X7Desu
just joined
Topic Author
Posts: 11
Joined: Sat Jan 07, 2017 10:36 pm

Port forwarding for multiple web interfaces

Thu Mar 22, 2018 4:28 am

Hi, I have multiple devices in the LAN, all with web interfaces on port 80 (home automation, etc.).
Inside the LAN it works fine.
But I just can't connect to anything over the internet (WAN).
How can I forward ports (probably) to make it work and connect to the different devices?
Thanks. Sorry for my poor English.
 
X7Desu
just joined
Topic Author
Posts: 11
Joined: Sat Jan 07, 2017 10:36 pm

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 4:38 am

I can only forward port 80 and access one device.
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 4:45 am

That is normal with port forwarding and is a limitation of the public IP address.
One can only port forward ONE port to ONE LANIP.
Imagine being the router: how does the router know which IP to send port 80 to???
What can be done, and what people do in the instance where they need multiple access, is

a. port map, in other words come in on the WAN side on port 8080 for example and translate to port 80. In this manner the router will be able to keep track
of which external WANIP came in on which port yy, which was then mapped to port xx and sent to LANIP zzz, etc.
b. get a block of public IP addresses from an ISP provider (and use one to one mapping)

So the external users need to know your WANIP address and which port they should come in on.
I use dyndns services vice IP address.
 
X7Desu
just joined
Topic Author
Posts: 11
Joined: Sat Jan 07, 2017 10:36 pm

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 4:54 am

Thanks.
Teach me how to configure A, please. Tried to translate port 8080, say, to 80 with no luck.
 
mkx
Forum Guru
Posts: 11629
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 11:42 am

You can set up different ports on WAN side being forwarded to different internal IP addresses (regardless of port) in the following manner:
/ip firewall nat
add action=dst-nat chain=dstnat comment="inbound port 80 goes to LAN host 1 port 80" dst-port=80 \
   in-interface="your WAN interface name goes here" protocol=tcp  \
    to-addresses="LAN host 1 address goes here" to-ports=80
add action=dst-nat chain=dstnat comment="inbound port 88 goes to LAN host 2 port 80" dst-port=88 \
   in-interface="your WAN interface name goes here" protocol=tcp  \
    to-addresses="LAN host 2 address goes here" to-ports=80
...
In WebFig you should open IP -> Firewall ... select NAT. Then you can create a new NAT rule ... be sure to select the dstnat chain, TCP as Protocol, Dst. Port set to the desired WAN port, select the appropriate In. Interface ... then way down select dst-nat as Action, set the correct To Addresses (enter the LAN host address) and To Ports (port on that LAN host). And optionally add a comment.

Do not use Quick Set for this kind of non-trivial setting!
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 1:49 pm

It would be more careful to change the LAN servers' HTTP ports to other ones and make translations from the Internet on public port 80 to the other local ports 81, 82, 83, 84, because in the public world the HTTP port in browsers is 80 by default. Browsers won't understand your requests on a port other than 80.
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 2:30 pm

Let's make this clear.
a. the OP has several servers using the same port on his LAN
b. Port forwarding the same incoming port to different LANIPs on the same subnet (via one public IP) is not possible.

The options are:
1. Change the port on his server if that is an option (standard fare for gaming servers for example)
2. Get a block of public IPs, one to one matching Public IP to Server IP, no limit other than the number of public IPs made available (could have 20 servers with same port).
However
3. What is most likely is port translation. It needs to be stated, due to a previous post, that ANY BROWSER can be used to access ANY port, and one is not limited to port 80.
(An IP address 24.666.788.23:8080 in the browser would go to that IP looking for port 8080, not 80.)

A. Basic port forward, incoming port and mapped port are the same....
http://www.icafemenu.com/how-to-port-fo ... router.htm

B. Have a look at this video which covers translating the port, incoming port is mapped to a different port.
https://www.youtube.com/watch?v=y47y73zCrEU

++++++++++++++++++++++++++++++++++++++++++++++
My MAIN CONCERN however is not the port forwarding rule, it's security for the port forwarding!!

C. What I would ask the Gurus here is clarity on
i. is a firewall rule needed for each port forwarding rule and if so what would it look like????
Last edited by anav on Thu Mar 22, 2018 5:02 pm, edited 2 times in total.
 
mkx
Forum Guru
Posts: 11629
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 3:20 pm

Any port forwarding should be subject to same security concerns. It doesn't matter if you forward standard http port (80) to LAN host (same standard port) or if you forward arbitrary port for arbitrary service to LAN host (again arbitrary port). The only difference is that when forwarding standard ports, they might get probed (with malicious intent) more often than some arbitrary port ...
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 5:16 pm

mkx, I ask the question because on my current router (Zyxel) I do the following
a. Virtual server(port forward rule), identify incoming interface - WAN, destination IP on the LAN - r.r.r.r, the incoming port XXXX, the mapped port YYYY (or could be a service, group of services etc).

Concur one is opening the door for that port on the router and thus security on the server is critical. I would not recommend an unencrypted server login.
Next I apply a FW rule as this applies some level of packet inspection that improves security (don't know exactly what...).

b. From WAN interface, source ANY, destination LANIP r.r.r.r, services incoming port YYYY, ALLOW, LOG

Note 1: Typically I only create holes (port forwarding) for KNOWN IPs, meaning I will control access further via FW rules, and thus my source is typically a single IP or a group of allowed IPs and not ANY (better security).
This is the key difference between a port forward rule and a FW rule, in that one can narrow down the source information - best practice!!

Note 2: On my router, the FW rule IS APPLIED to the mapped port, not the incoming port!! The router processes the Port Forwarding RULE first, and then it is sent to the FW rules.
The Port Forward Rule says: Hey, I have this traffic on port XXXX, which I am going to change the destination port to YYYY, and it's supposed to go to LANIP r.r.r.r, and by the way it's from IP z.z.z.z. The FW rule says: okay, I am expecting traffic on port YYYY for LANIP r.r.r.r but only for source IP z.z.z.z. Great, I will inspect the packets to make sure they are of sufficient quality/structure (?) and pass it on to LANIP r.r.r.r.

Q1. Which order does the MIKROTIK router process port forward rules and FW rules.
Q2. If the question makes no sense in terms of MIKROTIK routing let me ask it more clearly
What port should I apply a FW Rule to in the MIKROTIK schema: the incoming port or the mapped port?
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 5:28 pm

Q1: from the top, so if you do /ip firewall filter print it starts from item 0.
Q2: anything you like, but in your case it would be easy to apply it to the destination port of your incoming port.
It makes it more secure; you can accept connections from a known IP or a known MAC address. This may not be possible in your case.

I'd use VPN, much better than opening ports.

I've a site that I cannot VPN into. I did set up port forwarding but I only enable them when I need access, so the only port open on the WAN interface is 8391, Winbox, and you can put Brute Force Protection in place so that frequent connection attempts to port 8091 will be blocked for xxx minutes.
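Putting mkx's dst-nat rules together with the filter-rule question anav raised, here is an added example for the OP's three thermometers. It is not any poster's configuration: it assumes a WAN interface named ether1-WAN, the LAN hosts 192.168.0.5/.6/.7 on port 80 and the WAN ports 1337 and 1234 mentioned in the thread, a third WAN port 1235, and 203.0.113.10 as a placeholder for a trusted remote source address.

```routeros
# Added example (not any poster's configuration): WAN port -> LAN thermometer
# dst-nat, plus the forward-chain filter rules that guard the forwarded ports.
# Assumptions: WAN interface "ether1-WAN"; thermometers 192.168.0.5/.6/.7 on
# port 80 and WAN ports 1337/1234 (from the thread); WAN port 1235 for the
# third device; 203.0.113.10 as a placeholder trusted source address.

/ip firewall address-list
add list=thermo_admins address=203.0.113.10 comment="placeholder: trusted remote source"

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1-WAN protocol=tcp dst-port=1337 \
    to-addresses=192.168.0.5 to-ports=80 comment="WAN:1337 -> thermometer 1:80"
add chain=dstnat action=dst-nat in-interface=ether1-WAN protocol=tcp dst-port=1234 \
    to-addresses=192.168.0.6 to-ports=80 comment="WAN:1234 -> thermometer 2:80"
add chain=dstnat action=dst-nat in-interface=ether1-WAN protocol=tcp dst-port=1235 \
    to-addresses=192.168.0.7 to-ports=80 comment="WAN:1235 -> thermometer 3:80"

/ip firewall filter
# dst-nat is applied in prerouting, before the forward chain, so these rules
# match the translated destination (LAN host, port 80), not the WAN port.
add chain=forward action=accept connection-state=established,related \
    comment="replies and related packets of already accepted connections"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface=ether1-WAN protocol=tcp dst-address=192.168.0.5-192.168.0.7 dst-port=80 \
    src-address-list=thermo_admins log=yes log-prefix="thermo-fwd" \
    comment="only listed sources may open a connection to a forwarded thermometer"
add chain=forward action=drop connection-nat-state=dstnat in-interface=ether1-WAN \
    comment="every other port-forwarded connection is dropped"
```

This is the RouterOS answer to Q2: the dstnat chain runs in prerouting, ahead of the forward chain, so a filter rule for a port forward matches the mapped LAN address and port (80 here), and connection-nat-state=dstnat restricts the rule to traffic that actually came through a port forward. If the remote source cannot be pinned to a known address, drop the src-address-list matcher and rely on logging and connection rate limiting instead.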
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 5:37 pm

Okay thanks, I will have to play to see what the list shows me later.
As per the VPN suggestion, many folks are not adept or comfortable in setting up VPNs, especially those converting from more consumer type products to the mikrotik.
The concept of port forwarding is very familiar but the additional FW rule may not be.
I call it root crawl before run. :-)
√Crawl

I like the idea of Brute force protection; how easy is that to implement, let's say for the port forward scenario above?
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 5:46 pm

this is what I use
/ip firewall filter
# blacklisted sources are dropped outright
add action=drop chain=input comment="Winbox Brute Force Protection" connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
# a source already on stage3 that opens yet another new connection is blacklisted for 10 days
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage3
# stage2 -> stage3 on the next new connection within the one-minute window
add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage2
# stage1 -> stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage1
# every new connection puts the source on stage1 for one minute
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp
# add-src-to-address-list does not stop rule processing, so the packet still reaches this accept
add chain=input dst-port=8291 protocol=tcp action=accept
So the 1st connection is accepted but the source IP is put on the stage1 list, which expires in 1 minute; the 2nd connection gets it to stage2, and so on.
So multiple failed authentications will finally get the source IP into the blacklist.

You would apply this to the forward chain, maybe with fewer stages, but the idea is the same.
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for multiple web interfaces

Thu Mar 22, 2018 6:02 pm

That was fast...
I kinda see what you're doing but I need more coding comments per section to understand what is functionally being done at each line.

I was looking for some generic concept and came up with this...

RAW Rule [ Drop the address list early, no need to reach connection state ]

/ip firewall raw
add action=drop chain=prerouting src-address-list=server_blacklist \
    comment="drop server brute forcers"

IP FILTER [ identify addresses that attempt more than 10 incorrect logins per minute and add these addresses to a server blacklist, and stays on the list for 24 hours ??? ]

/ip firewall filter
add chain=output action=accept protocol=tcp content="Server Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="Server Login incorrect" \
    address-list=server_blacklist address-list-timeout=24h

By the way your first rule I would change to this:
IP RAW
/ip firewall raw
add action=drop chain=prerouting src-address-list=winbox_blacklist comment="Winbox Brute Force Protection"
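solar77 says the staged address lists can be applied to the forward chain for a port-forwarded service, and anav suggests dropping the blacklist in the raw chain. The following is an added example of that combination (my adaptation, not either poster's configuration) for the thermometer forwarded to 192.168.0.5:80, using two stages instead of three. The WAN interface name ether1-WAN, the list names, the one-minute stage windows and the 24h ban are assumptions.

```routeros
# Added example (not from any poster): solar77's staging moved to the forward
# chain for the port-forwarded thermometer at 192.168.0.5:80, with anav's
# raw-chain drop in front. Assumptions: WAN interface "ether1-WAN", list names,
# one-minute stage windows, 24h ban. NOTE: the stages count NEW TCP connections
# per source, not failed logins; the firewall never sees the login result.

/ip firewall raw
add chain=prerouting action=drop in-interface=ether1-WAN src-address-list=thermo_blacklist \
    comment="blacklisted sources are dropped before connection tracking"

/ip firewall filter
# add-src-to-address-list does not terminate processing, so the highest stage is
# checked first; otherwise one packet would climb every stage at once.
add chain=forward action=add-src-to-address-list address-list=thermo_blacklist \
    address-list-timeout=24h connection-state=new in-interface=ether1-WAN \
    protocol=tcp dst-address=192.168.0.5 dst-port=80 src-address-list=thermo_stage2 \
    comment="3rd new connection within the window -> blacklist for 24h"
add chain=forward action=add-src-to-address-list address-list=thermo_stage2 \
    address-list-timeout=1m connection-state=new in-interface=ether1-WAN \
    protocol=tcp dst-address=192.168.0.5 dst-port=80 src-address-list=thermo_stage1 \
    comment="2nd new connection -> stage2"
add chain=forward action=add-src-to-address-list address-list=thermo_stage1 \
    address-list-timeout=1m connection-state=new in-interface=ether1-WAN \
    protocol=tcp dst-address=192.168.0.5 dst-port=80 \
    comment="1st new connection -> stage1"
add chain=forward action=accept connection-state=new in-interface=ether1-WAN \
    protocol=tcp dst-address=192.168.0.5 dst-port=80 \
    comment="accept the forwarded connection (blacklisted sources never get here)"
```

Because the counters are per new TCP connection, a legitimate browser that opens several connections to the thermometer within a minute will also climb the stages, so size the windows and the number of stages for the real client behaviour, and check /ip firewall address-list print while testing to see which list a source has landed on.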
 
X7Desu
just joined
Topic Author
Posts: 11
Joined: Sat Jan 07, 2017 10:36 pm

Re: Port forwarding for multiple web interfaces

Fri Mar 23, 2018 8:35 pm

Thanks everyone.
Let me explain the details.
I have three Arduino-based LAN thermometers that have a web interface, and after I enter http://192.168.0.6/ I see a response in the desktop/mobile browser:
Room #2

Temperature =
24.70 *C
Humidity =
41.90
No HTML, just plain text: client.println("Temperature = ");
// **** ETHERNET SETTING ****
byte mac[] = { 0x8A, 0xF3, 0xDA, 0x0D, 0x78, 0xAA }; // some random MAC, unique for any LAN device
IPAddress ip(192, 168, 0, 7);                         // static LAN address of this thermometer
EthernetServer server(80);                            // listen for HTTP on port 80
And so on.
I do remember every IP: http://192.168.0.5/ , http://192.168.0.6/ , http://192.168.0.7/.

The task is to access any of the thermometers from the outside world (away from home, for example). Like my.real.ip:1337 - router - forward to 192.168.0.5:80, my.real.ip:1234 - router - forward to 192.168.0.6:80.
Is it possible?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding for multiple web interfaces

Fri Mar 23, 2018 10:15 pm

Yes
X7Desu
just joined
Topic Author
Posts: 11
Joined: Sat Jan 07, 2017 10:36 pm

Re: Port forwarding for multiple web interfaces

Fri Mar 23, 2018 11:22 pm

No luck.
 
sutrus
Frequent Visitor
Posts: 58
Joined: Fri Jun 30, 2017 11:27 pm

Re: Port forwarding for multiple web interfaces

Fri Mar 23, 2018 11:49 pm

Tested and working fine
http://94.19.6.110:1337/

Result:
ASIC Room: Sensor #1

Temperature =
24.90 *C
Humidity =
46.20
 
X7Desu
just joined
Topic Author
Posts: 11
Joined: Sat Jan 07, 2017 10:36 pm

Re: Port forwarding for multiple web interfaces

Sat Mar 24, 2018 12:34 am

UC Browser = no luck;
default Android browser = works fine.
Interesting. Thanks.
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding for multiple web interfaces

Sat Mar 24, 2018 1:32 am

ASIC Room: Sensor #1

Temperature =
24.70 *C
Humidity =
47.10

working fine from my side of the world.

By the way I have very similar scenario. I have a septic tank that reports out all the time including alarms.
When it alarms the home station sometimes wants to check in on the control box to see all the parameters being reported by the system.
So I have the luxury of limiting the access by FW to a few WANIPs and on a specific port.

I also have a solar panel that sends data out onto the net. I am not sure (but I don't think external access is required).
For both pieces of equipment they are on what I call a DMZ type LAN or separate LAN from my main LAN.

It seems what you set up is working!!
