Assuming you know the IP of the device you are trying to port forward to:

In WinBox

  1. Click on IP, then Firewall, then click on the NAT tab.
  2. Click the + sign to add a new NAT rule.
  3. Change Chain to dstnat.
  4. Click the down arrow on the far right side of the Protocol line.  Click the drop-down menu that just appeared.
  5. Change Protocol to whatever you need.  It’s usually tcp. In fact, that’s what comes up by default.
  6. Change Dst. Port to the port you are trying to forward. **see below for another option
  7. Change In. Interface to ether1-gateway or whatever you may have renamed your WAN port to (and assuming you’re using port 1 for WAN, of course…)
  8. Click on the Action tab.
  9. Change Action to dst-nat.
  10. Change To Addresses to the IP of the device you are trying to reach remotely (DVR, etc)
  11. Change To Ports to the port you need to forward.
  12. Click Comment and name it something that makes sense.  “DVR port forwarding”, etc.
  13. Click OK in the New NAT Rule window you’ve been working in.
  14. That’s it.  Test it out.

** Depending on what you’re trying to do, you can also change the incoming port to something other than the internal port.  For example, let’s say you want to set up an ssh connection to something on the internal network.  Every hacker in the world knows that ssh uses port 22 by default.  Leaving a common port like 22 open probably isn’t a good idea.  You could change what port you forward and still reach a device at port 22 internally.  You would change step #5 to use a different port like 12345, then in step #11 you would use port 22.  Now the Mikrotik will take traffic coming in to port 12345 and send it to port 22 at the IP address you entered in step #10.

In Terminal

Let’s use the example of forwarding port 12345 to

add action=dst-nat chain=dstnat comment="my port forwarding rule" disabled=no \
 dst-port=12345 in-interface=ether1-gateway protocol=tcp to-addresses=\ to-ports=12345

(The backslash just signals to the router that the next line is a continuation of the current line… it sees those three lines as one single entry.)
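
An added example, not from the original post: a Python check that reads a NAT export, joins the backslash-continued lines described above, and lists each enabled dst-nat forward with its WAN port, internal target and whether any source restriction applies. The sample export, its addresses and the `admins` address list are constructed; `src-address` and `src-address-list` are standard RouterOS matchers that the post itself does not use.

```python
import shlex

# Constructed sample of NAT export text; addresses and list names are placeholders.
SAMPLE_EXPORT = r'''/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="DVR port forwarding" disabled=no \
    dst-port=8000 in-interface=ether1-gateway protocol=tcp to-addresses=\
    192.168.88.20 to-ports=8000
add action=dst-nat chain=dstnat comment="ssh remap" dst-port=12345 \
    in-interface=ether1-gateway protocol=tcp src-address-list=admins \
    to-addresses=192.168.88.10 to-ports=22
'''

def join_continuations(text):
    """Merge each line ending in a backslash with the line that follows it."""
    merged, buf = [], None
    for line in text.splitlines():
        buf = (buf or "") + (line if buf is None else line.lstrip())
        if buf.endswith("\\"):
            buf = buf[:-1]          # drop the backslash, keep collecting
        else:
            merged.append(buf)
            buf = None
    return merged

def dstnat_rules(text):
    """Yield the properties of every enabled dst-nat rule in the export."""
    for line in join_continuations(text):
        if not line.startswith("add "):
            continue
        props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if props.get("action") == "dst-nat" and props.get("disabled", "no") == "no":
            yield props

def audit(text):
    """Return (comment, wan_port, internal_target, findings) per forward."""
    report = []
    for r in dstnat_rules(text):
        wan = r.get("dst-port", "any")
        lan = r.get("to-ports", wan)
        findings = []
        if not (r.get("src-address") or r.get("src-address-list")):
            findings.append("reachable from any source address")
        if wan != lan:
            findings.append(f"WAN port {wan} maps to internal port {lan}")
        report.append((r.get("comment", ""), wan, f"{r.get('to-addresses')}:{lan}", findings))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

A forward on a non-default WAN port still shows up as reachable from any source unless the rule also matches on a source address or address list.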


  • Geoff

    Is there anything special or different about port forwarding to different VLANs within your network?

    • admin

      Well I don’t know for sure, but I don’t see how it would make a difference. Each VLAN is going to be a different ‘network’ on a different subnet, so you should just have to do a dst-nat to whatever the IP address is you’re trying to reach. The VLAN shouldn’t have anything to do with getting from the internet to that specific internal IP.

  • neo

    Dears, I have a problem with Mikrotik ROS and I’ve been googling it since last month, with many resets and rules and scripts, with no use, and I hope you can help with it.
    The problem is that I have 2 Mikrotik ROS: one on a RouterBoard 750 GL running 5.20 for dual WAN merging and then passing the connection through to a Mikrotik box (86X) for hotspot and distributing service to customers.
    The problem is that I cannot forward the VPN PPTP from the routerboard to the other Mikrotik to be able to open Winbox from outside the network. I have a DDNS account and port 1723 is forwarded from both modems to the routerboard IP, and I used many dst-nat and src-nat rules but no use. Also, I’m managing this network remotely (45 miles away) and I need to travel all this distance to provide support.
    Would anybody help, please?

    • admin

      I would think that if you’re running two instances of RouterOS, one behind the other, then you would only need to VPN to the first one (the 750GL), then you would need a NAT rule on the second one (the x86) that allows incoming port 8291 to it.

      You would VPN to the 750GL, then open Winbox and type the IP on the WAN side of the x86 ROS since you’ll be coming into it from Internet side of things. Makes sense in my head, YMMV…