For example, to forward WAN port 8006 to the LAN server at 192.168.1.11:8006, with the WAN interface list named WAN:
- Make sure ether1 is in the WAN list:
  ```
  # Create the list (skip if it already exists)
  /interface list add name=WAN comment="WAN uplinks"
  /interface list member add list=WAN interface=ether1
  ```
- Reference the list in your rules:
  ```
  # DNAT
  /ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8006 \
      action=dst-nat to-addresses=192.168.1.11 to-ports=8006
  # Allow the forwarded traffic (matches any dst-nat'ed connection).
  # "add" appends the rule to the end of the chain; it must sit above any drop rule in forward.
  /ip firewall filter add chain=forward connection-nat-state=dstnat action=accept
  ```
- (Optional) General src-NAT / masquerade for outbound traffic
  If you don't already have it:
  ```
  /ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade
  ```
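- (Optional) Hairpin NAT (LAN clients hitting your public IP)
  Replace `<bridge>` with your actual bridge name (often bridge):
  ```
  /ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.11 \
      out-interface=<bridge> action=masquerade
  ```
  The dst-nat rule above matches only traffic arriving on the WAN list, so LAN clients also need a dst-nat rule that matches your public IP as dst-address.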
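
A variant of the rules above that limits the forward to known source addresses and includes the dst-nat half of the hairpin case, as an added example that is not part of the original page. The list name `mgmt-allowed`, the addresses 203.0.113.10 and 198.51.100.7 (documentation ranges standing in for a trusted client and a static public IP) and the bridge name `bridge` are assumptions.

```routeros
# Constructed placeholder values, replace before use:
#   203.0.113.10  = a trusted remote client
#   198.51.100.7  = the router's (static) public IP
#   bridge        = the LAN bridge name

# Sources that may reach the forwarded port from the internet
/ip firewall address-list add list=mgmt-allowed address=203.0.113.10 \
    comment="trusted remote client"

# Use this instead of the unrestricted dst-nat rule: traffic from the WAN list
# is translated only when its source is on the allow-list
/ip firewall nat add chain=dstnat in-interface-list=WAN src-address-list=mgmt-allowed \
    protocol=tcp dst-port=8006 action=dst-nat to-addresses=192.168.1.11 to-ports=8006 \
    comment="8006 to 192.168.1.11, allow-listed sources only"

# Hairpin, part 1: LAN clients that address the public IP arrive on the bridge,
# not on the WAN list, so they need their own dst-nat match on the public IP
/ip firewall nat add chain=dstnat src-address=192.168.1.0/24 dst-address=198.51.100.7 \
    protocol=tcp dst-port=8006 action=dst-nat to-addresses=192.168.1.11 to-ports=8006 \
    comment="hairpin dst-nat"

# Hairpin, part 2: rewrite the source so the server replies through the router
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.11 \
    protocol=tcp dst-port=8006 out-interface=bridge action=masquerade \
    comment="hairpin src-nat"

# Check that packets hit the intended rules (counters should increase on a test connection)
/ip firewall nat print stats where chain=dstnat
```

The forward-chain accept rule with connection-nat-state=dstnat still applies unchanged, because connections from sources outside the allow-list are never dst-nat'ed and so never match it.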