Community discussions

MikroTik App
 
uGeeko
just joined
Topic Author
Posts: 2
Joined: Fri Aug 18, 2017 11:11 pm

A Simple port forward

Fri Aug 18, 2017 11:19 pm

Hi All,

I am quite new to using a MikroTik router. I have managed to initialy setup my Mikrotik and setup my Lan network with some statics on my devices, I have managed to setup an l2tp VPN and have applied SSH Brute force prevention and other little bits, but i am having trouble setting up a basic port forward to one of my devices from my WAN. I have Closed http off as i have setup https on www-ssl. Can anyone please point me in the right direction, I have tried a few tutorials but do not seem to be able connect to the device. Internally can connect so i know the port on the device is correct.

Thanks in advance.
 
Sob
Forum Guru
Forum Guru
Posts: 5478
Joined: Mon Apr 20, 2009 9:11 pm

Re: A Simple port forward

Mon Aug 21, 2017 3:19 am

Basic port forwarding command is:
/ip firewall nat
add chain=dstnat dst-address=<public address> protocol=tcp dst-port=<public port> \
    action=dst-nat to-addresses=<internal address> to-ports=<internal port>
Depending on specific conditions, other variations are possible.

Connections must be also allowed through firewall filter, but you don't need to worry about it if you use default config.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1808
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: A Simple port forward

Mon Aug 21, 2017 3:39 am

Real admins use real keyboards.
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1106
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: A Simple port forward

Mon Aug 28, 2017 6:26 am

There are several ways to do this. This is one example. I prefer this method so that I don't have to keep readjusting my firewall filter.
/ip firewall filter
add action=accept chain=input comment="Accept established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN access to router and Internet" in-interface=bridge-LAN
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Accept established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN
add action=accept chain=forward connection-nat-state=dstnat comment="Accept Port forwards"
add action=drop chain=forward comment="Drop all other forward"
Noticed the sixth line.

Now, for your Nat rules
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masq" out-interface=ether-WAN
add action=dst-nat chain=dstnat dst-port=123 in-interface=ether-WAN protocol=tcp to-addresses=192.168.1.2 to-ports=321
Notice I have in-interface set. Very important.
 
miyago
just joined
Posts: 9
Joined: Fri Jul 14, 2017 3:12 pm
Location: Sweden

Re: A Simple port forward

Wed Aug 15, 2018 4:21 pm

I found this post on google and i want to do a simple port forward aswell. I followed pcunite example but it doesnt work.

I have a hAP ac with default configuration and I'm trying to open ports so people from the outside can join my quake 3 server.

export compact gives this
# aug/15/2018 15:19:11 by RouterOS 6.43rc51
# 
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# 
/ip firewall filter
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment="Accept established related" connection-state=\
    established,related
add action=accept chain=input comment="Allow LAN access to router and Internet" in-interface=\
    bridge
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Accept established related" connection-state=\
    established,related
add action=accept chain=forward comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=bridge
add action=accept chain=forward comment="Accept Port forwards" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface=ether1-WAN out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=27960 in-interface=ether1-WAN protocol=tcp to-addresse
    192.168.6.3 to-ports=27960
add action=dst-nat chain=dstnat dst-port=27960 in-interface=ether1-WAN protocol=udp to-addresse
    192.168.6.3 to-ports=27960

Who is online

Users browsing this forum: camaraderie28 and 101 guests