RouterOS


Securing your router

Check the official Confluence page for more details. The wiki page is more for reference.

Port forwarding

You need a NAT rule per port that you're trying to forward.

Traffic that comes in from the WAN interface list on a specific port should be forwarded (dst-nat) to a specific IP and port.

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 in-interface-list=WAN action=dst-nat to-address=192.168.1.10 to-ports=80
add chain=dstnat protocol=tcp dst-port=443 in-interface-list=WAN action=dst-nat to-address=192.168.1.10 to-ports=443

See also: https://help.mikrotik.com/docs/spaces/RKB/pages/154042388/Port+forwarding

Referencing dynamic public IP address

For some firewall rules you're required to provide the public IP address. With a dynamic IP you would have to update the firewall rule every time the IP changes, which can be rather annoying and, with many rules, also time-consuming.

Instead, it's best to add a new address list that the rules can reference; if the IP changes, there's only one place you need to update.

/ip firewall address-list add address=<IP>

The command line will then prompt you for a name; pick something descriptive, for example PUBLIC.

Hairpin NAT / NAT loopback

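/ip firewall nat
# Masquerade LAN clients that connect to 192.168.1.10, so its replies go back through the router
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 out-interface-list=LAN action=masquerade
# Redirect traffic addressed to the PUBLIC address list to 192.168.1.10 (no protocol or dst-port match, so every port is redirected)
add chain=dstnat dst-address-list=PUBLIC action=dst-nat to-address=192.168.1.10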
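
A check to run over an exported NAT table to spot dst-nat rules that are broader than the per-port forwards above. This is an added example, not part of the original page: the sample export is constructed from the rules shown on this page, and the function names are hypothetical. It assumes rule lines in the form printed by /ip firewall nat export.

```python
import shlex

# Constructed sample: the NAT rules from this page in export form.
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 in-interface-list=WAN action=dst-nat to-address=192.168.1.10 to-ports=80
add chain=dstnat protocol=tcp dst-port=443 in-interface-list=WAN action=dst-nat to-address=192.168.1.10 to-ports=443
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 out-interface-list=LAN action=masquerade
add chain=dstnat dst-address-list=PUBLIC action=dst-nat to-address=192.168.1.10
"""

# Matchers that restrict which incoming traffic a dstnat rule applies to.
SCOPE_KEYS = ("in-interface", "in-interface-list", "dst-address",
              "dst-address-list", "dst-address-type")


def parse_rules(export_text):
    """Return one dict of property=value pairs per 'add' line."""
    text = export_text.replace("\\\n", "")  # join wrapped export lines
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip menu paths, comments and blank lines
        props = {}
        for token in shlex.split(line)[1:]:  # shlex keeps quoted values whole
            key, sep, value = token.partition("=")
            if sep:
                props[key] = value
        rules.append(props)
    return rules


def audit_dstnat(rules):
    """Return (rule_index, finding) for every overly broad dst-nat rule."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        if "protocol" not in rule or "dst-port" not in rule:
            findings.append((i, "no protocol/dst-port: forwards every port"))
        if not any(key in rule for key in SCOPE_KEYS):
            findings.append((i, "no interface or destination match"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_dstnat(parse_rules(SAMPLE_EXPORT)):
        print(f"rule {index}: {finding}")
```

On the sample, only the hairpin dstnat rule is reported, because it carries no protocol or dst-port match.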