Beginner’s Guide: Setting Up Port Forwarding on MikroTik

Hi again! Emmanuel Corels here from Emmanuel Corels Creatives, back with another practical MikroTik guide. This time, we’ll show you how to port forward—something that comes up often when people need to host services (like a web server, game server, or remote desktop) behind their MikroTik router. Ready to open a port or two? Let’s dive in!


What Is Port Forwarding?

Port forwarding (also known as Destination NAT) allows inbound traffic from the internet on a specific port to reach a device on your local network. For example, if you run a web server at 192.168.88.100:80, you can configure MikroTik so that anyone hitting your router’s public IP on port 80 will be forwarded to that local IP.


Typical Scenario

  • WAN interface: ether1, obtains a public IP from your ISP (or at least a routable address).
  • LAN network: 192.168.88.0/24 with a server at 192.168.88.100.
  • Service: Let’s say a web service on port 80. We’ll forward external traffic from port 80 → 192.168.88.100:80.

(If you’re hosting a different service—like a game server on port 25565—just substitute the port numbers.)


Step 1: Confirm Your WAN IP

Before port forwarding, ensure your MikroTik’s WAN IP is truly public. If your ISP gives you a private IP (like 10.x.x.x, 100.x.x.x, or 192.168.x.x), you might be behind Carrier-Grade NAT. In that case, normal port forwarding won’t work unless your ISP does additional NAT rules on their side.

  1. WinBox → IP → Addresses: Check the address on ether1.
  2. If it’s in a private range, contact your ISP to see if they offer a public IP.

Step 2: Basic Firewall/NAT Check

Assuming you have a default config, your MikroTik has a masquerade rule for outbound traffic. That’s good. We’ll add a dst-nat rule to handle inbound traffic. No need to remove or modify existing NAT rules—just add a new one.


Step 3: Add the Port Forward Rule

In WinBox, go to IP → Firewall → NAT. Click the “+” to create a new rule:

  1. General tab:

    • Chain: dstnat
    • Protocol: tcp (assuming your service is TCP; if it’s UDP, choose that)
    • Dst. Port: 80 (the port on which you expect inbound connections)
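  2. In. Interface: If you’d like, specify ether1 (WAN interface). This ensures the rule only triggers on traffic arriving from the internet side. Without it, the rule also matches LAN clients’ own outbound connections to port 80 and redirects them to your server.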

  3. Action tab:

    • Action: dst-nat
    • To Address: 192.168.88.100 (the LAN IP of your server)
    • To Ports: 80 (if you want to keep the same port internally)
  4. Comment (optional but helpful): “Forward port 80 to web server”

Click OK. You should see your new rule listed.

(CLI Version):

/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.88.100 to-ports=80

Step 4: Confirm or Adjust Firewall Filter

By default, the forward chain in many MikroTik default configs allows established/related traffic. That usually suffices to permit port forwarding. However, if you have a strict firewall filter that explicitly drops all inbound traffic, you may need a forward chain rule to accept traffic destined for 192.168.88.100:80.

  1. IP → Firewall → Filter Rules
    • If you see a final “drop all” rule in the forward chain, add a new rule above it:
      • Chain: forward
      • Protocol: tcp
      • Dst. Address: 192.168.88.100 or leave blank if you want to rely on the NAT rule
      • Dst. Port: 80
      • Action: accept

If your default firewall config is the typical one from MikroTik, you might not need this—some default configs have pre-built rules that allow forwarded traffic for valid NAT connections.


Step 5: Testing the Port Forward

  1. From an outside network (like your phone on cellular data or a friend’s house), browse to http://[Your Public IP]:80.

  2. If all is well, you should reach the server’s webpage.

  3. If it fails, try these troubleshooting steps:

    • Local Test: If you test from inside the LAN with http://[Public IP], you might need Hairpin NAT for it to work.
    • Check Logs: In System → Logging, add a firewall topic to see if inbound traffic is hitting the dst-nat rule.
    • ISP Issues: Some ISPs block inbound port 80. Try a higher port (e.g., 8080 or 8000) or see if your ISP can remove that block.

Optional: Hairpin NAT

If you want users on your LAN to access the server using the public IP rather than the internal IP, that’s called hairpin NAT. You add a second dst-nat rule or a masquerade rule referencing the LAN subnet. Example:

/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
dst-address=192.168.88.100 protocol=tcp dst-port=80 \
out-interface=bridge-lan action=masquerade

This ensures LAN devices can connect to http://[Public IP]:80 and be looped back to the internal server. Otherwise, they might fail or loop incorrectly.
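A complete hairpin pair, as an added example that is not part of the original guide: the Step 3 rule matches only in-interface=ether1, so LAN traffic to the public IP never reaches it, and the masquerade rule alone is not enough. Assumptions: 203.0.113.10 is a constructed stand-in for your public IP, and bridge-lan is the LAN bridge name used above.

```routeros
# Added example. 203.0.113.10 is a constructed placeholder for the router's
# public IP; replace it with the address shown on ether1.

/ip firewall nat
# Match on the public destination address instead of in-interface, so one
# rule handles connections arriving from the internet and from the LAN.
# This takes the place of the Step 3 rule rather than sitting beside it.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=80 \
    comment="Forward port 80 to web server (WAN and LAN)"

# Hairpin: a LAN client reaching a server on its own subnet. Masquerade the
# source so the server replies through the router instead of answering the
# client directly, which the client would reject as an unknown connection.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.100 \
    protocol=tcp dst-port=80 out-interface=bridge-lan action=masquerade \
    comment="Hairpin NAT for web server"
```

Hairpinned requests reach the server with the router's LAN address as their source, so the server's access log will not show which LAN client connected. With a dynamic WAN address, the dst-address match has to be kept in step with the current IP.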


Common Pitfalls

  • Double NAT: If your ISP modem is also doing NAT, you might need to port forward on that device too (or set it to bridge mode).
  • ISP Blocking: Some ISPs block common ports like 80 or 25 to prevent local hosting. Try a different port or call your ISP.
  • Firewall Overly Strict: If you drop inbound traffic by default, remember to allow the forwarded traffic in the forward chain.
  • Wrong Protocol: If your service uses UDP (e.g., certain game servers), you need to forward UDP, not TCP. Or sometimes both.
  • Dynamic WAN IP: If your WAN IP changes frequently, consider using a dynamic DNS service so you can connect by hostname instead of IP.

Wrapping Up

That’s the gist of port forwarding on MikroTik. You define a dst-nat rule, possibly tweak your firewall filter if needed, and test from outside. Whether you’re hosting a personal game server, a remote desktop session, or a small web server, these steps get you there.

Remember, exposing services to the internet does come with security considerations. Keep your server patched, and if possible, limit inbound connections to known source IPs with firewall rules. Stay safe, and enjoy your newly accessible service!
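The Step 4 forward rule in CLI form, narrowed to known source IPs as suggested above (an added example, not part of the original guide). Assumptions: the address-list name web-allowed is hypothetical, and 203.0.113.0/24 and 198.51.100.25 are constructed documentation-range sources.

```routeros
# Added example. WAN is ether1 and the server is 192.168.88.100:80, as in
# the guide. The list name and source addresses below are constructed.

# 1. Sources that are allowed to reach the forwarded service.
/ip firewall address-list
add list=web-allowed address=203.0.113.0/24 comment="Office (constructed)"
add list=web-allowed address=198.51.100.25 comment="Admin home (constructed)"

/ip firewall filter
# 2. Accept new, dst-nat'ed connections from those sources only. The filter
#    runs after dst-nat, so dst-address is the server's LAN IP, not the
#    public one.
add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.88.100 dst-port=80 \
    connection-state=new connection-nat-state=dstnat \
    src-address-list=web-allowed action=accept \
    comment="Allow forwarded port 80 from known sources"

# 3. Log and drop new connections to the server from any other WAN source.
add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.88.100 dst-port=80 \
    connection-state=new action=drop log=yes log-prefix="fwd80-deny" \
    comment="Drop other WAN sources to web server"
```

Rules created with add land at the end of the chain, so if your forward chain ends in a "drop all" rule, move these two above it. The fwd80-deny log prefix gives you a quick view of who is probing the forwarded port.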

If you hit any snags, don’t hesitate to reach out. MikroTik’s NAT can seem tricky at first, but once you’ve done it a few times, it’s second nature. Till next time, happy hosting!


Guided with clarity by
Emmanuel Corels – Admin, Emmanuel Corels Creatives

