need port forwarding assistance

dharris · Thu Sep 23, 2010 12:58 am

hi,

i need to know the basic command line commend to set up port forwarding. i've reviewed a lot of the posts but they seem to be more than what i need.

what i need is the following:

i have the mikrotik set up in router mode with NAT. i need to forward all requests to port 8443 on the WAN IP to port 8443 on a static IP on the LAN side of the mikrotik.

thats it.

can someone please reply with the simplest CLI string i need to enter under /ip to accomplish this.

tia,
dave

fewi · Thu Sep 23, 2010 1:04 am

http://wiki.mikrotik.com/wiki/Manual:IP ... rt_mapping

/ip firewall nat add chain=dstnat in-interface=WAN dst-port=8443 action=dst-nat protocol=tcp to-address=192.168.1.100

dharris · Fri Sep 24, 2010 12:45 am

hi,

i entered the string replacing "WAN" with ether1 as it is the in-interface but i still don't appear to getting forwarded to the LAN device. the to-addresses= IP is the device i'm trying to get to from the WAN. the following is the entry from an /ip firewall nat print command:

chain=dstnat action=dst-nat to-addresses=207.xx.xx.xx protocol=tcp
in-interface=ether1 dst-port=8443

any thoughts?

tia,
dave

fewi · Fri Sep 24, 2010 1:07 am

The to-address should be the IP address of the behind you're forwarding to. The private IP of that computer, not the public IP address of the router.

http://wiki.mikrotik.com/wiki/Manual:IP ... Properties

to-addresses (IP address[-IP address]; Default: 0.0.0.0) Replace original address with specified one. Applicable if action is dst-nat, netmap, same, src-nat

dharris · Fri Sep 24, 2010 1:51 am

hi,

the to-address does have the private IP of the computer i'm trying to access. do i need to explicitly state the WAN IP or is ether1 sufficient.

thanks,
dave

fewi · Fri Sep 24, 2010 2:06 am

Just ether1 is sufficient, but you can state the WAN IP if you want to.

andrescamino · Fri Sep 24, 2010 2:07 am

It is sufficient with the in-interface, you don't have to put the WAN IP if you don't want it, another way to do this is without setting in-interface is

 / ip firewall nat add chain=dstnat protocol=tcp dst-port=8443 dst-address=wanAddress action=dst-nat to-addresses=privateIpAddress to-ports=8443

dharris · Fri Sep 24, 2010 3:53 am

hi,

i ran a packet sniffer when accessing the computer from the same subnet (where it is successful) and see that the traffic from the source computer comes out of port 1143 and is destined for port 8443 on the computer i'm trying to port forward to. replies to the source computer go from port 8443 to port 1143 on the source computer.

all communication goes between these two ports.

do i need to add a firewall rule to allow traffic on port 1143?

tia,
dave

fewi · Fri Sep 24, 2010 3:59 am

Not as such. That is an ephemeral port more or less random.

But if you do have firewall rules they might be blocking the traffic. Post them if you're not sure.

dharris · Sat Sep 25, 2010 1:38 am

DOH! the device i was trying to port forward to was set to accept only incoming connections from the same subnet. i changed that and i'm in business!

thanks for all your advice!

dave

need port forwarding assistance

need port forwarding assistance

Re: need port forwarding assistance

Re: need port forwarding assistance

Re: need port forwarding assistance

Re: need port forwarding assistance

Re: need port forwarding assistance

Re: need port forwarding assistance

Re: need port forwarding assistance

Re: need port forwarding assistance

Re: need port forwarding assistance

Who is online