Unable to open ports on MikroTik routers at home? Some consumers struggle to open ports because of low technical expertise, while others can’t get around CGNAT. This guide explains how to port forward MikroTik routers using our systematic step-by-step guide.
Table of Contents
How to Port Forward on MikroTik Routers
Here’s a step-by-step guide on how to set up port forwarding on MikroTik routers:
- Access Your Router: Connect to your MikroTik router via WinBox or WebFig. Make sure you have administrative access.
- Open Firewall Settings: Go to the IP section and select Firewall.
- Add a NAT Rule: In the NAT tab, click Add New to create a new rule.
- Configure the Rule:
- Chain: Select dstnat to change the destination address of packets passing through the router.
- Protocol: Choose TCP (or another protocol as required).
- Dst. Port: Enter the external port number that you want to forward (e.g., 80 for HTTP).
- In. Interface: Specify the incoming interface, typically your WAN or external interface.
- Action: Select dst-nat to redirect the packet.
- To Addresses: Enter the internal IP address of the server where the traffic should be redirected.
- To Ports: Specify the internal port if different from the external port.
- Apply and Save: Confirm the settings and save the rule.
- Adjust Firewall Filters (if necessary): Check if your firewall settings allow traffic on the forwarded port. You might need to add a filter rule to accept inbound connections on the forwarded port:
- Go to the Filter Rules tab in the Firewall settings.
- Add a new rule to accept connections, specifying the same protocol and dst. port as in your NAT rule.
- Test the Configuration: To confirm that your port forwarding is set up correctly, you can use online port checking tools like CanYouSeeMe.org or PortCheckTool.com. Simply enter your public IP address and the port you configured for forwarding.
Why is port forwarding an issue on MikroTik routers?
Port forwarding issues on MikroTik routers can stem from your ISP using CGNAT, which assigns the same public IP address to multiple subscribers. This method is a workaround for the limited availability of IPv4 addresses, but it complicates direct internet access to specific devices on your home network.
When your network is under CGNAT, the absence of a unique public IP for your router means that externally initiated requests do not directly reach your internal network. This scenario applies to all routers, not just MikroTik, and generally requires alternative solutions such as coordinating with your ISP or using a VPN service to facilitate direct access.
What is CGNAT?
CGNAT (Carrier-Grade NAT) is a technology used by ISPs to conserve IPv4 addresses by allowing multiple customers to share a single public IP address. This helps extend the life of IPv4 addresses but makes it difficult for individual devices on your network to be accessed directly from the internet, complicating tasks like port forwarding.
Why Do ISPs Use CGNAT?
ISPs rely on CGNAT for:
- Managing IPv4 Shortage: IPv4 addresses are almost fully allocated. CGNAT helps ISPs stretch their IPv4 resources by allowing multiple customers to share one public IP address, relieving pressure on limited IPv4 supplies.
- Avoiding IPv6 Transition Cost: Moving to IPv6 is complex and costly. CGNAT provides a budget-friendly solution, enabling ISPs to handle network demands with fewer IPv4 addresses, delaying the expense and challenges of IPv6 migration.
- Ensuring Service Continuity: CGNAT allows ISPs to continue using existing IPv4 setups without major changes to network infrastructure or customer equipment, preserving service reliability as they prepare for future IPv6 integration.
The Downsides of CGNAT
If your MikroTik router is behind CGNAT, you will encounter:
- Complicated Port Forwarding: Under CGNAT, multiple users share a single public IP address, complicating port forwarding. This makes it challenging to set up home servers or remotely access devices, as direct access to individual devices on the network is hindered.
- Online Gaming Issues: CGNAT can significantly affect online gaming by introducing connectivity and latency issues. Many online games require a direct connection to other players, and CGNAT can lead to frequent disconnections and high ping times, degrading the gaming experience.
- Trouble Hosting Servers: Hosting services such as web, file, or game servers becomes difficult with CGNAT because it blocks incoming connections. This makes it impossible for external users to initiate contact with servers behind CGNAT.
- VoIP Functionality Problems: The additional layer of NAT imposed by CGNAT can disrupt VoIP services, causing connection delays and packet loss. Since VoIP relies on direct IP communication, CGNAT can degrade the quality and reliability of calls.
How to port forward on MikroTik and bypass CGNAT with PureVPN
With PureVPN’s port forwarding add-on, you can automatically open ports with extra security on most routers and even bypass CGNAT. The best part is that PureVPN comes with a multiport feature that picks the best port and defines which ones are open.
Follow the instructions below to configure port forwarding settings using PureVPN:
- Sign up for PureVPN, add Port Forwarding to your plan, and complete the payment.
- Download and install the PureVPN app, launch it, and log in using your credentials.
- Access the PureVPN Member Area, go to Subscription and click Configure next to Port Forwarding.
- Choose Enable specific ports, enter the ports you want to open, and click the Apply Settings button.
- Open the PureVPN app, connect to a port forwarding-supported server, and you are good to go!
Quickly and safely open ports using PureVPN
Opening ports is now as simple as 1, 2, and 3!
Host a server with dedicated IP and port forwarding add-on
A Dedicated IP allows you to create servers and external IP addresses to connect to your server without any IP mapping issues. You need a dedicated IP with a Port Forwarding add-on if you wish to host a game server, get your IP whitelisted, or want your friends to connect to your at-home devices.
Why choose PureVPN
Thousands of PureVPN customers are using PureVPN’s port forwarding add-on for their port forwarding needs. Our customer support representatives work round the clock to help customers at every step. More than 80% of our add-on users are happy with the results and open ports on many routers, including MikroTik.
Unlike your ISP, you can manually open ports on multiple routers rather than requesting your ISP or getting a VPS at a higher price. You can use the PureVPN add-on as a solution to bypass CGNAT gateways regardless of the router you are using at home.
Frequently Asked Questions
Port forwarding may not work on your Mikrotik router for several reasons, such as your ISP using CGNAT, which shares public IP addresses and blocks incoming connections. Additionally, incorrect firewall settings or errors in the port forwarding configuration can prevent successful connections.
The best workaround for Mikrotik CGNAT is using a port forwarding VPN like PureVPN. This allows you to route specific internet traffic directly to your device by bypassing the usual CGNAT limitations imposed by ISPs. This method ensures a smoother and more reliable connection for services that require stable internet access.
1- Enter your router’s IP address into your browser bar. Log in when prompted.
2- Navigate to the “Port Forwarding” section and fill out the forwarding form.
3- Check “Enabled” or “On” next to Port 80. Then, save your settings.
Wrapping up
Need any help with port forwarding routers? Reach out to one of our friendly reps via the Live Chat option anytime.
Sameed
March 14, 2025
2 months ago
