alexisfire02
just joined
Topic Author
Posts: 2
Joined: Wed Nov 09, 2011 4:39 am

How to just open ports

Wed Nov 09, 2011 5:06 am

I was tired of my linksys and D-link routers dying so a friend recommended trying the Mikrotik RB751 in my house. I have it set up and internet is working on all our laptops but some of the games we play need us to open ports. I can find lots of threads on forwarding ports, but not on just opening ports. Any help???
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to just open ports

Wed Nov 09, 2011 9:50 am

Open ports is the same as forward ports. You need to use NAT. Do you use Winbox or WebFig for configuration?

Basically a rule like this needs to be created:
/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234
This will "open" port 1234 for the internal IP 192.168.1.1. You can also create this in Winbox/WebFig; just note the names of the parameters in the above code.
 
alexisfire02
just joined
Topic Author
Posts: 2
Joined: Wed Nov 09, 2011 4:39 am

Re: How to just open ports

Thu Nov 10, 2011 10:51 pm

Thank you. Seems to be working :)
 
villageworker
newbie
Posts: 38
Joined: Fri Nov 11, 2011 9:54 pm

Re: How to just open ports

Mon Nov 14, 2011 5:29 am

Hello, I am a real noob at MikroTik.

I tried as support suggested to forward port 80 to an internal webserver using

/ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.11.118 to-port=80

Two issues:
1) Cannot reach the internal webserver from outside (internet side)
2) Can no longer use WebFig.

What am I doing wrong?

Thanks in advance.

Running RB750GL with RouterOS 5.8
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

How to just open ports

Mon Nov 14, 2011 5:47 am

Does your ISP allow inbound port 80? Ours doesn't because they don't want us having web servers at home.

Your NAT sends everything destined for port 80 to your web server. You can use a different port for WebFig. Set it under /ip services.
 
villageworker
newbie
Posts: 38
Joined: Fri Nov 11, 2011 9:54 pm

Re: How to just open ports

Mon Nov 14, 2011 5:50 am

> Does your ISP allow inbound port 80? Ours doesn't because they don't want us having web servers at home.

Thanks for your reply. I had a Buffalo router running DD-WRT and the webserver was accessible from the internet. My ISP is not blocking port 80.

I will change the IP address for webfig to solve the access problem. Thank you.
 
villageworker
newbie
Posts: 38
Joined: Fri Nov 11, 2011 9:54 pm

Re: How to just open ports

Mon Nov 14, 2011 5:44 pm

A further report:

Changed WebFig to port 8080 and reapplied the NAT rule.

Now I can access the router but no joy in making the Webserver running on port 80 at internal IP of 192.168.11.118 accessible from the internet.

In addition, none of the internal clients can access the internet after application of this rule.
Had to undo the rule.

Running a brand new out of the box 750GL with minor changes (internal IP addresses to use)

Any suggestions?


Thanks in advance.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: How to just open ports

Mon Nov 14, 2011 8:06 pm

Well, for starters your rule is extremely broad, so it applies to ALL TCP port 80 traffic, not just inbound. So of course it doesn't work too well for clients behind the router. Narrow it down by including an interface, or the public IP for the router, in the NAT rule. When making firewall rules, it is important not to be too broad in what they apply to, or they cause you other problems, and not to make them too specific, or they won't catch what you want.

As for why the rule isn't working from the internet, does your web server have a default gateway set? Do you see the rule increment when you try to use it?
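
An added example, not part of any post in this thread: the catch-all rule discussed above next to two narrowed forms of it, together with the WebFig port move and the counter check the replies mention. The interface name ether1-gateway and the public address 203.0.113.10 are assumptions; substitute the router's own WAN interface and address.

```routeros
# Added example. ether1-gateway and 203.0.113.10 are assumed placeholder values.

# Move WebFig off TCP/80 so it no longer competes with the forwarded port.
/ip service set www port=8080

/ip firewall nat
# Too broad (kept commented out): with no interface or address matcher this
# catches every TCP/80 packet that enters the router, including LAN clients
# browsing the internet, and rewrites all of it to 192.168.11.118.
# add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.11.118 to-ports=80

# Narrowed by ingress interface: only packets arriving on the WAN port match.
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.11.118 to-ports=80 \
    comment="HTTP to internal web server"

# Alternative when the public IP is static: match the router's public address.
# Use one of the two narrowed rules, not both.
# add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
#     action=dst-nat to-addresses=192.168.11.118 to-ports=80

# Check whether the rule is being hit: its packet and byte counters should
# increase when an outside client connects.
print stats
```

If the counters increase but the page still does not load, the problem is behind the router (web server gateway or host firewall) rather than in the NAT rule.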
 
meroomaher
just joined
Posts: 3
Joined: Sat Feb 01, 2014 2:23 pm

Re: How to just open ports

Sat Feb 01, 2014 8:11 pm

Hi,

I'm also trying to do port forwarding using NAT but it's not working. I am using a RouterBOARD RB951G-2HnD with firmware v5.26 and all the ports I make are closed, so please, if anyone can help me!
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: How to just open ports

Mon Feb 03, 2014 1:08 pm

post export
 
kei888
newbie
Posts: 47
Joined: Fri Feb 07, 2014 7:54 am

Re: How to just open ports

Mon Oct 27, 2014 3:30 am

Hi, I have almost the same problem with my RB951G-2HnD router. I just want it to allow all ports.

Can someone post the script for my Mikrotik to allow ALL ports especially port 22?

Thank you.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to just open ports

Mon Oct 27, 2014 9:22 am

> Hi, I have almost the same problem with my RB951G-2HnD router. I just want it to allow all ports.
>
> Can someone post the script for my Mikrotik to allow ALL ports especially port 22?
>
> Thank you.

You need to specify which internal device those ports will be directed to. The rule is above, read the topic please.
 
kei888
newbie
Posts: 47
Joined: Fri Feb 07, 2014 7:54 am

Re: How to just open ports

Mon Oct 27, 2014 3:53 pm

> /ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234
> You need to specify which internal device those ports will be directed to. The rule is above, read the topic please.

Why does MikroTik block ports by default? Ports are dynamically changing, so how could you create multiple NAT rules like that, one for each port?
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to just open ports

Mon Oct 27, 2014 3:56 pm

You can use UPnP to dynamically "open" ports: http://wiki.mikrotik.com/wiki/Manual:IP/UPnP

> Why does MikroTik block ports by default

It does not. To forward ports, you need to tell the router where to forward them. If you have hundreds of internal computers, where will this port 22 connection go to?
 
kei888
newbie
Posts: 47
Joined: Fri Feb 07, 2014 7:54 am

Re: How to just open ports

Mon Oct 27, 2014 4:06 pm

> It does not. To forward ports, you need to tell the router where to forward them. If you have hundreds of internal computers, where will this port 22 connection go to?

I'm sorry but I don't understand the logic. Why is it that on some SOHO routers any port is allowed without creating any forward rule or any firewall rule?

What I want is just to allow all ports. No blocking at all on ports. I just want to use the Layer 7 protocol blocking of MikroTik without blocking or affecting any ports. That's all.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: How to just open ports

Mon Oct 27, 2014 4:15 pm

Apparently the "other" devices use UPnP that I suggested, or they are meant only for a single computer behind the router.
 
Pixby
just joined
Posts: 1
Joined: Tue Feb 28, 2017 4:11 pm

Re: How to just open ports

Tue Feb 28, 2017 4:18 pm

Hi guys,

I am also a super-rookie when it comes to configuring a MikroTik router. I've tried to read up on some guides and in the manual, but they all seem to take for granted that you know the basics.

All the commands you post, where are you supposed to paste them?

Source of my problem:
I am trying to set up an FTP from a Windows 10 computer. I want to create a network hard drive from one of its SSDs for internal use and also have access to this disk even when I'm at other places. I'm trying to use FileZilla; can it do what I want it to do?

Thanks in advance!
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: How to just open ports

Tue Feb 28, 2017 4:58 pm

Commands are expected to be copied and pasted into a New Terminal (CLI).

First thing I'd do: don't use plain FTP. Reasons:

- FTP is a jurassic protocol, you'll have problems depending on your firewall and, most important, on connecting users' firewall settings, which you can't control.
- Security. Plain passwords over the internet? A no-no...

See https://www.nerdster.com.au/info/knowle ... la-server/ and enable SFTP, disable plain FTP.

Second advice: don't expose port 22 to the internet, but any other port; the internet is full of SSH scanners/bruteforcers. Change its port to anything else not used, e.g. 7777.

To allow access from the outside, you just need to add a dst-nat rule on IP > Firewall > NAT that forwards connections (chain=dstnat) to your WAN interface (in-interface), protocol=tcp, port=7777, action=dst-nat to your Win10 IP (to-addresses) port 22 (to-ports).

Make sure your outside users use yo.ur.wan.ip:7777 to connect and you'll be fine.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to just open ports

Fri Mar 03, 2017 1:07 am

To be fair to FTP (I can't help it, I kind of like it ;)), it also supports encryption and when configured properly, it works ok with firewalls (except maybe with really paranoid ones). The key to success is to use passive mode and configure internal server to be aware of used public address and port range, which also needs to be configured on NAT router. But yeah, it should be simpler to set up SFTP.
 
juliokato
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: How to just open ports

Fri Mar 03, 2017 2:04 am

Automatic Import

In RouterOS it is possible to automatically execute scripts - your script file has to be named anything.auto.rsc - once this file is uploaded using FTP to the router, it will automatically be executed, just like with the '/import' command. This method only works with FTP.

Once the file is uploaded, it is automatically executed. Information about the success of the commands that were executed is written to anything.auto.log

source: https://wiki.mikrotik.com/wiki/Manual:C ... Management

Suggestion for MikroTik: could migrate the automatic import also to SFTP or SCP.
 
nook1y
just joined
Posts: 3
Joined: Wed May 31, 2017 12:16 pm

Re: How to just open ports

Mon Jul 03, 2017 12:33 pm

Hello guys,

I have a problem and I hope we can solve it. I apologize in advance for my English.
So I want to open a port on MikroTik and have entered this command in the terminal:
/ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.0.141 to-port=80

The command was accepted in the MikroTik terminal; up to here everything is fine.
Now I'm opening an internet explorer and entering the WAN IP, i.e. 31.5.xxx.xxx, and the error appears:

This site can’t be reached.
I should mention that XAMPP is running for Apache.
And the strange thing is that I look inside Winbox at the firewall and see traffic on it, but the problem is that the website does not start, for what reason?

Can someone help me solve this problem
thank you for understanding
I'm waiting for a soul-to-mouth response
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: How to just open ports

Mon Jul 03, 2017 2:37 pm

What happens if you locally point your internet browser to http://192.168.0.141:80? Does the Apache server answer? Post:
/ip export
/ip route print
/ip address print
 
nook1y
just joined
Posts: 3
Joined: Wed May 31, 2017 12:16 pm

Re: How to just open ports

Tue Jul 04, 2017 9:34 pm

On the internal IP, that is http://192.168.0.141:80, it is functional, but the external WAN IP does not work.

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK        INTERFACE
 0   192.168.0.1/24     192.168.0.0    Ether2-Master
 1 D 31.5.xxx.xxx/24    31.5.xxxx.x    Ether - WAN
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: How to just open ports

Wed Jul 05, 2017 1:43 am

You need to set up hairpin NAT
https://wiki.mikrotik.com/wiki/Hairpin_NAT

By default, when you are internal, you can't connect to your internal website via your external IP address.

This is because when you connect to 31.5.xxx.xxx, the packets are redirected to your webserver without changing (NATing) the source and destination addresses. So your web server gets the packet from 192.168.0.x and attempts to reply directly to the computer. Your computer is expecting the reply to come from 31.5.xxx.xxx. Since it is not, it gets dropped. Follow the link above. It explains how both the source and destinations need to be changed and how all traffic to your webserver will have to go through the Mikrotik.

I find hairpin NAT to be tedious. I find it easier to use URLs and override DNS. If www.yourdomain.com points to 31.5.xxx.xxx, you can override the DNS in the MikroTik to point www.yourdomain.com to 192.168.0.x. Then all internal DNS queries resolve www.yourdomain.com to your internal IP.
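
An added example, not part of any post in this thread: the two approaches described above written out as RouterOS commands, using the addresses from nook1y's post (LAN 192.168.0.0/24, router 192.168.0.1, web server 192.168.0.141). Matching on dst-address-type=local is an assumption made here because the WAN address in that post is dynamic; www.yourdomain.com is the placeholder name from the post above.

```routeros
# Added example. Addresses come from the thread; the rule layout is an assumption.

# --- Option A: hairpin NAT ---------------------------------------------------
/ip firewall nat
# 1) Destination NAT that also matches LAN clients. It replaces the existing
#    port 80 dst-nat rule. Any address owned by the router matches, except the
#    router's own LAN address, so management on 192.168.0.1 is left alone.
add chain=dstnat dst-address-type=local dst-address=!192.168.0.1 \
    protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.0.141 to-ports=80 comment="HTTP forward, WAN and LAN"

# 2) Hairpin rule: for LAN clients reaching the server through rule 1, rewrite
#    the source to the router, so the server replies via the router instead of
#    directly to the client (the direct reply is what the client drops).
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.141 \
    protocol=tcp dst-port=80 action=masquerade comment="hairpin NAT"
# Side effect: the web server's access log shows 192.168.0.1 as the client
# address for every internal visitor.

# --- Option B: DNS override instead of hairpin NAT --------------------------
# LAN clients must use the router as their DNS server for this to take effect.
/ip dns set allow-remote-requests=yes
/ip dns static add name=www.yourdomain.com address=192.168.0.141
# allow-remote-requests=yes makes the router answer DNS on every interface:
# confirm the input chain drops TCP/UDP 53 arriving on the WAN interface,
# otherwise the router is an open resolver.
```

Use option A or option B, not both; with option B, internal clients never touch the NAT rules because the name already resolves to the internal address.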
