HomeJoin InArticles and Reference Pages

Changing Mikrotik settings to provide access to internal devices

Our main Golden Hill network uses a gateway box running MikroTik software. If we want to monitor boxes via snmp or access the admin interfaces of a device within the network, we configure MikroTIk to forward traffic appropriately.

The general approach is to pick a port number and then have MikroTik forward all traffic that comes into that port on the main IP to the specfic device, remapping the port in the process.

Typically we need either http, https or ssh access and also snmp. As the former are tcp protocols and the latter is udp, we use the same port number for both to simplify things a little.

Here are the basic steps for adding a new device to forwarded list sing the MikroTik winbox interface.

For the following example, we assume port 1234 and an internal destination IP of 10.0.0.250.

  1. Go to IP -> Firewall -> Destination NAT
  2. click on the '+' symbol and fill in the following on the resulting dialog
    1. 'In Interface' choose Wan
    2. 'Dst Address' enter the outside IP, 66.93.33.41 / 32
    3. 'Protocol' select tcp
    4. 'Dst Port' select the right hand side checkbox and enter 1234
  3. Click on the 'Action' tab (previously on General) and
    1. Action is set to nat
    2. Both to Dst Addresses are set to 10.0.0.250
    3. To Dst Ports is set to 80 for http (or 22 for ssh, or 443 for https)
  4. Click on OK to save the rule
  5. Scroll to the bottom of the list where the new rule will appear
  6. Select the rule by clicking on it, then click on the yellow 'comment' button on the toolbar and name the rule (e.g. HTTP to SH ap2)
  7. drag the rule up match to the other similar rules.

Note that the winbox UI gets confused with dragging sometimes. If you suspect this, log out of winbox and log back in again - its possible to cause major damage to rulesets by dragging them when the UI is messed up.

Now the outside world can get into the AP, but it can't get out because of the captive portal. The following steps allow it to bypass the portal:

  1. On the IP -> Firewall window, click on the Filter Rules tab
  2. In the dropdown on the right hand side, choose "Hotspot temp"
  3. Click on the red '+' and in the resulting box:
  4. Under the 'Action' tab, change Action to 'return'
  5. Under the 'General' tab change, set Src Address to 10.0.0.250 / 32
  6. Click on OK
  7. In the resulting rule list, drag the rule above the last rule and add a comment using the Yellow comment button

That's it. You should now be able to access the box from the outside using an url like https://66.93.33.41:1234.

‹ Transparent Squid Proxying with MikroTikupDo-It-Yourself POE ›

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

POrtforwarding

On December 27th, 2010 Anonymous (not verified) says:
Hey, I have linksys router going to a mikrtoik router. I want to portforward for online gaming. I treid typing in Username: admin Pword: admin to long in to the router but its way to advabced and doesnt seem to work...any help Blessings*

Post new comment

The content of this field is kept private and will not be shown publicly.

Back to top