Finally setting up a brand new upgraded 7.1 Router, see my signature, and doing a pretty standard port forward that I had on my Zyxel Router last night (working) but things are just not looking the same and a bit confusing.
Source IP: 5.150.195.195
Source Port: any (it varies so not defined)
Target IP on my Lan: 192.168.1.234
Target port: 22022 on a windows machine and no, nothing has changed on it since yesterday
Protocol is SFTP. It is a backup running from a web server to a Bitvise SFTP server.
1. I tried setting TCP, but can't find SFTP in the IP > Firewall > NAT settings.
2. Not sure if setting srcnat or dstnat or what in the chain. Tried diff variables.
I checked my DNS service (dynamic DNS configured with monitoring and updating software) and renewed the IP address manually on that since it seems the router might be somehow blocking it, but I will look in to that later.
Port Forwarding SFTP custom Port
Last edited by SecCon on Fri Jan 14, 2022 7:43 pm, edited 1 time in total.
Re: Port Forwarding SFTP custom Port
That doesn't sound right. Port forwarding rule looks like this:
Code: Select all
/ip firewall nat
add chain=dstnat dst-address=<your public address> protocol=tcp dst-port=<external port number> action=dst-nat to-addresses=<internal address> to-ports=<internal port>Re: Port Forwarding SFTP custom Port
There is no public address. Or rather, it can be anything.
5.150.* is the web server address
192.* is my local server address
So maybe I am confusing a non stable public IP with some of those above... or below?
5.150.* is the web server address
192.* is my local server address
So maybe I am confusing a non stable public IP with some of those above... or below?
-
-
jvanhambelgium
Forum Guru
- Posts: 1086
- Joined:
- Location: Belgium
Re: Port Forwarding SFTP custom Port
Nope, not like that
Remove the DST_ADDRESS 192.x.x.x from the rule, leave protocol & DST-port in there.
Under "Advanced" tab you can set DST-ADDRESS-LIST to for example WAN_IP (if you have a dynamic public IP).
Then go to "Action" tab and select DST-NAT from there, then fill in the TO-ADDRESS with 192.168.1.234
If you leave the "port" blank, exactly the same port is taken as the port 2022, so make sure your backend SFTP is "listening" on 2022 too.
If the SFTP is running on standaard 22, then put port 22 in this field here.
Remove the DST_ADDRESS 192.x.x.x from the rule, leave protocol & DST-port in there.
Under "Advanced" tab you can set DST-ADDRESS-LIST to for example WAN_IP (if you have a dynamic public IP).
Then go to "Action" tab and select DST-NAT from there, then fill in the TO-ADDRESS with 192.168.1.234
If you leave the "port" blank, exactly the same port is taken as the port 2022, so make sure your backend SFTP is "listening" on 2022 too.
If the SFTP is running on standaard 22, then put port 22 in this field here.
Re: Port Forwarding SFTP custom Port
... and replace it with your public address (5.150.x.x). That's if it's static, otherwise it would require slightly different config.Remove the DST_ADDRESS 192.x.x.x from the rule,
Edit: I see you mentioned dynamic DNS, so keep Dst. Address empty a use Dst. Address Type -> Address Type "local".
Re: Port Forwarding SFTP custom Port
I would only comment if I see the config
/export hide-sensitive file=anynameyouwish
Chances are there are multiple changes required...........
and some learning required in moving from zyxel to MT ( I am one of those breed )
/export hide-sensitive file=anynameyouwish
Chances are there are multiple changes required...........
and some learning required in moving from zyxel to MT ( I am one of those breed )
Re: Port Forwarding SFTP custom Port
I would only comment if I see the config
/export hide-sensitive file=anynameyouwish
Chances are there are multiple changes required...........
and some learning required in moving from zyxel to MT ( I am one of those breed )
Code: Select all
# jan/09/2022 08:45:07 by RouterOS 7.1.1
# software id = Y7E5-SEZ7
#
# model = RB1100x4
# serial number = D8580E4D7A72
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.234 interface=bridge1 mac-address=2C:76:8A:AD:27:86
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
add address=192.168.1.16 interface=bridge1 mac-address=00:15:5D:01:EA:01
add address=192.168.1.33 interface=bridge1 mac-address=00:15:5D:01:EA:08
add address=192.168.1.35 interface=bridge1 mac-address=00:15:5D:01:EA:09
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.255 client-id=1:8:55:31:c1:67:57 mac-address=\
08:55:31:C1:67:57 server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=dstnat dst-address=192.168.1.234 dst-port=22022 log=\
yes log-prefix=SFTP-Inleed protocol=tcp src-address=5.150.195.195
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=mt-ro-homered
Re: Port Forwarding SFTP custom Port
Dst-nat rule is wrong: dst-address is selector (much like src-address), you need to set to-addresses instead.
