Hello everyone.
I am new with MikroTik Router. And english is not my native language, so please be friendly

My config and my problem:
Mikrotik working as basic "DSL router", nothing spectacular
Router ist set up as PPOE Client on Port 1
Port 2-5 are bridges Ethernet Ports

Everything is working fine, except this one: I am not able to do port forwarding...
I tried nearly everything which can be found in the internet and read a lot of forum postings an wiki sites... But know I gave up, I need help.

/ip firewall nat
add chain=srcnat out-interface=ppoe-wan action=masquerade

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=7000 in-interface=ppoe-wan protocol=tcp to-addresses=192.168.1.200 to-ports=7000

I tried those rules above and a lot of similar things - no way, It doesn't work. And yes, I tried from outside the network (know about hairpin nat). My WAN IP is NOT fixed, it's changing.
Andy ideas? Or do you need more information? I really need help to check this out.. please!

Please make sure you have enabed,
/interface bridge settings set use-ip-firewall=yes
if bridge is used on your router.

1. First, enable IP Cloud from WinBox menu.
2. Also here, /ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=7000 in-interface=ppoe-wan protocol=tcp to-addresses=192.168.1.200 to-ports=7000

Do you have set static IP on your unit 192.168.1.200? If not please set static IP . Follow my config>





Simply change in-interface ppoe-wan and dest port 7000 in both images.

Please make sure you have enabed,
/interface bridge settings set use-ip-firewall=yes
if bridge is used on your router.

Why does this have to be enabled, as far as it seems to me it is just a plain router, with incoming on pppoe.

1. First, enable IP Cloud from WinBox menu.
2. Also here, /ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=7000 in-interface=ppoe-wan protocol=tcp to-addresses=192.168.1.200 to-ports=7000

Do you have set static IP on your unit 192.168.1.200? If not please set static IP . Follow my config>





Simply change in-interface ppoe-wan and dest port 7000 in both images.

Why does Cloud needs to be enabled, has nothing to do with port forwarding.
Also your pictures are not adding any value, they are just another view of adding a NAT rule with different in-interface and dst-port.


I think it just because your are missing an allowance rule on you firewall filter rules.
If you have applied the default rules, only outgoing traffic is allowed.
Please share your current /ip firewall filter rules.
Possibly you will succeed by adding

ros code

/ip firewall filter
add chain=forward in-interface=pppoe-wan dst-address=192.168.1.200 protocol=tcp dst-port=7000

- Sorry for double post, Admin authorization took long, I thought this was an error. see answer below:

Hi Guys.
Thanks for helping me, and sorry for answering so late.
1. Firewall is enabled on bridge.
2. For sure static IP for destination is configured
3. My NAT rule seems nearly the same as that one from deanMKD posted
4. I added a firewall rule as Rudios posted, still no luck (but I think that something like this should be the solution.)

Attention!!!
192.168.1.200 and Port 7000 were just examples.
Port fo forward is: 8083, local destination IP address is 192.168.0.5

This are my rules (not finished yet), still working on understanding how mikrotik works...
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept protocol=tcp dst-address=192.168.0.5
in-interface=pppoe-WAN dst-port=8083 log=no log-prefix=""

1 ;;; no ping on wan
chain=input action=drop protocol=icmp in-interface=pppoe-WAN log=no
log-prefix=""

2 ;;; Drop Invalid connections
chain=input action=drop connection-state=invalid log=no log-prefix=""

3 ;;; Allow Established connections
chain=input action=accept connection-state=established log=no
log-prefix=""

4 chain=input action=accept src-address=192.168.0.0/24
in-interface=!pppoe-WAN log=no log-prefix=""

5 ;;; Drop everything else
chain=input action=drop log=no log-prefix=""

6 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""

7 ;;; allow already established connections
chain=forward action=accept connection-state=established log=no
log-prefix=""

8 ;;; allow related connections
chain=forward action=accept connection-state=related log=no
log-prefix=""


NAT rules:
Flags: X - disabled, I - invalid, D - dynamic
1 chain=dstnat action=dst-nat to-addresses=192.168.0.5 to-ports=8083
protocol=tcp in-interface=pppoe-WAN dst-port=8083 log=no log-prefix=""

2 chain=srcnat action=masquerade out-interface=pppoe-WAN log=no
log-prefix=""

I hope someone can help me getting this to work

Are you trying to connect from outside your own network of from inside?

If you are trying from inside, you will need an additional hairpin nat rule
http://wiki.mikrotik.com/wiki/Hairpin_NAT

The rules you have posted are looking fine to me, although I would go for a slightly different set of default rules.

Hello Rudios.

I know about hairpin NAT (but did not finally add a rule). I try to connect from outside the network.
And exactly this is my problem. Everything "seems" to be OK, but it doesn't work.

btw: if you have any ideas how to make a better set of rules for the firewall I would like to hear... But before I would like to get port forwarding to work...

I would go for the following default rules.

Thank you, I will give it a try.
At which position has the accept rule to be set?
chain=forward action=accept protocol=tcp dst-address=192.168.0.5 in-interface=pppoe-WAN dst-port=8083 log=no log-prefix=""

And has the masquerade NAT rule to be at the TOP or at the bottom of the port forwarding rules so that port forwarding will work?

btw: Port forwarding doesn't even work if I disable all (or only drop rules) rules in firewall.

Thank you, I will give it a try.
At which position has the accept rule to be set?
chain=forward action=accept protocol=tcp dst-address=192.168.0.5 in-interface=pppoe-WAN dst-port=8083 log=no log-prefix=""

And has the masquerade NAT rule to be at the TOP or at the bottom of the port forwarding rules so that port forwarding will work?

btw: Port forwarding doesn't even work if I disable all (or only drop rules) rules in firewall.

I suggest to position the firewall filter rule between the established rule and the drop rule.

Regarding NAT it does not matter because the rules are both in different chains.
You MASQ is in srcnat, the port forward is on dstnat.

Good morning.

I changed the firewall rules, but still no luck. It doesn't work. I am able to manage my Router from outside (temporarly deactivated a drop rule), but Port forwarding is still not working. There must be something I forgot.

5 Ethernet ports, Port 1 (ether1-WAN-Port) has a PPPOE Client, which is called "pppoe-WAN". The rules have to be assigned to "pppoe-WAN", correct?
Ports 2-4 are part of a bridge, which is called "LAN-Bridge".

In the bridge setup there are also Filters and NAT settings. Do I have to set something up there?

I have no more idea... anyone?

OK, I think I found the problem. Thanks for trying to help me.
It's not a problem of setting up the mikrotik router
The problem has to do something with the NAS I try to connect. Maybe a firewall setup... (but I can't remeber that I set up anything...)
It does not allow me to connect from outside, but before it works very well with my linksys router.. strange..