx, all good info.

If you post your config
/export hide-sensitive file=anynameyouwish we may be able to spot the problem area.

HaiderIT · September 1, 2021, 6:13am

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=6003 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.41 to-ports=6003

My WAN access over PPPoE
My Local LAN 192.168.0.0/24
192.168.0.41 is my DVR ip
6003 DVR port for mobile application

mkx · September 1, 2021, 9:18am

What does check about how public is your WAN IP say?

The DST-NAT rule you posted is fine … when you try to test it from outside (i.e. no hairpin NAT involved).