The way dst-nat works: it inspects packet headers and compares values to configured ones. In your case it compares src-address from packet to src-address from rule definition. It also compares values of dst-port and protocol type. So far so good. However: it also compares dst-address from packet to configured value and this is where it fails ... because packet's dst-address at this point is most likely same as router's WAN IP address. Good alternative [*] is to use in-interface-list=WAN instead. If all configured selector properties of dst-nat rule match, the NAT engine replaces dst-* fields of packet with to-* properties of dst-nat rule (or leaves values intact if they're not defined). So what you want is to set to-addresses=192.168.1.234 on dst-nat rule and in this case NAT engine would replace dst-address on ingress packet with IP address of your SFTP server.
[*] using in-interface or in-interface-list as selector in dst-nat rule means you can't use this rule to use SFTP service from inside your LAN by using WAN IP address (e,g. if you have a phone or laptop and you'd want to use service without a change of configuration while device is connected LAN and while device is somewhere in internet), for that one needs hair pin NAT. In your case this is not a case as one of selectors is WAN IP of SFTP client ... and you could mostly get away even with ommision of both dst-address and in-interface[-list].
The way dst-nat works: it inspects packet headers and compares values to configured ones. In your case it compares src-address from packet to src-address from rule definition. It also compares values of dst-port and protocol type. So far so good. However: it also compares dst-address from packet to configured value and this is where it fails ... because packet's dst-address at this point is most likely same as router's WAN IP address. Good alternative [*] is to use in-interface-list=WAN instead. If all configured selector properties of dst-nat rule match, the NAT engine replaces dst-* fields of packet with to-* properties of dst-nat rule (or leaves values intact if they're not defined). So what you want is to set to-addresses=192.168.1.234 on dst-nat rule and in this case NAT engine would replace dst-address on ingress packet with IP address of your SFTP server.
[*] using in-interface or in-interface-list as selector in dst-nat rule means you can't use this rule to use SFTP service from inside your LAN by using WAN IP address (e,g. if you have a phone or laptop and you'd want to use service without a change of configuration while device is connected LAN and while device is somewhere in internet), for that one needs hair pin NAT. In your case this is not a case as one of selectors is WAN IP of SFTP client ... and you could mostly get away even with ommision of both dst-address and in-interface[-list].
Re: Port Forwarding SFTP custom Port
Still no joy:
Code: Select all
add action=add-dst-to-address-list address-list=" 192.168.1.234" address-list-timeout=none-dynamic chain=dstnat dst-address-type=local log=yes log-prefix=SFTP-Inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.164.1.234 \
to-ports=22022Re: Port Forwarding SFTP custom Port [SOLVED]
What is this rule supposed to do? You're over complicating things.
Your NAT rule should be this:
I've arranged the order of properties just to illustrate: first line simply defines the nature of rule (it's a dst-nat rule), second line of properties are selectors - they determine to which packets this NAT rule applies. The third line contains some logging properties (they don't affect selection process nor they affect the way packet might be altered). The last line defines what exactly dst-nat changes on matching packet (in this case dst-address is changed to set value).
N.b. if you decide you want to allow multiple src-addresses, you can add similar rules. But better sollution is to (statically) create address list, containing allowed src addresses. Then you'd change the rule above by replacing property src-address with src-address-list=<name of allowed address list> ...
Your NAT rule should be this:
Code: Select all
add action=dst-nat chain=dstnat \
src-address=5.150.195.195 dst-port=22022 protocol=tcp in-interface-list=WAN \
log=yes log-prefix=SFTP-Inleed \
to-addresses=192.168.1.234
I've arranged the order of properties just to illustrate: first line simply defines the nature of rule (it's a dst-nat rule), second line of properties are selectors - they determine to which packets this NAT rule applies. The third line contains some logging properties (they don't affect selection process nor they affect the way packet might be altered). The last line defines what exactly dst-nat changes on matching packet (in this case dst-address is changed to set value).
