Hi,

I have two disjoint networks, one with ip ranges 192.168.101.1 to 192.168.150.255 (ZONE 1) and the other with ip range 192.168.192.1-254 (ZONE 2). These zones are connected using a mikrotik router by connecting the Zone 1 to eth1 and Zone 2 to eth2. I need to forward the ip address of 192.168.192.10:80 to 192.168.192.10:8080 when it is browsed from Zone 1. To this end, I have added the following in the router, however, it does not work. I am a beginner in Mikrotik and cannot figure out the problem.

/ip firewall nat
chain=dstnat action=dst-nat source-address-list=zone1 dst port=8080 protocol=tcp/
to-addressess=192.168.192.10 to-ports=80

* suggest you make a firewall address list for the range required

@anav: Your rule takes connections to <any address>:8080 and forwards them to 192.168.192.10:80, if they come from zone1. The original was better, it didn't limit sources, but it took requests to 192.168.192.10:80 and sent them to 192.168.192.10:8080 as requested.

So it's going to be something else, two thoughts:

- Is this traffic allowed "/ip firewall filter chain=forward"?
- Do devices in Zone 1 have this router as either their default gateway? Or if not, do they have route to 192.168.192.0/24 via this router?

Thats right, the rule I made takes any request from zone one lan users that is headed for port 8080 and sends it to the specific zone 2 IP address and translated to port 80.
I thought that would accomplish the aim LOL.

Without seeing the OPs config......
/export hide-sensitive file=yourconfig15may

We will not be able to progress much further! A diagram would help also.

adding back in the destination address..............
/ip firewall nat
chain=dstnat action=dst-nat source-address-list=zone1 dst address=192.168.192.10 port=8080 protocol=tcp/
to-addressess=192.168.192.10 to-ports=80

You want dst-port and not just port. I also think that you have the ports swapped.

You right are, me Phuck......
/ip firewall nat
chain=dstnat action=dst-nat source-address-list=zone1 dst address=192.168.192.10 dst-port=80 protocol=tcp/
to-addressess=192.168.192.10 to-ports=8080

Why source-address-list or source address at all?
As someone mentioned, he is most likely missing a route at the original zone (or properly configured gateway) towards second zone.

Well without knowing his configuration, NO DIAGRAM, NO CONFIGURATION, what is the point of your postt??
If its two subnets on the same router one needs to ensure fw rules allows crosstalk vice routing solution in my limited experience.

@source address, for security reasons I like to ensure always limiting access to any flow of traffic. It also allows the op to specify which users on the LAN should be able to crosstalk to the other subnet. Although I suppose that could be better served if moved to, or executed by, a firewall rule.