Port Forwarding

RouterOS General
1

I need to do port forwarding on Mikrotik 2.9
I need to forward ports 80 and 3389 to the inside network.
I have one public IP address and the following NAT rules on this router

[admin@X] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=OUT src-address=10.0.0.0/8 action=masquerade

1 chain=srcnat out-interface=OUT src-address=172.16.0.0/16 action=masquerade

2

You can find it here:
http://www.mikrotik.com/docs/ros/2.9/ip/nat

 chain=dstnat dst-address=[your public IP] protocol=tcp dst-port=80 
 action=dst-nat to-addresses=[your loal IP] to-ports=80
3

It isn’t working. PUBLIC_IP is the IP address of outside interface

[admin@X] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ADSL src-address=10.0.0.0/8 action=masquerade

1 chain=srcnat out-interface=ADSL src-address=172.16.0.0/16 action=masquerade

2 chain=dstnat dst-address=PUBLIC_IP protocol=tcp dst-port=3389 action=dst-nat to-addresses=10.10.10.3 to-ports=3389

4

Check you firewall rules, because NAT rules are correct. Also check, if your windows remote desktop is configured properly.

5

I do not have any Firewall rules configured. Only this that come with Mikrotik by default if they are any. Do I need to open port 3389

6

Maybe stupid questions, but for sure:

  1. what address do you type in to RDP client window?
  2. Can you log incoming packets to your Mikrotik? Are packets really accepted and forwarded by Mikrotik?
7

WITHOUT dst-address=PUBLIC_IP_OF_THE_ROUTER everything works just fine
WHYYYYY

[admin@X] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ADSL src-address=10.0.0.0/8 action=masquerade

1 chain=srcnat out-interface=ADSL src-address=172.16.0.0/16
action=masquerade

2 chain=dstnat protocol=tcp dst-port=3389 action=dst-nat
to-addresses=10.10.10.3 to-ports=3389
[admin@X] ip firewall nat>

8

Could you please answer my previous questions?

9

Could you please answer my previous questions?

10

Everything is working. Why to log anything. And the address is the public IP of the router

11

The question is why it works without DST-ADDRESS=PUBLIC_IP

12

zack,
dst-port forward all traffic, which has required destination-port (it does not matter, what packet destination address is).
if you will have dst-address, proper destination address for correct forwarding required.
router will redirect packets with dst-address and dst-port.

13

Sorry but when I put dst-address=public_ip which is IP address of Mikrotik outside interface and it isn’t working. Maybe it’s a bug or…

14

I do not have any problems with traffic redirection, if dst-address is configured.

15

When I make port forwarding let say on port 27015 all traffic is forwarded to this IP not just that to port 27015. Can you tell me why

16

Sometimes when I add rule like this:

ip firewall nat add chain=dstnat protocol=tcp dst-port=23 action=dst-nat to-addresses=10.10.10.203 to-ports=23

everything stops working. All traffic is forwarded to 10.10.10.203 in this example. When I make trace i se traffic going to my gate where I make NAT and port forwarding and then going back to 10.10.10.203

But sometimes everything is working ???

I have this topology

10.10.10.0 NETWORK – RouterA — RouterB — RouterC — RouterD(NAT)
RouterD have only one public IP

17

You wrote: “when I put dst-address=public_ip which is IP address of Mikrotik outside interface and it isn’t working”

What does it exactly mean “it isn’t working”?

Packets do not arrive to your public interface?
Packets arrive to public interface and Mikrotik handles them incorrectly?
Packets arrive to public interface, Mikrotik handles them correctly and there is other error?

This is why I asked you to log packets in case when it is “not working”…