Syed Jahanzaib Personal Blog to Share Knowledge !

January 29, 2012

Mikrotik / Linux Port Forwarding to Local Server on LAN

Filed under: Linux Related, Mikrotik Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 9:50 AM

Mikrotik Port Forwarding to Local Server

If you want to host any web server (or any other service like RDP or Game Server) behind mikrotik server and you want it to be publicly available for all internet users, you can use port forwarding and create one dstnat rule as below.Just make sure this rule comes above any masquerading rule.





First setup port forwarding in your dsl modem to forward port 80 request to your mikrotik, I am not showing DSL modem config, as its very different for every mode, search for your modem confg page on howto do port forwarding. Just an example here for my Wi.Fi MODEM page.

Then in mikrotik , add an rule to forward port 80 request to your local web server, (one that is hosted behind your mikrotik server, on local user LAN)


/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=WAN2-QUBEE protocol=tcp to-addresses= \

The above rule result would be something like below.


Linux Port Forwarding to Local Server

Linux WAN IP = [Connected with WAN]
Linux LAN IP = [Connected with User LAN]
Mikrotik LAN IP = [Connected with User LAN or with SQUID]

sysctl net.ipv4.ip_forward=1

iptables -t nat -A PREROUTING -p tcp –dport 8291 -j DNAT –to-destination

iptables -t nat -A POSTROUTING -j MASQUERADE

Syed Jahanzaib


  1. my client needs to setup a cctv on his office
    here is my network config.

    Client wireless router IP (wisp mode) =
    Client wireless router internal IP (dhcp) = –

    i already port forward the port 37777 IP in client router

    MIKROTIK Bridge IP =
    ( i didnt set ip for seperate wan & lan, instead of that , i add both interfaces on the bridge.)

    AAA server IP = (bandwidth controlling)
    Wan IP =

    how could i config in my mikrotik router.
    help me
    thanks in advance.

    Comment by tamilmaran — January 29, 2012 @ 6:41 PM

  2. thank’s my bro, it works for me, your tutorials is very great for teaching me:mrgreen:

    Comment by willykk — February 27, 2012 @ 8:34 AM

  3. My network status is as follows :

    1- Load balancer (rb 750)
    WAN1 : WAN2 : WAN3 : WAN4 :
    LAN1 :

    2- HOTSPOT :

    WAN1 :
    LAN1 :

    What should I do.

    Thank you.

    Comment by Muhammad Fawad — March 21, 2012 @ 12:45 PM

  4. what about a reversal of what you just did there? for instance having a local ip address forward to a website? how would this be done?

    Comment by strider — September 16, 2012 @ 10:31 PM

  5. Hi,
    I had configure one static IP into my WIFI modem. I connect a server with this modem through lan .Now my requirement is how to access this server from other network.

    Please help me.
    Thanks in advance…

    Comment by Rahul mahajan — September 18, 2012 @ 11:09 AM

  6. Hi , from Mexico, i have a scenario like this … loadbalancer + port forwarding with issues

    Comment by acriollo — September 26, 2012 @ 5:42 AM

  7. i also do have issue with ( loadbalancer + port forwarding with issues)

    Comment by owais ahmad — October 17, 2012 @ 8:40 PM

  8. Dear Jahanzaib Bhai,
    I want to Allow internet users to play Counter strike on LAN server. I have nth Loadbalancing mikrotik server. please provide the configuration to allow 27015 port.

    Comment by Conquerer — November 12, 2012 @ 3:22 PM

  9. Hi everybody, i tried to do this configuration, but it works only on my LAN. When I try to access my server outside it doesn’t work. Please can you help me ?

    Comment by Yves — November 22, 2012 @ 7:33 PM

  10. Asalamualikum Sir …
    I can get access to mikrotik configured as bridge Point to Point wireless from another place but same big network through a bypass made by my isp
    I wan to accecc the routers connected after that mikrotik bidge mode , how to make forward in bridge mode mikrotik ?

    Please …

    Comment by esalehnet — January 22, 2013 @ 3:50 PM

  11. Dear Syed Jahanzaib vai,
    I am using duel wan pcc load balance in RB450G router. one of my local user ( (real ip) assigned on his TP-Link router’s wan port) using a server connected to his TP-Link router’s Lan port. Now he wants to access the server from outside. though i have given him above mentioned real ip but he can not access the server. he can only ping the server.he also done the port forwarding from his router(TP-Link). what is the solution? plz help me..


    Comment by Md.Arifujjaman — October 6, 2013 @ 7:05 PM

  12. How does this change if you would like to forward to multiple hosts on the LAN serving the same web site, ie load balancing?

    Comment by cp — November 22, 2013 @ 6:29 AM

  13. Thanks Buddy, that port forward topic was bugging me and thanks to your Blog it got solved!
    Greets from Germany🙂

    Comment by ragnar — January 12, 2014 @ 7:33 PM

  14. MY FTP Server on Sub mask get way
    Now I want to forward my REAL IP to port 21 for for FTP server

    Comment by iarifbd — May 15, 2015 @ 1:26 PM

  15. ftp port forwarding mikrotik 450g need help

    Comment by dfghjkl — May 15, 2015 @ 11:25 PM

  16. Sir, Salam and I want to know it is possible to port forwarding In this way…
    Main Wateen router then tplink router then mikrotik router then from mikrotik router with pppoe account to media conveters and again in new tplink router and then into again a mikrotik now I want to port forward for HFS Server and access mikrotik from everywhere port….
    Please reply…

    Comment by Asher Abaid — July 29, 2015 @ 12:30 PM

  17. Assalam Walikum
    Jahanzaib Bhai ek cheez maloom karni thi for webserver behind mikrotik we mark packet and then exempt it in queue but in new version of mikrotik 6.18 they have removed global-in, global-out and global-total so i tried global which is added in MT 6.x but it’s not being exempt


    /ip firewall mangle add chain=prerouting src-address-list=userlist dst-address=webserver action=mark-packet new-packet-mark=ftp-up
    /ip firewall mangle add chain=postrouting dst-address-list=userlist src-address=webserver action=mark-packet new-packet-mark=ftp-down

    /queue type add name=ftp-exempt kind=sfq
    /queue tree add name=ftp-up parent=global packet-mark=ftp-up queue=ftp-exempt max-limit=1000M
    /queue tree add name=ftp-down parent=global packet-mark=ftp-down queue=ftp-exempt max-limit=1000M

    this script is not working and clients are going through their usual limit for webserver and same script if working perfect on other MT v5.18 any suggestion on howto exempt clients on MT v6.18 ?

    waiting for your positive response

    Tahir Ali

    Comment by Tahir — November 23, 2015 @ 4:09 AM

    • use simple queue in 6.x i mentioned about it in my blog as well. for 5.x method is different, for 6.x method is different.

      Comment by Syed Jahanzaib / Pinochio~:) — November 23, 2015 @ 8:47 AM

  18. correction:
    /ip firewall mangle add chain=prerouting src-address-list=userlist dst-address-list=webserver action=mark-packet new-packet-mark=ftp-up
    /ip firewall mangle add chain=postrouting dst-address-list=userlist src-address-list=webserver action=mark-packet new-packet-mark=ftp-down

    Tahir Ali

    Comment by Tahir — November 23, 2015 @ 4:11 AM

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: