Here is the link to the documentation about NAT: help.mikrotik.com/docs/display/ROS/NAT
Have fun (seriously) :)
Awesome Saint Javelin t-shirt! Thanks for support both informational and hardware. Love you guys!
Is it a form of worship to governor's boot between breeches?
Rule added by quickset is wrong. It will do dst-nat to all packets coming from wan to lan AND from lan to wan. If you add a rule to port forward tcp:80 to 192.168.88.99:80, it will break all connections from lan to wan:80. It is because in-interface or in-interface-list is not added.
You are completely right, good eye. We will fix this bug, thanks!
Yes but you can add these in the NAT list. From his explanation this is clearly designed as a quick and simple way to forward specific individual ports to single IPs, not the blanket and generic forwarding you mentioned.
@@mikrotik When are you fixing this? I just ran into this problem.
@@mikrotik any update on this? I found a workaround, but having a simple way of port forwarding would be great
Thanks sir, it's very helpful
Nice T-Shirt, very strong statement!🔨💪
Good morning,
I did it the same way as in your video with the difference that I have different ip address values. I think I should have it set up correctly. The only thing that bothers me is whether it works as it should. When I look into IP/Firewall/Nat - here I look at the created 4 port forwarding rules for one online game, so the first two rules are ( for port: 27015 and 27036 ) the other rules are for the TCP protocol and the others are the UDP protocol ( for the port: 27015 and 27031-27036 ) so I look at it and there is no data flowing at all. I still have 0 B in the Bytes column, so I doubt port forwarding is working for me :(
UPNP can be dangerous :) Someone printed a page on 80'000 printers because of this. There's an episode of darknet diaries about it.
So if your router, devices and software have UPNP enabled, it can open ports you don't know about and don't need to have open to the internet. Manually you can limit access from certain countries, an ISP, IP range or even a single IP address.
You have to manually enable it also in the app, so at least you can’t have such things happen without knowing. Also, what printer needs to open ports from the internet? Curious 🤨😂
Yep, UPNP is as dangerous as "manually opening ports"
You need to have whatever program to actually open it, instead of you doing the opening manually you let the app do it.
I know I'm 2 years too late, but I have UPnP enabled for my video game consoles in a specific IP range on the network, then I've set up firewall rules to accept UPnP traffic from that range, and deny it from any other IP. This is the unfortunate reality for consoles to get better NAT, and ports to open for specific games.
/ip firewall filter add chain=forward src-address=192.168.88.151-192.168.88.160 action=accept
/ip firewall filter add chain=forward src-address=!192.168.88.151-192.168.88.160 action=drop
Adjust IP's for your environment
You should add a Disable option into the Quick Set's Port Mapping, like in Firewall tab.
THANK YOU!,
I finally got my Minecraft server to work, I have literally spent over 10h trying to fix it.....😄
I am from Indonesia, thank you, the information really helped me
I am very "anti quickset". Opening Quickset and hitting apply on ANYTHING has broken running configurations, more than once.
Could an option be added to hide quickset in winbox?
Also... On NAT... Maybe show people how to use IP cloud to make NAT rules more specific.
Quickset should not break anything, if you do encounter such a scenario, let us know. By the way, closing and not using Quickset is also an option :) Why disable
@@mikrotik Quickset breaks the configuration when the PPPoE credential of the ISP needs a VLAN Tag, if you apply you lose the connection. For the Quickset menu only eth1 or SFP can be WAN.
But that's not a big deal, the more you dig into RouterOS, the less you need Quickset.
Hello, thank you for teaching how to port forward ipv6 in Mikrotik router❤❤❤
In case anyone is getting the "Couldn't add new port mapping - WAN port list is missing (6)" error message, here's how to fix it
In Winbox, go to Interfaces>Interface List> Click on Lists > Add a new list and call it WAN > close the Interface Lists window>then in Interface List add your WAN interface to the WAN list
We don't need to add any filter rules to allow the NAT connection?
You have such a cool t-shirt, thanks for wearing it! Thank you for being with us!
can i specify which ip addresses can connect on my network?
Yes, you can use the src-address property help.mikrotik.com/docs/display/ROS/NAT#NAT-Properties
Hi normis,
in the next video, would you be able to explain to us what input/output does for NAT on v7
you can use the new input chain for some rare and complex scenarios, where your address should be changed before or after routing actions take place, see stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png
Last time I understood this properly was when I configured firewall on Slackware Linux in 2003 or so for dial up internet and one small company using iptables.
But what I found somewhat weird on Mikrotik - I could not make it work. I used a textbook example from the manual. I tried to copy this rule to input and forward and nothing, not a single packet captured by rules. After tens of minutes, I disconnected phone from wifi, used termux and ssh, it worked. It somehow seems like if connection comes from internal network, to WAN IP address, it's not captured. Is there a way to fix this? Something like if destination IP from whatever interface matches IP assigned to router by DHCP then forward port 2222 to homeserver:22?
Post your config on our forum forum.mikrotik.com
@@mikrotik Thanks, I solved it using claude ai. problem is missing SNAT rule for server reply - by default, it contacts client directly, so there's mismatch between request going to WAN IP and reply coming from server's IP.
Thanks for explaining. I am new to mikrotik still it is interesting, I need suggestion and help please, I have two mikrotik routers having different isps as well as different local networks " each ", however I connected them to each other through interface " 4" and I need to forward SIP telephone from one mikrotik to another, is there any guide to do that? Thanks in advance...
There are a lot of ways to do it depending on your requirements, but if your SIP server had a static IP, you could add a static route on your network where you have your SIP device and put your SIP server as the destination and put the gateway as the IP of your second router where you want the traffic to go through. Just make sure the second gateway has a route to reach back the main client.
A question ??? I have the Clients in PPPoE mode on the Mikrotik CCR1009-7G-1C-1S+ but I want to add a MyCloudPR4100 NAS For Movies.. OK my Question how can I Install it on the Mikrotik CCR1009-7G-1C-1S+ So that my Clients can see it ???
Why is your RouterOS set to v7.2.3, whereas mine is 6.49.6? Note: I have checked for updates and installed the latest updates according to my Winbox application. Perhaps you have different hardware and v6.49.6 is the latest OS for my hardware? Thank you for the video, and I love Mikrotik :)
Choose upgrade channel UPGRADE, that way you can move to the next big version
Hi, I need help. I used Winbox, used the firewall NAT, set up TCP and UDP dstnat because you need both for a Rust server, and it still doesn't work. I need help :D
Mikrotik RB4011iGS+RM how many rules does this support?
No limit, you can make 1000, 2000 rules if you want.
@@mikrotik thank you
I'm trying to figure out port forwarding but this doesn't look anything like my router which is model hAP ac Lite. I'm in the UK, are they different here?
No, the interface is identical. Are you connecting to the right device? Send us a screen capture, email support@mikrotik.com and we will help
@@mikrotik I had the same problem, but figured out quickly that I was running routerOS v6 still on my router -> no port mapping,
I have had it for a year, I always thought System -> Auto Upgrade being empty meant that there were no updates available, found out now that the updating part is actually in quick set menu lol
To the point and accurate. Thank you.
Nice T-Shirt! Thanks from Ukraine! And thanks for the manual!
I need help with a MikroTik extender
I open correctly port on pc, but block the internet connection why?
i have container inside MikroTik, how to forward the port?
We talk about it in this video th-cam.com/video/UMcJs4oyHDk/w-d-xo.html
I have a problem.
Couldn't add new port mapping - WAN port list missing
Can You help me?, please
have you ever solved this?
it doesn't port forward on LAN only the WAN / static ip... wtf is up with that - i don't get it
Great, I added the NAT rule using the advanced menu, but it didn't work. Then I went through the same process using quickset and that did the trick. Strange, both rules were the same hahaha.
There is no button called port mapping in my winbox
I did all you said but still my friends couldn't connect to my server
No port mapping button for me 🤷🏾♂️
This must have been changed since then. following these instructions leads to an error "Couldn't add new port mapping - WAN port list is missing (6)"
have you ever solved this?
@@robkojabko yeah, I bought a ubiquiti UDM SE
@@robkojabko In Winbox, go to Interfaces>Interface List> Click on Lists > Add a new list and call it WAN > close the Interface Lists window>then in Interface List add your WAN interface to the WAN list
I have an Ubuntu server from America
and I have a MIKROTIK device at home (local)
I want to connect my Ubuntu server to Mikrotik at home using ssh port
Because in Iran VPN works with ssh port
When I connect the ssh port of Ubuntu server to Mikrotik, my web traffic can open all sites
Like a VPN server can pass traffic
I request you to send me the tutorial for this item
Or tell me its instructions
Or send me a video tutorial of it
Here we are under very bad conditions in terms of filtering sites
And we cannot connect to the sites
Awesome background 💛💙
Does not work if you are on a vlan. Just set it up in the firewall settings but add "ALL VLAN" under in-interface. That's for kiwi's with Mikrotik. Love to hate it!
It's a good video, but if you're using Minecraft as an example, you should use port 25565, as you can mislead unfamiliar people. :)
What about a video: how to setup 802.11r fast roaming? 😏
@@orgind7778 the original comment was sarcastic and aiming at a lack of 802.11 k v r and wave 2 and wifi 6
all i wish from winbox is ability to hide config menus for users :( there are so many i want to hide some for myself.
There is such possibility. Will make a video about it
That studio colors and Normis shirt, THX Normis/Mikrotik. You are AWESOME. SLAVA UKRAJINI !!!
valheim mentioned
L2TP hungup disconnected every 2 minutes.
I do not understand how incompatibility between devices of the same brand is possible.
Need to check logs. Devices can’t be incompatible, but configuration can be incomplete
hi, l2tp + ipsec is very slow, around 1Mbit. how to fix speed?
On what kind of device?
@@mikrotik CRS112-8G-4S-IN
@@BlackDwarfa this is a switch. You need a router to do VPN
@@normis99 ok, but it works. it's not big problem...
move to wireguard?
Very nice shirt!
And let holy Javelin bless you.
For the uninformed of us, the image on the shirts is one of "st. Javelin". A photoshopped icon of Mary holding a Javelin missile launcher.
Not just that, it's a symbol for a movement
@@mikrotik Wolfsangel it's a symbol too. as a black sun. what's your next t-shirt ?
@@alexandroskolkov2231 burned ruzzian flag
Nice shirt!
Hi from Ukraine 💛💙
Love the t-shirt!
Nice lighting !
Thanks, hope you like the shirt too :)
Maybe the next video could be on blocking Countries by IP address lists?
@@mikrotik I was a mikrotik user, but no more. Instead of you working on network related topics, here you go promoting weaponry and death by association. Team Ubiquiti it is from now on 🙂
Nice way of losing your customers.
Nice shirt 🚀
Mikrotik is now focused mainly on consumer applications. Minecraft, seriously? Don't you need to specify the dst.address literally, or dst. address type 'local', so it only acts on the router's IPs? That's how I've always set up dst-nat.
We still make 100Gbit switches and routers, check our other videos.
Yes, there are many ways to set up DST-NAT, you can specify interfaces etc. There are many ways to set up a MikroTik ;)
Technically, professional/power users know what a NAT is and how it works. It's more for home users who have a mikrotik router in their home (from their ISP for example).
Great t-shirt 😇
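Two threads above raise the same scoping point: a dst-nat rule with no in-interface or in-interface-list also rewrites LAN-to-WAN traffic, and one commenter scopes with dst-address or dst-address-type instead. The check below flags rules that have none of these matchers. It is an added example, not code from the video or from MikroTik; it assumes input in the text form printed by `/ip firewall nat export`, the function names are hypothetical and the sample export is constructed.

```python
import shlex

# Matchers that tie a dst-nat rule to traffic aimed at the router's WAN side.
SCOPING_KEYS = ("in-interface", "in-interface-list",
                "dst-address", "dst-address-type")

# Constructed sample export, not taken from a real router.
SAMPLE_EXPORT = r'''
# constructed sample
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    192.168.88.99 to-ports=80
add action=dst-nat chain=dstnat dst-port=25565 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.88.50 to-ports=25565
add action=dst-nat chain=dstnat comment="ssh to homeserver" \
    dst-address-type=local dst-port=2222 protocol=tcp to-addresses=\
    192.168.88.10 to-ports=22
'''


def parse_export(text):
    """Parse NAT rules from export text into a list of {property: value} dicts."""
    rules, pending, in_nat = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and not pending):
            continue
        if line.endswith("\\"):
            # Export wraps long lines with a trailing backslash, sometimes
            # in the middle of a key=value pair, so join without a space.
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            # Section header, or the one-line "/ip firewall nat add ..." form.
            in_nat = line.startswith("/ip firewall nat")
            line = line[len("/ip firewall nat"):].strip() if in_nat else ""
        if in_nat and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):
                key, sep, value = token.partition("=")
                rule[key] = value if sep else ""
            rules.append(rule)
    return rules


def unscoped_dstnat(rules):
    """Return enabled dst-nat rules that match packets from every interface."""
    findings = []
    for rule in rules:
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        if rule.get("disabled") == "yes":
            continue
        if not any(rule.get(key) for key in SCOPING_KEYS):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for rule in unscoped_dstnat(parse_export(SAMPLE_EXPORT)):
        print("unscoped dst-nat:", rule.get("protocol"), rule.get("dst-port"),
              "->", rule.get("to-addresses"))
```

On the sample, only the tcp:80 forward to 192.168.88.99 is reported; the other two forwards carry in-interface-list=WAN or dst-address-type=local.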
25565
Like for T-Shirt
Nice T-Shirt and background
Love the t-shirt lol
Thank you!!!
1:32 until he stops talking about the obvious and starts explaining how to do it
Actually mate I think everything you said before 1:32 is the very reason why somebody would watch your video in the first place.
When you did get on topic your advice and description was clear and precise and easy to follow. Thank you. Really helpful.
Why couldn't you just simply cast the desktop screen instead of showing a fancy studio...... seriously........................................ try following the video on your own
the more I watch the angrier I get. seriously...
Thanks, nice t-shirt
Why, when I try to telnet (public ip : forwarded port), does the terminal show this message: 04:49:26 echo: system,error,critical login failure for user enable from 89.37.95.164 via telnet. And when I paste my public ip in search - it redirects me to Mikrotik login page
And my friends can't connect to minecraft server :) Glory to Ukraine!!!
Nice T-Shirt 👌
Nice shirt)
Cool t-shirt!
Wine sucks! Mikrotik should build a proper Winbox for MacOS.
Did you watch the video at all? 🙄
Skip to 7:05 and listen closely.
T-shirt 5+
like
Nice T-shirt Javelin for more freedom 🙄
God bless Saint Javelin! Slava Ukraini!
fuu
great tutorial except it is not working on default mikrotik config. congratulations for posting not working tutorial