Syed Jahanzaib – Personal Blog to Share Knowledge !

January 29, 2012

Mikrotik / Linux Port Forwarding to Local Server on LAN

Filed under: Linux Related, Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 9:50 AM

Mikrotik Port Forwarding to Local Server

If you want to host a web server (or any other service, such as RDP or a game server) behind a Mikrotik server and make it publicly available to all internet users, you can use port forwarding by creating one dstnat rule as shown below. Just make sure this rule comes above any masquerading rule.

Scenario:

DSL MODEM WAN IP = 221.xxx.xxx.xxx
DSL LAN IP = 192.168.1.1

MIKROTIK WAN IP = 192.168.1.2
MIKROTIK LAN IP = 192.168.0.1

WEB SERVER IP = 192.168.0.50

First, set up port forwarding in your DSL modem to forward port 80 requests to your Mikrotik. I am not showing the DSL modem configuration, as it is very different for every modem; search for your modem's configuration page on how to do port forwarding. Here is just an example from my Wi-Fi modem's page.

Then, in Mikrotik, add a rule to forward port 80 requests to your local web server (the one hosted behind your Mikrotik server, on the local user LAN).

MIKROTIK RULE:

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=WAN2-QUBEE protocol=tcp to-addresses=192.168.0.50 \
to-ports=80

The above rule result would be something like below.


Linux Port Forwarding to Local Server

Forward a specific port from the Linux WAN interface to a local server

The ppp0 WAN link, with a static public IP address, is connected to this Linux server, and we want to do port redirection and port forwarding from ppp0 to local servers.


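#!/bin/sh
# Script by Syed Jahanzaib
# 21-FEB-2016

# Flush all rules and delete all user-defined chains in the filter, nat and
# mangle tables (this also removes any filtering rules that were in place)
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X

# Enable IPv4 forwarding on ppp0 and eth0
echo '1' | sudo tee /proc/sys/net/ipv4/conf/ppp0/forwarding
echo '1' | sudo tee /proc/sys/net/ipv4/conf/eth0/forwarding

# 192.168.100.3 is the local LAN server.
# Forward TCP ports 50002 and 4444 arriving on ppp0 to the same ports on it.
sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 50002 -j DNAT --to-destination 192.168.100.3:50002
sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4444 -j DNAT --to-destination 192.168.100.3:4444

# Redirect requests to the server itself, where ppp0 is connected
# (port 1236 stays 1236, port 1235 goes to local port 80).
sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1236 -j REDIRECT --to-port 1236
sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1235 -j REDIRECT --to-port 80

# Masquerade everything leaving this box. No out-interface is given, so
# forwarded connections reach the LAN server with this box's address as source.
sudo iptables -t nat -A POSTROUTING -j MASQUERADE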
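
A tightened variant of the DNAT part of the script above, as an added example (not the author's script): it prints an `iptables-restore` ruleset in which only the forwarded ports may cross from ppp0 to the LAN and masquerading is limited to the WAN side. It assumes ppp0 is the WAN, eth0 is the LAN and the LAN server sends its replies back through this Linux box; the function names are made up for the example, and the REDIRECT rules are left out.

```shell
#!/bin/sh
# Added example, not the author's script: prints an iptables-restore ruleset
# for the DNAT forwards above, with a default-drop FORWARD chain.
# Assumptions: ppp0 = WAN, eth0 = LAN, and the LAN server routes its replies
# back through this box, so masquerading is needed on the WAN side only.
WAN_IF=ppp0
LAN_IF=eth0

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}
# parse_spec WANPORT:LANIP:LANPORT -> sets wan_port, lan_ip, lan_port
parse_spec() {
    wan_port=${1%%:*}; rest=${1#*:}
    lan_ip=${rest%%:*}; lan_port=${rest#*:}
    valid_port "$wan_port" && valid_port "$lan_port" && valid_ipv4 "$lan_ip" && return 0
    echo "invalid forward spec: $1" >&2; return 1
}
build_ruleset() {
    # Validate everything first so a bad spec never yields a partial ruleset.
    for spec in "$@"; do parse_spec "$spec" || return 1; done
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for spec in "$@"; do
        parse_spec "$spec"
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport $wan_port -j DNAT --to-destination $lan_ip:$lan_port"
    done
    # Masquerade only traffic leaving via the WAN, so the LAN server still
    # logs the real client address of forwarded connections.
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j MASQUERADE" 'COMMIT' \
        '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    for spec in "$@"; do
        parse_spec "$spec"
        # After DNAT the packet carries the LAN address and port.
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $lan_ip --dport $lan_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}
# The two DNAT forwards from the script above.
build_ruleset 50002:192.168.100.3:50002 4444:192.168.100.3:4444
```

Review the output and check it with `iptables-restore --test` before loading it; loading it replaces the whole nat and filter tables.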

 

Regards,

Syed Jahanzaib

23 Comments »

  1. My client needs to set up CCTV at his office.
    Here is my network config.

    Client wireless router IP (wisp mode) = 192.168.150.53
    Client wireless router internal IP (dhcp) = 192.168.1.2 – 192.168.1.254

    I already port forwarded port 37777 to IP 192.168.1.8 in the client router.

    MIKROTIK Bridge IP = 192.168.200.4
    (I didn't set IPs for separate WAN & LAN; instead, I added both interfaces to the bridge.)

    AAA server IP = 192.168.150.1 (bandwidth controlling)
    Wan IP = 59.144.xxx.xxx

    How can I configure this in my Mikrotik router?
    Help me.
    Thanks in advance.

    Comment by tamilmaran — January 29, 2012 @ 6:41 PM

  2. Thanks my bro, it works for me, your tutorials are very great for teaching me :mrgreen:

    Comment by willykk — February 27, 2012 @ 8:34 AM

  3. My network status is as follows :

    1- Load balancer (rb 750)
    WAN1 : 192.168.1.1 WAN2 : 192.168.2.1 WAN3 : 192.168.3.1 WAN4 : 192.168.4.1
    LAN1 : 192.168.11.1

    2- HOTSPOT :

    WAN1 : 192.168.11.2
    LAN1 : 192.168.10.1

    What should I do?

    Thank you.

    Comment by Muhammad Fawad — March 21, 2012 @ 12:45 PM

  4. What about a reversal of what you just did there? For instance, having a local IP address forward to a website? How would this be done?

    Comment by strider — September 16, 2012 @ 10:31 PM

  5. Hi,
    I have configured one static IP on my Wi-Fi modem. I connected a server to this modem through the LAN. Now my requirement is how to access this server from another network.

    Please help me.
    Thanks in advance…

    Comment by Rahul mahajan — September 18, 2012 @ 11:09 AM

  6. Hi, from Mexico. I have a scenario like this … load balancer + port forwarding with issues

    Comment by acriollo — September 26, 2012 @ 5:42 AM

  7. I also have an issue with (load balancer + port forwarding with issues)

    Comment by owais ahmad — October 17, 2012 @ 8:40 PM

  8. Dear Jahanzaib Bhai,
    I want to allow internet users to play Counter-Strike on a LAN server. I have an nth load-balancing Mikrotik server. Please provide the configuration to allow port 27015.
    Thanks

    Comment by Conquerer — November 12, 2012 @ 3:22 PM

  9. Hi everybody, I tried to do this configuration, but it works only on my LAN. When I try to access my server from outside, it doesn’t work. Can you please help me?

    Comment by Yves — November 22, 2012 @ 7:33 PM

  10. Asalamualikum Sir …
    I can get access to a Mikrotik configured as a point-to-point wireless bridge from another place, but on the same big network, through a bypass made by my ISP.
    I want to access the routers connected after that bridge-mode Mikrotik. How do I do forwarding on a Mikrotik in bridge mode?

    Please …

    Comment by esalehnet — January 22, 2013 @ 3:50 PM

  11. Dear Syed Jahanzaib vai,
    I am using dual WAN PCC load balancing on an RB450G router. One of my local users (182.16.157.82 (real IP) assigned on his TP-Link router’s WAN port) is using a server connected to his TP-Link router’s LAN port. Now he wants to access the server from outside. Though I have given him the above-mentioned real IP, he cannot access the server; he can only ping the server. He has also done the port forwarding from his router (TP-Link). What is the solution? Please help me.

    Thanks
    Md.Arifujjaman

    Comment by Md.Arifujjaman — October 6, 2013 @ 7:05 PM

  12. How does this change if you would like to forward to multiple hosts on the LAN serving the same web site, ie load balancing?

    Comment by cp — November 22, 2013 @ 6:29 AM

  13. Thanks Buddy, that port forward topic was bugging me and thanks to your Blog it got solved!
    Greets from Germany 🙂

    Comment by ragnar — January 12, 2014 @ 7:33 PM

  14. My FTP server is on 192.168.2.223, subnet mask 255.255.255.0, gateway 192.168.2.1.
    Now I want to forward my REAL IP to port 21 for 192.168.2.223 for the FTP server.
    Thanks http://www.iarifbd.com

    Comment by iarifbd — May 15, 2015 @ 1:26 PM

  15. ftp port forwarding mikrotik 450g need help http://www.iarifbd.com

    Comment by dfghjkl — May 15, 2015 @ 11:25 PM

  16. Sir, Salam. I want to know whether it is possible to do port forwarding in this way…
    Main Wateen router, then TP-Link router, then Mikrotik router, then from the Mikrotik router with a PPPoE account to media converters, and again into a new TP-Link router and then again into a Mikrotik. Now I want to port forward for an HFS server and access the Mikrotik from everywhere port….
    Please reply…

    Comment by Asher Abaid — July 29, 2015 @ 12:30 PM

  17. Assalam Walikum
    Jahanzaib Bhai, I wanted to ask one thing: for a web server behind Mikrotik, we mark packets and then exempt them in the queue, but in the new version of Mikrotik, 6.18, they have removed global-in, global-out and global-total, so I tried global, which was added in MT 6.x, but it’s not being exempted.

    userlist=192.165.0.0/24
    webserver=10.15.200.0/24

    /ip firewall mangle add chain=prerouting src-address-list=userlist dst-address=webserver action=mark-packet new-packet-mark=ftp-up
    /ip firewall mangle add chain=postrouting dst-address-list=userlist src-address=webserver action=mark-packet new-packet-mark=ftp-down

    /queue type add name=ftp-exempt kind=sfq
    /queue tree add name=ftp-up parent=global packet-mark=ftp-up queue=ftp-exempt max-limit=1000M
    /queue tree add name=ftp-down parent=global packet-mark=ftp-down queue=ftp-exempt max-limit=1000M

    This script is not working and clients are going through their usual limit for the web server, while the same script is working perfectly on another MT v5.18. Any suggestion on how to exempt clients on MT v6.18?

    Waiting for your positive response.

    Regards
    Tahir Ali

    Comment by Tahir — November 23, 2015 @ 4:09 AM

  18. Correction:
    /ip firewall mangle add chain=prerouting src-address-list=userlist dst-address-list=webserver action=mark-packet new-packet-mark=ftp-up
    /ip firewall mangle add chain=postrouting dst-address-list=userlist src-address-list=webserver action=mark-packet new-packet-mark=ftp-down

    Regards
    Tahir Ali

    Comment by Tahir — November 23, 2015 @ 4:11 AM

  19. Hello all, I want to open a port for a Counter-Strike 1.6 server. Can anyone help me? I use a Wi-Fi modem!

    Comment by gamelovers6 — March 29, 2017 @ 12:45 AM

