Setting up port forwarding

As a newbie I have followed the manual for setting up my Mikrotik router. I have managed to gain internet access from my two servers connected to the router and access them locally via http and the local IP. I have one service running on http port 9000 on one of the servers, which I am now trying to reach through my external/public IP. I have done as described in the manual:

"Port Forwarding
Some client devices may need direct access to the internet over specific ports. For example, a client with an IP address 192.168.88.254 must be accessible by Remote desktop protocol (RDP).

After a quick search on Google, we find out that RDP runs on TCP port 3389. Now we can add a destination NAT rule to redirect RDP to the client’s PC.
/ip firewall nat add chain=dstnat protocol=tcp port=3389 in-interface=ether1 action=dst-nat to-address=192.168.88.254"

In this case I have done
/ip firewall nat add chain=dstnat protocol=tcp port=9000 in-interface=ether1 action=dst-nat to-address=192.168.88.253

as my server is running on the local ip 192.168.88.253 on port 9000.

After this I would expect to access my server through http://:9000 but I can’t. Locally I can access it through http://192.168.88.253:9000. What I see is that I actually can access :80 which is interesting as I haven’t done any forwarding of port 80, but maybe that is some default behavior.

What am I missing or doing wrong?

Hairpin NAT

Shouldn’t it be “dst-port”?
If port number is the same you don’t need “to-ports” but adding it shouldn’t create any problem, and it makes it more readable.

Yes, you are right. Thanks for the input. Applied dst-port and to-port, but I still can’t access my server on 9000 publicly.

I suddenly managed to access my server on public ip :9000 … not sure what made the difference. Anyhow - it works now.

From what I understand from the dstnat rule you posted, you intend any request coming from ether1 to port 9000 to go to 192.168.88.253 (still at port 9000).

Usually these port forwarding rules are IP based, like the example in the page below:

 /ip firewall nat add chain=dstnat action=dst-nat dst-address=<public_ip_address> dst-port=443 to-addresses=<private_ip_address> to-ports=443 protocol=tcp

But how exactly are you doing the test?

If you are trying from another connection through internet it should be enough.

If you are trying from the same network, then you will need additionally hairpin NAT:
https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT
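
The two rules this thread converges on, written out as an added example (not posted by any participant and not taken from anyone's router). It assumes the LAN is 192.168.88.0/24, that the LAN interface is named `bridge`, and that `<public_ip_address>` is a placeholder for the router's WAN address.

```routeros
# Added example with constructed values; adjust names and addresses to your setup.
# Assumptions: LAN = 192.168.88.0/24, LAN interface = "bridge",
# server = 192.168.88.253, <public_ip_address> = placeholder for the WAN address.

/ip firewall nat

# 1) Port forward matched on the public destination address instead of
#    in-interface=ether1. A request from a LAN client to the public address
#    arrives on the bridge, not on ether1, so an in-interface=ether1 rule
#    never matches it. dst-port is the port the client connects to;
#    to-addresses/to-ports state the internal target explicitly.
add chain=dstnat action=dst-nat protocol=tcp \
    dst-address=<public_ip_address> dst-port=9000 \
    to-addresses=192.168.88.253 to-ports=9000 \
    comment="forward tcp/9000 to 192.168.88.253"

# 2) Hairpin NAT. Without it, the server sees a LAN source address and
#    replies directly to the client, bypassing the router; the client
#    expected the reply from the public address and drops it.
#    Masquerading LAN-to-server traffic forces the reply back through
#    the router so the translation can be undone.
add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.88.0/24 dst-address=192.168.88.253 dst-port=9000 \
    out-interface=bridge \
    comment="hairpin NAT for tcp/9000"

# 3) Check which rule is actually being hit: the packet/byte counters
#    increase on the matching rule when a test connection is made.
print stats
```

With rule 2 in place, connections made from the LAN through the public address show up in the server's logs with the router's LAN address as the source, which matters when reading access logs for that service.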