Posted on

MikroTik Guide: Port Forwarding Not Working? Here’s How to Fix It

Port forwarding is essential when you need to make internal services (like web servers, surveillance cameras, or remote desktop) accessible from the internet. MikroTik routers fully support port forwarding using NAT (dst-nat), but many users struggle to make it work correctly.

In this guide, we’ll explain the most common port forwarding problems on MikroTik and provide a step-by-step solution to correctly configure both NAT and firewall rules.

Step-by-Step: Correct MikroTik Port Forwarding Setup

Step 1: Create the Port Forwarding Rule (NAT)

  • Go to IP → Firewall → NAT and add:
  • Chain: dstnat
  • Protocol: tcp (or udp if needed)
  • Dst. Port: External port you want to forward (e.g., 8080)
  • In. Interface: Your WAN interface (e.g., ether1 or pppoe-out1)
  • Action: dst-nat
  • To Address: Internal device IP (e.g., 192.168.1.100)
  • To Ports: Internal service port (e.g., 80)

Step 2: Allow Traffic in the Firewall (If Needed)

If your firewall is strict, add a rule in IP → Firewall → Filter Rules.

  • Go to IP → Firewall → Filter Rules and add:
  • Chain: forward
  • Protocol: tcp
  • Dst. Port: 8080
  • Action: accept

Step 3: Test from External Network

Use your phone (disable WiFi) or ask a friend to test:

http://your-public-ip:8080

Step 4: (Optional) Add Hairpin NAT for Internal Access via Public IP

/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.100 out-interface=bridge action=masquerade

Most Common Port Forwarding Problems and Solutions

1. Incorrect NAT Rule

Problem: Missing or incorrect dst-nat rule.

Solution: Create a correct NAT rule for port forwarding:

/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 in-interface=ether1 action=dst-nat to-addresses=192.168.1.100 to-ports=80

2. Firewall Blocking Traffic

Problem: Traffic gets blocked by firewall filter rules even if NAT is correct.

Solution: Allow forwarded traffic in firewall:

/ip firewall filter add chain=forward protocol=tcp dst-port=8080 action=accept

3. Wrong Interface Selection

Problem: NAT rule applied to wrong interface (WAN interface not selected correctly).

Solution: Make sure your rule uses the correct WAN interface like ether1, pppoe-out1, or LTE interface.

4. Double NAT (Router Behind ISP Router)

Problem: ISP router blocks incoming traffic, so your MikroTik never sees it.

Solution: Either put the ISP router in bridge mode, or forward ports on both routers.

5. Testing from Inside the LAN (Missing Hairpin NAT)

Problem: Works from outside, but fails from inside your network when using public IP.

Solution: Add hairpin NAT rule:

/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.100 out-interface=bridge action=masquerade

6. ISP Blocks Certain Ports

Problem: ISP blocks common ports like 80 or 25 (especially on residential connections).

Solution: Use alternate ports like 8080, 8443, or 2222.

Bonus Tip: Dynamic DNS for Changing IPs

If your public IP changes frequently, use a free service like MikroTik’s built-in Cloud DNS, DuckDNS, or No-IP  to always access your router via a hostname instead of IP.

Quick Checklist

  • ✅ Correct NAT rule in place
  • ✅ Firewall rule added if necessary
  • ✅ Correct WAN interface selected
  • ✅ External test works
  • ✅ Hairpin NAT added if needed

Conclusion

Most port forwarding failures on MikroTik are caused by simple misconfigurations — wrong NAT rule, firewall blocking, or double NAT. By following this checklist, you can solve 90% of port forwarding issues quickly.

Need help with MikroTik hardware or configuration? Visit NASSTORE.eu for expert advice, support, and high-quality networking equipment.