WTNL
just joined
Topic Author
Posts: 2
Joined: Tue Aug 05, 2014 10:57 am

Port forwarding not working

Sun Aug 17, 2014 4:32 pm

Hello, I'm quite new to RouterOS, but with all the information available on the web I managed to get my RB2011 up and running.

Even so, it's still impossible to get port forwarding working. Of course I have read about this topic and I have found many examples. I believe I'm doing it according to "the book", but it's not working. I hope one of the people on this forum is willing to have a look at my settings.

What I want to do is this:

I have an IP-cam with IP address 198.168.2.114 which can receive connections on port 2. Connecting through this internal IP address is no problem. I want to forward requests on the WAN IP address and port 2 to this IP cam. So what I need to do is allow this traffic in the firewall and forward traffic on port 2.

In the browser, http://192.168.2.98:2 connects to my IP-CAM while http://{WAN-IP}:2 does NOT connect to my IP-CAM.

My settings are like this:

/ip firewall address-list
add address=192.168.2.0/24 list=PrivateSubnets

/ip firewall connection tracking
set enabled=yes

/ip firewall filter
add chain=input in-interface=pppoe protocol=icmp
add chain=input connection-state=related
add chain=input connection-state=established
add action=reject chain=input disabled=yes in-interface=pppoe protocol=tcp \
reject-with=icmp-port-unreachable
add action=reject chain=input in-interface=pppoe protocol=udp reject-with=\
icmp-port-unreachable
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add chain=input comment="Accept established connections" connection-state=\
established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface=\
bridge-local src-address=192.168.2.0/24
add chain=input comment="Allow access to IPCAM:2 from outside" dst-port=2 \
in-interface=ether1-gateway protocol=tcp

add action=log chain=input comment="Log everything else" log-prefix=\
"IPv4 Drop input:"
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=\
established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network" in-interface=\
bridge-local src-address=192.168.2.0/24
add chain=forward comment="Allow connection to IPCAM:2 from outside" \
dst-address=192.168.2.114 dst-port=2 in-interface=ether1-gateway protocol=\
tcp

add action=log chain=forward comment="Log everything else" log-prefix=\
"IPv4 Drop forward:"
add action=drop chain=forward comment="Drop everything else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe src-address=\
192.168.2.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Masquerade internal to outside IP" \
out-interface=ether1-gateway src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment="Forward tcp:2 to IPCAM:2" dst-port=2 \
protocol=tcp to-addresses=192.168.2.114 to-ports=2


Any help will be appreciated very much.

Thanks in advance.

Walter
 
agehall
Frequent Visitor
Posts: 67
Joined: Fri Aug 15, 2014 8:47 pm

Re: Port forwarding not working

Wed Aug 20, 2014 8:38 pm

The dst-port and to-port options are TCP ports, not the physical ports on the router. That is probably where you went wrong...
 
BenCo
just joined
Posts: 11
Joined: Sat Apr 19, 2014 11:51 pm
Location: Amsterdam

Re: Port forwarding not working

Wed Aug 20, 2014 11:08 pm

Hello Walter,

I think the first red rule in the list is not needed at all. The input chain is for connections to services on the router itself.
For example, to log in via SSH via the internet, or Winbox from inside your LAN.
The second red rule is ok.
The third red rule needs in-interface=ether1-gateway added in the rule.

Hope it works now.
 
agehall
Frequent Visitor
Posts: 67
Joined: Fri Aug 15, 2014 8:47 pm

Re: Port forwarding not working

Thu Aug 21, 2014 3:06 am

Adding in-interface shouldn't, strictly speaking, be necessary, but it's probably a good idea since you only need to apply the rule to incoming traffic on the WAN link.
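
The scoping point from the last two replies can be checked mechanically. This is an added example, not code from the thread or from MikroTik: a dst-nat rule with no in-interface or dst-address matcher rewrites every matching connection that passes through the router, including LAN traffic bound for outside hosts on the same port. The sample export is constructed (its first dst-nat rule mirrors the one posted above), and the function names are hypothetical.

```python
import shlex

# Constructed sample in RouterOS export style. The first dst-nat rule mirrors
# the one posted in the thread; the second adds the suggested in-interface.
SAMPLE_EXPORT = r'''/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=\
    192.168.2.0/24
add action=dst-nat chain=dstnat comment="Forward tcp:2 to IPCAM:2" dst-port=2 \
    protocol=tcp to-addresses=192.168.2.114 to-ports=2
add action=dst-nat chain=dstnat comment="Scoped forward" dst-port=2 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.114 \
    to-ports=2
'''

# Matchers that tie a dst-nat rule to the WAN side or to the router's address.
SCOPING_KEYS = ("in-interface", "in-interface-list", "dst-address",
                "dst-address-list", "dst-address-type")

def parse_export(text):
    """Yield (menu, params) per 'add' line, joining backslash continuations."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # rule continues on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):         # menu path, e.g. /ip firewall nat
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])   # honours quoted comments
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def unscoped_dstnat(text):
    """Return comments of enabled dst-nat rules that have no scoping matcher."""
    findings = []
    for menu, params in parse_export(text):
        if menu != "/ip firewall nat" or params.get("action") != "dst-nat":
            continue
        if params.get("disabled") == "yes":
            continue
        if not any(key in params for key in SCOPING_KEYS):
            findings.append(params.get("comment", "(no comment)"))
    return findings

if __name__ == "__main__":
    for comment in unscoped_dstnat(SAMPLE_EXPORT):
        print("dst-nat rule not limited to WAN-side traffic:", comment)
```
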