Port forwarding is essential when you need to make internal services (like web servers, surveillance cameras, or remote desktop) accessible from the internet. MikroTik routers fully support port forwarding using NAT (dst-nat), but many users struggle to make it work correctly.
In this guide, we’ll explain the most common port forwarding problems on MikroTik and provide a step-by-step solution to correctly configure both NAT and firewall rules.
Step-by-Step: Correct MikroTik Port Forwarding Setup
Step 1: Create the Port Forwarding Rule (NAT)
- Go to IP → Firewall → NAT and add:
- Chain: dstnat
- Protocol: tcp (or udp if needed)
- Dst. Port: External port you want to forward (e.g., 8080)
- In. Interface: Your WAN interface (e.g., ether1 or pppoe-out1)
- Action: dst-nat
- To Address: Internal device IP (e.g., 192.168.1.100)
- To Ports: Internal service port (e.g., 80)
Step 2: Allow Traffic in the Firewall (If Needed)
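If your firewall is strict (the forward chain ends in a drop rule), add an accept rule above that drop rule.
- Go to IP → Firewall → Filter Rules and add:
- Chain: forward
- Protocol: tcp
- Dst. Port: 80 (the internal port: the forward chain sees the packet after dst-nat has already rewritten 8080 to 80)
- Action: accept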
Step 3: Test from External Network
Use your phone (disable WiFi) or ask a friend to test:
http://your-public-ip:8080
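Step 4: (Optional) Add Hairpin NAT for Internal Access via Public IP
When a LAN client connects to the public IP, the server answers the client directly with its LAN address and the client discards the reply. Masquerading LAN-to-server traffic forces the replies back through the router:
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.100 out-interface=bridge action=masquerade
The dst-nat rule from Step 1 matches only packets arriving on the WAN interface, so LAN clients also need a dst-nat rule that matches on the public IP (Dst. Address) instead of In. Interface.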
Most Common Port Forwarding Problems and Solutions
1. Incorrect NAT Rule
Problem: Missing or incorrect dst-nat rule.
Solution: Create a correct NAT rule for port forwarding:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 in-interface=ether1 action=dst-nat to-addresses=192.168.1.100 to-ports=80
2. Firewall Blocking Traffic
Problem: Traffic gets blocked by firewall filter rules even if NAT is correct.
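Solution: Allow forwarded traffic in the firewall. The forward chain sees packets after dst-nat, so match the internal port (80), not the external one (8080), and place the rule above any drop rule:
/ip firewall filter add chain=forward protocol=tcp dst-port=80 action=accept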
3. Wrong Interface Selection
Problem: NAT rule applied to wrong interface (WAN interface not selected correctly).
Solution: Make sure your rule uses the correct WAN interface, like ether1, pppoe-out1, or the LTE interface.
4. Double NAT (Router Behind ISP Router)
Problem: ISP router blocks incoming traffic, so your MikroTik never sees it.
Solution: Either put the ISP router in bridge mode, or forward ports on both routers.
5. Testing from Inside the LAN (Missing Hairpin NAT)
Problem: Works from outside, but fails from inside your network when using public IP.
Solution: Add hairpin NAT rule:
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.100 out-interface=bridge action=masquerade
6. ISP Blocks Certain Ports
Problem: ISP blocks common ports like 80 or 25 (especially on residential connections).
Solution: Use alternate ports like 8080, 8443, or 2222.
Bonus Tip: Dynamic DNS for Changing IPs
If your public IP changes frequently, use a free service like MikroTik’s built-in Cloud DNS, DuckDNS, or No-IP to always access your router via a hostname instead of IP.
Quick Checklist
- ✅ Correct NAT rule in place
- ✅ Firewall rule added if necessary
- ✅ Correct WAN interface selected
- ✅ External test works
- ✅ Hairpin NAT added if needed
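The first three checklist items can be checked mechanically. The script below is an added example, not part of the original guide or of RouterOS: it reads rules written as one-line commands in the form used above and reports dst-nat rules that are not limited to a WAN interface or address, and dst-nat rules with no forward accept rule matching the translated port (which only matters when the forward chain drops by default). The names parse_rule, covers and audit, the finding labels and the sample rules are assumptions made for illustration.

```python
import shlex

def parse_rule(line):
    """Split '/ip firewall <table> add k=v ...' into (table, {key: value})."""
    tok = shlex.split(line)
    return tok[2], dict(t.split("=", 1) for t in tok[4:] if "=" in t)

def covers(f, nat):
    """True if filter rule f accepts the connection created by dst-nat rule nat."""
    if f.get("chain") != "forward" or f.get("action") != "accept":
        return False
    if "dstnat" in f.get("connection-nat-state", ""):
        return True  # accepts every dst-natted connection
    # The forward chain runs after dst-nat, so it sees the translated port.
    inner_port = nat.get("to-ports", nat.get("dst-port"))
    return (f.get("protocol") == nat.get("protocol")
            and f.get("dst-port") == inner_port
            and f.get("dst-address") in (None, nat.get("to-addresses")))

def audit(lines):
    """Return (external_port, finding) pairs for the dst-nat rules in lines."""
    rules = [parse_rule(l) for l in lines if l.startswith("/ip firewall")]
    filters = [p for t, p in rules if t == "filter"]
    findings = []
    for table, nat in rules:
        if table != "nat" or nat.get("action") != "dst-nat":
            continue
        port = nat.get("dst-port")
        # Without an interface or address match the rule also rewrites
        # LAN traffic heading out to that port on the internet.
        if not {"in-interface", "in-interface-list", "dst-address"} & nat.keys():
            findings.append((port, "unscoped"))
        if not any(covers(f, nat) for f in filters):
            findings.append((port, "no-forward-accept"))
    return findings

# Constructed sample configuration (not taken from a real router).
SAMPLE = [
    "/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 in-interface=ether1 action=dst-nat to-addresses=192.168.1.100 to-ports=80",
    "/ip firewall nat add chain=dstnat protocol=tcp dst-port=8443 action=dst-nat to-addresses=192.168.1.100 to-ports=443",
    "/ip firewall filter add chain=forward protocol=tcp dst-port=8080 action=accept",
    "/ip firewall filter add chain=forward protocol=tcp dst-port=443 dst-address=192.168.1.100 action=accept",
]

if __name__ == "__main__":
    for port, finding in audit(SAMPLE):
        print(f"dst-port {port}: {finding}")
```

In the sample, the 8080 forward is flagged because its filter rule matches the external port, and the 8443 forward is flagged because it has no in-interface or dst-address match.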
Conclusion
Most port forwarding failures on MikroTik are caused by simple misconfigurations — wrong NAT rule, firewall blocking, or double NAT. By following this checklist, you can solve 90% of port forwarding issues quickly.