Port forwarding is an essential networking feature that allows external devices to access services hosted inside your private network. Whether it’s for remote desktop access,OLT, game servers, FTP servers,Linux Servers,Windows Servers or CCTV systems, configuring port forwarding on a MikroTik router ensures smooth connectivity from the internet to your internal devices.
Why You Should Configure Port Forwarding
Port forwarding allows external users to reach a specific device or service inside your LAN without exposing the entire network. It is crucial for:
- Hosting web servers or FTP servers.
- Remotely Accessing OLT.
- Remote desktop (RDP) access to internal computers.
- Connecting to CCTV or DVR remotely.
- Running multiplayer game servers.
- Accessing NAS devices or IoT equipment from outside.
- Remotely Accessing Linux Servers.
- Remotely Accessing Windows Servers.
Step 1: Access Your MikroTik Router
Log in to your MikroTik router using WinBox. Ensure you have admin credentials for full access to NAT and firewall settings.
MikroTik Default IP
IP Address: 192.168.88.1
Username: admin
Password: (your password)
Connect via WinBox → Enter IP → Login with credentials
Once logged in, navigate to: IP → Firewall → NAT to configure port forwarding rules.
Step 2: Add a New NAT Rule
Click the “+” button to add a new NAT rule. Configure as follows:
General Tab Settings:
- Chain: dstnat
- Protocol: tcp
- Dst. Port: 8080 (external port you want to open)
- Dst. Address: Your public IP (optional)
Action Tab Settings:
- Action: dst-nat
- To Addresses: 192.168.88.100 (internal device IP)
- To Ports: 80 (service port on internal device)
IP → Firewall → NAT → Add New Rule Set Chain=dstnat, Protocol=tcp, Dst.Port=8080 Action=dst-nat, To Address=192.168.88.100, To Port=80
*OLT IP Port Forwaring
Now we will forward the private IP of our OLT (Optical Line Terminal) through a public IP. This will allow us to access our OLT globally from any network. Each OLT typically uses port 80 by default, though sometimes it may differ. When you configure port forwarding, first check which port is set on your OLT, and then configure the router accordingly. If the port is incorrect, the port forwarding will not work.
/ip firewall nat> add action=dst-nat chain=dstnat dst-port=1000 protocol=tcp to-addresses=192.168.0.88 to-ports=80 disabled=no
*Linux Ubuntu Servers IP Port Forwarding
Now we will learn how to forward the SSH access port of our Linux Server. Suppose you have a Linux server — it could be an FTP, DNS, LAN cache, etc. — and it is set up with a private IP. If you want to access it from any network using a Public IP, then you need to configure port forwarding.
Ubuntu Linux Server does not have a single default port; each service uses its own port. Below are some commonly used default ports. Along with that, the script for forwarding the SSH access port is provided below.
Service Default Port SSH (remote login) 22 HTTP (Apache/Nginx) 80 HTTPS 443 FTP 21 MySQL 3306 PostgreSQL 5432
Ubuntu Servers Port Forwarding
/ip firewall nat> add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=10.255.255.202 to-ports=22 comment=Ubuntu-Live-server-1 disabled=no
Step 3: Add Firewall Filter Rule (Optional)
To ensure the forwarded port is allowed, add a firewall filter rule:
- Go to IP → Firewall → Filter Rules
- Click “+” to add a new rule.
- Chain: forward
- Protocol: tcp
- Dst. Port: 8080
- Dst. Address: 192.168.88.100
- Action: accept
/ip firewall filter add chain=forward protocol=tcp dst-port=8080 dst-address=192.168.88.100 action=accept
- Go to IP → Firewall → Filter Rules
- Click “+” to add a new rule.
- Chain: forward
- Protocol: tcp
- Dst. Port: 80
- Dst. Address: 192.168.0.88
- Action: accept
/ip firewall filter add chain=forward protocol=tcp dst-port=80 dst-address=192.168.0.88 action=accept
- Go to IP → Firewall → Filter Rules
- Click “+” to add a new rule.
- Chain: forward
- Protocol: tcp
- Dst. Port: 8080
- Dst. Address: 10.255.255.202
- Action: accept
/ip firewall filter add chain=forward protocol=tcp dst-port=8080 dst-address=10.255.255.202 action=accept
Step 4: Test the Port
Use online port checkers such as YouGetSignal or Ping.eu to test if the port is open. Make sure the internal service is running.
Troubleshooting Tips
- Ensure the NAT rule is at the top of the list.
- Use a static IP for your internal device.
- Verify the service (HTTP, FTP, RDP) is running on the internal device.
- Check that the firewall rule allows traffic through the forwarded port.
- If using double NAT, configure DMZ or bridge mode on the ISP router.
- Disable FastTrack if port forwarding fails.
Conclusion
By following these steps, you can easily configure port forwarding on a MikroTik router for any service, ensuring remote access while keeping your network secure and organized. Proper NAT and firewall configuration ensures smooth connectivity for your applications, servers, or devices.