How to forward a port?
I'm completely new to configuring MikroTik, so please don't judge too harshly. I need to forward port 3998 (let's say). The connection must come from outside; the port is being opened for remote control.
Chain dstnat
Dst. Address - I specify my static IP address from the provider
Protocol tcp
Dst. Port 3998
In. Interface ether1
Action dst-nat
To Addresses - I specify which PC on the LAN to redirect the connection to
To Ports 3998
Maybe I'm doing something wrong? Or is there any action before port forwarding in NAT?
In the forward chain, allow traffic to this host, or even to the whole internal network, plus all established connections.
In the console:
# this is already done:
/ip firewall nat
add action=dst-nat chain=dstnat comment=for_tcp_3998 dst-address=_white_ip_ dst-port=3998 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.x
# for example, allow forwarding just towards the network
# as one of the options
/ip firewall filter
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=forward in-interface=ether1-gateway out-interface=bridge-lan connection-state=new
add action=accept chain=forward in-interface=bridge-lan out-interface=ether1-gateway connection-state=new
### other rules ###
add action=drop chain=forward log=yes log-prefix=DROP_FORWARD_
For port forwarding to work, you must also have masquerading:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
where ether1 is the port to the provider,
and this MikroTik must be the gateway for the PC on the LAN.
In addition to other answers, I will try to explain more simply.
To forward a port, you need to register it in 2 places:
1. Filter rules - allow the forward of this port from outside
2. Directly forward the port in NAT - dstnat to the desired ip
It's worth checking the forward chain, there should be an appropriate allow rule for "To Ports".
If the route for the destination PC is not through the specified "static IP address of the provider" - you need to build routing from the source.
And at the "other end", of course, the port should be listened to :)
My guess: the check of whether the port is open is being made from inside the same network.
Then you also need wiki.mikrotik.com/wiki/Hairpin_NAT
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=31.31.31.31 dst-port=3998 protocol=tcp to-addresses=192.168.1.3
If there are other rules in the firewall, then you need to disable them to check.
I'll put in my 5 cents too.
You haven't provided any input here yet.
For remote use, the default port is 3389/TCP.
In your example it is different.
Did you change it manually? If not, then you won't be able to connect.
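The two pieces the answers above describe (a dst-nat rule plus a matching accept rule in the forward chain), as an added example that is not from any of the posters. Here the forward rule only admits connections that were actually dst-natted to one host and port, and the allowed sources are limited to an address list. The addresses (documentation ranges), the LAN host 192.168.0.10 and the list name remote-admin are constructed assumptions; the interface names follow the first answer.

```routeros
# Added example. All addresses and the list name are constructed placeholders.

# Sources that are allowed to reach the forwarded port
/ip firewall address-list
add list=remote-admin address=203.0.113.10 comment="constructed example source"

# 1. NAT: rewrite the destination of inbound tcp/3998 to the LAN host.
#    198.51.100.20 stands in for the static IP from the provider.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=198.51.100.20 \
    dst-port=3998 in-interface=ether1-gateway src-address-list=remote-admin \
    to-addresses=192.168.0.10 to-ports=3998 comment=for_tcp_3998

# 2. Filter: dstnat happens before the forward chain, so the filter rule
#    sees the translated destination (192.168.0.10:3998), not the public IP.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Accept only new connections that went through the dst-nat rule above,
# instead of every new connection from the WAN side towards the LAN.
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1-gateway \
    protocol=tcp dst-address=192.168.0.10 dst-port=3998
# LAN clients may still open outbound connections
add chain=forward action=accept connection-state=new \
    in-interface=bridge-lan out-interface=ether1-gateway
# Everything else is dropped and logged
add chain=forward action=drop log=yes log-prefix=DROP_FORWARD_

# Check that packets are hitting the rules (counters should increase
# while a connection attempt is made from outside)
/ip firewall nat print stats
/ip firewall filter print stats
```

If the dst-nat counter increases but the forward accept counter does not, the packet is being translated and then dropped by the filter; the DROP_FORWARD_ log entries will show the translated destination it was dropped with.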