N.b. if you decide you want to allow multiple src-addresses, you can add similar rules. But better sollution is to (statically) create address list, containing allowed src addresses. Then you'd change the rule above by replacing property src-address with src-address-list=<name of allowed address list> ...
Re: Port Forwarding SFTP custom Port
(1) This needs to be removed it does nothing
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
(2) This is misconfigured and needs to be removed
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
(3) Never seen an ip pool configured as such but it must be legit
/ip pool
add name=dhcp ranges=192.168.1.0/24
(4) Your dst nat rule is troubling. but I will let mkx sort it out as he has you on the right track.........
My initial read of your first entry was that you didnt have a public IP address............
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
(2) This is misconfigured and needs to be removed
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
(3) Never seen an ip pool configured as such but it must be legit
/ip pool
add name=dhcp ranges=192.168.1.0/24
(4) Your dst nat rule is troubling. but I will let mkx sort it out as he has you on the right track.........
My initial read of your first entry was that you didnt have a public IP address............
Re: Port Forwarding SFTP custom Port
(4) Your dst nat rule is troubling. but I will let mkx sort it out as he has you on the right track.........
My initial read of your first entry was that you didnt have a public IP address............
As for 1-2-3 that's the result of the quick set, I suspected some was wrong, but it works and I cant really do anything about that right now... followed the instructions for 1st setup and have added absolutely zero to that.
4: I have a dynamic public IP, meaning it may change if I reset the fiber modem or if the ISP changes something. My ISP offers fixed IP, but do not recommend it's usage. That is why I use an updating software and an external DNS host provider to properly direct calls to my network. It has worked for many years now, all back through my ASUS Router, via an Ubiquiti Edge Router and the last, the Zyxel one. I expect it to work with Mikrotik as well, but Mikrotik seems by far the most complex to set up, both in regards to how the interface looks and works, adding to that the seemingly lacking port forwarding instructions in the manual. Ref: https://help.mikrotik.com/docs/dosearch ... ward&where
Re: Port Forwarding SFTP custom Port
Thanks.What is this rule supposed to do? You're over complicating things.
Your NAT rule should be this:
I've arranged the order of properties just to illustrate: first line simply defines the nature of rule (it's a dst-nat rule), second line of properties are selectors - they determine to which packets this NAT rule applies. The third line contains some logging properties (they don't affect selection process nor they affect the way packet might be altered). The last line defines what exactly dst-nat changes on matching packet (in this case dst-address is changed to set value).Code: Select alladd action=dst-nat chain=dstnat \ src-address=5.150.195.195 dst-port=22022 protocol=tcp in-interface-list=WAN \ log=yes log-prefix=SFTP-Inleed \ to-addresses=192.168.1.234
N.b. if you decide you want to allow multiple src-addresses, you can add similar rules. But better sollution is to (statically) create address list, containing allowed src addresses. Then you'd change the rule above by replacing property src-address with src-address-list=<name of allowed address list> ...
Console complained about errors when I typed it all in one line but I set it in the interface instead. The export seems to give the same as you suggested:
Code: Select all
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.234Thank you very much for the help... Now I need to wrap my head around that logic...
Last edited by SecCon on Sun Jan 09, 2022 9:18 pm, edited 1 time in total.
Re: Port Forwarding SFTP custom Port
Coming from zyxel its not too bad, no loopback checkbox and little less spoon feeding. (used to be a reseller for zyxel)
The main difference is only one firewall rule for all port forwardings is done.
The main place for rule details are in the dst-nat rules.........
You have the right info.
You have two choices in Mikrotik for formatting the Dst NAT RULES
TYPICALLY
a. for dynamic firewall rules one uses in-interface=ether1 or in-interface-list=WAN (assuming ether1 is the WAN interface, like standard cable)
b. for static, fixed ip, one uses dst-address=PublicIP of WAN
If you think about they say different things but have the same result. The first says for any traffic coming from the WAN side, headed for portxx send the traffic to lanip blah blah
THe second one says that for any traffic heading to my public IP, headed for portxx send the traffic to lanip blah blah.
