TCP port forward doesn't work

I am using the rule:

/ip firewall nat add chain=dstnat dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=55555

Then I start my server on .251, such as:

nc -l 192.168.88.251 -p 55555

And the port is not reachable from the internet. What am I doing wrong?

/ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=55555

Hey. First of all: do you really have an application that is listening on that port? Because port forwarding via NAT doesn't mean the port will be opened from the Internet just out of nowhere.
And second: you need to assign a destination address, explicitly the public one, or assign an input interface which has that address, or both with a specific address if that interface has a subnet less than /30 (<30).

Thanks but I don’t think I can add my public IP since my ISP assigns that dynamically so it is always different.

Yes I tried with an application and also with nc -l. My understanding is that if there’s no application, the client would get connection refused, or a timeout if the rule doesn’t work.

I can’t assign an IP since it’s dynamic but I’ll try now with an interface.

It still doesn’t work but I see the packet count increase when I try to connect to the port.

Use dyndns or write a script which will do this for you :slight_smile:

There has to be a live server listening on this port behind your router.

Then your NAT rule works correctly. Troubleshoot the server side.

Hello,
if there is a bridge, this could work:

/interface bridge settings set use-ip-firewall=yes

:slight_smile:
I wish you convenience.

Thanks for the replies but it doesn't work. I installed nginx on my computer, the welcome page is available at http://localhost and http://192.168.88.251/ . I entered this rule:

/ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=80

Then I enter my public-IP:55555 in my browser, and I get a connection timeout; in the meanwhile, in the router NAT page I see the packet count increase for the rule I just created! What now? I tried so far with 2 servers on different ports, and netcat.

Don't listen to noobs, you don't need to add a public IP to the NAT rule.

You need to add a firewall rule:
accept
forward
dst.address=your internal ip
protocol=tcp
dst.port=your internal port

Hey, again :slight_smile: What you need now is hairpin NAT config. Google it :slight_smile: Your current dstnat rule is not for you, it is for external requests.

Well, I think every ISP knows the private networks of their users, don't they? :slight_smile:)

Are you saying I also have to set up this as a firewall filter rule, in addition to the NAT configuration? Tried and still doesn’t work.

There are two steps. First is dstnat, to change destination to internal address and port. That’s probably already ok, if counter increases. Second is firewall filter, which can stop forwarded packets, so you must make sure it doesn’t. This rule, strategically placed (i.e. before anything that could block those packets), will do it:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

If not, look closer at what happens. You can use Tools->Torch on the incoming and outgoing interface and check if packets are arriving and passing through the router correctly. Or you can add logging rules to prerouting and postrouting, and you'll see where it's going wrong.
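Putting the pieces from this thread together (dstnat matched on the WAN interface because the public address is dynamic, the forward-chain accept for dst-natted traffic, the hairpin NAT mentioned earlier, and logging rules for troubleshooting), here is a complete RouterOS configuration. This is an added example, not a rule set posted by anyone in the thread; it assumes the WAN interface is named ether1, the LAN bridge is named bridge, the LAN is 192.168.88.0/24 and the server is 192.168.88.251 serving on port 80, as in the original poster's nginx test. Adjust those names and addresses to your own setup.

```routeros
# Added example (not from the thread). Assumed names: WAN = ether1,
# LAN bridge = bridge, LAN = 192.168.88.0/24, server = 192.168.88.251:80.

# 1) dstnat for external clients: match the WAN interface rather than a
#    fixed public address, so the rule keeps working when the ISP changes it.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=55555 \
    action=dst-nat to-addresses=192.168.88.251 to-ports=80 \
    comment="WAN:55555 -> 192.168.88.251:80"

# 2) dstnat for LAN clients that use the public address (hairpin NAT):
#    dst-address-type=local matches whatever address the router currently holds.
add chain=dstnat in-interface=bridge dst-address-type=local protocol=tcp \
    dst-port=55555 action=dst-nat to-addresses=192.168.88.251 to-ports=80 \
    comment="Hairpin: LAN -> public-IP:55555 -> 192.168.88.251:80"

# 3) srcnat for the hairpin case: without this the server answers the LAN
#    client directly from 192.168.88.251, the client expected a reply from
#    the router's address, and the connection is dropped.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.251 \
    protocol=tcp dst-port=80 out-interface=bridge action=masquerade \
    comment="Hairpin: rewrite LAN source so replies go back via the router"

# 4) forward filter: accept only connections that a dstnat rule actually
#    created, and place the rule before any drop in the forward chain.
/ip firewall filter
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 action=accept place-before=0 \
    comment="Allow new connections created by dstnat rules"

# 5) temporary troubleshooting: log the packet before and after NAT so you
#    can see in /log whether it arrives and whether it leaves towards the server.
/ip firewall mangle
add chain=prerouting in-interface=ether1 protocol=tcp dst-port=55555 \
    action=log log-prefix="fwd-pre:" passthrough=yes
add chain=postrouting dst-address=192.168.88.251 protocol=tcp dst-port=80 \
    action=log log-prefix="fwd-post:" passthrough=yes
```

The filter rule in step 4 relies on the usual established/related accept rule being present above it, which the RouterOS default firewall provides. Disable or remove the two mangle logging rules once the problem is found, since they log every matching packet. If "fwd-pre:" entries never appear in the log at all, the packets are not reaching the router: check the address on ether1 with /ip address print, and if it is in 100.64.0.0/10 or a private range, the ISP is itself NATting the connection and no rule on this router can make the port reachable from the Internet.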

The issue is likely that my ISP is NATting my connection, so my IP is not directly reachable from the internet.