Community discussions

MikroTik App
just joined
Topic Author
Posts: 2
Joined: Fri May 07, 2021 1:33 pm

Forward external IP address of router port 22 to internal machine

Fri May 07, 2021 1:39 pm

I am trying to set up port forwarding as follows:

Let's say the internal address of my router is and the external address is I have a server on the internal network at

When I SSH internally to I want it to SSH onto the router (as it currently does).

When I SSH from the internal network to I want it to forward that request to is a dynamic IP address from my ISP.

I also need SSH to work correctly when connecting outside of the network so that I can connect to remote machines.

How do I achieve this? I've tried all sorts of things but I can't get it to work. I don't know if there is a way to filter based on that dynamic IP address without entering the exact address. I have dynamic DNS setup if that helps.
just joined
Topic Author
Posts: 2
Joined: Fri May 07, 2021 1:33 pm

Re: Forward external IP address of router port 22 to internal machine

Sun May 09, 2021 10:52 pm

User avatar
Forum Guru
Forum Guru
Posts: 12562
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Forward external IP address of router port 22 to internal machine

Mon May 10, 2021 3:03 pm

Hmm this is not a paid service, maybe some people are enjoying the weekend LOL

Well you are running into loopback or what is called in MT jargon, hairpin nat.
The easiest thing to do is to place the server you are trying to reach on a different subent OR put the user trying to reach the server on a different subnet --> solved without any hairpin nat changes.

IF that is not possible or not desired then you have to apply some hairpin nat rules which depend a lot on if your internet connection is dynamic or static.

If creating a new subnet is of no interest, then there are multiple ways to solve your dilemma.
In all cases the first thing you need to do is construct a separate srcnat rule (keep the default one) and it looks like this
add chain=srcnat action=masquerade source-address= destination-address=

Then you need to configure the destination-NAT rule depending upon whether or not you have a static WANIP or a DYNAMIC WANIP.
If you have a static/fixed WANIP then no change to your current destination-nat rule is required.
add chain=dstnat action=dst-nat dst-address=fixedwanip protocol=xx dst-port=yyyy to-addresses=LANIP to-ports (only required if translating to a different port).

If you have a dynamic WANIP then you can do it several ways,
(1) one work around is to use the IP Cloud and free ddns service on the router as per steveOC ( ... &FORM=VIRE)
We are replacing the static wanip (dst-address) by getting the current wanip. Enable the IP cloud, copy the ddns long winded host name on the router and put it in the firewall address list and name the list
"myWANIP". The firewall list will resolve the name to your current wanip.
then your rule becomes
add chain=dstnat action=dst-nat dst-address-list=myWANIP protocol=xx dst-port=yyyy to-addresses=LANIP

(2) Another gucci method, from *****Sob (didnt know he was italian ;-) is similar in that one in effect pulls the active current wanip and sticks into a firewall address list, from the current dhcp client settings via a script.
So put this in for the dhcp client advanced script area.
:if ($bound=1) do={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] address=$"lease-address" disabled=no
} else={
/ip firewall address-list set [/ip firewall address-list find where comment="wan1ip"] disabled=yes
/ip firewall address-list
add comment=wan1ip disabled=yes list=external_wan
and rule becomes
add chain=dstnat action=dst-nat dst-address-list=external_wan protocol=xx dst-port=yyyy to-addresses=LANIP

The advantage over the DDNS method is that updates are instant.
The advantage of the DDNS method is useful when there's NAT 1:1 and router itself doesn't have public address, plus tis simple and easy to do!!

(3) Finally there is a third method which does not involved extracting any WANIP or mimicking the static WANIP scenario. This involves frick trucking the router by saying look for the interface that is not local as the source of the incoming traffic.
add chain=srcnat action=src-nat dst-address-type=local dst-address=! \
protocol=xx dst-port=yyyy to-addresses=LANIP
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!

Who is online

Users browsing this forum: Baidu [Spider] and 21 guests