Cannot set up port forwarding on Mikrotik
Hi guys,
Hope someone here will be able to help me.
My ISP provides a ZTE router, to which I have my MikroTik RB4011 connected. I also have a public IPv4 address (dynamic = changes when the ZTE router is rebooted).
The IP of the Mikrotik in the ZTE network is 192.168.1.4/24
Network on Mikrotik is: 192.168.64.0/18 with masquerade enabled, so all devices have access to internet.
DMZ on ZTE is enabled and set up for 192.168.1.4
Now, what I want to reach is:
When reaching my public IP 109.XXX.XXX.XXX, I want this traffic to be forwarded to the VM with IP 192.168.88.123.
I tested several rules, but none of them worked:
/ip/firewall/nat> add chain=dstnat action=dst-nat dst-port=80 dst-address=192.168.1.1 protocol=tcp to-addresses=192.168.88.123
Another
ip firewall/ nat add chain=srcnat src-address=192.168.1.1 dst-address=192.168.88.123 out-interface=ether10 action=masquerade
/ip/firewall/filter> add action=accept chain=foward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new disabled=no in-interface=ether1
Both rules I tried to set up did not work.
The schema of what I want to reach looks like below:
109.XXX.XXX.XXX/192.168.1.1 -> 192.168.1.4 (192.168.64.0/18) -> 192.168.88.123
Does anyone know how I can fix this? I tried many more solutions found on Google, but none of them worked.
Comments
So you have a double incoming NAT? Why? Set up your ZTE as a bridge or a modem.
Anyhow all rules will only work if your ZTE forwards dst NAT as well, but it seems stupid.
Obviously it "might" work but what you are looking for is ZTE manual, not RouterOS.
Provider allows setting up ZTE in bridge mode, I tested it, but it caused a lot of trouble including lack of TV over IP.
Completely unrelated. Unless you have some ZTE box with IPTV subscription in it.
In any case, look at my reply above. You first need to make your previous box NAT you inside your Mikrotik box, then DNAT it and SNAT it back as you wish.
In the second rule, the source won't be 192.168.1.1, it'll be the public IPv4 from somewhere on the Internet. (The original IP needs to be retained so the receiver can reply back).
But double NAT is almost always bad. Try and figure out the ZTE modem in bridge mode by seeing what other routes and rules it has. TV stuff might be IGMP related or some multicast stuff.
Or replace the Mikrotik with a simple GUI NAT router.
/ip/firewall/nat> add chain=dstnat action=dst-nat dst-port=80 dst-address=192.168.1.1 protocol=tcp to-addresses=192.168.88.123
dst-address should be 192.168.1.4
If the ZTE runs in route WAN mode, there is no need to add firewall NAT rules/masquerade on the Mikrotik. Just add a static route on the ZTE: 192.168.64.0 gateway 192.168.1.4 subnet 255.255.192.0. This will prevent double NAT.
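The corrections from the replies above, put together as a RouterOS configuration. This is an added example, not part of any post in the thread. It assumes ether1 is the MikroTik port facing the ZTE (taken from the in-interface in the original filter rule) and that the ZTE DMZ delivers packets with destination 192.168.1.4 and the Internet client's source address unchanged.

```routeros
# Added example, not from the thread.
# Assumptions: ether1 faces the ZTE; the ZTE DMZ rewrites the destination to
# 192.168.1.4 and leaves the source (the Internet client) untouched.

# Rule as posted: never matches, because 192.168.1.1 is the ZTE's own address,
# not the destination the MikroTik sees after the DMZ rewrite.
# /ip/firewall/nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
#     dst-address=192.168.1.1 to-addresses=192.168.88.123

# Corrected dst-nat: match the MikroTik's address on the ZTE LAN, limited to
# the ZTE-facing interface and to the single port being published.
/ip/firewall/nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    in-interface=ether1 dst-address=192.168.1.4 \
    to-addresses=192.168.88.123 to-ports=80 comment="HTTP to VM"

# Forward filter: accept only new connections that were dst-natted and arrived
# on ether1. The chain name must be "forward"; a misspelled name creates a
# custom chain that no traffic passes through. Keep this rule above any drop
# rule in the forward chain.
/ip/firewall/filter add chain=forward action=accept in-interface=ether1 \
    connection-nat-state=dstnat connection-state=new \
    comment="Allow port forwarding"

# No srcnat rule is needed for the replies: connection tracking reverses the
# dst-nat on the return path, so a rule keyed on src-address=192.168.1.1 would
# never match anyway (the source is the Internet client's address).

# While testing from outside the network, check that the counters increase.
/ip/firewall/nat print stats where chain=dstnat
/ip/firewall/filter print stats where chain=forward
```

If the dstnat counter stays at zero during an outside test, the packets are not reaching the MikroTik with destination 192.168.1.4, and the ZTE DMZ setting is the place to look.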