just joined
Topic Author
Posts: 18
Joined: Mon Mar 19, 2018 10:26 pm

port forwarding issue

Tue May 08, 2018 3:45 am

Hello guys,
I have a web server in my LAN and I want it to be reachable from outside.
I know you can do this in two steps:
1/ Add rule allowing access to the server from outside
/ip firewall nat add chain=srcnat src-address= action=src-nat \
2/ Add rule allowing the server to talk to the outer networks having its source address
/ip firewall nat add action=dst-nat chain=dstnat \
dst-address= to-addresses=

I did this before and it works fine... and when I go to it forwards me to the server instead of MikroTik WebFig,
but I don't know what the issue is.
server info:

Flags: X - disabled, I - invalid, D - dynamic
0 interface1
1 interface0

firewall nat

1 chain=srcnat action=masquerade

2 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=

3 chain=srcnat action=src-nat to-addresses=

4 chain=dstnat action=dst-nat to-addresses= protocol=tcp
dst-address= dst-port=80,443
Forum Guru
Posts: 3901
Joined: Thu Mar 03, 2016 10:23 pm

Re: port forwarding issue

Tue May 08, 2018 11:39 am

...and when I go to it forwards me to the server instead of MikroTik WebFig
From where do you try to connect? From your LAN? If yes, then you need to implement "hairpin-nat"... search around this forum, it's been described quite a few times.
If you're trying to test from the internet, then I wonder how you can do it by accessing a private IP address. If you're doing it from the WAN side (e.g. another machine from the segment), then we'll have to look into the problem.
Forum Guru
Posts: 3578
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: port forwarding issue

Tue May 08, 2018 3:13 pm

The link for hairpin NAT (sob provided it in another thread) is
For the purpose of reaching servers from within one's network but using the public IP address route, vice the direct LAN IP.
Your setup is very confusing. Is the LAN IP of the server or is
A diagram of your setup would be very helpful.

My limited understanding of simple port forwarding is that you need dstnat!
chain=dstnat, protocol (typically tcp or udp), dst-port xxxxx, in-interface=WAN (or if dual WAN, in-interface-list=WAN)
src-address-list (to be used if you have one or more external internet IPs that you can identify which are allowed to access your server, for better security).
action=dst-nat (this opens up some additional fields)
to-addresses= server LAN IP
(good idea to select log as well).

Your masquerade/src-nat rules are important so that back and forth traffic is routed properly (the private LAN IP gets the public IP associated and return traffic gets back through the same WAN interface to the server). I think you have too many masquerade rules, but then again the schematic requested will clear that up.

Hope that helps.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: port forwarding issue

Tue May 08, 2018 7:12 pm

You definitely need to give more information here:
  • What are your LAN subnets?
  • Is the address your WAN address?

You need to be careful with masquerade. Masquerade is basically a fancy source NAT used in topologies where your gateway IP address might change. So if you have a dynamic DHCP, PPPoE, etc. address and your address changes, masquerade will go through all src-nat connections marked by masquerade and tear them all down. If you are using masquerade, you should just do something like the following:
/ip firewall nat add chain=srcnat out-interface=(gateway interface) action=masquerade
With the above firewall rule, any traffic leaving your gateway interface port would get source NAT'd to whatever your IP address is for your internet connection. Nothing else should be using masquerade. If your WAN IP address is, that is an RFC1918 address and it is not internet routable, so you can't get to it from outside the network without using some type of VPN technology to get inside the network.

If and are both LAN subnets, there is no reason to use NAT at all between them. If there are no forward firewall rules blocking traffic between those subnets you can access from anywhere on the LAN. If you want to be able to connect to from the LAN address for whatever reason, you just need to use the following (the rule needs action=dst-nat, and dst-port rather than port so it does not also match connections whose source port happens to be 80 or 443):
/ip firewall nat add chain=dstnat dst-address= protocol=tcp dst-port=80,443 action=dst-nat to-addresses=
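Putting the advice from the last two replies together (a dstnat rule that only matches on the WAN side, restricted to an allowed source list and logged; a single masquerade rule bound to the gateway interface list; and the hairpin pair for LAN clients that use the public address), here is one complete RouterOS configuration. It is an added example, not the configuration of anyone in this thread. The interface names (ether1 as WAN, bridge1 as LAN), the LAN subnet 192.168.88.0/24, the server 192.168.88.10, the router's LAN address 192.168.88.1 and the allowed client range 203.0.113.0/24 are assumed placeholders.

```routeros
# Added example; names and addresses below are assumptions, not values from the thread.
# Assumed: ether1 is the WAN port with a dynamic address (hence masquerade),
# bridge1 carries the LAN 192.168.88.0/24, the router is 192.168.88.1 on it,
# and the web server is 192.168.88.10.

# Interface lists keep the rules valid if a second WAN port is added later.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=bridge1

# Sources allowed to reach the server from the internet (assumed range).
/ip firewall address-list add list=web-admins address=203.0.113.0/24 \
    comment="example allowed client range"

# 1. Exactly one masquerade rule, bound to the WAN list. A bare
#    "chain=srcnat action=masquerade" also matches LAN-to-LAN traffic and makes
#    the rule set hard to reason about.
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="outbound NAT"

# 2. Port forward: only from the WAN side, only TCP 80/443, only from the
#    allowed list, and logged so the hits can be reviewed.
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80,443 \
    src-address-list=web-admins action=dst-nat to-addresses=192.168.88.10 \
    log=yes log-prefix="webfwd:" comment="forward to web server"

# 3a. Hairpin NAT, dstnat half: a LAN client connecting to the router's public
#     address is redirected to the server. dst-address-type=local matches every
#     address the router holds, so the LAN gateway address is excluded explicitly;
#     without that exclusion, 192.168.88.1:80 (WebFig) is redirected too.
/ip firewall nat add chain=dstnat in-interface-list=LAN dst-address-type=local \
    dst-address=!192.168.88.1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.88.10 comment="hairpin dstnat"

# 3b. Hairpin NAT, srcnat half: rewrite the client's source so the server
#     answers via the router; otherwise the server replies to the client
#     directly and the client drops the reply as coming from the wrong peer.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=80,443 action=masquerade comment="hairpin srcnat"

# Checks: per-rule hit counters and the logged forwards.
/ip firewall nat print stats
/log print where topics~"firewall"
```

The `dst-address=!192.168.88.1` exclusion in rule 3a is the part that matters for the symptom in the opening post: a hairpin or catch-all dstnat rule that matches on the router's own addresses will also redirect connections to the router's LAN address, so browsing to the router lands on the server instead of WebFig. With the rules above, `/ip firewall nat print stats` should show the WAN forward counting up for connections from the allowed range, the hairpin pair counting up for LAN clients using the public address, and the outbound masquerade rule carrying everything else.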
