I want to allow access from the internet to local machine to specific port
Example
My public IP is 24.24.24.24 and I want to allow access to this IP and Ports: 192.168.88.15:8080 ; 192.168.88.16:22 ; 192.168.88.17:4000
My router has the default configuration
I try several commands but could not access
Did you read this manual ? There are is pretty clearly explained how to configure dst-nat.
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Destination_NAT
I try this post but i unbale to access the web server
This is my configuration
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=“” ipsec-policy=out,none
1 chain=dstnat action=dst-nat to-addresses=192.168.88.15 dst-address=“Public IP” log=no log-prefix=“”
2 chain=srcnat action=src-nat to-addresses=“Public IP” src-address=192.168.88.15 log=no log-prefix=“”
Please post your config and we will have you sorted in no time.
/export hide-sensitive file=anynameyouwish
also confirm whether ISP WANIP is static/fixed or dynamic.
and which is your case?
a. servers are only for external users OR
b. will also use internal users and thus
i. will your users access the server by the LANIP or
ii. users will access the server by WANIP
Sorry for the delay
My public ip address is dynamic.
I attach my mikrotik configuration in the part of ip firewall and i attach image of my current configuration and the current public ip address.
In the ether 1 i have 100.70.1.181/20 (from my ISP)
In the rest of my ports and wifi the ip is the default 192.168.88.1/24
Any help will be appreciated
config.rsc (5.27 KB)
In summary, this is not your complete config, and thus cannot provide full feedback.
(1) Can you explain the purpose of this first rule in your input chain? If you think it has something to do with port forwarding you are mistaken and should be removed ASAP as a security risk and shows you have no clue as how to config the router yet. The input chain is for traffic TO THE router, and since you put that rule before the rule that says nobody except LAN users can access the router, everybody on the internet can access your router on port 80.
/ip firewall filter
add action=accept chain=input dst-port=80 protocol=tcp
Your NAT rule is lacking in one regard, missing destination port and if the to-port is the same as destination port its implied and need not be written.
otherwise seems okay, although convention is to use in-interface-list=WAN (especially if you have a pppoe type connection) for the dstnat rule.
I prefer it as I can see consistency between my masquerade rule and dstnat rule.
(2) /ip firewall nat
add action=dst-nat chain=dstnat in-interface**-list=WAN** protocol=tcp
dst-port=80 to-addresses=192.168.88.250
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
(3). What is the purpose of all the address list entries but not used in firewall rules.
What are they for and what do you hope to accomplish with your mangle rules???
Address as per above falls within the CGNAT range and no matter what port forwarding you do on your device, it will not work as you are being NATed at the ISP side
Well thats good to know? So a. its a fixed IP and b. its not a public IP.
Your options are:
a. contact the ISP and ask them to put the arris modem/router Into bridge or passthrough mode so your router gets the public IP,
b. (i) not as good but perhaps they or you can make the IP given to your router (on the router/modems lan subnet) as a DMZ (forward all ports).
(ii) You will still need the public IP that the ISPs modem/router gets from the ISP if you want people to be able to reach your servers.
Your masquerade rule should be setup for fixed wanip (static) that your router gets
add chain=srcnat action=src-nat to address=fixedwanip
DSTNAT RULEs
add chain=dstnat action=dst-nat protocol=tcp dst-port=xxxx dst-address=fixedwanip
to address=ipofserver
https://setuprouter.com/router/arris/tg862/port-forwarding.htm
The Arris modem is in bridged mode.
I see this in the ip firewall conections when i ping the public ip.
on this screen it is better appreciated