Pretty straightforward !!
Note: You could use the dst-address for dynamic IPs, but then would have to change the rule everytime the IP changed.
The in-interface list method, for Dynamic WANIPs, is useless if you ever want users or yourself (FOLKS ON THE LAN behind the router) to access the server via the Public WANIP.
I never understood loopback on the zyxel until I ran across this need. I was like, pffffft what losers dont just use the LANIP directly of the server when within the LAN. Clearly there are many cases where people seem to defy logic.
So there are work arounds to make the dynamic IP scenario LOOK LIKE the fixed IP scenario, so that the router will accept both internal and external users access to the server.
One can see right away that if you use in-interface-list=WAN one is NOT INCLUDING internal users.
However as noted above I could use the IP address but would have to change the rule everytime the IP changed, so how to avoid that is the next format!!
FORMAT
add chain=dstnat action=dst-nat dst-address-list=(applicable firewall address list for your dyndns of choice - most use the IP cloud address on the router itself)
dst-port=xxxx protocol=tcp to-addresses=IPofServer {to ports is not required if the same as dst-port}
What we have done here is to identify the public dynamic IP with a dyndns name which will keep the IP relatively current and thus one can use the format of the fixed IP dst nat rule which would include both internal and external users because they are both pointing at the public IP.......
There is one caveat, and that is if the server and the users are in the same subnet we run into something called hairpin NAT. All explained in the article below and more.
Suffice to say one source nat rule fixes this issue, and alternatives are discussed as well.
Enjoy todays instructional lessons!
viewtopic.php?t=179343
I should note that the dstnat rules can also have source addresses or source address lists which narrow down access to the server, always a good thing!
Since people can get free dyndns names for their own routers, they can give you their static fixed wanip or dynamic URL to put into the firewall address list!!
The main difference is only one firewall rule for all port forwardings is done.
The main place for rule details are in the dst-nat rules.........
You have the right info.
You have two choices in Mikrotik for formatting the Dst NAT RULES
TYPICALLY
a. for dynamic firewall rules one uses in-interface=ether1 or in-interface-list=WAN (assuming ether1 is the WAN interface, like standard cable)
b. for static, fixed ip, one uses dst-address=PublicIP of WAN
If you think about they say different things but have the same result. The first says for any traffic coming from the WAN side, headed for portxx send the traffic to lanip blah blah
THe second one says that for any traffic heading to my public IP, headed for portxx send the traffic to lanip blah blah.
Pretty straightforward !!
Note: You could use the dst-address for dynamic IPs, but then would have to change the rule everytime the IP changed.
The in-interface list method, for Dynamic WANIPs, is useless if you ever want users or yourself (FOLKS ON THE LAN behind the router) to access the server via the Public WANIP.
I never understood loopback on the zyxel until I ran across this need. I was like, pffffft what losers dont just use the LANIP directly of the server when within the LAN. Clearly there are many cases where people seem to defy logic.
So there are work arounds to make the dynamic IP scenario LOOK LIKE the fixed IP scenario, so that the router will accept both internal and external users access to the server.
One can see right away that if you use in-interface-list=WAN one is NOT INCLUDING internal users.
However as noted above I could use the IP address but would have to change the rule everytime the IP changed, so how to avoid that is the next format!!
FORMAT
add chain=dstnat action=dst-nat dst-address-list=(applicable firewall address list for your dyndns of choice - most use the IP cloud address on the router itself)
dst-port=xxxx protocol=tcp to-addresses=IPofServer {to ports is not required if the same as dst-port}
What we have done here is to identify the public dynamic IP with a dyndns name which will keep the IP relatively current and thus one can use the format of the fixed IP dst nat rule which would include both internal and external users because they are both pointing at the public IP.......
There is one caveat, and that is if the server and the users are in the same subnet we run into something called hairpin NAT. All explained in the article below and more.
Suffice to say one source nat rule fixes this issue, and alternatives are discussed as well.
Enjoy todays instructional lessons!
viewtopic.php?t=179343
I should note that the dstnat rules can also have source addresses or source address lists which narrow down access to the server, always a good thing!
