rols
just joined
Topic Author
Posts: 6
Joined: Sun May 04, 2025 6:27 pm

Can I use port forwarding without the rest of NAT?

Fri Jun 06, 2025 7:12 am

I see that port forwarding on the Mikrotik is part of the NAT configuration. Currently I have my ZTE modem doing NAT because I cannot, whatever I try, get bridge mode to work. So the ZTE is my gateway router, I have a couple of static routes and no double NAT, and it basically works fine. My ISP is not helpful in getting bridge mode to work or replacing the ISP modem with my own GPON.

Now I want to add port forwarding rules to the Mikrotik to expose some ports to the outside world (I cannot do this entirely on the ZTE either as it will only port-forward onto what it thinks its local LAN is and all my machines are on internal VLANs with different IP ranges). Can I add port forwarding rules to the routerboard without it also being the primary NAT device for the network or does port forwarding expect/require that the WAN connection is fully NATed by the routerboard?
 
holvoetn
Forum Guru
Posts: 7486
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Can I use port forwarding without the rest of NAT?

Fri Jun 06, 2025 7:34 am

Shouldn't you be doing this on the ZTE modem first then?
From ZTE modem to your MT Router and then you can work from there.
Obviously your MT router needs a fixed IP within your network then.

I have a similar situation at home with an ISP modem which theoretically can be fully bridged, but I don't.
Needed external ports are forwarded from that modem to my router and then I go from there.
I use double NAT and I have yet to see a single problem because of it ... I don't get why so many people make an issue out of it.
 
rols
just joined
Topic Author
Posts: 6
Joined: Sun May 04, 2025 6:27 pm

Re: Can I use port forwarding without the rest of NAT?

Fri Jun 06, 2025 11:11 am

holvoetn wrote:
Shouldn't you be doing this on the ZTE modem first then?
From ZTE modem to your MT Router and then you can work from there.
Obviously your MT router needs a fixed IP within your network then.

I have a similar situation at home with an ISP modem which theoretically can be fully bridged, but I don't.
Needed external ports are forwarded from that modem to my router and then I go from there.
I use double NAT and I have yet to see a single problem because of it ... I don't get why so many people make an issue out of it.
Yes, I'm going to have to do something on the ZTE, but I have a few choices there, either using a DMZ host or setting up some static port forwards. However, once I've done that and land on the router, or land on another virtual address on the WAN VLAN, I need to forward on again. That's the bit I'm asking about.

I really don't want to double NAT if I can avoid it, it just feels wrong and you'll find a lot of operating systems detect it and complain, so I wanted to know if I can use the router port forwarding without having it do NAT on that connection.

One last option is this: there are only a couple of machines I want to port forward onto, so I could double-home them into the WAN VLAN, but that's also a pretty poor solution. It's regrettable that the ZTE won't let me port forward to any address I want, or at least any address it can route internally to (I have static routes for my internal network), but it seems that it will not.
 
lurker888
Member
Posts: 427
Joined: Thu Mar 02, 2023 12:33 am

Re: Can I use port forwarding without the rest of NAT?

Fri Jun 06, 2025 11:25 am

I'm afraid that you're right in your conclusions.

In a proper setup you would have a single device doing NAT. It seems that your ISP and ZTE have decided that the ZTE will do NAT whether you want it or not. Apparently the ZTE software has decided that it can't forward to the addresses you require. Double NAT will be needed. While far from ideal, it's usually not that big of a problem in practice. Basically your only remaining choice is to either forward all incoming ports to the Mikrotik (this is what DMZ does) or forward only selected traffic. If you only deal with TCP and UDP traffic, the choice is cosmetic. If you want to forward other protocols, DMZ is the way to go. (Beware that many off-the-shelf routers have "problems" with forwarding non-TCP/UDP traffic - it mostly seems as if this functionality is not tested at all.)

As to the technical part of your question: dst-nat (forwarding) works by altering the destination address of the packets. For connections to work in any meaningful way, the return packets have to have their source addresses translated back, and this can be done only if the return packet goes through the same router. This basically means that the Mikrotik must be the default route for the devices to which forwarding is planned. At this point the usual configuration is to do srcnat as well.

My suggested (again: far from optimal) setup for these cases basically looks like this. The ZTE should only be aware of a single internal LAN, in which only your Mikrotik is placed. Other networks sit behind the Mikrotik, which does src/dstnat as required.
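The double-NAT arrangement described above, written out as RouterOS configuration. This is an added example, not from the thread; it assumes ether1 is the MikroTik WAN port on the ZTE LAN, the server sits at 192.168.20.10 behind the MikroTik, and the ZTE already forwards TCP/443 to the MikroTik's WAN address.

```routeros
# Added example (not from the thread). Assumptions: ether1 = WAN towards the
# ZTE, server = 192.168.20.10 with its default route pointing at the MikroTik,
# ZTE forwards TCP/443 to the MikroTik WAN address.

/ip firewall nat
# dst-nat rewrites the destination of inbound packets to the internal server.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.20.10 comment="fwd 443 to server"
# The reply must traverse this same router so connection tracking can undo
# the translation; masquerading the WAN side is the second NAT layer.
add chain=srcnat out-interface=ether1 action=masquerade

/ip firewall filter
add chain=forward connection-state=established,related action=accept
# Only connections that matched a dst-nat rule may be forwarded in from WAN;
# any other new connection from the ZTE side towards the LANs is dropped.
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    connection-state=new action=accept comment="allow forwarded ports only"
add chain=forward in-interface=ether1 action=drop
```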
 
CGGXANNX
Long time Member
Posts: 635
Joined: Thu Dec 21, 2023 6:45 pm

Re: Can I use port forwarding without the rest of NAT?

Fri Jun 06, 2025 11:51 am

If your devices acting as servers for the services to be port forwarded allow adding multiple IP addresses (/32 addresses are enough), you can use the help of proxy-arp.

Let's say the LAN of the ZTE has 192.168.10.0/24, with 192.168.10.1 being the ZTE router and 192.168.10.2 is the WAN address of the MikroTik router. You'll need to set ARP mode on the WAN interface to proxy-arp.

The LAN (or VLANs) of the MikroTik router still keep their normal address ranges and DHCP Server configuration (for example 192.168.20.0/24 etc...), but you will now manually add additional static IP addresses in the 192.168.10.0/24 range to your individual servers (beside their existing addresses in the 192.168.20.0/24 range), for instance 192.168.10.11 to eth0 of Server X, 192.168.10.12 to eth0 of NAS Y, etc...

Then on the MikroTik router, add static /32 entries (together with a static /32 network) to the /ip address table on the corresponding LAN/VLAN interfaces:

/ip address
# address= is a local /32 for the router on that interface; network= is the
# server's alias, which creates a connected /32 route to it via that interface
add address=10.20.30.41 interface=bridge1 network=192.168.10.11
add address=10.20.30.42 interface=vlan90 network=192.168.10.12

Then adjust the firewall filter table to allow forwarding from WAN to 192.168.10.11, 192.168.10.12, etc...

Now you'll only need to set up port forwarding on the ZTE router, with the target 192.168.10.11, 192.168.10.12, etc., and you won't have double NAT. The ZTE router, when trying to find the MAC addresses for 192.168.10.11, 192.168.10.12, etc., will get the MikroTik router's WAN port MAC address and forward the packets to the MikroTik router, which then uses the /32 routes to forward the packets to the target servers.
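The proxy-arp procedure above, collected into one RouterOS configuration including the firewall filter rules it leaves to the reader. This is an added example, not the poster's own config; it assumes ether1 is the MikroTik WAN port on the ZTE's 192.168.10.0/24 LAN, Server X is on bridge1 publishing TCP/443 and NAS Y on vlan90 publishing TCP/5001, and each server has its 192.168.10.x/32 alias added locally.

```routeros
# Added example (not from the thread). Assumptions: ether1 = WAN on the ZTE
# LAN 192.168.10.0/24, Server X on bridge1 (alias 192.168.10.11, TCP/443),
# NAS Y on vlan90 (alias 192.168.10.12, TCP/5001). No NAT on the MikroTik.

/interface ethernet
# Answer the ZTE's ARP requests for any address the MikroTik has a route to.
set ether1 arp=proxy-arp

/ip address
# address= is a local /32 for the router; network= is the server alias, so
# each entry yields a connected /32 route towards the right LAN interface.
add address=10.20.30.41 interface=bridge1 network=192.168.10.11
add address=10.20.30.42 interface=vlan90 network=192.168.10.12

/ip firewall filter
add chain=forward connection-state=established,related action=accept
# Permit only the published service on each alias, one rule per port.
add chain=forward in-interface=ether1 dst-address=192.168.10.11 \
    protocol=tcp dst-port=443 connection-state=new action=accept \
    comment="ZTE forwards 443 to Server X"
add chain=forward in-interface=ether1 dst-address=192.168.10.12 \
    protocol=tcp dst-port=5001 connection-state=new action=accept \
    comment="ZTE forwards 5001 to NAS Y"
# Everything else entering from the ZTE side towards the inside is dropped.
add chain=forward in-interface=ether1 action=drop
```

This only holds while the MikroTik applies no srcnat on ether1: a masquerade rule there would rewrite the servers' replies from 192.168.10.11 to the MikroTik's own WAN address, and the ZTE would no longer match them to the forwarded connection.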