Mikrotik RouterOS: How to Port Forward?


Churchill

Admiral
Jan 6, 2016
Because I'm a glutton for punishment I put in a nice lil Mikrotik RouterOS switch. Works wonderfully, but now I need to forward ports and make sure they are open on the outside.

For the life of me I have searched, tried, googled, and done everything short of pleading with this device to figure out how to forward ports from the internet to a local LAN based IP.

Rules I've tried (names changed to protect the innocent):

1.
/ip firewall nat add chain=dstnat dst-port=9881 action=dst-nat protocol=tcp to-address=INTERNAL.HOST to-port=9881

2.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=9881 to-addresses=INTERNAL.HOST to-ports=9881

3.
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=INTERNAL.HOST protocol=tcp dst-address=INTERNAL.GATEWAY in-interface=ether1 dst-port=9881
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=INTERNAL.HOST protocol=udp dst-address=INTERNAL.GATEWAY in-interface=ether1 dst-port=9881

/ip firewall filter add chain=forward action=accept connection-nat-state=dstnat protocol=tcp dst-address=INTERNAL.HOST dst-port=9881
/ip firewall filter add chain=forward action=accept connection-nat-state=dstnat protocol=udp dst-address=INTERNAL.HOST dst-port=9881


Nothing: I can't show the port as open, and external clients can't connect to it.

Anyone who is a Mikrotik expert I'd love to have feedback.
 

Antonio

Member
Dec 20, 2015
Your firewall filter is probably blocking the connections.
Try these lines and see.

/ip firewall address-list add address=client.host list=clients

/ip firewall filter add action=accept chain=input comment="Full access to CLIENT address list" log-prefix=client src-address-list=clients

/ip firewall nat add action=dst-nat chain=dstnat dst-port=9881 in-interface-list=WAN protocol=tcp src-address-list=support to-addresses=INTERNAL.HOST to-ports=9881 src-address-list=clients
 

Churchill

Admiral
Jan 6, 2016
> Your firewall filter is probably blocking the connections.
> Try these lines and see.
>
> /ip firewall address-list add address=client.host list=clients
>
> /ip firewall filter add action=accept chain=input comment="Full access to CLIENT address list" log-prefix=client src-address-list=clients
>
> /ip firewall nat add action=dst-nat chain=dstnat dst-port=9881 in-interface-list=WAN protocol=tcp src-address-list=support to-addresses=INTERNAL.HOST to-ports=9881 src-address-list=clients

Getting an error when applying your last rule.
expected end of command (line 1 column 136)

is this correct:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=9881 in-interface-list=WAN protocol=tcp src-address-list=support to-addresses=INTERNAL.HOST to-ports=9881 src-address-list=clients

this part is grayed out which leads me to believe I'm missing something:
src-address-list=support to-addresses=INTERNAL.HOST to-ports=9881 src-address-list=clients
 

Antonio

Member
Dec 20, 2015
Sorry, copied and pasted and didn't check all the entries.

Try this line.
/ip firewall nat add action=dst-nat chain=dstnat dst-port=9881 in-interface-list=WAN protocol=tcp src-address-list=clients to-addresses=INTERNAL.HOST to-ports=9881 src-address-list=clients

You will need to move the firewall filter rule up before the default drop entries and the nat rule before the src-nat or masquerade entry.
After you get it working, disable the firewall filter entry to find out if the issue is the firewall or the src-nat/masquerade.
If the port forwarding works with the firewall entry disabled, your issue was NAT. If it doesn't work, it was the firewall blocking the connections (good thing).

To move/rearrange the entries use winbox and drag and drop.
 

Churchill

Admiral
Jan 6, 2016
Added the rule, had to remove the additional "src-address-list=clients" on the end as that caused an error.

Still no dice after moving all the rules to the top, port is still showing as being closed externally.

I'm using:

Not seeing any traffic going to that rule either from my internal host.

Thank you for your help. I know this isn't the easiest firewall to muck with.
 

Antonio

Member
Dec 20, 2015
This will only work with the IPs or DNS names listed in the clients address list. It will block the connection from anything else.
 

Churchill

Admiral
Jan 6, 2016
> This will only work with the IPs or DNS names listed in the clients address list. It will block the connection from anything else.

How do I open up the port globally, without restrictions, where anyone/everyone can hit it?

I tried adding the website and still showing the port as closed.
 

pod

New Member
Mar 31, 2020
> How do I open up the port globally, without restrictions, where anyone/everyone can hit it?
>
> I tried adding the website and still showing the port as closed.

You need an IP filter forward rule to allow new dst-nat connections to your internal server address/port combo. Would copy-paste but can't from this device: conn state=new, conn nat state=dstnat.

leave out source addresses and it will be global by nature.
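Putting Antonio's ordering advice and pod's forward-rule fix together, here is a complete minimal configuration as an added example; it is not from any post in this thread. Assumed placeholders: WAN uplink ether1, internal host 192.168.88.10, forwarded service TCP/9881; no source address list, so the port is reachable globally.

```routeros
# Added example, not from the thread. Placeholders: ether1 = WAN uplink,
# 192.168.88.10 = internal host, 9881 = forwarded TCP port.

# Interface list used by the rules below (already present on a default config).
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN

# NAT. The dstnat and srcnat chains are separate, so the dst-nat rule's
# position relative to masquerade does not matter; the filter rule's does.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=9881 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=9881 \
    comment="Forward TCP/9881 to internal host"
add chain=srcnat out-interface-list=WAN action=masquerade

# Filter. place-before=0 puts the accept at the top of the forward chain so it
# is evaluated before the default "drop all from WAN not DSTNATed" rule.
# No src-address-list: anyone on the internet can reach the port.
/ip firewall filter
add place-before=0 chain=forward protocol=tcp dst-address=192.168.88.10 \
    dst-port=9881 connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN action=accept \
    comment="Allow new dst-natted TCP/9881 to internal host"

# Verify rule order and whether packets actually hit the rules.
/ip firewall filter print
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=forward
```

Test from a host outside the LAN: a client on the LAN reaching the public address also needs a hairpin NAT rule, so an internal test showing zero counters on the dst-nat rule does not by itself mean the forward is broken.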
 

Churchill

Admiral
Jan 6, 2016
@Antonio has been helping me quite a bit. Without his assistance I wouldn't be any closer to solving the issue than I was before. Mikrotik doesn't make it intuitive how to do what I want and their documentation is atrocious.