What is port forwarding and MikroTik
Port Forwarding on MikroTik
Port forwarding is a network configuration technique that directs incoming traffic on a specific port to a particular internal IP address and port on a local network. This is useful for services like web servers, game servers, or remote desktop access, where external users need to access devices or services within a private local network (LAN) from the internet.
In MikroTik routers, port forwarding is typically configured using NAT (Network Address Translation) rules. These rules are added in the MikroTik firewall to control how incoming packets are handled and forwarded to the appropriate devices inside the network.
When to Use Port Forwarding
Port forwarding is required in the following scenarios:
- Accessing a web server, FTP server, or game server located in your local network from the internet.
- Using remote desktop applications to access a device in the internal network.
- Enabling access to specific applications or services (e.g., surveillance cameras, email servers) on the local network from remote locations.
- Running a VoIP service or similar applications that need to be accessible externally.
How Port Forwarding Works
When an external device (e.g., a remote user) sends a request to your public IP address on a specific port (e.g., HTTP on port 80), the router checks its NAT table for the appropriate forwarding rule. If a matching rule is found, the router will forward that request to the specified internal IP address and port within the local network.
For example:
- You may have a web server running on an internal computer with IP 192.168.1.100 on port 80 (HTTP).
- A port forwarding rule is set on the router to forward any external requests on port 80 to this internal IP address.
Setting Up Port Forwarding on MikroTik Router
Follow these steps to configure port forwarding on a MikroTik router using the WinBox interface or WebFig (the web interface).
Step 1: Identify the Port and Service
Determine which service you want to forward and what port it uses. Common services and ports include:
- HTTP (web servers) – Port 80
- HTTPS (secure web servers) – Port 443
- FTP (file transfer) – Port 21
- SSH (secure shell) – Port 22
- RDP (Remote Desktop Protocol) – Port 3389
- Game servers – Specific game ports (varies by game)
Step 2: Create the Port Forwarding Rule in MikroTik
Log into your MikroTik router using WinBox, WebFig, or SSH.
Go to the NAT settings:
- In WinBox/WebFig, navigate to IP → Firewall → NAT.
Add a new NAT rule:
- Click on the + button to add a new rule.
- In the General tab:
  - Chain: Set this to dstnat (destination NAT).
  - Protocol: Choose the protocol (e.g., tcp for web traffic).
  - Dst. Port: Enter the external port that you want to forward (e.g., 80 for HTTP).
Set the action to forward:
- In the Action tab, choose dst-nat (Destination NAT).
- To Addresses: Enter the internal IP address of the device you want the port to be forwarded to (e.g., 192.168.1.100).
- To Ports: Enter the internal port number (often the same as the external port, e.g., 80 for a web server).
Save the rule by clicking OK.
Example: Forward HTTP (Port 80) to a Web Server
You want to forward HTTP traffic (port 80) to a web server with the internal IP address 192.168.1.100 running on port 80. Configure the following in MikroTik:
- Chain: dstnat
- Protocol: tcp
- Dst. Port: 80
- To Addresses: 192.168.1.100
- To Ports: 80
This rule will forward any incoming traffic on port 80 (HTTP) to the internal server at IP 192.168.1.100 on the same port.
Step 3: Ensure Firewall Rules Allow the Connection
Make sure that the firewall on the MikroTik router allows incoming traffic on the forwarded port.
- Go to IP → Firewall → Filter Rules.
- Ensure there’s a rule allowing incoming traffic on the forwarded port (e.g., port 80 for HTTP).
- If necessary, add a rule to allow the traffic from the outside:
  - Chain: input
  - Protocol: tcp
  - Dst. Port: 80
  - Action: accept
Step 4: Test the Port Forwarding
External Test: From an external network (e.g., using a mobile device or an external computer), try to access your public IP address followed by the forwarded port. For example:
http://<your-public-ip>:80
- If it’s a web server, it should open the web page hosted on the internal server.
Internal Test: You can also test by accessing the internal server from another device on the local network using the local IP address directly.
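The same port forward expressed as RouterOS terminal commands, as an added example that is not part of the original article; ether1 as the WAN interface is an assumption. It scopes the NAT rule to the WAN side and places the accept rule in the forward chain, which is where dst-nat'd packets are filtered, since the input chain only covers traffic addressed to the router itself.

```routeros
# Added example, not from the original article. Assumption: ether1 is the
# WAN interface; 192.168.1.100 and port 80 are the article's sample values.

/ip firewall nat
# As entered in Step 2, the rule has no interface or destination-address
# match, so it also catches LAN clients' outbound TCP/80 and sends it to
# the internal web server:
#   add chain=dstnat protocol=tcp dst-port=80 action=dst-nat
#       to-addresses=192.168.1.100 to-ports=80
# Scoped to packets that arrive on the WAN interface:
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.100 to-ports=80 \
    comment="HTTP to internal web server"

/ip firewall filter
# dstnat rewrites the destination before the routing decision, so the
# packet is routed on to 192.168.1.100 and filtered in the forward chain.
add chain=forward connection-state=established,related action=accept \
    comment="replies for existing connections"
add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.100 dst-port=80 connection-nat-state=dstnat \
    action=accept comment="allow the forwarded HTTP"
add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=!dstnat action=drop \
    comment="drop WAN traffic that was not port-forwarded"
# An accept rule in chain=input for tcp/80 does not affect the forward; it
# opens the router's own port 80 (the www/WebFig service) to the internet.

# Verify: packet counters on the new rules should rise during the
# external test in Step 4.
/ip firewall nat print stats
/ip firewall filter print stats
```

Rules are evaluated top to bottom and `add` appends to the end of the chain, so move the accept rules above any existing drop rule in the forward chain.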
Why configure port forwarding on MikroTik router
Before diving into the configuration, it’s essential to understand the purpose of port forwarding. This technique is commonly used for:
- Remote access to services: Enabling remote access to servers such as FTP, SSH, or DVRs.
- Website hosting: Directing traffic to an internal web server.
- Online gaming: Opening specific ports for online games that require a direct connection to other players.
In this article, we’ll guide you through the step-by-step process of configuring port forwarding on MikroTik using WinBox, its intuitive graphical interface.
Scenario
Let’s configure a scenario where we have an internal web server with the IP address 192.168.0.120, using the standard port 80 (HTTP). To make this server accessible externally, we’ll create a NAT rule on MikroTik that redirects connections from port 9795 on the external interface to port 80 on the internal server. This configuration allows internet traffic destined for port 9795 to be forwarded to the web server.
Setting up port forwarding on MikroTik
In the WinBox main menu, navigate to IP > Firewall.
Creating the NAT Rule
In the NAT tab, click the + button to add a new rule.
In the General tab, fill in the fields:
- Chain – select the “dstnat” option.
- Dst. Address – enter the public IP of the MikroTik.
- Protocol – define the protocol (for this example, TCP was selected).
- Dst. Port – specify the external port to be redirected (for this example, it was 9795).
Define the Action
In the Action tab, fill in the fields:
- Action – select dst-nat.
- To Addresses – enter the IP of the internal server (example: 192.168.0.120).
- To Ports – enter the port of the internal service (example: 80).
- Click OK to save.
Test the Configuration
Access your public IP followed by the configured port (e.g. http://your_public_ip:9795) in a web browser. If the configuration is correct, you will be able to access the internal service.
Important Considerations
- Security: Opening ports exposes your network to potential attacks. Use firewalls and other security measures to protect your devices.
- Standard Ports: Avoid using standard ports for services, such as port 21 for FTP or port 80 for HTTP. Use non-standard ports to make attacks more difficult.
- Multiple Rules: You can create multiple forwarding rules for different services.
- Documentation: Keep a record of forwarding rules to facilitate network management.
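One way to apply the security consideration above to the 9795 scenario, as an added example rather than the article's own configuration: restrict the forward to known source addresses, since a non-standard port is still reachable by anyone who scans for it. The interface name ether1, the list name fwd-allowed, and the documentation addresses 203.0.113.10 and 198.51.100.0/24 are placeholders.

```routeros
# Added example, not from the original article. Placeholders: ether1 (WAN),
# address list "fwd-allowed", 203.0.113.10 (the router's public IP) and
# 198.51.100.0/24 (a remote network that is allowed to connect).

/ip firewall address-list
add list=fwd-allowed address=198.51.100.0/24 comment="remote office (placeholder)"

/ip firewall nat
# The scenario's rule plus a source match: only listed sources are
# translated to the internal server.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=9795 \
    src-address-list=fwd-allowed action=dst-nat \
    to-addresses=192.168.0.120 to-ports=80 \
    comment="9795 to web server, allow-listed sources only"

/ip firewall filter
# The forward chain sees the packet after translation, so the match is on
# the internal address and port 80, not on external port 9795.
add chain=forward protocol=tcp dst-address=192.168.0.120 dst-port=80 \
    src-address-list=fwd-allowed connection-nat-state=dstnat \
    action=accept comment="forwarded web traffic from allowed sources"

# Connections to 9795 from any other source are not translated, stay
# addressed to the router and arrive in the input chain. Log and drop
# them there so probing of the port shows up in the router log.
add chain=input in-interface=ether1 protocol=tcp dst-port=9795 \
    action=drop log=yes log-prefix="fwd-9795-denied" \
    comment="unlisted source tried the forwarded port"

# Review who has been turned away.
/log print where message~"fwd-9795-denied"
```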
Configuring port forwarding on MikroTik using WinBox is a relatively simple task but requires attention to detail. By following this guide and considering the security tips, you can enable remote access to your services securely and efficiently.