(3) NAT Router Rules (Port Forwarding) in MikroTik RouterOS 

I am now seeing HD resolutions. That should be remarkably better than the previous upload. Enjoy the show!

Hello there. Sorry for necroposting but i must to ask you: do you know why set "to ports" field is not a good idea in case of dst-nat a same external and internal port? I will don't unerstood before guys in one telegram community explain it to me. Of course, it will works. But for a what price? Also I wanna note - it's able to set several ports at one rule or even port ranges. But it works correctly just in case direct PAT(Port-Adress Translation). Also one more thing - it`s don't need to add new firewall filter rule for forwarded ports in RouterOS at near a half of year as far as I remember and maybe more cuz last default drop rule in forward chain looks like "drop all from WAN exept dst-nat" P.S. Hello from Ukraine! You going well =)

Excellent eye, Scott. I didn't expect anyone to catch that, but you're bang-on correct (it's like you can read the future!) During the course of the series, we will be teaching how to limit the connectivity to only certain IP addresses / lists. During that tutorial, we are removing the dnsnat exception from the drop rule. But since we knew we were doing this, we taught to set up the Firewall Rule during this week's tutorial. Otherwise, when we later teach to to change the drop rule, we'll break all the connectivity. It's a bit chicken-and-egg, but we know people will later refer back to this week's tutorial to see how to set up port forwarding, so we wanted to include everything they will inevitably need. Thanks for the comment! And seriously - good eye! Thanks for the tip re. the order as well, I'll look closer on a followup tutorial.

I think the explanation you gave to Scott is invented on the spot, in fact you didn't know what you were doing. if indeed that was you intention, you shouldn't make your tutorials like so. most people search on RU-vid a how to video to make something, apply it and move on. they do not want to watch whole series or videos that didn't come yet or may never will. keep things separated, if you want to make a port forwarding, do a port forwarding video and that's it. don't leave some leftover config for future videos. so in a nutshell, I think you are a nice guy that wants to help people but this video, because you didn't know what you were doing, it's misleading.

indeed. the firewall is very similar to linux iptables (because it uses it under the hood). these must be implemented such that the drop all is at the bottom: on forward and input chains, accept packets incoming from your LAN interface on forward and input chains, accept established and related packets on forward and input chains, drop everything

Is that right? So I could just remove the drop all rule then?

Just lookup what ports your game is using, for example DOOM use 666.

TCP and UDP are protocols, ports are accompanying numbers to these protocols. and yes, it does have them.

set a second rule with dst port 4433 to port 443 to address IP of second device The destination port is the one you have to enter in your browser to access your network, so yournetwork.com:4433 internally goes to the secondary IP:443

@@ChristophWeber77 Thanks! All working

RB3011 works well for me at 1000Mbps with firewall and NAT active...

Actually, I lied, it works external from the network. Thank you!. What about being connected to the local router and using the external IP to hit it? How do I make that work?

@@JerryRigged you need Hairpin NAT for that.

Hi Frank. Please consult your modem's manual / online docs / forums, or provide more information so we can assist.

@@LinuxTechShow That's the problem. I've never been able to find a proper manual for the Arris NVG443B and my ISP (Frontier) won't provide any support for bridging it. I found the cascading router feature in the admin GUI but I don't have a good understanding of what it provides. I guess I'll just keep digging. Unfortunately, I don't have another choice for ISP. Thanks.

@@yourpalfranc If your provider don't help and you're using Mikrotik you can eliminate the double nat by just using static routes.. Don't nat at all! In the Mikrotik just add a default router 0.0.0.0/0 next hop your ISP modem/router.. Just a suggestion.

@@geogmz8277 Thanks for the suggestion. I'm not well versed enough in networking for it to make much sense, so if you can point to some how-to information, I'd really appreciate it. I'll see what I can find. Also, I'm reluctant to go ahead a buy a MicroTik without knowing I can make it work in my network. Thanks again!!

No, that's just to help you remember what the setting is for. Can be helpful, but not required.

You haven't provided a compelling reason. Why?

I would also like to know a good reason why we should stop using web admin. Trashing web UI feels like is a habit that some MikroTik admins just develop. I started administrating MikroTik devices in 2016 and been using web UI unless I need to rescue the device using MAC WinBox. HTTPS (if you set it up correctly) is more secure than WinBox security also.

That is the beauty of this type of firmware - you can use it in the way you like it. Why more advanced users prefer WinBox? Web administrative interface is a bit slower and insecure. WinBox is faster and a bit more secure way, and have embedded terminal. Then the best way of course is to get connect using ssh with certificates. :-) The main issue of the HTTPS is that you have one more service which is give more attack surface for well known methods. Knowing how to create attack based on WinBox is more difficult. Also using WinBox and terminal the admin can use technique known as "port knocking" which may make hacking a bit more difficult with proper scripting. There also good scenarios for using web administration but again - attack to web are much more common and there are plenty ot fools for this.

Winbox manages networks. Web fig manages one device at a time. Web fig is a waste of time.