Yet another port forwarding noob...

Hi Everyone,

I’m very new to the Mikrotik scene and have been lurking on the forum for the last week or two trying to find a solution for my problem.
I have an ISP provided RB952Ui-5ac2nD running Router OS 6.74 and I’m trying to set up some port forwarding rules myself (both because I’d like to learn how and my ISP tech support doesn’t seem all that interested).
I have managed to get some forwarding working, for example I can now use my router’s sn.mynetname.net DDNS to SSH into my server but only internally on the LAN, not from an outside IP address.
This is the problem I’m now trying to solve and figured it’s about time I made an account on the forum to ask the experts.

One other problem I have is that the ISP has blocked my account from using the Terminal so while I work on getting access to that, I’ll do my best to post below what I’ve done so far.
Created NAT rule - Chain:dstnat Protocol:tcp Dst. Port:12566 Dst. Address List: WAN Action: dst-nat To Addresses:192.168.10.114 To Port:22
Address List - WAN = Public(?) IP from router’s DDNS
Created Firewall Rule - Chain:forward Protocol:tcp Dst. Port:12566 Dst. Address List: WAN Action:accept

The ISP has configured the router with a local-bridge (192.168.10.254/24) and vlan (100.65.46.11/24).
One other thing, I’m on rural wireless internet with a dish that plugs into the router, hopefully that doesn’t make too much difference but I’m sure someone more knowledgeable will let me know…

Hopefully this will be enough information to give an idea of what I’m going for, once I have terminal access I should be able to post exactly what’s going on.

Thanks in advance!

So you have full access to the ISP provided router via winbox?
There is no such thing as firmware 6.74?

If 100.65.46.11/24 is what you have on WAN, then bad news, that’s not public.

Good catch Sob
@anav I guess it's 6.47

100.64.0.0/10 (100.64.0.0–100.127.255.255), 4194304 addresses, private network:
Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.

With this IP (100.65.46.11) you are behind NAT out of your control, so you can not reach this IP from internet, so no port forward will work.

Hi All,

Thanks for the replies!

Sorry, that was a typo, firmware is 6.47. I can access winbox but my ISP has assigned me a “customer” profile which is fairly restrictive.

100.65.46.11/24 is the ip range of the vlan my ISP has set up within the router, my WAN ip is 103.5.x.x and does appear to be public.

Cheers.

And what’s this vlan? And more importantly, do you have 103.5.x.x on router (look in IP->Addresses) or is it just what some “what is my IP address?” online service shows?

Hi Sob,

IP->Addresses shows this
[Attachment: Screenshot 2022-06-06 100231.png]
And here it is in Interfaces ->Interface if that helps?
[Attachment: Screenshot 2022-06-06 100342.png]
The WAN IP shows under IP->Cloud in the Public Address field (and also in “what is my IP address?” services).

It still looks like bad news. There’s always a public address involved, because other devices on the internet can’t reach private addresses. But that public address is on the ISP’s router and can be shared by many clients. ISPs have to do this, because there aren’t enough public IP addresses (IPv4) for everyone. It works for outgoing connections to the internet, but not for incoming from the internet, because if there’s a new connection to this public address and port X, the ISP’s router doesn’t know to which client it should send it. It’s not completely hopeless, the ISP can configure their router to send all or selected ports to clients. If it’s all, it’s called NAT 1:1. But unless they told you that they do this for you, they most likely don’t.

Hi Sob,

Thanks for the explanation.
My ISP said something about a VOIP nat rule that I should be able to copy but it was missing in my router (maybe deleted by the installer?)
I asked them to reinstate it when I asked for terminal access so hopefully that will give me some clues?

I was trying to avoid asking for a public static IP (because I thought I could work around it) but that might be the answer after all.

I’ll post an update once I’ve heard back from my ISP and let you know if I need any more help.

Thanks again!

You do not need a static IP, just a public IP, not the one you see in your router 100.65.x.x that is private.
If this is a larger ISP, I guess he will not help you and you are stuck behind a NAT IP (103.5.x.x)

If you have another system in the world with a public IP, you can set up a tunnel from that IP and then get in behind your router.