Since people can get free dyndns names for their own routers, they can give you their static fixed wanip or dynamic URL to put into the firewall address list!!
Last edited by anav on Sun Jan 09, 2022 9:34 pm, edited 3 times in total.
Re: Port Forwarding SFTP custom Port
Listen I have to start somewhere, ok...
If this is what you have then the problems in the config are elsewhere and if you use quickset its like configing in quicksand........ a slow death by a 1000 cuts.
I chose Mikrotik because of its versatility and reputation, been wanting this for a number of years so with some great advantages I expect to be learning as well... small effort well worth it in the long run. Just you wait till I start pestering the PFSense forums when I have the "friedwall" running.... should I ever get there.Re: Port Forwarding SFTP custom Port
See above post to start that learning curve, If I can learn it, any idiot can, at least thats what SOB says
Re: Port Forwarding SFTP custom Port
Console complained about errors when I typed it all in one line ...
The backslash (\) characters followed by new-line are "continuation" characters (meaning that the command continues in next line). If you typed the rule in single line but kept the backslashes, then this is why console complained.
Re: Port Forwarding SFTP custom Port
@mkx
I know... just typed it without backslashes in one row, still errors.
I did add /ip and /firewall before typing add in a couple of attempts, but still would not work. Maybe cmd syntax changed in 7.1?
Anyhow, it works and I have documented it.
I know... just typed it without backslashes in one row, still errors.
I did add /ip and /firewall before typing add in a couple of attempts, but still would not work. Maybe cmd syntax changed in 7.1?
Anyhow, it works and I have documented it.
Re: Port Forwarding SFTP custom Port
...and verified...
ignore the ipad entries...
ignore the ipad entries...
Re: Port Forwarding SFTP custom Port
I did add /ip and /firewall before typing add in a couple of attempts, but still would not work. Maybe cmd syntax changed in 7.1?
Eh ... the command was meant to be preceeded by /ip firewall nat ... in ROS configuration is in a pseudo file system hierarchy and commands have context in tree position ... e.g. command add is completetly different elsewhere, say in /interface bridge ...
Anyway, it's good it's working for you now ... and I'm sure you'll learn your way around in no time.
Re: Port Forwarding SFTP custom Port
Just to repeat the working config
But I am still puzzled by one thing.
In QuickSet (7.1.1) there is a button for Port Mapping. it takes you to what in the browser address would be [ROUTER_IP]/#Port_Mapping.Port_Mapping.new
Is that not supposed to be used for Port Forwarding? Or am I obtuse?
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=22022 in-interface-list=WAN log=yes log-prefix=sftp-inleed protocol=tcp src-address=5.150.195.195 to-addresses=192.168.1.234In QuickSet (7.1.1) there is a button for Port Mapping. it takes you to what in the browser address would be [ROUTER_IP]/#Port_Mapping.Port_Mapping.new
Is that not supposed to be used for Port Forwarding? Or am I obtuse?
Re: Port Forwarding SFTP custom Port
Just a comment, not really answer to your question: if you do any change of configuration outside QuickSet, don't ever go back using QuickSet. QuickSet is pretty dumb and doesn't take into account anything configured outside its scope (either via WebFig/winbox or CLI) and will most definitely break configuration.
Re: Port Forwarding SFTP custom Port
@mkx
Yes, I think am beyond that first little left turn in my learning curve, but thanks for reminding me...
Yes, I think am beyond that first little left turn in my learning curve, but thanks for reminding me...
Re: Port Forwarding SFTP custom Port
Port mapping is not a term I am familiar with but PORT translation is.
In the case where you want an external user to come in on a different port than what your server is expecting and that is the true function of TOO PORTS.
Lets say your ISP does not allow originated inbound on port 80 but your server needs to be setup on port 80.
add chain=dstnat action=dst-nat dst-port=80 protocol=tcp in-interface-list=WAN to=addresses=IPofServer { note when to-ports is the same as dst-ports, it is not required)
The above wont work because ISP is blocking port 80 inbound. Sol'n, get your clients to come in on port 8080
add chain=dstnat action=dst-nat dst-port=8080 protocol=tcp in-interface-list=WAN to-addresses=IPofServer to-ports=80
In the case where you want an external user to come in on a different port than what your server is expecting and that is the true function of TOO PORTS.
