I set up port forwarding on a Mikrotik router, but the router OS (v6.39.2) seems a lot more complicated than the standard off-the-shelf router interface I am used to. I followed the instructions from here and these are the settings I entered in IP/Firewall/NAT:
- Chain: dstnat
- Protocol: 6 (tcp)
- Dst Port: 8000
- In. Interface: all Ethernet (for testing purposes)
- Action: dst-nat
- Log: yes (for testing purposes)
- To Addresses: 192.168.1.33
- To Ports: 8000
As it doesn't look like port 8000 has officially been opened yet in the outer network (I'm waiting for someone to do that; meanwhile I checked whether it was open with yougetsignal.com), I would like to at least test whether my port-forward rule works within the local network, IF THAT IS POSSIBLE.
When I try to access 192.168.1.1:8000 in a web browser, I see some activity in the rate graph in the NAT rule settings, but the web browser still only gives me a "This site can't be reached" response.
My hope is that it would forward me to 192.168.1.33:8000.
Should this be possible? Or did i do something wrong?
Best Answer
Mikrotik RouterOS is based on the Linux kernel and has inherited most of its networking concepts.
So I'll describe the setup of port forwarding on Mikrotik routers, and I'll try to describe your issue.
If you want to understand it more deeply, you can read the iptables tutorial. It's pretty cool documentation with detailed explanations.
When the packets arrive from outside (the WAN interface), the case is trivial. But when the packets which should be port forwarded arrive from the LAN, something interesting happens.
Suppose a LAN host (192.168.1.Z) opens the `http://<wan-ip>:8000` web page. The TCP packet in the form `192.168.1.Z:Y -> <wan-ip>:8000 TCP [SYN]` originates on the LAN host and is sent to the default gateway (the Mikrotik router), where it matches the `dst-nat` rule. After this action the packet looks like `192.168.1.Z:Y -> 192.168.1.33:8000 TCP [SYN]` and is forwarded to the 192.168.1.33 host.
The 192.168.1.33 host receives the TCP packet in the form `TCP SYN 192.168.1.Z:Y -> 192.168.1.33:8000`, creates the reply in the form `192.168.1.33:8000 -> 192.168.1.Z:Y TCP [SYN-ACK]` and sends it to the LAN host directly. The LAN host receives `192.168.1.33:8000 -> 192.168.1.Z:Y TCP [SYN-ACK]`, but it isn't what the host expects! And this packet will be dropped.
So the 192.168.1.33 host should send its replies to the Mikrotik router, not to the LAN host directly. To do that, you can add an additional `src-nat` rule to the Mikrotik. It makes the Mikrotik rewrite the source address in the port-forwarded packets originating in the LAN. After that the 192.168.1.33 host will see these packets as `192.168.1.1:X -> 192.168.1.33:8000 TCP [SYN]` and send the reply to the Mikrotik. The Mikrotik will do the reverse address translation and all will work.
The forwarded packets also have to be accepted in the `filter/FORWARD` chain.
Obviously, there are enough ways to improve, but the main concept should be clear now.
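The rules the answer describes (the `dst-nat` port forward, the hairpin `src-nat` rule for LAN clients, and the matching `forward` filter rules), written out as a RouterOS script. This is an added example, not the answer's own commands or a Mikrotik-provided config: it assumes the WAN interface is `ether1`, the LAN interface is a bridge named `bridge`, the LAN is 192.168.1.0/24 with the router at 192.168.1.1, and the server is 192.168.1.33:8000; `<wan-ip>` is a placeholder for the router's public address.

```routeros
# Added example, not from the original answer. Assumed names: WAN = ether1,
# LAN = bridge, LAN subnet 192.168.1.0/24, router LAN address 192.168.1.1,
# forwarded server 192.168.1.33:8000. Replace <wan-ip> with the real address.

/ip firewall nat
# 1. The port forward. Matching on dst-address (or dst-address-type=local,
#    which also covers 192.168.1.1 as used in the question's test) instead of
#    "any interface, any destination" keeps the rule from rewriting unrelated
#    LAN-to-LAN traffic that happens to use port 8000.
add chain=dstnat dst-address=<wan-ip> protocol=tcp dst-port=8000 \
    action=dst-nat to-addresses=192.168.1.33 to-ports=8000 \
    comment="forward tcp/8000 to the internal server"

# 2. Hairpin src-nat. Only LAN clients reaching the forwarded server match.
#    After masquerade the server sees 192.168.1.1 as the source, so its
#    SYN-ACK returns through the router, which un-translates it, instead of
#    going straight to the client where it would be rejected.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.33 \
    protocol=tcp dst-port=8000 out-interface=bridge \
    action=masquerade comment="hairpin NAT for LAN clients"

# 3. The usual outbound masquerade towards the Internet.
add chain=srcnat out-interface=ether1 action=masquerade

/ip firewall filter
# Forwarded connections must also pass the forward chain. Accept the
# dst-natted traffic to the server before any rule that drops new
# connections arriving from the WAN.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.1.33 dst-port=8000 action=accept \
    comment="allow the port-forwarded traffic"
add chain=forward connection-state=new in-interface=ether1 action=drop
```

To check the hairpin path from a LAN client, open `http://<wan-ip>:8000` (or, with `dst-address-type=local`, `http://192.168.1.1:8000`) and look at `/ip firewall connection print`: the entry for the connection should show the client's address on the original side and 192.168.1.1 -> 192.168.1.33:8000 on the reply side. If the counters on rule 2 stay at zero while rule 1 counts packets, the src-nat rule is not matching and the server is still replying to the client directly, which is exactly the "site can't be reached" symptom from the question.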