(3) NAT Router Rules (Port Forwarding) in MikroTik RouterOS

Science and technology

Follow The Series: cat5.tv/mikrotik
The next step in our MikroTik series will see us routing NAT firewall rules to allow outside (Internet) users to access ports 80 and 443 on our internal web server. We'll create the required NAT (Network Address Translation) rules, and configure a Firewall Rule for each port to direct traffic through our Internet connection to the in-house server.
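As an added, worked example (not code from the episode or its comments), the same two forwards and their forward-chain filter rule expressed in the RouterOS CLI, which is equivalent to the WebFig clicks the video walks through. It assumes the RouterOS default configuration (LAN on `bridge`, Internet interface in the `WAN` interface list) and an internal web server at 192.168.88.10; that address and the rule comments are assumptions.

```routeros
# Added example, not the series' own configuration. Assumes the default
# configuration (LAN on "bridge", Internet in interface list "WAN") and a
# web server at 192.168.88.10 (assumed address; substitute your own).

# 1. Destination NAT: rewrite the destination of TCP connections arriving on
#    the WAN side for ports 80 and 443 to the internal server. One rule per
#    port mirrors the video; dst-port=80,443 would do the same in one rule.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="Web server HTTP"
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="Web server HTTPS"

# 2. Forward-chain filter rule admitting only the translated traffic.
#    place-before puts it directly before the default final drop rule, i.e.
#    after the "accept established,related" rule, so already-tracked
#    connections keep their fast path and only new connections are inspected.
/ip firewall filter
add chain=forward in-interface-list=WAN protocol=tcp dst-port=80,443 \
    dst-address=192.168.88.10 connection-state=new \
    connection-nat-state=dstnat action=accept \
    comment="Allow forwarded web traffic to 192.168.88.10" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# The default configuration's last forward rule is:
#   add chain=forward action=drop connection-state=new \
#       connection-nat-state=!dstnat in-interface-list=WAN \
#       comment="defconf: drop all from WAN not DSTNATed"
# Its "!dstnat" match means dst-natted packets are never dropped by it, so
# the accept rule above only becomes decisive once that exception is removed.

# Verify after a test from outside: the counters on both rules should grow.
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=forward
```

If the default drop rule has been renamed, `place-before` takes the rule number shown by `/ip firewall filter print` instead of the `[find ...]` lookup; on a PPPoE uplink the `WAN` interface list already contains `pppoe-out1` in the default configuration, so the rules need no interface change.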

Comments: 73

  • @LinuxTechShow · 4 years ago

    Just waiting for KZread to transcode this. Once finished, you'll see the 1440p and 1080p options which will be MUCH clearer than the previous upload (which had really blurry screenshots). Thanks for your patience. If you don't see the HD options yet, sit tight and refresh in a few minutes.

  • @LinuxTechShow · 4 years ago

    I am now seeing HD resolutions. That should be remarkably better than the previous upload. Enjoy the show!

  • @falciloid · 3 years ago

    Hello there. Sorry for necroposting, but I must ask you: do you know why setting the "To Ports" field is not a good idea in the case of dst-nat to the same external and internal port? I didn't understand it before guys in one Telegram community explained it to me. Of course, it works. But at what price? Also I want to note that it's possible to set several ports in one rule, or even port ranges. But it works correctly only in the case of direct PAT (Port Address Translation). Also one more thing: it's not necessary to add a new firewall filter rule for forwarded ports in RouterOS, for about half a year as far as I remember and maybe more, because the last default drop rule in the forward chain looks like "drop all from WAN except dst-nat". P.S. Hello from Ukraine! You're doing well =)

  • @jaxpad · 3 years ago

    Honestly, thank you for being the only person to explain as thoroughly as you do. I could successfully implement port forwarding into my network because of you and it's appreciated.

  • @cataphractster · 2 years ago

    Didn’t work for me until I figured out that my internet wasn’t on ether1, but on pppoe-out1. After I substituted pppoe-out1 for ether1, it worked perfectly. Thanks for the great video.

  • @barrymalawi · 3 years ago

    Hi, Robbie, I have to thank you for this great content. Best wishes from Germany! Stay tuned!

  • @MrThock · 3 years ago

    Thank you so much for this. I was never able to get this to work before, now I know I was missing the firewall rule to go along with the NAT rule.

  • @itskyb · 2 years ago

    Thank you so much for this video. This showed the process so much better compared to the other videos I have watched.

  • @wayneharmon2190 · 2 years ago

    You are awesome! Thank you for doing this. This video has helped me twice now. You do a great job explaining. I'd love to see more.

  • @astraenz · 4 years ago

    On the default config you don't need to add a firewall rule to allow the port forward. If you look at the comment on your forward drop rule you will see it says "not DSTNATed", so if it is DST-NATed it will be allowed anyway. If you want firewall rules you need to edit the drop rule: go to 'Connection NAT State', untick 'dstnat' and remove the little '!' sign. The hazard sign means 'NOT'. Also, if you are working on the forward chain, change the filter at the top right to select the chain you are working on. It makes it easier to see which rules apply. You also shouldn't be dragging these rules above the "Allow Established and Related" rule. Established traffic has already been processed by the firewall, so the router can use fewer resources to inspect it. As you moved the rules above this, the firewall will be checking every single packet.

  • @LinuxTechShow · 4 years ago

    Excellent eye, Scott. I didn't expect anyone to catch that, but you're bang-on correct (it's like you can read the future!). During the course of the series, we will be teaching how to limit the connectivity to only certain IP addresses / lists. During that tutorial, we are removing the dstnat exception from the drop rule. But since we knew we were doing this, we taught to set up the Firewall Rule during this week's tutorial. Otherwise, when we later teach how to change the drop rule, we'll break all the connectivity. It's a bit chicken-and-egg, but we know people will later refer back to this week's tutorial to see how to set up port forwarding, so we wanted to include everything they will inevitably need. Thanks for the comment! And seriously, good eye! Thanks for the tip re. the order as well, I'll look closer in a follow-up tutorial.

  • @bog5620 · 3 years ago

    I think the explanation you gave to Scott was invented on the spot; in fact you didn't know what you were doing. If indeed that was your intention, you shouldn't make your tutorials like that. Most people search on KZread for a how-to video to make something, apply it and move on. They do not want to watch a whole series or videos that haven't come yet or may never come. Keep things separated: if you want to make a port forwarding video, do a port forwarding video and that's it. Don't leave some leftover config for future videos. So in a nutshell, I think you are a nice guy who wants to help people, but this video, because you didn't know what you were doing, is misleading.

  • @KarlHamilton · 1 year ago

    Excellent! Very well explained. Thanks so much for uploading!

  • @Johann75 · 1 year ago

    The best explanation.

  • @JohnsTube · 3 years ago

    Awesome, big thanks from Egypt :)

  • @arvisvideo · 3 years ago

    Thanks for the tutorial! The introduction part about MikroTik and RouterOS was very good, but the technical part is quite misleading, especially the firewall filter section.

  • @viktorsakermanis3418 · 2 years ago

    Thank you, this tutorial is the best!

  • @haroldcrisdayritabarquez7795 · 3 years ago

    Thank you for this video. I ended up following a hairpin NAT rule found on the internet to achieve NAT port forwarding, after searching for hours for how to port forward on our new MikroTik router. But your video is much simpler to understand. After watching your video, I deleted all my previous NAT and firewall rules and started following yours. Wish you could do more videos on MikroTik. Update: But when my router rebooted today, it does not work.. :(

  • @anlongdus · 3 years ago

    My servers are back online after adding those destination NAT rules. Thanks from Germany…!

  • @bog5620 · 3 years ago

    Why do you create two rules, one for port 80 and one for 443, instead of creating one and separating them by a comma? You can also use a dash (-) when needed.

  • @TPrudwi · 3 years ago

    Hi, is CAPsMAN dedicated only to MikroTik APs?

  • @tophatstop1036 · 4 years ago

    Could you do a video explaining how to open your ports for online games if possible?

  • @20bantoo12 · 3 years ago

    Thank you for the video, I really learned a lot from it. But I am still having the problem with the TP-Link router. So, the MikroTik router is on top of it, and I have my PC with Ubuntu Linux installed connected as LAN to the TP-Link router. Can you help me?

  • @robertwachira6067 · 3 years ago

    Hi... so how to port forward a different web server on the same network?

  • @cornbreadcuban5456 · 3 years ago

    Thank you for this.

  • @the-imge · 2 years ago

    Hello, thank you for this video. I have a question. I opened the SQL port (1433) under Firewall NAT and I want to allow this port for just two IP addresses to access my local server. Could you help me? I looked for some documentation for this but I couldn't find any.

  • @EivindGussiasLkseth · 1 year ago

    How to debug dst-nat rules not working as expected? I've been following The Network Berg's tutorial to set up a MikroTik from no default configuration, and there are some firewall rules that I don't understand, but they are the ones that he recommended. I'm not getting this dst-nat thing right, and I have no clue where the issue might be.

  • @CPapex · 3 years ago

    Please can anyone help me? I am trying to set up port forwarding for remote camera viewing.

  • @erfanziaee5904 · 3 years ago

    Hello, how are you today? I have a question: in our office we have a MikroTik SXT radio on the roof that is connected with a long LAN cable to our MikroTik router. So we have 2 MikroTik devices: a MikroTik radio and a MikroTik router... I want to know how I can port forward. Do I have to configure the radio, or just the router, or both?

  • @PEIN19218 · 2 years ago

    Does the latest MikroTik router support Wi-Fi 6?

  • @dupajasio4801 · 2 years ago

    What would be the 10x more expensive router? Because Cisco would be 50x plus. Just curious...

  • @FlexibleToast · 3 years ago

    Can you use a hostname as a source instead of an IP?

  • @FlexibleToast · 2 years ago

    You're doing some trickery here. How come you can hit your Nextcloud instance from internally without using a hairpin NAT? That's the info I was looking for in this video.

  • @markuspfeifer9612 · 2 years ago

    Unfortunately this doesn't work with a Ubiquiti router being the destination behind the MikroTik. The Nextcloud server is behind the Ubiquiti; it's a Dream Machine (UDM without Pro). What do I have to do in this case?

  • @ZachHarner4583 · 3 years ago

    Did you have any issues with this router blocking outbound processes? I've noticed that my Emby server can no longer connect to get live TV data, my PHP server is unable to connect to a database hosted on the web, and my streaming computer is having major issues with network frame drops since installing. Everything I have read has said that there is no outbound firewall, but it seems like something is blocking my stuff. I've tried the forums, but I posted 6 hours ago and am still waiting for my post to be approved....zzzz Great video by the way, helped me tremendously!

  • @mahmoudalaga4613 · 3 years ago

    Thank you, your explanation is very good. I wish you would explain L2TP in MikroTik (without the IPsec option, I mean also without a pre-shared key). Most videos explain IP in virtual computers and it doesn't work in the real world. I have an IP phone that uses L2TP to connect to HQ from a remote branch. It has L2TP or OVPN and I can't make either of them work.

  • @guyseide · 2 years ago

    Question for you: I am a gamer and I would like to DMZ my PC connection so that I can game better. I can't find anything on YouTube about this, any ideas?

  • @amb102 · 3 years ago

    If you do not have a drop-all rule for the forward chain at the end, adding the rule in the firewall is just useless! By default MikroTik allows forward for dst-nat, IT DOES NOT DROP EVERYTHING, so with your config the firewall rule is useless as it will always accept dst-nat connections. Remember that, as it may also be a security risk if not properly configured :) If you want to filter incoming connections you can also do this in the NAT section (by src-address, etc.).
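A worked example of the two points raised in this thread (the earlier question about allowing port 1433 to only two addresses, and the note above that filtering can live on the NAT rule and that the default drop rule must actually drop). This is added example configuration, not from the video or any commenter. The server address 192.168.88.20, the list name `sql-allowed` and the two client addresses (taken from the documentation ranges) are assumptions.

```routeros
# Added example, not the series' own configuration. Assumed values:
# SQL server 192.168.88.20, permitted clients 203.0.113.10 and
# 198.51.100.25 (documentation addresses used as stand-ins).

# Address list of permitted clients; changing who is allowed later means
# editing the list, not the rules.
/ip firewall address-list
add list=sql-allowed address=203.0.113.10 comment="Office A (assumed)"
add list=sql-allowed address=198.51.100.25 comment="Office B (assumed)"

# Destination NAT matched on the source list: only these clients are ever
# translated; everyone else reaches the router's own port 1433, which is
# not listening.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=1433 \
    src-address-list=sql-allowed action=dst-nat \
    to-addresses=192.168.88.20 comment="SQL from allowed sites only"

# Filter side, so the restriction holds even if a broader dst-nat rule is
# added later: accept translated connections from the list, placed before
# the default WAN drop rule.
/ip firewall filter
add chain=forward in-interface-list=WAN protocol=tcp dst-port=1433 \
    dst-address=192.168.88.20 connection-state=new \
    src-address-list=sql-allowed action=accept \
    comment="SQL allowed sites" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# The default drop rule exempts dst-natted traffic ("connection-nat-state=
# !dstnat"), which is the "useless rule" point made above. Replace it with
# an unconditional drop for new WAN connections so the filter chain is the
# final authority; "add" appends at the end, where the drop belongs.
/ip firewall filter
remove [find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    comment="drop all new from WAN not accepted above"

# Check: a connection attempt from an address not on the list should grow
# only the drop rule's counter.
/ip firewall filter print stats where chain=forward
```

Do the replacement of the drop rule last and from a session that is not itself relying on a forwarded port: once the exception is gone, every forward that lacks an explicit accept rule stops working, which is exactly the behaviour the commenter is asking for.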

  • @BattousaiHBr · 3 years ago

    Indeed. The firewall is very similar to Linux iptables (because it uses it under the hood). These must be implemented such that the drop-all is at the bottom: on the forward and input chains, accept packets incoming from your LAN interface; on the forward and input chains, accept established and related packets; on the forward and input chains, drop everything.

  • @KarlHamilton · 1 year ago

    Is that right? So I could just remove the drop all rule then?

  • @Nighta90 · 2 years ago

    Sadly ports still closed. Logged as open in router.

  • @tophatstop1036 · 4 years ago

    Is there any TCP and UDP in MikroTik? I can't seem to find them to port forward my online games.

  • @slimejude9691 · 3 years ago

    Just look up what ports your game is using; for example, DOOM uses 666.

  • @BattousaiHBr · 3 years ago

    TCP and UDP are protocols; ports are accompanying numbers for these protocols. And yes, it does have them.

  • @stevesmith2553 · 3 years ago

    What about UDP 53?

  • @joramotorsportteam3277 · 3 years ago

    13:23 We have 2 devices with 443 in network 192.168.88.xxx; how do we forward from the outside internet on port 4433 to one of the devices?

  • @ChristophWeber77 · 3 years ago

    Set a second rule with dst port 4433 to port 443 to the IP address of the second device. The destination port is the one you have to enter in your browser to access your network, so yournetwork.com:4433 internally goes to the secondary IP:443.

  • @joramotorsportteam3277 · 3 years ago

    @@ChristophWeber77 Thanks! All working

  • @geogmz8277 · 4 years ago

    Hey, WebConfig is not secure. It's been historically buggy and exploitable. If you're going to use it (suggestion), you'd better use a good set of firewall rules for it, even from the LAN. Another suggestion is to disable all packages you won't be using, like Hotspot or CAPsMAN; if you're not going to use them, better have them disabled to reduce any attack vector and save disk space too.

  • @zvlogs1113 · 2 years ago

    Good

  • @shmayazuggot8558 · 1 year ago

    Turn any of that on and the bandwidth plummets, which is far from enterprise grade. I use a cr3xx for 10G switching but nothing else. Use FW, NAT, forwarding and that 10Gb drops to 300Mb…

  • @KarlHamilton · 1 year ago

    RB3011 works well for me at 1000Mbps with firewall and NAT active...

  • @JerryRigged · 2 years ago

    Followed step by step and it still did not work... I have a NAS on the router with a static IP set through DHCP on the router. Adding the rules and forwards still fails externally. I can hit it internally without issue.

  • @JerryRigged · 2 years ago

    Actually, I lied, it works externally from the network. Thank you! What about being connected to the local router and using the external IP to hit it? How do I make that work?

  • @KarlHamilton · 1 year ago

    @@JerryRigged You need hairpin NAT for that.
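The hairpin NAT the reply refers to, written out as an added example (not configuration from the video or from any commenter). It answers the question above and the earlier one about reaching the server from inside without hairpin. Assumed values: LAN 192.168.88.0/24 on interface `bridge`, web server 192.168.88.10, and a router public address of 203.0.113.5 (documentation range, stand-in for your real address).

```routeros
# Added example, not the series' own configuration. Assumptions: LAN
# 192.168.88.0/24 on "bridge", web server 192.168.88.10, public address
# 203.0.113.5 (stand-in).
#
# Why the plain forward fails from inside: a LAN client connects to
# 203.0.113.5:443, dst-nat rewrites it to 192.168.88.10:443, but the server
# sees the client's private source address and replies to it directly on
# the LAN. The client receives a reply from 192.168.88.10 for a connection
# it opened to 203.0.113.5 and discards it. Hairpin NAT also src-nats that
# traffic so the reply returns through the router and is un-translated.

/ip firewall nat
# 1. dst-nat matched on the public address instead of in-interface-list=WAN,
#    so it also applies to connections that arrive from the LAN side.
add chain=dstnat dst-address=203.0.113.5 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.88.10 \
    comment="Web server (hairpin-capable)"

# 2. src-nat only for LAN-to-server traffic leaving on the LAN bridge: the
#    server now sees the router as the source and replies through it.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=80,443 out-interface=bridge action=masquerade \
    comment="Hairpin NAT for LAN clients"

# Check from a LAN host with the public address; the hairpin rule's
# counter should increase.
/ip firewall nat print stats where comment~"Hairpin"
```

With a dynamic public address (PPPoE, for example) the dst-nat rule cannot name the address; `dst-address-type=local` together with `dst-address=!192.168.88.0/24` matches the router's own non-LAN addresses instead. The cost of hairpinning is that the server's logs show the router's LAN address rather than the real client for these connections; split-horizon DNS (resolving the hostname to 192.168.88.10 inside) avoids both the extra NAT and the lost source address.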

  • @yourpalfranc · 4 years ago

    Is a cascading router the same as bridge mode?? ~Frank

  • @LinuxTechShow · 4 years ago

    Hi Frank. Please consult your modem's manual / online docs / forums, or provide more information so we can assist.

  • @yourpalfranc · 4 years ago

    @@LinuxTechShow That's the problem. I've never been able to find a proper manual for the Arris NVG443B and my ISP (Frontier) won't provide any support for bridging it. I found the cascading router feature in the admin GUI but I don't have a good understanding of what it provides. I guess I'll just keep digging. Unfortunately, I don't have another choice for ISP. Thanks.

  • @geogmz8277 · 4 years ago

    @@yourpalfranc If your provider doesn't help and you're using MikroTik, you can eliminate the double NAT by just using static routes. Don't NAT at all! In the MikroTik just add a default route 0.0.0.0/0 with next hop your ISP modem/router. Just a suggestion.

  • @yourpalfranc · 4 years ago

    @@geogmz8277 Thanks for the suggestion. I'm not well versed enough in networking for it to make much sense, so if you can point to some how-to information, I'd really appreciate it. I'll see what I can find. Also, I'm reluctant to go ahead and buy a MikroTik without knowing I can make it work in my network. Thanks again!!

  • @easyfloorball2655 · 3 years ago

    Can I know what the command is?

  • @LinuxTechShow · 3 years ago

    No, that's just to help you remember what the setting is for. Can be helpful, but not required.

  • @denisstpierre7140 · 4 years ago

    I am looking at MikroTik as an option going forward. I appreciate that you are sharing info. However, you might consider planning your presentations to be more concise. This 23 minute video could have been done in 10 or less.

  • @cornbreadcuban5456 · 3 years ago

    You lost me with the ports. You should have set up different ports for the demonstration. You are not clear on what ports go where and why.

  • @loldebian · 3 years ago

    23 min of talk for 3 min of interesting matter. You really like to hear yourself talking...

  • @PaulNaama · 4 years ago

    Stop using web admin. Use WinBox, please.

  • @LinuxTechShow · 4 years ago

    You haven't provided a compelling reason. Why?

  • @deafno · 4 years ago

    I would also like to know a good reason why we should stop using web admin. Trashing the web UI feels like a habit that some MikroTik admins just develop. I started administrating MikroTik devices in 2016 and have been using the web UI unless I need to rescue the device using MAC WinBox. HTTPS (if you set it up correctly) is more secure than WinBox security also.

  • @MladenMarinov · 4 years ago

    That is the beauty of this type of firmware: you can use it in the way you like. Why do more advanced users prefer WinBox? The web administrative interface is a bit slower and insecure. WinBox is faster and a bit more secure, and has an embedded terminal. Then the best way, of course, is to connect using SSH with certificates. :-) The main issue with HTTPS is that you have one more service, which gives more attack surface for well-known methods. Knowing how to create an attack based on WinBox is more difficult. Also, using WinBox and the terminal, the admin can use a technique known as "port knocking", which may make hacking a bit more difficult with proper scripting. There are also good scenarios for using web administration, but again, attacks on the web are much more common and there are plenty of tools for this.

  • @longtimber1 · 4 years ago

    WinBox manages networks. WebFig manages one device at a time. WebFig is a waste of time.
