Configuring MikroTik RouterOS’s firewall, NAT, and DNS to act like a consumer router

Putting some quick notes up regarding configuration of a MikroTik device to behave like a consumer router, where accessing the router from inside accesses the router, and accessing the WAN IP from either inside or outside accesses an internal host via port forwarding.

All of these instructions are based around the command line interface, but you can do this through WebFig or Winbox as well (but then you can’t copy and paste). Also, I’m running RouterOS 6.21.1.

First, and most critical thing, is to add some firewall rules to keep outside hosts from accessing the administration services on the router – do this before connecting the router to a WAN! Mikrotik offers some rule suggestions, at minimum, use the Router protection rules (adapted for your network).

Edit 2015-06-05: Disregard any rules that were here before, they weren’t the most secure.

Now, once you’ve gotten that done, let’s set up NAT. I’m assuming you’ve already used QuickSet to configure the NAT initially, so…

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24 out-interface=bridge1
add chain=dstnat action=dst-nat dst-address=!192.168.1.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.1.10 to-ports=80

The first rule enables hairpin NAT, so you can access your WAN IP from inside, and it gets sent through the port forwards as you’d expect. Otherwise, you’d have to use DNS trickery to get at your internal hosts using external hostnames, and that’s just not fun.

The second rule is an actual port forward. Leave dst-addresses alone (except to change the IP address to match your MikroTik device’s LAN IP), as that rule is necessary to allow accessing the MikroTik device from inside your LAN. dst-address-type=local is one of the three ways to actually get the traffic inside, and the only one that works with both hairpin NAT and dynamic WAN IP addresses (the other ways are to set dst-address to your WAN IP, but that doesn’t work with a dynamic WAN IP for obvious reasons, or to set in-interface to ether1 (assuming that that is your WAN interface), but that doesn’t work with hairpin NAT). The rest is fairly self-explanatory – dst-port is the port range (you can specify a range, not just a single port) on the outside that you want to forward, protocol is either tcp or udp as needed, to-addresses is the IP that you want to forward the traffic to, and to-ports is the port range on that IP that you want to forward to. Obviously, you’ll create as many of those lines as you need to forward your traffic in.

Finally, one behavior of consumer routers that’s extremely helpful is, when a host gets a DHCP lease, it also gets a DNS entry in the router’s DNS server. Out of the box, Mikrotik hardware doesn’t do this. However, many scripts have been written to do this automatically upon a DHCP lease being granted. I personally use the ROS-DDNS script written by Jonathan Karras, with one modification to grab the DNS domain name from the DHCP domain, as suggested by Etz in this MikroTik forum thread. To install the script from the command line, run /ip dhcp-server edit dhcp2 lease-script (assuming that dhcp2 is your LAN dhcp server). That will bring up the editor, and you can paste the script into your terminal, and press Ctrl-O to save and exit (you may need to reconfigure your terminal’s settings to allow Ctrl-O – on OS X, you’ll want to issue stty discard undef before connecting to the router). Myself, I pasted it into WebFig. Once that’s done, any new DHCP leases will result in a DNS entry automatically being made.

Hopefully this helps anyone that’s new to RouterOS, and is trying to get all of this working the way they’d expect, if they’re used to how consumer routers behave. I couldn’t find all of this in the same place, so I figured I might as well make a blog post with some simple instructions on how to get this working.


4 Replies to “Configuring MikroTik RouterOS’s firewall, NAT, and DNS to act like a consumer router”

  1. hey guyz …i am having problem in playing cod mw3…i have routerboard microtik sxt lite2 and os v 6.23…i have port forwarded the ports in NAT(firewall) and also enabled UPnP…
    The problem is that after playing for about 45 seconds the ping increases and times out completely both in the game and in cmd google ping test…plz help
    also i have an iball baton router in between functioning as an access point

  2. thanx for doing this…
    could u please explain the self-explainatory part as i’m a noob regarding these…
    thnx 😀

  3. I use your rules, but I have no access to WAN IP from insise (LAN). What is wrong? Thank you in advance.

    chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=””

    1 chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 out-interface=pppoe-out1 log=no log-prefix=””

    2 chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=8888 protocol=tcp dst-address=!192.168.88.253 dst-address-type=local dst-port=8888 log=no log-prefix=””

    3 chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=12000 protocol=tcp dst-address=!192.168.88.253 dst-address-type=local dst-port=12000 log=no log-prefix=””

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.