Configuring Mikrotik: forwarding RDP and FTP ports. How to set up port forwarding on Mikrotik

Port forwarding is required quite often on Mikrotik routers. However, both network administrators and unprepared users often find the task quite difficult. What follows is a brief set of instructions that makes any operation of this type straightforward, although it does take a little tinkering.

Configuring Mikrotik with port forwarding. Why is this necessary?

Before configuring the router, it is worth dwelling briefly on the principles of port forwarding and on what it is used for.

With the default Mikrotik configuration, computers on the internal and external networks do not see the IP addresses assigned to other terminals. The so-called masquerade rule is in effect: when the router handles a request, it substitutes its own external IP for the address of the machine concerned, while still opening the necessary port. As a result, all devices connected to the network see only the router and remain invisible to one another.

For this reason, in some situations port forwarding on Mikrotik devices becomes an absolute necessity. The most common cases are:

  • Remote access to devices on the network over RDP;
  • Running a game or FTP server;
  • Peer-to-peer networking and correct operation of torrent clients;
  • Access to cameras and video surveillance systems from outside via the Internet.

Access to the web interface

So, let's proceed. On Mikrotik routers, port forwarding (RDP, FTP, etc.) begins with logging in to the device management system, called the web interface. Most well-known routers use a standard 192.168 address ending in either 0.1 or 1.1, but that variant does not work here.

To get access, type 192.168.88.1 into the address bar of a web browser (standard Internet Explorer is best), enter admin in the login field and, as a rule, leave the password field empty. If access is blocked for some reason (the router does not accept the login), reset the settings by pressing the appropriate button or by disconnecting the device from the power supply for 10-15 seconds.

General settings

You are now in the interface. Now the most important point: in Mikrotik, port forwarding is based on creating so-called exclusion rules for the Masquerade function (the same masquerade, with substitution of IP addresses, that was mentioned above).

In the general settings of the Firewall / NAT section, you will notice that one rule already exists; it is one of the factory settings. In the general case, port forwarding consists of adding a new rule by pressing the button with the plus sign and then filling in several basic settings fields.

Examples of used ports

Now let's look at some examples of ports in use. Depending on what each open port will be used for, the values can be:

  • Torrent: tcp/51413;
  • SSH: tcp/22;
  • SQL Server: tcp/1433;
  • Web server: tcp/80;
  • Telnet: tcp/23;
  • RDP: tcp/3389;
  • SNMP: udp/161, etc.

These are the values that will be used to forward each such port.

Creating rules and selecting actions

Now create a new rule and fill in the settings fields. Be very careful here and start from exactly which kind of access you need to provide (from the inside out or vice versa).

The parameters should be:

  • Chain: srcnat is used for access from the local network to the outside world, dstnat for access to the local network from outside (choose the second option for incoming connections);
  • Src. Address and Dst. Address: leave empty;
  • Protocol: select either tcp or udp (usually set to 6 (tcp));
  • Src. Port: leave blank, i.e. the outgoing port for external connections is not important;
  • Dst. Port (destination port): specify the port from the examples above (for example, 51413 for torrents, 3389 for RDP, etc.);
  • Any. Port: can be left blank, but if you specify a number, that one port will be used both as the incoming and as the outgoing port;
  • In. Interface: the port of the router itself (usually ether1-gateway);
  • Out. Interface: the outgoing interface (can be skipped).

Note: when forwarding a port for a remote connection from outside (RDP), the Src. Address field specifies the IP of the remote computer from which access is intended. The standard RDP connection port is 3389. However, most professionals do not recommend doing this, because it is much safer and easier to configure a VPN on the router.

Next, port forwarding on the Mikrotik router requires choosing an action. Here it is enough to specify only three parameters:

  • Action: accept (simple reception), but for external access dst-nat is specified (the more advanced netmap setting can also be used);
  • To Addresses: the internal address of the machine to which traffic should be redirected;
  • To Ports: in general the value is set to 80, but 51413 is specified for the same torrent client to work correctly.
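
The same kind of rule entered from the RouterOS terminal, as an added example that is not part of the original article: it forwards RDP and applies the source restriction described in the note above. The internal host 192.168.88.10, the remote address 203.0.113.10 and the list name rdp-allowed are assumptions; ether1-gateway is the interface name used in this article.

```routeros
# Added example, not from the original article.
# Assumed values: 192.168.88.10 (internal RDP host), 203.0.113.10 (remote
# administrator's address), rdp-allowed (address-list name).

# Unrestricted form, shown commented out for comparison only: Src. Address is
# empty, so any host that reaches ether1-gateway on tcp/3389 is forwarded in.
# /ip firewall nat add chain=dstnat protocol=tcp dst-port=3389 \
#     in-interface=ether1-gateway action=dst-nat \
#     to-addresses=192.168.88.10 to-ports=3389

# Restricted form: only sources on the address list match the rule.
/ip firewall address-list
add list=rdp-allowed address=203.0.113.10 comment="remote admin (assumed)"

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=3389 in-interface=ether1-gateway \
    src-address-list=rdp-allowed action=dst-nat \
    to-addresses=192.168.88.10 to-ports=3389 \
    log=yes log-prefix="rdp-fwd" comment="RDP from listed sources only"

# Review what is exposed: every dstnat rule is a path from outside to the LAN.
/ip firewall nat print where chain=dstnat
```

With log=yes, each new forwarded connection is written to the router log under the rdp-fwd prefix, which gives a record of who used the forward.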

Configuring Mikrotik: FTP Port Forwarding

Finally, a few words about the settings needed for FTP. First of all, you need to configure the FTP server itself, for example one based on FileZilla, but that is a separate conversation. Here we are more interested in forwarding FTP ports on Mikrotik than in configuring the server side.

It is believed that an FTP server, although it requires a certain range of ports to be specified, works perfectly well on control port 21. That port must be enabled.

As in the general case, you first need to create a new rule, only in this situation there will be two: one for the control port and one for the entire range of ports.

For port 21, the parameters should be:

  • Chain: dstnat;
  • Dst. Address: external address of the router (for example, 1.1.1.28);
  • Protocol: 6 (tcp);
  • Dst. Port: 21;
  • In. Interface: ether1-gateway.

On the Action tab, the following values are set:

  • Action: dst-nat;
  • To Addresses: the address of the terminal where the FTP server is installed;
  • To Ports: 21.

For a range (for example, 50000-50050), all options are the same except for two parameters:

  • In the general settings, Dst. Port specifies the entire range of ports;
  • When you select an action, the same range is entered in the To Ports field.

Note that when configuring FTP forwarding you need to follow the router documentation, which says that starting the port range below 1024 is not recommended. This point should also be taken into account.
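
The two FTP rules above in RouterOS terminal form, as an added example that is not part of the original article. The external address 1.1.1.28, the range 50000-50050 and ether1-gateway come from the article; the FTP server address 192.168.88.20 is an assumption.

```routeros
# Added example, not from the original article.
# Assumed value: 192.168.88.20 (internal FTP server).
/ip firewall nat

# Rule 1: the control connection on port 21.
add chain=dstnat dst-address=1.1.1.28 protocol=tcp dst-port=21 \
    in-interface=ether1-gateway action=dst-nat \
    to-addresses=192.168.88.20 to-ports=21 comment="FTP control"

# Rule 2: the data port range. The FTP server has to be configured to use
# exactly this range for its data connections; it starts above 1024.
add chain=dstnat dst-address=1.1.1.28 protocol=tcp dst-port=50000-50050 \
    in-interface=ether1-gateway action=dst-nat \
    to-addresses=192.168.88.20 to-ports=50000-50050 comment="FTP data range"

# Confirm that both rules are present and that no wider range was opened.
print where chain=dstnat
```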

In principle, you can also use Mikrotik's Hairpin NAT function, but it is needed only when the external IP has to be reached from the local network. In general, you do not need to activate it.

Copyright © 2018 en.unansea.com.