Port forwarding - Dynamic WAN IP
Posted: Sat May 28, 2016 7:51 pm
by zhup
Hello,
I have read many posts but I am not able to handle it.
How to forward a port if the WAN address is dynamic (PPPoE)?
add action=dst-nat chain=dstnat disabled=no dst-port=8888 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.10 to-ports=8888
It does not work.
Thank you in advance.
Re: Port forwarding - Dynamic WAN IP
Posted: Sat May 28, 2016 9:22 pm
by Sob
Your rule should already work if you test it from outside. If it doesn't, packets are probably blocked in forward chain, so make sure they are enabled. The simplest way should be this rule:
/ip firewall filter
add chain=forward connection-nat-state=dstnat
If you're trying to connect to your public address from LAN, you need hairpin NAT. You'll need to replace in-interface in your original rule with dst-address-type=local and add srcnat rule as described in wiki.
Re: Port forwarding - Dynamic WAN IP
Posted: Sat May 28, 2016 9:42 pm
by zhup
What do you think about the rule below:
add chain=dstnat action=dst-nat dst-address=!192.168.88.1 dst-address-type=local dst-port=8888 protocol=tcp to-addresses=192.168.88.10 to-ports=8888
Re: Port forwarding - Dynamic WAN IP
Posted: Sat May 28, 2016 11:55 pm
by Sob
I like it. Does it work for you? It should.
Re: Port forwarding - Dynamic WAN IP
Posted: Sun May 29, 2016 10:28 am
by zhup
It works only from outside, but if I try to access my WAN from LAN it does not work unfortunately.
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""
1 chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 out-interface=pppoe-out1 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=8888 protocol=tcp dst-address=!192.168.88.253 dst-address-type=local dst-port=8888 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=12000 protocol=tcp dst-address=!192.168.88.253 dst-address-type=local dst-port=12000 log=no log-prefix=""
I do not know what is wrong?
Re: Port forwarding - Dynamic WAN IP
Posted: Sun May 29, 2016 11:44 am
by zhup
This below works. In the second rule I changed the out-interface from pppoe to the bridge.
chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""
chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 out-interface=bridge log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=8888 protocol=tcp dst-address=!192.168.88.253 dst-address-type=local dst-port=8888 log=no log-prefix=""
chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=12000 protocol=tcp dst-address=!192.168.88.253 dst-address-type=local dst-port=12000 log=no log-prefix=""
Could someone explain to me this situation?
Re: Port forwarding - Dynamic WAN IP
Posted: Sun May 29, 2016 6:11 pm
by Sob
Your change is correct. It's what hairpin NAT does, it changes source of LAN->LAN packets. And their out-interface is LAN, in your case "bridge". See the link I posted, it's explained there very nicely, step by step what happens.
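Added example, not part of the thread and not MikroTik code: a simplified Python model of the hairpin flow Sob describes above, showing why the masquerade rule only takes effect with out-interface=bridge. The WAN address, the client address and the router's LAN address 192.168.88.1 are assumed values.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.88.0/24")
SERVER = "192.168.88.253"      # dst-nat target, from the thread
ROUTER_LAN = "192.168.88.1"    # assumed bridge address of the router
WAN_IP = "203.0.113.7"         # constructed stand-in for the dynamic PPPoE address
CLIENT = "192.168.88.50"       # constructed LAN client

def out_interface(dst):
    """Router's routing decision: LAN destinations leave through the bridge."""
    return "bridge" if ip_address(dst) in LAN else "pppoe-out1"

def hairpin(client, srcnat_out_interface):
    """Follow one connection from a LAN client to WAN_IP:8888 and its reply.

    srcnat_out_interface is the out-interface written in the LAN-to-LAN
    masquerade rule. Returns (address the reply arrives from at the client,
    True if the reply passed back through the router).
    """
    src, dst = client, WAN_IP
    # dstnat: dst-address-type=local matches WAN_IP on any in-interface.
    dst = SERVER
    # srcnat: src and dst are both in the LAN, but the rule only matches
    # when its out-interface equals the interface the packet really leaves on.
    if (ip_address(src) in LAN and ip_address(dst) in LAN
            and out_interface(dst) == srcnat_out_interface):
        src = ROUTER_LAN  # masquerade uses the outgoing interface's address
    # The server replies to whatever source address it saw.
    reply_dst = src
    if reply_dst == ROUTER_LAN:
        # Connection tracking on the router reverses both translations.
        return WAN_IP, True
    # Same subnet: the reply goes straight to the client and bypasses the router.
    return SERVER, False

def client_accepts(reply_from):
    """The client's TCP stack only accepts replies from the address it dialled."""
    return reply_from == WAN_IP

if __name__ == "__main__":
    for iface in ("pppoe-out1", "bridge"):
        reply_from, via_router = hairpin(CLIENT, iface)
        print(iface, reply_from, via_router, client_accepts(reply_from))
```

With out-interface=pppoe-out1 the masquerade rule never matches, so the server's reply reaches the client from 192.168.88.253 instead of the address it connected to and the connection fails.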
Re: Port forwarding - Dynamic WAN IP
Posted: Wed Jul 06, 2016 11:03 am
by ADCAB
I'm new in MikroTik's world and I have just bought a RB3011UiAS-RM. A fantastic product.
I have port forwarded my NAS so I can reach it from outside, no problems. But I can't reach it from my LAN network and I know that I need to loopback/hairpinning.
Do I need to add one or two extra functions under "FIREWALL" "NAT" or do I need to modify the port forwarding that I already configured?
I have dynamic IP from my ISP so I use MikroTik's DDNS.
Re: Port forwarding - Dynamic WAN IP
Posted: Wed Jul 06, 2016 9:20 pm
by ADCAB