1) IMO understanding netfilter is much more complex and specific than general networking knowledge. If a person is not familiar with netfilter, port forwarding on RouterOS is actually harder than most other RouterOS stuff.
Upgraded to v6.48 today, and found the Port Mapping button (it shows up when "NAT" is checked). It's pretty much what I imagined MikroTik should do, a great step forward.
But I will not be using it, because I have my forwards configured as in https://wiki.mikrotik.com/wiki/Hairpin_NAT (but with address-lists instead of hardcoded addresses), and my forwards don't show up in the wizard. It would be nice if the configuration created by this wizard worked exactly like Hairpin_NAT, e.g. if I map port 80 to a web server in the LAN, accessing the router's WAN_IP:80 would NAT me to the web server, but accessing the router's LAN_IP:80 would open the router's web interface.
Another drawback: the wizard doesn't allow specifying several ports at once (which I use heavily), or leaving the target (internal) port unspecified (unchanged).
Also, a "target" (to-address : to-port) column on the WinBox NAT page would be VERY nice, so I could see everything I need in a single table (like on a TP-Link), and not have to double-click each rule to check the target, then keep it in my head or manage comments.
2) The TP-Link DMZ page says it's useful for passing all external ports to an internal sub-router. I most often use DMZ for testing port forwarding before doing it properly, as a time-saving feature.
My current use case for DMZ is actually weird. I use it to play Mario Kart Wii on Wiimmfi servers. Up to 12 people gather in a P2P room where everyone is sending data to everyone else. Although it is designed to work through NAT, I get disconnects very often if I do not use DMZ.
Actually, I have two Wiis for playing Mario Kart with a friend, both at 60fps, and the only solution for playing together without disconnects every few races was to install a second fiber to get a separate global IP address (my ISP can't do 2 IPs on one fiber), and use my primary internet with DMZ for one Wii and the separate internet for the second Wii (the Wii itself gets the global IP).
If I accidentally leave my DMZ rule disabled, the Wii using it will surely get disconnected first, or even be unable to join some rooms altogether.
I understand the disconnects are most probably due to Wiimmfi or other players' NAT misbehavior, but it's really nice to be able to fix it on my side using DMZ, and not deep-dive into sniffing how exactly the Wii communicates with the several servers and other players.
I've tested MikroTik's UPnP using UPnP Wizard. It actually does allow mapping a port that is already statically mapped to a different target, but only the rule that is higher in the NAT table works. UPnP rules are added to the bottom, so the UPnP-mapped server silently gets no data if this port was already statically mapped.
I also tried to UPnP-map a TCP port that is already in use.
If the port is used by a NATted TCP session from a LAN host, everything works perfectly: the mapping is created, a connection from the WAN is received, and the old NATted TCP session doesn't break either.
If the port is used by MikroTik itself (e.g. the source port of a Telnet session), the UPnP mapping fails.
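As an added example, not taken from the post above or from MikroTik's documentation, here is a RouterOS configuration in the Hairpin_NAT pattern the post refers to, but with address-lists instead of hardcoded addresses and with several ports in one rule. The interface names (WAN, LAN), the public address 203.0.113.10, the LAN subnet 192.168.88.0/24, the server 192.168.88.10 and the list names are all assumptions.

```routeros
# Added example (not from the post): hairpin port forwarding with address-lists.
# All interface names, addresses and list names below are assumed placeholders.
/ip firewall address-list
add list=wan-ips address=203.0.113.10 comment="router's public IP (assumed)"
add list=lan-nets address=192.168.88.0/24 comment="LAN subnet (assumed)"
add list=web-servers address=192.168.88.10 comment="internal web server (assumed)"

/ip firewall nat
# Ordinary outbound masquerade for the LAN.
add chain=srcnat out-interface=WAN action=masquerade comment="LAN -> internet"

# Port forward. It matches only addresses in wan-ips, not the router's LAN address,
# so LAN_IP:80 still reaches the router's own web interface. No in-interface match,
# so LAN clients connecting to WAN_IP:80 are forwarded as well (needed for hairpin).
# Several ports in one rule; to-ports is omitted so the internal port stays unchanged.
add chain=dstnat dst-address-list=wan-ips protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.88.10 comment="WAN_IP:80,443 -> web server"

# Hairpin: when a LAN client reaches the server through WAN_IP, rewrite the source to
# the router's LAN address so the server's replies go back through the router instead
# of straight to the client (which would otherwise break the connection).
add chain=srcnat src-address-list=lan-nets dst-address-list=web-servers protocol=tcp dst-port=80,443 out-interface=LAN action=masquerade comment="hairpin for web-servers"
```

To check the targets without opening each rule, `/ip firewall nat print where chain=dstnat` lists each rule with its `to-addresses` and `to-ports`. Keep static forwards like these above any UPnP-created rules: as the post observes, UPnP appends its rules at the bottom of the table, so the higher static rule is the one that takes effect for a port mapped by both.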