Here is the link to the documentation about NAT: help.mikrotik.com/docs/display/ROS/NAT
Have fun (seriously) :)
Awesome Saint Javelin t-shirt! Thanks for support both informational and hardware. Love you guys!
Is it a form of worship to governor's boot between breeches?
Hello, thank you for teaching how to port forward ipv6 in Mikrotik router❤❤❤
Nice T-Shirt, very strong statement!🔨💪
I am from Indonesia, thank you, the information really helped me
To the point and accurate. Thank you.
Rule added by quickset is wrong. It will do dst-nat to all of packets coming from wan to lan AND from lan to wan. If you will add rule to port forward tcp:80 to 192.168.88.99:80, it will break all connections from lan to wan:80. It is because of in-interface or in-interface-list is not added.
You are completely right, good eye. We will fix this bug, thanks!
Yes but you can add these in the NAT list. From his explanation this is clearly designed as a quick and simple way to forward specific individual ports to single IP's, not the blanket and generic forwarding you mentioned.
@@mikrotik When are you fixing this? I just ran into this problem.
@@mikrotik any update on this? I found a workaround, but having a simple way of port forwarding would be great
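Added example (not from the video or from MikroTik): the over-broad rule described in the first comment of this thread next to a version scoped to WAN ingress, in RouterOS CLI. The interface name ether1 is an assumption; 192.168.88.99 and the list name WAN come from the comments on this page.

```routeros
# Added illustration. Assumed: ether1 is the WAN-facing interface.

# The interface list the scoped rule depends on. Skip the first line if a
# list named WAN already exists on the router.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# Over-broad form described in the comment (kept commented out). With no
# in-interface or in-interface-list matcher it rewrites every tcp/80 packet
# that passes through the router, including LAN clients browsing outside sites.
# /ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
#     to-addresses=192.168.88.99 to-ports=80

# Scoped form: only packets arriving on a WAN-list interface are rewritten.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    in-interface-list=WAN to-addresses=192.168.88.99 to-ports=80 \
    comment="fwd tcp/80 to 192.168.88.99, WAN ingress only"

# Check: browse an outside http:// site from a LAN client, then read the
# counters. The scoped rule's packet count must not increase from LAN traffic.
/ip firewall nat print stats where chain=dstnat
```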
Thanks sir, it's very helpful
THANK YOU!
I finally got my Minecraft server to work, I have literally spent over 10h trying to fix it.....😄
UPNP can be dangerous :) Someone printed a page on 80'000 printers because of this. There's an episode of darknet diaries about it.
So if your router, devices and software have UPNP enabled, it can open ports you don't know about and don't need to have open to the internet. Manually you can limit access from certain countries, an ISP, IP range or even a single IP address.
You have to manually enable it also in the app, so at least you can’t have such things happen without knowing. Also, what printer needs to open ports from the internet? Curious 🤨😂
Yep, UPNP is as dangerous as "manually opening ports"
You need to have whatever program to actually open it, instead of you doing the opening manually you let the app do it.
I know I'm 2 years too late, but I have UPnP enabled for my video game consoles in a specific IP range on the network, then I've set up firewall rules to accept UPnP traffic from that range, and deny it from any other IP. This is the unfortunate reality for consoles to get better NAT, and ports to open for specific games.
/ip firewall filter add chain=forward src-address=192.168.88.151-192.168.88.160 action=accept
/ip firewall filter add chain=forward src-address=!192.168.88.151-192.168.88.160 action=drop
Adjust IP's for your environment
You should add a Disable option into the Quick Set's Port Mapping, like in Firewall tab.
In case anyone is getting the "Couldn't add new port mapping - WAN port list is missing (6)" error message, here's how to fix it
In Winbox, go to Interfaces>Interface List> Click on Lists > Add a new list and call it WAN > close the Interface Lists window>then in Interface List add your WAN interface to the WAN list
Hi normis,
in the next video, would you be able to explain to us what input/output does for NAT on v7
you can use the new input chain for some rare and complex scenarios, where your address should be changed before or after routing actions take place, see stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png
You have such a cool t-shirt, thanks for wearing it! Thank you for being with us!
Nice T-Shirt! Thanks from Ukraine! And thanks for the manual!
We don't need to add any filter rules to allow the NAT connection?
Good morning,
I did it the same way as in your video with the difference that I have different ip address values. I think I should have it set up correctly. The only thing that bothers me is whether it works as it should. When I look into IP/Firewall/Nat - here I look at the created 4 port forwarding rules for one online game, so the first two rules are ( for port: 27015 and 27036 ) the other rules are for the TCP protocol and the others are the UDP protocol ( for the port: 27015 and 27031-27036 ) so I look at it and there is no data flowing at all. I still have 0 B in the Bytes column, so I doubt port forwarding is working for me :(
I am very "anti quickset". Opening Quickset and hitting apply on ANYTHING has broken running configurations, more than once.
Could an option be added to hide quickset in winbox?
Also... On NAT... Maybe show people how to use IP cloud to make NAT rules more specific.
Quickset should not break anything, if you do encounter such a scenario, let us know. By the way, closing and not using Quickset is also an option :) Why disable
@@mikrotik Quickset breaks the configuration when the PPPoE credential of the ISP needs a VLAN tag; if you apply, you lose the connection. For the Quickset menu only eth1 or SFP can be WAN.
But that's not a big deal; the more you dig into RouterOS, the less you need Quickset.
Awesome background 💛💙
can i specify which ip addresses can connect on my network?
Yes, you can use the src-address property help.mikrotik.com/docs/display/ROS/NAT#NAT-Properties
It's a good video, but if you're using Minecraft as an example, you should use port 25565, as you can mislead unfamiliar people. :)
Last time I understood this properly was when I configured firewall on Slackware Linux in 2003 or so for dial up internet and one small company using iptables.
But what I found somewhat weird on Mikrotik - I could not make it work. I used the textbook example from the manual. I tried to copy this rule to input and forward and nothing, not a single packet captured by the rules. After tens of minutes, I disconnected my phone from wifi, used termux and ssh, and it worked. It somehow seems like if the connection comes from the internal network, to the WAN IP address, it's not captured. Is there a way to fix this? Something like: if the destination IP from whatever interface matches the IP assigned to the router by DHCP, then forward port 2222 to homeserver:22?
Post your config on our forum forum.mikrotik.com
@@mikrotik Thanks, I solved it using claude ai. problem is missing SNAT rule for server reply - by default, it contacts client directly, so there's mismatch between request going to WAN IP and reply coming from server's IP.
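Added example (not from the thread participants or from MikroTik): the hairpin case discussed in this thread, where a LAN client connects to the router's WAN address and the server's reply bypasses the router. The server address 192.168.88.10 and the LAN subnet 192.168.88.0/24 are assumptions; the 2222 to 22 mapping is the one from the question.

```routeros
# Added illustration. Assumed: home server at 192.168.88.10, LAN 192.168.88.0/24.

# 1) Destination NAT matched on the destination address instead of the
#    ingress interface. dst-address-type=local matches any address the router
#    itself holds, so it keeps working when the DHCP-assigned WAN address
#    changes and it also catches LAN clients that dial the WAN address.
#    Caveat: it matches the router's LAN address on tcp/2222 as well.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=2222 \
    dst-address-type=local to-addresses=192.168.88.10 to-ports=22 \
    comment="fwd tcp/2222 to homeserver:22"

# 2) Hairpin rule. Without it the server sees the LAN client's real address
#    and answers it directly on the LAN; the client sent its SYN to the WAN
#    address, so it discards a reply coming from 192.168.88.10. Masquerading
#    LAN->server flows makes the reply return through the router, which
#    reverses both translations. In srcnat the packet already carries the
#    translated destination, so the match is on port 22, not 2222.
/ip firewall nat add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.88.0/24 dst-address=192.168.88.10 dst-port=22 \
    comment="hairpin for homeserver:22"

# Check: connect from a LAN client to <WAN address>:2222 and confirm that
# both rules count packets.
/ip firewall nat print stats
```

With the masquerade rule in place the server logs the router's LAN address as the source of hairpinned sessions, so its sshd logs no longer distinguish individual LAN clients on that path.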
Mikrotik RB4011iGS+RM how many rules does this support?
No limit, you can make 1000, 2000 rules if you want.
@@mikrotik thank you
I need help with a MikroTik extender
Thanks for explaining. I am new to MikroTik, still it is interesting. I need a suggestion and help please: I have two MikroTik routers having different ISPs as well as different local networks "each"; however, I connected them to each other through interface "4" and I need to forward SIP telephone from one MikroTik to another. Is there any guide to do that? Thanks in advance...
There are a lot of ways to do it depending on your requirements, but if your SIP server had a static IP, you could add a static route on your network where you have your SIP device and put your SIP server as the destination and put the gateway as the IP of your second router where you want the traffic to go through. Just make sure the second gateway has a route to reach back to the main client.
A question ??? I have the clients in PPPoE mode on the MikroTik CCR1009-7G-1C-1S+ but I want to add a MyCloudPR4100 NAS for movies.. OK, my question: how can I install it on the MikroTik CCR1009-7G-1C-1S+ so that my clients can see it ???
Great, I added the NAT rule using the advanced menu, but it didn't work. Then I went through the same process using Quickset and that did the trick. Strange, both rules were the same hahaha.
Hi, I need help. I used Winbox, set up TCP and UDP dstnat in the firewall NAT because you need both for a Rust server, and it still doesn't work. I need help :D
I open correctly port on pc, but block the internet connection why?
This must have been changed since then. following these instructions leads to an error "Couldn't add new port mapping - WAN port list is missing (6)"
have you ever solved this?
@@robkojabko yeah, I bought a ubiquiti UDM SE
@@robkojabko In Winbox, go to Interfaces>Interface List> Click on Lists > Add a new list and call it WAN > close the Interface Lists window>then in Interface List add your WAN interface to the WAN list
it doesn't port forward on LAN only the WAN / static ip... wtf is up with that - i don't get it
I'm trying to figure out port forwarding but this doesn't look anything like my router which is model hAP ac Lite. I'm in the UK, are they different here?
No, the interface is identical. Are you connecting to the right device? Send us a screen capture, email support@mikrotik.com and we will help
@@mikrotik I had the same problem, but figured out quickly that I was still running RouterOS v6 on my router -> no port mapping.
I have had it for a year. I always thought that System -> Auto Upgrade being empty meant there were no updates available; found out now that the updating part is actually in the Quick Set menu lol
What about a video: how to setup 802.11r fast roaming? 😏
@@orgind7778 the original comment was sarcastic and aiming at a lack of 802.11 k v r and wave 2 and wifi 6
There is no button called port mapping in my winbox
i have container inside MikroTik, how to forward the port?
We talk about it in this video ruclips.net/video/UMcJs4oyHDk/видео.html
I have a problem.
Couldn't add new port mapping - WAN port list missing
Can You help me?, please
have you ever solved this?
No port mapping button for me 🤷🏾♂️
Why is your RouterOS set to v7.2.3, whereas mine is 6.49.6? Note: I have checked for updates and installed the latest updates according to my Winbox application. Perhaps you have different hardware and v6.49.6 is the latest OS for my hardware? Thank you for the video, and I love Mikrotik :)
Choose the upgrade channel UPGRADE; that way you can move to the next big version
Love the t-shirt!
Very nice shirt!
I have an Ubuntu server from America
and I have a MIKROTIK device at home (local)
I want to connect my Ubuntu server to Mikrotik at home using ssh port
Because in Iran VPN works with ssh port
When I connect the ssh port of Ubuntu server to Mikrotik, my web traffic can open all sites
Like a VPN server can pass traffic
I request you to send me the tutorial for this item
Or tell me its instructions
Or send me a video tutorial of it
Here we are under very bad conditions in terms of filtering sites
And we cannot connect to the sites
I did all you said but still my friends couldn't connect to my server
And let holy Javelin bless you.
Great t-shirt 😇
Nice shirt!
Love the t-shirt lol
Hi from Ukraine 💛💙
Does not work if you are on a vlan. Just set it up in the firewall settings but add "ALL VLAN" under in-interface. That's for kiwi's with Mikrotik. Love to hate it!
valheim mentioned
That studio colors and Normis shirt, THX Normis/Mikrotik. You are AWESOME. SLAVA UKRAJINI !!!
Thank you!!!
all i wish from winbox is ability to hide config menus for users :( there are so many i want to hide some for myself.
There is such possibility. Will make a video about it
Nice shirt 🚀
For the uninformed among us, the image on the shirt is one of "St. Javelin". A photoshopped icon of Mary holding a Javelin missile launcher.
Not just that, it's a symbol for a movement
@@mikrotik Wolfsangel it's a symbol too. as a black sun. what's your next t-short ?
@@alexandroskolkov2231 burned ruzzian flag
Nice lighting !
Thanks, hope you like the shirt too :)
Maybe the next video could be on blocking Countries by IP address lists?
@@mikrotik I was a mikrotik user, but no more. Instead of you working on network related topics, here you go promoting weaponry and death by association. Team Ubiquiti it is from now on 🙂
Nice way of losing your customers.
Thanks, nice t-shirt
25565
1:32 until he stops talking about the obvious and starts explaining how to do it
Actually mate I think everything you said before 1:32 is the very reason why somebody would watch your video in the first place.
When you did get on topic your advice and description was clear and precise and easy to follow. Thank you. Really helpful.
Nice T-Shirt 👌
Nice T-Shirt and background
Like for T-Shirt
Nice shirt)
hi, l2tp + ipsec is very slow, around 1Mbit. how to fix speed?
On what kind of device?
@@mikrotik CRS112-8G-4S-IN
@@BlackDwarfa this is a switch. You need a router to do VPN
@@normis99 ok, but it works. it's not big problem...
move to wireguard?
Cool t-shirt!
L2TP hungup disconnected every 2 minutes.
I do not understand how incompatibility between devices of the same brand is possible.
Need to check logs. Devices can’t be incompatible, but configuration can be incomplete
like
Why couldn't you just simply cast the desktop screen instead of showing a fancy studio...... seriously........................................ try following the video on your own
the more I watch the angrier I get. seriously...
God bless Saint Javelin! Slava Ukraini!
Nice T-shirt Javelin for more freedom 🙄
T-shirt 5+
MikroTik is now focused mainly on consumer applications. Minecraft, seriously? Don't you need to specify the dst.address literally, or dst. address type 'local', so it only acts on the router's IPs? That's how I've always set up dst-nat.
We still make 100Gbit switches and routers, check our other videos.
Yes, there are many ways to set up DST-NAT, you can specify interfaces etc. There are many ways to set up a MikroTik ;)
Technically, professional/power users know what a NAT is and how it works. It's more for home users who have a MikroTik router in their home (from their ISP, for example).
Wine sucks! Mikrotik should build a proper Winbox for MacOS.
Did you watch the video at all? 🙄
Skip to 7:05 and listen closely.
fuu
Why, when I try to telnet (public ip : forwarded port), does the terminal show this message: 04:49:26 echo: system,error,critical login failure for user enable from 89.37.95.164 via telnet. And when I paste my public IP in search, it redirects me to the MikroTik login page
And my friends can't connect to the Minecraft server :) Glory to Ukraine!!!
great tutorial except it is not working on default mikrotik config. congratulations for posting not working tutorial