
Filter port forwarding

Posted: Fri Oct 20, 2017 5:44 pm
by Cynrik
Hi,

there are some ports forwarded (dst-nat) from the Internet to an internal server.
How can I only allow specific IP address ranges to connect to the internal server from the Internet?

For example, only devices from the IP address ranges 90.111.222.0/24 and 90.200.100.0/24 should be able to connect to the internal web server on port tcp 80.

Regards

Re: Filter port forwarding

Posted: Sat Oct 21, 2017 3:24 am
by MLubbe
Hi Cynrik,

The easiest way to do this is to make use of an Address-List, and then dst-nat the traffic inbound from that address list.

Modify the below script as you require.
/ip firewall address-list
add address=90.111.222.0/24 list=Allowed
add address=90.200.100.0/24 list=Allowed
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forward" src-address-list="Allowed" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.200

Re: Filter port forwarding

Posted: Sat Oct 21, 2017 7:36 pm
by lbachero
/ip firewall address-list
add address=90.111.222.0/24 list=Allowed
add address=90.200.100.0/24 list=Allowed
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forward" src-address-list="Allowed" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.1.200

Just remember to change the service port of router! ;)
/ip service set port=8080 www
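Putting both replies together, here is an added defence-in-depth variant (not from any poster in this thread): the same address-list restricted dst-nat rule, plus forward and input filter rules so that Internet hosts outside the list can reach neither the web server nor the router's own tcp/80 service. Assumptions: ether1 is the WAN uplink, 192.168.1.0/24 is the LAN and 192.168.1.200 is the web server, as in the replies above.

```routeros
# Added example, not from the thread. Assumed: ether1 = WAN uplink,
# 192.168.1.0/24 = LAN, 192.168.1.200 = internal web server.
/ip firewall address-list
add address=90.111.222.0/24 list=Allowed
add address=90.200.100.0/24 list=Allowed

# dst-nat only for sources on the list; other sources are not translated
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 src-address-list=Allowed action=dst-nat to-addresses=192.168.1.200 comment="Port Forward (allowed sources only)"

/ip firewall filter
# Stateful baseline for traffic through the router
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Nothing new from the WAN side passes unless it was dst-nat'ed above
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=!dstnat action=drop
# Even dst-nat'ed flows must come from the list; guards against a later
# edit that widens the NAT rule without revisiting the filter
add chain=forward connection-nat-state=dstnat src-address-list=!Allowed action=drop

# Unlisted Internet hosts hitting tcp/80 are not translated, so they land on
# the router itself (the input chain): drop them there
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 protocol=tcp dst-port=80 action=drop

# Besides moving the www service port, bind it (and WinBox) to LAN addresses
/ip service set www address=192.168.1.0/24
/ip service set winbox address=192.168.1.0/24
```

Verify with `/ip firewall filter print stats` after a test connection from a listed and an unlisted address: the unlisted one should increment the input drop counter and never reach the server.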