Ok, I’ve got the beginnings of my church network up and running. The server is functional, as is one of the cameras and one of the access points. They’re all talking together fine. I’ve got SafeDNS filtering set up at the router to protect the entire network. It’s time to configure port forwarding.
I have found some online tutorials on configuring port forwarding under Winbox. But, before I get started, I’d like to see if there is some customization that I can make to the interfaces. For example, they’re all listed as “ether1” to “ether10” (I’m using an RB3011). The WAN link is currently on ether1. So far, so good. But I’m trying to think ahead; suppose that some day I go to a dual WAN setup for redundancy? Ideally, I’d like to not have to redo all of the rules if I make such a change in future.
It seems that there should be some way to designate an interface as “WAN” and then set up a port forwarding rule for “All WAN.” But I haven’t found it yet. Any suggestions before I dive in?
Rather than going by interface, you could go by dst-address. This would scale with multiple WANs, as you can create an address list called “WAN-IP’s” and add them to that.
An example of dst-address NAT:
Good start, Steve, but at least as of the present I’m on a dynamic IP. Now, my ISP has been pretty good about not changing it capriciously, but…how would you suggest coping with that?
Make sure your RouterOS is relatively recent and stay with me through this explanation…
1. Go into IP > Cloud, activate it and update the DDNS. Once updated, copy the DDNS name.
2. Go into IP > Firewall > Address-Lists and create a list called “wan-ip” with the address being the host name from step 1.
- On hitting OK, the MikroTik will resolve the DDNS host name for you below and put a D next to it, showing it is dynamically added.
3. Go back into your previously mentioned NAT rules, remove the dst-address, go into the Advanced tab and use dst-list, choosing step 2’s “wan-ip”.
***Also, doing it via dst-ip address is a good way to get yourself set up for hairpin NAT, as you can’t (easily) do that if you name the interfaces the connections should be coming in on; with LAN>LAN via host name, the connections never leave the router.
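The same three steps and the hairpin note as RouterOS terminal commands, added here as a worked example (not Steve’s own configuration or MikroTik’s documentation); the DDNS host name, the camera’s LAN address 192.168.88.10, the public port 8080 and the LAN subnet 192.168.88.0/24 are assumed placeholders.

```routeros
# Added example, not from the thread. Placeholders assumed: the DDNS name,
# camera at 192.168.88.10 (web UI on port 80), public port 8080, LAN 192.168.88.0/24.

# Step 1: enable IP > Cloud DDNS, force an update, then read off the host name
/ip cloud set ddns-enabled=yes
/ip cloud force-update
/ip cloud print
# The output's dns-name (<serial>.sn.mynetname.net) is used in step 2.

# Step 2: address list keyed by host name; RouterOS resolves it and keeps a
# dynamic (D-flagged) entry that follows the WAN address when the ISP changes it
/ip firewall address-list add list=wan-ip address=<serial>.sn.mynetname.net \
    comment="current WAN address, resolved from IP > Cloud DDNS"

# Step 3: dstnat rule matched on the address list instead of in-interface, so
# adding a second WAN later only means adding its name/address to the list.
# Caveat: this exposes the camera's web UI to any internet source; if only a few
# places need it, add src-address-list=<allowed sources> to this rule.
/ip firewall nat add chain=dstnat dst-address-list=wan-ip protocol=tcp \
    dst-port=8080 action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="camera web UI via WAN address"

# Hairpin NAT: LAN hosts reaching the camera via the public host name already
# hit the dstnat rule (it matches the address, not an interface). This srcnat
# rule masquerades those LAN>LAN flows so the camera's replies return through
# the router instead of going straight to the client and being dropped.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    dst-address=192.168.88.10 protocol=tcp dst-port=80 action=masquerade \
    comment="hairpin NAT for camera"

# Checks: the wan-ip entry should carry the D flag, and the dstnat rule's
# counters should increase when the public port is reached from outside.
/ip firewall address-list print where list=wan-ip
/ip firewall nat print stats where chain=dstnat
```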