Hi All,

I have a cheat sheet for creating a port forward on hAP ac2 routers. Problem: it required that I know the WAN IP address. Would someone please help me update these directinos for a floating WAN IP address? My attempts have all failed.

Many thanks,
-T

MikroTik Port Forwarding (NAT) & Access from Internet

Reference(s):
https://blog.eldernode.com/port-forward ... -mikrotik/


WARNING: THE FOLLOWING REQUIRES A FIXED WAN ADDRESS!

Configure NAT in MikroTik:

1) Open the router with Winbox or directly with a browser

2) IP → Firewall → Select NAT tab → "+" sign (add) → General (tab)

3) A) Chain → dstnat
B) Dst. Address → your WAN (Public) IP
C) Protocol → tcp, udp, etc. Note 6(tcp) does not mean IPv6
D) Dst. Port → the port requested by your external client

4) a) Action → dst-nat
b) To Address → the IP of your internal server
c) To Ports → the open port on your internal server (not
necessarily the same as the clients requested port, but
typically the same)

5) click “OK”.

If using WinBox, Session (pull down, upper left) → Save
(or you lose everything and have to start over)

Hello,

the steps are correct, if you have multiple public IP addresses and you want the forward only at a specific one.
This can be use to forward the same port to different internal targets like port 443 to 2 different web servers.

If you have just one public IP address of you want the forward on all public IP addresses you can skip 3B.

PS: Don't forget to tpen the ports in the filter forward chain!

B) Dst. Address → your WAN (Public) IP

You can use "in-interface/list" instead

As noted,
Port forwarding for dynamic IPs is in the format.

add chain=dsntat action=dst-nat in-interface-list=WAN protocol=tcp \
dst-port=12345 to-addresses=IPofServer to-ports=54321 (to ports only required for port translation).

Port forwarding for Static WANIPs is in the format
add chain=dsntat action=dst-nat dst-address=WANIP protocol=tcp \
dst-port=12345 to-addresses=IPofServer to-ports=54321 (to ports only required for port translation).
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Both cases will probably work for you but if you want to be accurate, you would make two rules below for your server........

add chain=dsntat action=dst-nat dst-address=WANIP-ONE protocol=tcp \
dst-port=12345 to-addresses=IPofServer

add chain=dsntat action=dst-nat dst-address=WANIP-TWO protocol=tcp \
dst-port=12345 to-addresses=IPofServer

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

However the question I have for you is, how are you directing people to your servers??
Typically you can give them
a. the actual WANIP itself, oR
b. a dyndns type name that points them to the right WANIP.

Therefore its not clear to me what the requirement actually is??
It should be based on how you are directing people to your server.

If, you are stating that you have two groups of users lets say,
1/2 you want to access the server on WAN1 and the other other half on WAN2
OR
you want all users to use WAN1 but somehow they know WAN1 is not available to switch to WAN2 ???

In summary, the requirement is not for a port, the requirement is for users! Thus how to float users to available server depending upon WAN availability would be more accurate.

Thank you for the in depth reply. Would it be possible for you to answer the question I asked, which was how to alter my cheat sheet?

> B) Dst. Address → your WAN (Public) IP
> You can use "in-interface/list" instead

Hi CZFan,

My new note:

B) In. Interface List --> WAN

And verified by nmap.

Thank you!

-T

Thank you for the in depth reply. Would it be possible for you to answer the question I asked, which was how to alter my cheat sheet?

No, absolutely not.
Make your requirement clear, and I will render assistance.
Other are more than happy to guess at what you mean, I dont play that game.

> Make your requirement clear, and I will render assistance.

You need to read what is actually being asked and not get pissy when folks try to get you back off a tangent. My question was so very clear it was pathetic. You did not read it closely enough (or at all) and jumped to conclusions.

Anyway, CZFan did read my questions and gave me the exact answer I was looking for. I marked the question as "solved" by CZFan.

There is no such thing as a floating wan ip address.
There is no such thing as a floating port.

Either users come in on wan1 or wan2.
It is no accident as you the OP provides the wanip to users, there is no floating, its cut and dried.
Ports dont have requirements people do, ports are part of a configuration solution (toolset) within the configuration.

If the question was stated, I want to ensure users regardless if they are entering my router via WAN1 or WAN2 can access the same, single server on the same port, on my LAN and I think my config is correct can you please check it.
Is a question I would have gladly answered.
Nothing in your question was well written or clear, sorry to burst your small bubble.
Furthermore, i dont want to have to go another website, in a poor attempt to get people to read a crappy blog when what you should have done is post your config
/export hide-sensitive file=anynameyouwish

As for the cough informative cough blog
The process of intercepting data traffic headed for a computer’s IP/port combination and redirecting it to a different IP and/or port is called Port forwarding.

Wrong,
Port Forwarding, a subset of Destination NAT is typically the method by which incoming unsolicited traffic at the router is directed to an internal LAN server.
The traffic is allowed to go past the WAN port because the incoming port has been identified on rules contained within the router. The rules also stipulate which internal LANIP,
the traffic will be forwarded too. (hence port forwarding). Port translation occurs when the router changes the incoming port so that the traffic hits the server on the translated port and not the port the traffic used to enter the router. Mikrotik also allows the rule maker to confine the incoming traffic to allow only specific public IPs to access the server.

> There is no such thing as a floating wan ip address.
https://en.wikipedia.org/wiki/Dynamic_H ... n_Protocol

One has a dynamic IP which more often than naught these days rarely changes and there are static WANIPs.
Neither has been discussed as floating........................
I think you are smoking too much of something and spend time in the clouds floating.

Important thing is your network is up and running the way you want it.