If you are hosting a web server on port 80 in your private network and want to allow anyone on the Internet to reach it, you have to make several changes on your MikroTik router. This use case differs slightly from a classic port forwarding configuration because it also involves moving the ports used by the router's own standard services (the web console also listens on tcp/80).
So, let's suppose that your router uses the IP 192.168.1.1 and that the internal computer that should expose public services has the IP 192.168.1.200.
Use-case 1: Publishing a web server hosted in your private network. You have to change the port of the router web console (from 80 to e.g. 1080) and then configure a dedicated port forwarding rule in the router firewall to route the traffic that arrives on port 80 of your router.
1) Change the HTTP service port
ip service set www port=7080
2) Create the port forwarding rule for 192.168.1.200 tcp/80
ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=dst-nat \
to-addresses=192.168.1.200 to-ports=80 in-interface=pppoe-out1 \
comment="NAT for TCP/80 (HTTP): forward port to an internal IP"
Note: in-interface has to be specified according to your router configuration (pppoe-out1 is the Internet-facing interface in this example).
If your router also has a public address or a public name (via standard or dynamic DNS) and you want to reach the HTTP service in your private network using that public name from inside the private network as well, you have to add two additional rules:
ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.1.200 to-ports=80 \
comment="NAT for TCP/80 (HTTP): rewrite the port forwarding to use local address type"
ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
dst-address=192.168.1.200 protocol=tcp dst-port=80 out-interface=bridge-local \
action=masquerade comment="NAT for TCP/80 (HTTP): add the hairpin NAT"
Use-case 2: Making a VNC connection to 192.168.1.200 available. In this case you have to create the port forwarding rule and, optionally, define two additional traversal (hairpin) rules so that the VNC connection can be reached from the internal network using the public IP or name.
ip firewall nat add chain=dstnat protocol=tcp dst-port=5900 action=dst-nat \
to-addresses=192.168.1.200 to-ports=5900 in-interface=pppoe-out1 \
comment="NAT for TCP/5900 (VNC): forward port to an internal IP"
ip firewall nat add chain=dstnat dst-address-type=local protocol=tcp dst-port=5900 \
action=dst-nat to-addresses=192.168.1.200 to-ports=5900 \
comment="NAT for TCP/5900 (VNC): rewrite the port forwarding to use local address type"
ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.200 \
protocol=tcp dst-port=5900 out-interface=bridge-local action=masquerade \
comment="NAT for TCP/5900 (VNC): add the hairpin NAT"
Note: out-interface has to be defined according to your router configuration (bridge-local is the LAN bridge in this example).
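Both use-cases follow the same three-rule pattern (a dst-nat rule bound to the WAN interface, a dst-nat rule for the router's own addresses, and a hairpin masquerade rule), and both notes above stress that the rules must be scoped to the right interface. The following Python helper is an added example, not code from the original post: it generates that rule set for any TCP service and audits a list of rules for the mistake the notes warn about, a dst-nat rule that matches on port alone and therefore also rewrites LAN-to-Internet traffic to that port. The interface names (pppoe-out1, bridge-local), the LAN subnet and the host 192.168.1.200 are taken from the post; the class and function names are assumptions of this example.

```python
"""Added example (not part of the original post): generate the three RouterOS
NAT commands for one published TCP service and check a rule list for
dst-nat rules that are not scoped to an interface or destination address.
Interface names and addresses are the ones used in the post; the helper
names are assumptions of this example."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardSpec:
    name: str                       # label used in the comment, e.g. "HTTP"
    port: int                       # TCP port on the public side and on the host
    host: str                       # internal host, e.g. 192.168.1.200
    lan: str = "192.168.1.0/24"     # LAN subnet (from the post)
    wan_if: str = "pppoe-out1"      # Internet-facing interface (from the post)
    lan_if: str = "bridge-local"    # LAN bridge (from the post)


def build_rules(spec: ForwardSpec) -> list[str]:
    """Return the three RouterOS commands for one published TCP service."""
    tag = f"NAT for TCP/{spec.port} ({spec.name})"
    return [
        # 1. Traffic arriving on the WAN interface for <port> -> internal host
        f"/ip firewall nat add chain=dstnat in-interface={spec.wan_if} "
        f"protocol=tcp dst-port={spec.port} action=dst-nat "
        f"to-addresses={spec.host} to-ports={spec.port} "
        f'comment="{tag}: forward port to an internal IP"',
        # 2. Same rewrite when a LAN client targets one of the router's own IPs
        f"/ip firewall nat add chain=dstnat dst-address-type=local "
        f"protocol=tcp dst-port={spec.port} action=dst-nat "
        f"to-addresses={spec.host} to-ports={spec.port} "
        f'comment="{tag}: rewrite the port forwarding to use local address type"',
        # 3. Hairpin: replies from the host must flow back through the router
        f"/ip firewall nat add chain=srcnat src-address={spec.lan} "
        f"dst-address={spec.host} protocol=tcp dst-port={spec.port} "
        f"out-interface={spec.lan_if} action=masquerade "
        f'comment="{tag}: add the hairpin NAT"',
    ]


# key=value pairs; values may be quoted strings (comments) or bare tokens
_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_rule(line: str) -> dict[str, str]:
    """Turn one 'ip firewall nat add ...' line into a key/value dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def unscoped_dstnat(rules: list[str]) -> list[str]:
    """Return the dst-nat rules that match on port only, i.e. that carry
    neither in-interface nor dst-address(-type). Such a rule also catches
    LAN clients talking to Internet hosts on that port and silently
    redirects them to the internal host."""
    flagged = []
    for line in rules:
        kv = parse_rule(line)
        if kv.get("chain") != "dstnat" or kv.get("action") != "dst-nat":
            continue
        if not ({"in-interface", "dst-address", "dst-address-type"} & kv.keys()):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for svc in (ForwardSpec("HTTP", 80, "192.168.1.200"),
                ForwardSpec("VNC", 5900, "192.168.1.200")):
        print("\n".join(build_rules(svc)))
    # Constructed sample of a rule that is missing its interface scope
    sample = ["ip firewall nat add chain=dstnat protocol=tcp dst-port=5900 "
              "action=dst-nat to-addresses=192.168.1.200 to-ports=5900"]
    for bad in unscoped_dstnat(sample):
        print("UNSCOPED:", bad)
```

Running the script prints the six commands for the two services in the post and flags the constructed unscoped rule; feeding it the output of an `/ip firewall nat export` (one rule per line) gives the same audit over a real configuration.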