FixPedia
Other

Port Forwarding on MikroTik: Set Up in 15 Minutes

This guide explains in detail how to set up port forwarding on MikroTik routers with RouterOS. You will learn to create NAT rules and configure the firewall to provide external access to local devices (web server, IP camera, game server).

Updated at February 17, 2026
15-20 minutes
Medium
FixPedia Team
Применимо к:MikroTik RouterOS v6.45+hEX, RB, CCR series routers

Introduction / Why This Is Needed

Port forwarding on a MikroTik router allows you to make services running in your local network (web server, security camera, game host, SSH server) accessible from the global internet. Without this configuration, all incoming connections from the internet will be blocked by the router's firewall, as internal devices are behind NAT.

After completing this guide, you will be able to:

  • Access the web interface of an IP camera from any computer in the world.
  • Allow connections to a remote desktop (RDP) or SSH server.
  • Set up hosting for a multiplayer game.

⚠️ Important: Port forwarding reduces security, as it "exposes" a service to the internet. Make sure to:

  1. Use strong passwords for the services.
  2. Restrict access by IP in firewall rules, if possible.
  3. Regularly update the service software and RouterOS.

Requirements / Preparation

Before you begin, ensure you have:

  1. Access to the MikroTik RouterOS interface (via WinBox, WebFig, or SSH).
  2. A working local service (e.g., a web server on 192.168.88.100:80), accessible from the internal network.
  3. A static IP address for the internal device (configured via DHCP Reservation or manually on the device itself).
  4. A public IP address from your ISP (if you have a dynamic IP, a DDNS service will be required).
  5. Basic knowledge of networking, IP addressing, and ports.

Step 1: Determining Port Forwarding Parameters

Before creating rules, gather the following information:

  • External Port (Public Port) — the port the router will listen on from the internet (e.g., 8080).
  • Internal IP Address — the local server address (e.g., 192.168.88.100).
  • Internal Port — the port on which the service runs on the server (e.g., 80 for HTTP).
  • ProtocolTCP, UDP, or both. For a web server, usually TCP; for VoIP or games, UDP may be required.

Example:
You want a security camera at 192.168.88.50:8080 to be accessible from the internet on port 8090. Then:

  • External Port: 8090
  • Internal IP: 192.168.88.50
  • Internal Port: 8080
  • Protocol: TCP (if the camera uses only TCP).

Step 2: Creating a NAT Rule (dst-nat)

A dst-nat (destination NAT) rule redirects incoming traffic from the external interface and port to the internal address.

  1. Open RouterOS.
  2. Go to IP → Firewall → NAT.
  3. Click the '+' (Add) button to create a new rule.
  4. Fill in the fields:
    • Chain: dstnat
    • Src. Address: leave blank (or specify a particular IP if you want to restrict access).
    • Dst. Address: your public IP (can leave 0.0.0.0/0 if you have a single public IP).
    • Protocol: select tcp, udp, or 6 (TCP) / 17 (UDP).
    • Dst. Port: the external port (e.g., 8090).
    • In. Interface: the interface from which traffic arrives (usually ether1 or sfp1 — the WAN port). Can be left blank for the rule to work on all interfaces.
  5. In the Action tab, select dst-nat.
  6. Specify:
    • To Addresses: the internal IP (192.168.88.50)
    • To Ports: the internal port (8080)
  7. Click OK.

Example rule in the RouterOS command line:

/ip firewall nat add chain=dstnat protocol=tcp dst-port=8090 \
in-interface=ether1 action=dst-nat to-addresses=192.168.88.50 to-ports=8080

Step 3: Configuring Firewall Rules (Filter Rules)

By default, RouterOS blocks all incoming connections except replies to outgoing ones. You must explicitly allow traffic on the forwarded port.

