sirdir
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Aug 27, 2013 8:17 pm

Routes / Masquerading

Tue Aug 27, 2013 9:08 pm

Hi!

I've been using a pfsense so far, but now I'd like to try MikroTik.
Well, MikroTik has a lot more possibilities, but is also more complicated.

Some problems I have so far:
What I'd like to do is port forwarding on the MikroTik itself, i.e. accessing port 2000 UDP forwards to the MikroTik port 161 UDP.
This works for computers in the LAN, but I haven't been able to do it on the MikroTik itself. How can it be done?

OK, let's go on:
I have 4 WAN connections. The main connection has a default route with the lowest distance, the other connections use higher distances.

Because the forwarding 2000->161 UDP doesn't work, I just allowed an IP to connect from the internet to that port.
When I access the router via the main connection to port 161, I get an SNMP response.
When I use another connection, I can see that the response gets to the router and a response is sent, but it never reaches my management computer.
I guess that has either something to do with masquerading or because the response is obviously sent out via the default route, i.e. coming in via WAN2, response going out via WAN1. But I guess that was true for my pfsense as well and it worked like this.
Of course it would be better to have responses sent out via the same gateway as it came in, but can that be done?
If it can't, how do I get at least a working connection?

Some computers are configured to use secondary connections. I do that with prerouting mangle rules that add routing marks to packets coming from those IPs, and default routes with those routing marks… is this the correct/best way to do it?

I know, a lot of questions (and I have some more to come… :) ) but I'd be grateful if somebody could help me.

Regards
Patrick
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Routes / Masquerading

Sat Aug 31, 2013 6:39 pm

There is a lot to work with on these devices. Perhaps you should read the book, "RouterOS by Example".
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Routes / Masquerading

Sat Aug 31, 2013 11:26 pm

Create a NAT rule as usual, specify the router address as the Dst Address, specify a Dst Port, then in Action select dst-nat and only specify To Ports - leave To Addresses blank/default.
 
sirdir
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Aug 27, 2013 8:17 pm

Re: Routes / Masquerading

Thu Sep 12, 2013 8:07 pm

> Create a NAT rule as usual, specify the router address as the Dst Address, specify a Dst Port, then in Action select dst-nat and only specify To Ports - leave To Addresses blank/default.

Thank you. The router address would be the public IP, wouldn't it? Tried that and it seems to receive traffic (as seen in the NAT firewall tab) if I connect to the specified port, but I only get a timeout, no connection… so I guess it's not dst-nated to the router?
 
derr12
Member
Posts: 411
Joined: Fri May 01, 2009 11:32 pm

Re: Routes / Masquerading

Thu Sep 12, 2013 10:43 pm

Yes, that's correct, the public IP is the dst address.

An example of port forwarding 49000 would be:
add action=dst-nat chain=dstnat comment="Example SIP" disabled=no \
    dst-address=*publicIP* dst-port=49000 protocol=tcp \
    to-addresses=*localIP*
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Routes / Masquerading

Fri Sep 13, 2013 3:52 pm

> Yes, that's correct, the public IP is the dst address.
>
> An example of port forwarding 49000 would be:
> add action=dst-nat chain=dstnat comment="Example SIP" disabled=no \
>     dst-address=*publicIP* dst-port=49000 protocol=tcp \
>     to-addresses=*localIP*

And if you have a dynamic public IP, you can also specify the in-interface and leave out the dst-address.
 
sirdir
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Aug 27, 2013 8:17 pm

Re: Routes / Masquerading

Fri Sep 13, 2013 4:41 pm

> > Yes, that's correct, the public IP is the dst address.
> >
> > An example of port forwarding 49000 would be:
> > add action=dst-nat chain=dstnat comment="Example SIP" disabled=no \
> >     dst-address=*publicIP* dst-port=49000 protocol=tcp \
> >     to-addresses=*localIP*
>
> And if you have a dynamic public IP, you can also specify the in-interface and leave out the dst-address.

Yeah, I know how 'normal' port forwarding works, my question was related to forwarding a port to another port on the MikroTik itself,
i.e. make ssh available on port 8000 from the outside. I haven't got that to work yet.
 
friction
newbie
Posts: 43
Joined: Sun Aug 26, 2012 1:27 pm
Location: Werchter, Belgium

Re: Routes / Masquerading

Fri Sep 13, 2013 6:09 pm

I did it like this, you can do it without dst-address:
add action=dst-nat chain=dstnat dst-port=2161 in-interface=br-WAN \
    protocol=udp src-address-list=NXXS-mgmt to-ports=161
br-WAN is the gateway interface... I used an address list for source, security-wise.
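
Added example, not written by any poster in this thread: a RouterOS v6-style configuration that forwards UDP 2000 to the router's own SNMP port for a restricted source list, and marks connections that arrive on a second uplink so the router's replies leave through the same uplink. The interface names (WAN1, WAN2), the list name mgmt, the mark names and all addresses (documentation ranges) are assumptions.

```routeros
# Added example; every name and address below is an assumption.
# WAN1/WAN2 = uplink interfaces, 198.51.100.1 = WAN2 gateway.

/ip firewall address-list
# Only this management station may reach SNMP from outside (constructed address).
add list=mgmt address=203.0.113.10 comment="management station"

/ip firewall nat
# Rewrite only the port. With no to-addresses the destination stays
# the router itself, as described in the replies above.
add chain=dstnat action=dst-nat protocol=udp dst-port=2000 \
    in-interface=WAN1 src-address-list=mgmt to-ports=161
add chain=dstnat action=dst-nat protocol=udp dst-port=2000 \
    in-interface=WAN2 src-address-list=mgmt to-ports=161

/ip firewall filter
# dst-nat is applied before the input chain, so the filter sees port 161,
# not 2000. This rule must sit above any general drop rule for WAN input.
add chain=input action=accept protocol=udp dst-port=161 \
    src-address-list=mgmt comment="SNMP from management only"

/ip firewall mangle
# Remember that a connection to the router arrived on WAN2 ...
add chain=input in-interface=WAN2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=via-wan2 passthrough=yes
# ... and route the router's own replies for it through the WAN2 table
# instead of the lowest-distance default route.
add chain=output connection-mark=via-wan2 \
    action=mark-routing new-routing-mark=to-wan2 passthrough=no

/ip route
# Default route used only by packets carrying the to-wan2 routing mark.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to-wan2
```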
