On Mikrotik routers, port forwarding has to be set up quite often. However, both network administrators and unprepared users often find this task quite difficult. The brief instructions below let you carry out any operation of this type, although you will have to tinker a bit.
Configuring Mikrotik with port forwarding. Why is this needed?
Before setting up the router, you should dwell a bit on the principles of port forwarding and on what it is all used for.
By default, Mikrotik is configured so that computers on the internal or external network do not see the IP addresses assigned to other terminals. The so-called masquerade rule is used here: when a request arrives, the router substitutes its own external IP for the address of the machine concerned, while opening the necessary port. As a result, all devices connected to the network see only the router and remain invisible to one another.
In this regard, in some situations for Mikrotik devices port forwarding becomes an absolute necessity. The most common cases are the following:
- organization of remote access to devices on the network based on RDP technologies;
- creating a game or FTP server;
- organization of peer-to-peer networks and setting up the correct functioning of torrent clients;
- access to cameras and video surveillance systems from outside via the Internet.
Web UI Access
So, let's get started. On Mikrotik routers, port forwarding (RDP, FTP, etc.) begins with logging into the device's management system, the web interface. While most well-known routers use 192.168.0.1 or 192.168.1.1 as the standard address, that does not work here.
To get access, enter 192.168.88.1 in the address bar of a web browser (it is best to use standard Internet Explorer), enter admin in the login field and, as a rule, leave the password field empty. If access is blocked for some reason (the router does not accept the login), you will need to reset the settings by pressing the corresponding button or disconnecting the device from power for 10-15 seconds.
General options and settings
You are now logged in to the interface. Now the most important point: in Mikrotik, port forwarding is based on creating so-called exception rules for the Masquerade function (the same masquerade with IP address substitution mentioned above).
In the general settings of the Firewall / NAT section, you will notice that one rule already exists; it is one of the factory settings. In general, port forwarding consists of adding a new rule by pressing the button with a plus sign and then filling in several basic settings fields.
Examples of used ports
Now let's look at some examples of ports in use. Depending on what each open port will be used for, the values may be as follows:
- Torrent: tcp/51413;
- SSH: tcp/22;
- SQL Server: tcp/1433;
- WEB Server: tcp/80;
- telnet: tcp/23;
- RDP: tcp/3389;
- snmp: udp/161, etc.
These values will be used to forward each such port.
Creating rules and selecting actions
Now create a new rule and fill in the settings fields. Be very careful here and start from the direction in which access is required (from the inside out or vice versa).
The parameters should be as follows:
- Chain: srcnat is used for access from the local network to the outside world, dstnat for access to the local network from outside (choose the second option for incoming connections);
- Src. Address and Dst. Address: leave empty;
- Protocol: select either tcp or udp (usually set to 6 (tcp));
- Src. Port: leave empty, i.e. the outgoing port for external connections is not important;
- Dst. Port (destination port): the port from the examples above (for example, 51413 for torrents, 3389 for RDP, etc.);
- Any Port: can be left empty, but if you specify a number, one port will be used both as incoming and outgoing;
- In. Interface: the router's own port is entered (usually ether1-gateway);
- Out. Interface: the outgoing interface (can be skipped).
Note: when forwarding a port for a remote external connection (RDP), the Src. Address field specifies the IP of the remote computer from which access is expected. The standard RDP port is 3389. However, most experts do not recommend doing this, since it is much safer and easier to configure a VPN on the router.
Next, port forwarding on the Mikrotik router involves selecting an action. Here it is enough to specify only three parameters:
- Action: accept (simple method), but dst-nat is specified for external access (you can specify a more advanced netmap setting);
- To Addresses: the internal address of the machine to which the redirection is to take place is entered;
- To Ports: in general, the value is set to 80, but for the correct operation of the same torrent 51413 is indicated.
Mikrotik setup: forwarding FTP ports
Finally, a few words about what settings will be needed for FTP. First of all, you need to configure the FTP server itself, for example, based on FileZilla, but this is a separate conversation. In this case, we are more interested in forwarding Mikrotik FTP ports, rather than server side settings.
It is believed that an FTP server, although it requires a certain range of ports to be specified, works perfectly well on control port 21. That port must be enabled.
As in the general case, you first need to create a new rule, only in this situation there will be two: one for the control port and one for the entire range of ports.
For port 21, the parameters should be as follows:
- Chain: dstnat;
- Dst. Address: the external address of the router (for example, 1.1.1.28);
- Protocol: 6 (tcp);
- Dst. Port: 21;
- In. Interface: ether1-gateway.
The following values are set on the Action tab:
- Action: dst-nat;
- To Addresses: address of the terminal on which the FTP server is installed;
- To Ports: 21.
For a range (for example, 50000-50050), all options are similar, with the exception of two parameters:
- in the general settings, Dst. Port specifies the entire range of ports;
- when selecting the action, the same range is entered in the To Ports field.
Please note that when configuring forwarding for FTP, you need to follow the router's documentation, which says that starting the port range below 1024 is not recommended. This point is also worth considering.
In principle, you can also use Mikrotik's Hairpin NAT function, but it is needed only when you have to reach the external IP from the local network. In general, you do not need to activate it.
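An added example, not part of the original article: a Python check over a constructed NAT export that lists dst-nat rules forwarding the administration ports from the list above (SSH, telnet, SNMP, SQL Server, RDP) without the Src. Address restriction described in the RDP note. The FTP rules from the last section are included to show how port ranges are handled. The export text, addresses and comments are constructed placeholders, and only plain ports, ranges and comma lists are assumed.

```python
import re
import shlex

# Ports from the article's list that expose remote administration or data.
SENSITIVE = {22: "SSH", 23: "telnet", 161: "SNMP", 1433: "SQL Server", 3389: "RDP"}

# Constructed sample in `/ip firewall nat` export layout; addresses are placeholders.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="RDP open" dst-port=3389 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.10 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP limited" dst-port=3390 protocol=tcp \
    src-address=203.0.113.7 to-addresses=192.168.88.11 to-ports=3389
add action=dst-nat chain=dstnat comment="FTP control" dst-port=21 protocol=tcp to-ports=21
add action=dst-nat chain=dstnat comment="FTP range" dst-port=50000-50050 protocol=tcp \
    to-addresses=192.168.88.20 to-ports=50000-50050
add action=dst-nat chain=dstnat comment="SSH alt" dst-port=2222 protocol=tcp \
    to-addresses=192.168.88.30 to-ports=22
"""

def expand(spec):
    """Expand a port spec such as '21', '22-23' or '80,443' into a set of ints."""
    ports = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(export):
    """Return (comment, service) for dst-nat rules open to any source address."""
    findings, in_nat = [], False
    # Exports wrap long rules with a trailing backslash; join them first.
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            if (rule.get("chain"), rule.get("action")) != ("dstnat", "dst-nat"):
                continue
            if "src-address" in rule or "src-address-list" in rule:
                continue
            # The internal service is what gets exposed, so prefer to-ports.
            ports = expand(rule.get("to-ports") or rule.get("dst-port", ""))
            for port in sorted(ports & set(SENSITIVE)):
                findings.append((rule.get("comment", "?"), SENSITIVE[port]))
    return findings

print(audit(SAMPLE_EXPORT))
```

The "SSH alt" rule is reported even though its external port is 2222, because the check looks at the internal To Ports value rather than the public one.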