If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port or port mapping), you can do it like this:
/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-addresses=192.168.1.1 to-ports=1234
This rule translates to: when an incoming connection requests TCP port 1234, use the DST-NAT action and redirect it to local address 192.168.1.1 and port 1234. Because the rule matches on the destination port alone, with no dst-address or in-interface, it applies to any TCP connection to port 1234 that reaches the dstnat chain.
Port forwarding to internal FTP server
As you can see from the illustration above, FTP uses more than one connection, but only the command channel should be forwarded by destination NAT. The data channel is considered a related connection and should be accepted with an “accept related” rule if you have a strict firewall. Note that for related connections to be properly detected, the FTP helper has to be enabled.
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 dst-port=21 protocol=tcp action=dst-nat to-addresses=192.168.0.109
/ip firewall filter add chain=forward connection-state=established,related action=accept
Note that active FTP might not work if the client is behind a dumb firewall or NATed router, because the data channel is initiated by the server and cannot directly reach the client.
If the client is behind a MikroTik router, make sure that the FTP helper is enabled:
[admin@3C22-atombumba] /ip firewall service-port> print
Flags: X - disabled, I - invalid
 #   NAME    PORTS
 0   ftp     21
 1   tftp    69
 2   irc     6667
 3   h323
 4   sip     5060 5061
 5   pptp
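A tighter version of the FTP forward above, as an added example that is not from the original page. It assumes ether1 is the WAN interface, 203.0.113.10 is the router's public address and 198.51.100.0/24 is the only client network allowed in (all constructed values), and it drops new WAN connections that no dstnat rule translated.

```routeros
# Constructed values: ether1 = WAN interface, 203.0.113.10 = public address,
# 198.51.100.0/24 = the only network allowed to reach the FTP server.
/ip firewall address-list add list=ftp-clients address=198.51.100.0/24

# Forward only the FTP command channel, and only when it arrives on the WAN
# interface, for the public address, from an allowed source.
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 \
    protocol=tcp dst-port=21 src-address-list=ftp-clients \
    action=dst-nat to-addresses=192.168.0.109 to-ports=21

# Strict forward chain. With the FTP helper enabled, data channels are
# classified as "related" and pass the first rule.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop

# New connections entering from WAN are forwarded only if a dstnat rule
# translated them; everything else from WAN is dropped.
/ip firewall filter add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=!dstnat action=drop
```

Filter rules are evaluated in order, so the established,related accept has to stay above the drop rules.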
If you want to link the public IP subnet 220.127.116.11/24 to a local one, 18.104.22.168/24, you should use the destination address translation and source address translation features with action=netmap.
/ip firewall nat add chain=dstnat dst-address=22.214.171.124/24 \
    action=netmap to-addresses=126.96.36.199/24
/ip firewall nat add chain=srcnat src-address=188.8.131.52/24 \
    action=netmap to-addresses=184.108.40.206/24
The same can be written using a different address notation, which still has to match the described network:
/ip firewall nat add chain=dstnat dst-address=220.127.116.11-18.104.22.168 \
    action=netmap to-addresses=22.214.171.124-126.96.36.199
/ip firewall nat add chain=srcnat src-address=188.8.131.52-184.108.40.206 \
    action=netmap to-addresses=220.127.116.11-18.104.22.168