Mikrotik port mapping/forwarding

If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, port mapping), you can do it like this:

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234

This rule translates to: when an incoming connection requests TCP port 1234, use the DST-NAT action and redirect it to local address 192.168.1.1 and the port 1234

Port forwarding to internal FTP server

As you can see from illustration above FTP uses more than one connection, but only command channel should be forwarded by Destination nat. Data channel is considered as related connection and should be accepted with “accept related” rule if you have strict firewall. Note that for related connections to be properly detected FTP helper has to be enabled.

/ip firewall nat
add chain=dstnat dst-address=10.5.8.200 dst-port=21 protocol=tcp action=dst-nat to-addresses=192.168.0.109
/ip firewall filter
add chain=forward connection-state=established,related action=accept

Note that active FTP might not work if client is behind dumb firewall or NATed router, because data channel is initiated by the server and cannot directly access the client.

If client is behind Mikrotik router, then make sure that FTP helper is enabled

[admin@3C22-atombumba] /ip firewall service-port> print 
Flags: X - disabled, I - invalid 
 #   NAME                                                                 PORTS
 0   ftp                                                                  21   
 1   tftp                                                                 69   
 2   irc                                                                  6667 
 3   h323                                                                
 4   sip                                                                  5060 
                                                                          5061 
 5   pptp

1:1 mapping

If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.

/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
	action=netmap to-addresses=2.2.2.0/24

/ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
	action=netmap to-addresses=11.11.11.0/24

Same can be written using different address notation, that still have to match with the described network

/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
	action=netmap to-addresses=2.2.2.0-2.2.2.255

/ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \
	action=netmap to-addresses=11.11.11.0-11.11.11.255

442 total views, 2 views today

Print Friendly