
Ports & Firewall

Posted: Tue Dec 05, 2017 3:07 pm
by oimboh
Hello,
I would like to know how to open ports in the rb950. I wish to access my device remotely via IP, and I don't have any idea about firewall rules.
Please help me out.

Regards

Re: Ports & Firewall

Posted: Tue Dec 05, 2017 4:28 pm
by ZeroByte
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

In a nutshell, you want to use the IP > Firewall > NAT configuration. Add rules to the "dstnat" chain. In each rule, you use dst-port=xxxx as the "outside" port you want mapped, action=dst-nat and to-address=x.x.x.x (inside IP address) - if the inside port is the same as the outside port, you don't need to specify a to-ports. If the inside port is different (e.g. mapping outside 8080 to inside 80) then specify the inside port as the "to-ports" value.

The NAT table is evaluated once for each new connection when connection tracking is in use (the default condition).
Rules are processed in order top to bottom, and the first match is used.
If no rules match, then the packet is passed w/o any modification.
Rules match only if 100% of the conditions are true.
If any condition has multiple values, then this is an "or" condition - e.g. dst-port=80,443 will match if the destination port is 80 or if it is 443.
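The rules described above, written out as RouterOS commands. This is an added example, not configuration from the thread or from MikroTik's documentation; it assumes ether1 is the WAN interface, that 192.168.88.10 and 192.168.88.20 are the internal hosts, and that 203.0.113.0/24 is a trusted remote network (all constructed addresses). Note that the parameter is spelled to-addresses in RouterOS, and that a dst-nat rule only rewrites the packet; the forward chain still has to accept the translated connection.

```routeros
# Added example (not from the thread). Assumed WAN interface is ether1,
# internal web server 192.168.88.10, internal RDP host 192.168.88.20,
# trusted remote network 203.0.113.0/24. All addresses are constructed.

/ip firewall nat
# Outside 8080 -> inside 80: ports differ, so to-ports is required.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="web: public 8080 -> 192.168.88.10:80"

# Outside 443 -> inside 443: same port on both sides, to-ports can be omitted.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 \
    comment="web: public 443 -> 192.168.88.10:443"

# Limit who can reach a sensitive service: every condition must match, so a
# packet from an address that is not in the list falls through untranslated
# and is then handled (normally dropped) by the filter chains instead.
/ip firewall address-list
add list=rdp-clients address=203.0.113.0/24 comment="constructed: branch office"
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    src-address-list=rdp-clients \
    action=dst-nat to-addresses=192.168.88.20 \
    comment="rdp: only from rdp-clients list"

# Outbound masquerade so replies from the LAN hosts leave correctly
# (the default configuration already has one; skip if it is present).
add chain=srcnat out-interface=ether1 action=masquerade

# If your forward chain drops new connections arriving from the WAN, accept the
# dst-nat'ed ones above that drop. place-before=0 puts the rule at the top.
/ip firewall filter
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 action=accept place-before=0 \
    comment="allow connections that were dst-nat'ed"

# Verify order and hit counters: the first matching rule wins, so make sure a
# broader rule higher up is not shadowing the ones you just added.
/ip firewall nat print stats
```

The address-list restriction is the check worth keeping: a port forward with no source condition exposes the internal host to the whole internet, whereas one matched against a list only translates traffic from the addresses you named.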

Re: Ports & Firewall

Posted: Wed Dec 06, 2017 11:27 am
by oimboh
Thank you for the help. I wish to access my rb950 via Winbox, which is running on port 8291, and I have a public IP configured in the rb950. How do I add this to the NAT configuration? Regards

Re: Ports & Firewall

Posted: Thu Dec 07, 2017 4:31 pm
by ZeroByte
oimboh wrote:
Thank you for the help. I wish to access my rb950 via Winbox, which is running on port 8291, and I have a public IP configured in the rb950. How do I add this to the NAT configuration? Regards
You don't add NAT rules for talking to the router itself. (NAT means to modify the src/dst IP address and/or port number for traffic going through the router - i.e. map ports on the public IP address to ports on internal devices.) For accessing the router itself, you add rules to the firewall filter in the INPUT chain.
So to allow Winbox, you would make a rule that matches protocol TCP with dst port = 8291 and action=accept
This rule needs to be earlier in the chain (above) any rule which would block your traffic otherwise.
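The input-chain rule described above, as an added example that is not part of the thread. It assumes ether1 is the WAN interface and that the administrator connects from 203.0.113.5 (a constructed address); adjust both to your setup. Because the public IP sits on the router itself, no NAT rule is involved at all. The example also limits the accept rule to an address list, since an unrestricted accept on 8291 offers the management port to everyone.

```routeros
# Added example (not from the thread). Assumed WAN interface is ether1 and the
# administrator's public address is 203.0.113.5 (constructed).

# Keep trusted management sources in an address list so the accept rule does
# not expose Winbox to the entire internet.
/ip firewall address-list
add list=mgmt address=203.0.113.5 comment="constructed: admin workstation"

/ip firewall filter
# Accept Winbox (TCP/8291) arriving on the WAN, but only from the mgmt list.
# place-before=0 pins the rule to the top of the table so that no drop rule
# above it can swallow the traffic first.
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 \
    src-address-list=mgmt action=accept place-before=0 \
    comment="winbox from mgmt list only"

# Anything else that is new and aimed at the router from the WAN is dropped.
# Accepts for established/related traffic should sit above this; the default
# configuration already provides them.
add chain=input in-interface=ether1 connection-state=new action=drop \
    comment="drop other new connections to the router from WAN"

# Second layer: bind the Winbox service itself to the trusted sources, so a
# mistake in the filter order does not open it up on its own.
/ip service set winbox address=203.0.113.5/32

# Confirm the accept sits above the drop and its counters move when you connect.
/ip firewall filter print stats where chain=input
```

When editing firewall rules over the very connection you are protecting, enter Safe Mode first (Ctrl+X in the terminal, or the Safe Mode button in Winbox); if the session drops, the router reverts the changes made during that session instead of locking you out.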