Lets say your ISP does not allow originated inbound on port 80 but your server needs to be setup on port 80.
add chain=dstnat action=dst-nat dst-port=80 protocol=tcp in-interface-list=WAN to=addresses=IPofServer { note when to-ports is the same as dst-ports, it is not required)
The above wont work because ISP is blocking port 80 inbound. Sol'n, get your clients to come in on port 8080
add chain=dstnat action=dst-nat dst-port=8080 protocol=tcp in-interface-list=WAN to-addresses=IPofServer to-ports=80
Re: Port Forwarding SFTP custom Port
If you mention quickset again.........
https://www.youtube.com/watch?v=gZwYmlR9Lh8
https://www.youtube.com/watch?v=gZwYmlR9Lh8
Re: Port Forwarding SFTP custom Port
Not a fan of NCIS.If you mention quickset again.........
https://www.youtube.com/watch?v=gZwYmlR9Lh8
May I quote the F-NG OFFICIAL HELP PAGES:
https://help.mikrotik.com/docs/display/ROS/Quick+SetQuickset is a simple configuration wizard page that prepares your router in a few clicks. It is the first screen a user sees, when opening the default IP address 192.168.88.1 in a web browser.
Quickset is available for all devices that have some sort of default configuration from factory. Devices that do not have configuration must be configured by hand. The most popular and recommended mode is the HomeAP (or HomeAP dual, depending on the device). This Quickset mode provides the simplest of terminology and the most common options for the home user.
Now, again, I realize that QuickSet has issues, but if that is the case it is up to MT to fix them. Just saying...
Re: Port Forwarding SFTP custom Port
You mentioned it again............... slow learner!!
Re: Port Forwarding SFTP custom Port
Yes, QuickSet can do port forwarding/mapping/<whatever you want to call it>. But it's far from great, because it creates rules like this:
So if you need some non-standard port like 46213, you have good chance to not have any problems. But try to forward port 80 to your webserver and you won't like the result (there's no condition for destination address, so all connections will match, incoming, outgoing, everything). So let's say it's a bit unfinished, if I want to be nice.
Code: Select all
/ip firewall nat
chain=dstnat action=dst-nat to-addresses=1.2.3.4 to-ports=8080 protocol=tcp dst-port=80Re: Port Forwarding SFTP custom Port
I'll highlight some things for you:
Which means: if you ever need to configure anything not on Quickset page, you're out of "simple", so Quickset is off-limits ever after. And if it's the first screen seen by user it doesn't mean it should be the last ... but, again, if user sees second screen (and it's not Quickset), then Quickset should not be the third or the fourth ...
Indeed it's up to MT to do something about it ... there was an argument in this forum that Quickset should be automatically disabled as soon as any setting is done outside Quickset ... MT staffers didn't agree (they suggested to use skin editor to remove Quickset button ... sic!). But it would solve a complaint or two seen on forum.
Quickset is a simple configuration wizard page that prepares your router in a few clicks. It is the first screen a user sees, when opening the default IP address 192.168.88.1 in a web browser.
Which means: if you ever need to configure anything not on Quickset page, you're out of "simple", so Quickset is off-limits ever after. And if it's the first screen seen by user it doesn't mean it should be the last ... but, again, if user sees second screen (and it's not Quickset), then Quickset should not be the third or the fourth ...
Indeed it's up to MT to do something about it ... there was an argument in this forum that Quickset should be automatically disabled as soon as any setting is done outside Quickset ... MT staffers didn't agree (they suggested to use skin editor to remove Quickset button ... sic!). But it would solve a complaint or two seen on forum.
Re: Port Forwarding SFTP custom Port (SOLVED)
Today I added another instance of the same thing described above for another computer, this time a virtual one, not a physical one, and it worked straight out of the box.
I was fearing the virtual network might cause some issues as it goes via an ESXi server, but all works.
Did some minor modifications, like changed the port number and the target IP.
Happy days.
Ehm... just a small thing, why is the no COPY button in WebFig? So much simpler.
I was fearing the virtual network might cause some issues as it goes via an ESXi server, but all works.
Did some minor modifications, like changed the port number and the target IP.
Happy days.
Ehm... just a small thing, why is the no COPY button in WebFig? So much simpler.