  1. Go to IP → Firewall → Filter Rules.
  2. Create a new rule ('+').
  3. Configure:
    • Chain: input
    • Protocol: the same as in the NAT rule (tcp).
    • Dst. Port: the external port (8090).
    • In. Interface: the same interface as in the NAT rule (ether1).
  4. In the Action tab, select accept.
  5. Place this rule above the rules that block everything (usually the rule with action=drop in the input chain). In the interface, you can drag it or change the number.

💡 Tip: For security, restrict the rule by source (Src. Address) if you know a static office IP or use DDNS. For example: Src. Address=94.25.150.32/32.

Example firewall rule:

/ip firewall filter add chain=input protocol=tcp dst-port=8090 \
in-interface=ether1 action=accept comment="Allow camera access"

Step 4: Verification

  1. Local check: Ensure the service is accessible from the local network via the internal IP and port.
  2. External check:
    • Find your public IP (visit a site like 2ip.ru or whatismyip.com).
    • From another device (e.g., mobile internet), open in a browser: http://your_public_ip:external_port (e.g., http://95.142.12.34:8090).
    • If the service requires HTTPS, use https://.
  3. Port check: Use online port scanners (e.g., ping.eu/port-chk) to confirm the port is open and the router is listening.
  4. RouterOS Logs: In Log, you can see if packets are arriving. Filter by topic=firewall,debug.

Step 5: Advanced Settings (Optional)

Port Range Forwarding

If you need to forward a range (e.g., for P2P games), specify ports with a hyphen: Dst. Port=3478-3480.

Forwarding UDP and TCP Simultaneously

Create two separate NAT rules (with protocol=tcp and protocol=udp) and two firewall rules, or one rule with protocol=udp,tcp (in RouterOS, you can specify with a comma).

Hairpin NAT (Access from Local Network via External IP)

If you want devices on the local network to access the service via the external IP and port, set up Hairpin NAT. This is a separate topic, but briefly:

  1. In NAT, add a rule with chain=srcnat, src-address=192.168.88.0/24, action=masquerade.
  2. In dstnat, add a rule with in-interface=bridge-local (or your local interface) and to-addresses=192.168.88.50.

Common Issues

ProblemSolution
Port closed, external scanner doesn't see it1. Check that the NAT and firewall rules are active and in the correct order.
2. Ensure your ISP isn't blocking the port (try a different one, like 8080).
3. Verify the service is listening on the internal port (netstat -an on the server).
Access exists, but service doesn't respond1. Check that the internal service is configured to listen on all interfaces (0.0.0.0), not just 127.0.0.1.
2. Ensure there is no firewall on the server itself (e.g., iptables on Linux).
Works only from local network1. Check your public IP — you might have CG-NAT from your ISP. You'll need a static IP or carrier-level port forwarding.
2. Ensure you are using the correct public IP (not an internal 192.168.x.x address).
Rules disappear after router rebootSettings should persist. If not — check for write permissions and whether scripts or configuration backups are overwriting them.
Port conflictIf the internal server already uses the port you are forwarding, change the internal service port or choose a different external port.

Final Recommendations

  • Document your rules: Use the comment field in NAT and Filter Rules so you don't forget what each rule does later.
  • Test from different networks (mobile internet, a friend's house).
  • Keep RouterOS updated for security.
  • Use monitoring: In Tools → Torch, you can observe traffic on the port.

If access still doesn't work after all checks, temporarily disable the firewall (/ip firewall set [find] disabled=yes) to rule out rule issues, but do this only for diagnostics and for a short time.

F.A.Q.

What is port forwarding and why is it needed?
Why isn't my port forwarding working after setup?
Which ports are safe to open for remote access?
Can I forward a port without a static IP on the internal device?

Hints

Preparation: Determine local IP and port
Create the NAT rule (dst-nat)
Configure the firewall rule
Verify functionality

Did this article help you solve the problem?

FixPedia

Free encyclopedia for fixing errors. Step-by-step guides for Windows, Linux, macOS and more.

© 2026 FixPedia. All materials are available for free.

Made with for the community