0

I'm trying to open a port on MikroTik. This is what I've done:

  • Menu: IP > Firewall > NAT

  • Add new

  • In the General section, I set: Chain: dstnat, Protocol: 6 (TCP), Dst. Port: 5252

  • In the Action section, I set: Action: dst-nat, To Addresses: 192.168.1.236, To Ports: 5252

I save the configuration.

But when I test the port, it says the port is closed. What have I done wrong? What else should I do? Thank you!

1
  • Just to make sure: you do have a public IP address and are not subject to carrier-grade NAT, right? What's the Mikrotik router's WAN IP address? What's next after the Mikrotik router on your path to the internet? A DSL or cable modem?
    – Daniel B
    Commented Jun 15 at 18:50

2 Answers

1

First, the DNAT rule only performs address rewriting – you also need a filter rule that allows the packets to be forwarded. Add one under IP > Firewall > Filter to the forward chain.

"Port forwarding" in home routers usually combines both rules into one configuration, but under the hood they're two separate things and RouterOS also keeps them separate (very much like iptables does on Linux).

  • 'Forward' filtering is checked after DNAT (but before SNAT), so if you're adding individual rules for each forwarded port, the filter rule should check for the new destination address and port, e.g.:
    dst-address=192.168.1.236 protocol=tcp dst-port=5252 action=accept.

  • Alternatively, you can add a catch-all rule that automatically allows everything that has already matched a DNAT rule by checking conntrack, e.g.:
    connection-nat-state=dstnat action=accept

Second, look at your rule counters to make sure the rule is actually being matched; it could be that your ISP (or something else along the way) prevents the inbound packets from arriving at your router in the first place. If needed, enable logging on your rules or even add some additional action=log, and use the packet capture tool (/tool/sniffer/quick) if you have any doubts about packets arriving.

Finally, external tests can't really distinguish between "rejected by the router" and "rejected by the internal host", as the internal host borrows the router's IP address so they both look the same from the outside. That is to say, even if your port-forwarding rules are all good, the server itself needs to accept the connection – it needs to have something listening on that port and its firewall rules need to accept it on input – for the port to appear "open".

2
  • Checking on yougetsignal.com/tools/open-ports, the port is closed. I'm using the port for Remote Desktop access, and the server that accepts this connection is OK. Commented Apr 15 at 14:53
  • I've opened the filter rule in the forward chain in the firewall, but the situation remains the same. Commented Apr 15 at 16:05
0

What you've done should work.

So the next step is troubleshooting why it isn't working.

If you have a laptop, connect your wifi with your mobile hotspot to place yourself outside of the network.

Assuming you are on Windows, download paping. After you have saved it, open a command prompt and navigate to the location you saved paping to.

Run paping and ping the WAN IP and port, e.g. paping 123.45.67.89 -p 5252

Paping will now test the connection every second. Either it times out (with red text) or it pings successfully (with green text).

If it's green, everything works.

While paping runs, go to your NAT rule's Statistics page and make sure you see spikes in the graph. If you see them, the MikroTik side is set up correctly. If you don't, then the NAT rule is not even reached.

If the NAT rule works, make sure that the server you're connecting to is not blocking the connection and that the service isn't down. Also double-check the IP address.

If the NAT rule doesn't work, ensure that you are testing from OUTSIDE and that internal routing and firewall rules are not blocking it. Also, you may need to add a masquerade rule if you are indeed inside.

4
  • On all lines, paping says: Connection timed out. During this time the statistics on the NAT rule are empty. Commented Apr 15 at 14:36
  • So if the statistics page is not plotting a line, either you are not pinging from outside the network, or another rule in the MikroTik catches your NAT rule, and it never gets there. You can make a rule in the firewall table and check the statistics there. The firewall is hit before the NAT.
    – LPChip
    Commented Apr 15 at 15:03
  • I've made a rule in the firewall: Chain: forward, Action: Accept, and in the statistics there are lines. Commented Apr 15 at 15:10
  • Good. Now move that line to the bottom in the firewall and see if it still happens. Then you know if the firewall is intercepting your rule or not. If not, remove the firewall rule, then in NAT, move that rule all the way to the top. If the NAT rule works at the top, move it down until it no longer works, then you know what rule is conflicting with your new NAT rule.
    – LPChip
    Commented Apr 15 at 18:25
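Added example (not from the question or either answer): a RouterOS CLI version of what both answers describe, i.e. the question's dst-nat rule, the forward-chain accept rule the first answer says is missing (both the specific and the connection-nat-state=dstnat variant), and the counter, log and sniffer checks that the first answer and the second answer's "watch the rule statistics" step rely on. The port 5252 and host 192.168.1.236 are the question's values; the uplink name ether1 and the WAN interface list are assumptions (the list exists in the default configuration), and place-before=0 is an assumption that the accept rules must land above whatever drop rules already exist in the forward chain.

```routeros
# --- NAT: rewrite the destination of inbound TCP/5252 (the question's rule) ---
# in-interface-list=WAN is an assumption (default config defines a WAN list);
# it stops the rule from also matching LAN-originated traffic.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=5252 \
    action=dst-nat to-addresses=192.168.1.236 to-ports=5252 \
    comment="fwd 5252 -> 192.168.1.236"

# --- Filter: DNAT only rewrites; the forward chain still has to accept it ---
# Option A (specific): match the post-DNAT destination, as the first answer notes.
/ip firewall filter
add chain=forward in-interface-list=WAN protocol=tcp \
    dst-address=192.168.1.236 dst-port=5252 action=accept \
    comment="allow forwarded 5252" place-before=0

# Option B (catch-all): accept any new connection conntrack already DNATed.
# Use one or the other; both are listed for comparison.
add chain=forward connection-nat-state=dstnat connection-state=new \
    action=accept comment="allow all DNATed connections" place-before=0

# --- Checks while a client OUTSIDE the network connects to WAN-IP:5252 ---
# Counters: packets/bytes should grow on the NAT rule and on the accept rule.
/ip firewall nat reset-counters-all
/ip firewall filter reset-counters-all
/ip firewall nat print stats where comment~"5252"
/ip firewall filter print stats where chain=forward

# Temporary log rule (remove afterwards) in prerouting: fires before NAT,
# so it shows whether the inbound SYNs reach the router at all.
/ip firewall mangle
add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=5252 \
    action=log log-prefix="in5252" comment="temp: debug 5252"
/log print where message~"in5252"

# Packet capture on the uplink (ether1 is an assumption): proves whether the
# ISP actually delivers the packets, independent of any firewall rule.
/tool sniffer quick interface=ether1 port=5252
```

If the sniffer and the prerouting log rule never see the SYN, the problem is upstream of the router (no public IP, carrier-grade NAT, or ISP filtering) and no rule ordering will fix it; if they do but the NAT counters stay at zero, a rule earlier in the dstnat chain is matching first; if NAT counts but the forward accept does not, a drop rule sits above it.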
