rfritz80
just joined
Topic Author
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Port Forwarding for Security Camera's

Sun Jul 01, 2018 3:28 am

Hello everyone and thank you for taking your time in reviewing my struggle with my port forwarding woes.

We have a customer that needs his DVR Camera port forwarded from our network. We gave him a static address for his DVR Camera System, X.X.X.99 (class b), and his DVR tech people have it set up on their system. He has the ports 80, 81, 8000, and 10554 for his camera system and they are all tcp; I double-checked to make sure he did not need udp as well. I went into our MikroTik router and set up the ports like this:

In Firewall> NAT > New Rule:
Chain: dst-nat
Protocol: tcp
In Interface: ether 1 WAN
Actions Tab:
Action: Dst-nat
To Address: His Static address for his camera system: X.X.X.99
To Ports 81

In order to keep this short, I made these same rules for all the other ports, however when typing in our router's IP address and the port forward numbers 81, 8000, 10554, it does not bring me to his DVR Camera Login Screen or by typing the static IP address we gave him X.X.X.99 with the port forwarding number to follow.

This is the main problem: when I put this translation in for port 80 and I type in our router's IP address for the web interface, it directly takes me to his DVR Login screen and I can hit the camera system. However, it shouldn't do that! I should be able to type our router's IP address with the port forwarding number and it should direct me to the camera system. I can see traffic going through the other ports, but when I try entering those in the web browser, I never hit the DVR Login Screen, only when Port 80 is opened.

I want to be able to hit his camera system to ensure it's working, to make sure that the customer can see his cameras, and so that I can log in to our router by web interface.


Any help is appreciated,

I have tried a number of things, and it keeps doing this same problem.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding for Security Camera's

Sun Jul 01, 2018 12:58 pm

You'll need to provide more details, because it's not clear at all. Mainly the basics, how are things connected, what's x.x.x.99 (public, private, where?), if you're doing this in your network or if you're perhaps trying to forward ports between different public addresses, etc...
 
rfritz80
just joined
Topic Author
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Re: Port Forwarding for Security Camera's

Sun Jul 01, 2018 3:32 pm

Hi Sob,

Sorry, yes, the x.x.x.99 (private Class B address) is on the MikroTik router; it's the LAN and it's private. For security reasons I cannot give the full encapsulated IP address.
x.x.x.72 is the WAN IP address; this address is a public address which is used for the MikroTik router.
Last edited by rfritz80 on Thu Jul 05, 2018 2:44 am, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding for Security Camera's

Sun Jul 01, 2018 7:05 pm

Not sharing public IP address, I can understand that. But private address, which is not unique and not accessible from internet anyway? But ok, it's not important.

If the customer is connected behind your router, then the way to set it up is:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=x.x.x.72 dst-port=80,81,8000,10554 protocol=tcp to-addresses=172.x.x.99
What you posted had to-ports and no dst-port, which would forward any port to target 172.x.x.99:81. Also in-interface is not the best way, dst-address is better.

When you want to test it, it also depends on where exactly you do that from. From internet, it should just work like this. The same goes for any other subnet than what 172.x.x.99 is in. But if you'd want it to work also from same subnet, you'd need to add hairpin NAT.
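The rule from the first post next to the corrected one, plus the hairpin NAT rule mentioned above, as an added example that is not part of the original posts. The addresses 203.0.113.72 (router public IP), 172.16.0.99 (DVR), 172.16.0.0/24 (DVR subnet) and the interface name ether1 are constructed placeholders.

```routeros
# Constructed placeholders: 203.0.113.72 = router public IP, 172.16.0.99 = DVR,
# 172.16.0.0/24 = the subnet the DVR sits in, ether1 = WAN interface.
/ip firewall nat

# As first posted (shown commented out): with no dst-port, every TCP connection
# arriving on the WAN interface is rewritten to 172.16.0.99:81, whatever port
# the client asked for. That includes connections meant for the router itself.
# add chain=dstnat in-interface=ether1 protocol=tcp action=dst-nat \
#     to-addresses=172.16.0.99 to-ports=81

# Corrected: match the public address and only the four DVR ports.
# Without to-ports the destination port is left unchanged.
add chain=dstnat dst-address=203.0.113.72 protocol=tcp \
    dst-port=80,81,8000,10554 action=dst-nat to-addresses=172.16.0.99 \
    comment="DVR port forward"

# Hairpin NAT: a client in the DVR's own subnet that connects to the public
# address would otherwise get the reply straight from 172.16.0.99 and discard
# it. Masquerading makes the DVR answer through the router instead.
add chain=srcnat src-address=172.16.0.0/24 dst-address=172.16.0.99 \
    protocol=tcp dst-port=80,81,8000,10554 action=masquerade \
    comment="DVR hairpin NAT"
```

Because the dstnat rule matches on dst-address rather than in-interface, it also applies to LAN clients using the public address, which is what the hairpin rule relies on.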
 
ingdaka
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: Port Forwarding for Security Camera's

Sun Jul 01, 2018 7:21 pm

You have to specify ports in chain and in action too, like below:
ip firewall nat add chain=dstnat dst-address=XXX.XXX.XXX.XXX protocol=tcp dst-port=81 action=dst-nat to-addresses=172.xxx.xxx.xxx to-ports=81
XXX.XXX.XXX.XXX your router public IP
Retype this for all ports.
Don't forget that ports should be open on customer CPE too.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding for Security Camera's

Sun Jul 01, 2018 8:15 pm

If you have same port in dst-port and to-ports, you can skip to-ports.
 
rfritz80
just joined
Topic Author
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Re: Port Forwarding for Security Camera's

Mon Jul 02, 2018 6:12 am

ingdaka wrote:
> You have to specify ports in chain and in action too, like below:
> ip firewall nat add chain=dstnat dst-address=XXX.XXX.XXX.XXX protocol=tcp dst-port=81 action=dst-nat to-addresses=172.xxx.xxx.xxx to-ports=81
> XXX.XXX.XXX.XXX your router public IP
> Retype this for all ports.
> Don't forget that ports should be open on customer CPE too.

Thanks for your response. Yes, I made a mistake; I do have the dst-port made for each port:
ip firewall nat add chain=dstnat dst-address=XXX.XXX.XXX.72 protocol=tcp dst-port=80 action=dst-nat to-addresses=172.x.x.x to-ports=80
ip firewall nat add chain=dstnat dst-address=XXX.XXX.XXX.72 protocol=tcp dst-port=81 action=dst-nat to-addresses=172.x.x.x to-ports=81
ip firewall nat add chain=dstnat dst-address=XXX.XXX.XXX.72 protocol=tcp dst-port=8000 action=dst-nat to-addresses=172.x.x.x to-ports=8000
ip firewall nat add chain=dstnat dst-address=XXX.XXX.XXX.72 protocol=tcp dst-port=10554 action=dst-nat to-addresses=172.x.x.x to-ports=10554
I tried this for all the ports 80, 81, 8000, and 10554. I notice when I have the port 80 configured, I can hit the customer's DVR Login screen with my router's public IP address. However, when I do that, I lose the ability to access the MikroTik router's WebFig with the browser by typing in the router's public IP address; any time I type in my router's IP it will always bring me to the customer's DVR.

What I have heard is that the MikroTik WebFig uses port 80, and maybe that's why. I read you could change the MikroTik's WebFig port to a different port, but I am uncertain how to do that. I look at IP > Services and see the ports there, but that's pointing to the (www - for port 80), and port 80 is for http.

Atm I am uncertain. I think I need to call the DVR people and tell them to change that port 80 to something else, unless someone else can think of something. I truly appreciate everyone's responses and hope to see more. Thanks again.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding for Security Camera's

Mon Jul 02, 2018 7:25 pm

Of course it works like this. It's just one address and one port, it can't work for two different services at the same time.

And yes, "www" in IP->Services is where you can change port used by WebFig.
 
rfritz80
just joined
Topic Author
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Re: Port Forwarding for Security Camera's

Mon Jul 02, 2018 10:34 pm

Hello everyone, and a big thank you to all of you for your wonderful tips and help. I still cannot access the customer's DVR through the other ports 10554, 8000, and 81, even though I know I have the configurations set up correctly. However, I can get into the customer's DVR with Port 80.

What I had to do was change the router's Port Forwarding Number, and I did that by first adding a new NAT Rule:
Chain: dst-nat > Protocol: tcp > Dst. Port: 91: Action: Action: dst-nat > to addresses: My Router's IP Address here > To Ports: 91.
I then added a Filter Rule:
Chain: Input > Protocol: tcp > Dst. Port: 91 > Action: Action: accept.
Next I went into IP > Services > Changed the www port: to port 91.

After making these changes I was able to type in my router's IP Address with port number 91 and was able to hit my router's WebFig in the browser.
I also can now just type the router's IP address with Port 80 and it brings it to the customer's DVR login screen.

However, I am nervous about whether changing the IP services (www) to this port 91 will affect the customer's web browsing experience if they go to sites that use port 80. I am unsure of that atm, but I am going to test this out to see if it affects it on my MikroTik router I have at home for experiments like this.

If anyone knows whether changing that IP service www port will screw with the customer's internet browsing services, please let me know.

Oh! I also want to mention, I also tried the Hairpin NAT, and that did not work; it would only work for port 80 and even then I could no longer access the router's WebFig in the browser.

Thanks again everyone.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port Forwarding for Security Camera's

Tue Jul 03, 2018 1:27 am

When you change www in IP->Services to some other port, it only affects http server on router. It has absolutely nothing to do with other http servers.

Also to access WebFig on this new port, you don't need any dstnat, just allow it in input chain (whether it's the best idea to have WebFig accessible from everywhere, that's another question).

And about those other ports, how exactly you test them? You wouldn't be just trying to open them in web browser, just address with different port, would you? Because they might be used by some completely different service, so that would get you nowhere. Use something like nmap to test them.
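One way to act on the caution above about WebFig being reachable from everywhere, as an added example that is not part of the original posts. Port 91 is the one chosen in the thread; the management network 198.51.100.0/24 is a constructed placeholder.

```routeros
# Constructed placeholder: 198.51.100.0/24 = the network administrators
# connect from. Port 91 is the WebFig port chosen earlier in the thread.

# Move the router's own HTTP server (WebFig) off port 80 and let the service
# itself refuse clients outside the management network.
/ip service
set www port=91 address=198.51.100.0/24

# WebFig runs on the router, so the traffic is handled by the input chain.
# No dstnat rule is needed for port 91; an existing one can be removed.
/ip firewall filter
add chain=input protocol=tcp dst-port=91 src-address=198.51.100.0/24 \
    action=accept comment="WebFig from management network"
add chain=input protocol=tcp dst-port=91 action=drop \
    comment="WebFig from anywhere else"

# Rule order matters: "add" appends to the end of the chain, so move these
# two rules above any broader accept rule that would match port 91 first.
```

Changing the www port only moves the router's own web server; HTTP traffic forwarded through the router to other servers is not affected.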
 
rfritz80
just joined
Topic Author
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Re: Port Forwarding for Security Camera's

Tue Jul 03, 2018 2:03 am

Sob wrote:
> When you change www in IP->Services to some other port, it only affects http server on router. It has absolutely nothing to do with other http servers.
>
> Also to access WebFig on this new port, you don't need any dstnat, just allow it in input chain (whether it's the best idea to have WebFig accessible from everywhere, that's another question).
>
> And about those other ports, how exactly you test them? You wouldn't be just trying to open them in web browser, just address with different port, would you? Because they might be used by some completely different service, so that would get you nowhere. Use something like nmap to test them.

Thanks Sob, for your insight, so grateful and lucky to have your insight on these things. It means a lot to me. What you said, is what I was thinking as well that the customer might be using a service like you suggested, I am running the nmap like you suggested and I can see those ports are open and are running, thanks so much Sob.
