How to port forward using MikroTik with Al-Watani Telecom
If you’re using Al-Watani, you might face issues with port forwarding due to Carrier-Grade NAT (CGNAT). This guide explains how to set up port forwarding on your MikroTik router while accounting for CGNAT.
CGNAT Challenges
CGNAT assigns one shared public IP to many subscribers, which makes traditional port forwarding difficult. Instead of matching the WAN or PPPoE interface in the forwarding rule, you'll need to set the current public IP as the destination address manually and add hairpin NAT rules.
Steps for Port Forwarding on Al-Watani
1. Find Your Public IP
Your ISP assigns a dynamic public IP address. To find your current public IP:
- Visit ip.wtf, or
- Use MikroTik's terminal command:
/ip cloud print
This will display your current public IP.
2. Create a Destination NAT Rule
Now, set up a DST-NAT rule for forwarding traffic:
/ip firewall nat add chain=dstnat dst-address=YOUR_PUBLIC_IP protocol=tcp dst-port=PORT_TO_FORWARD action=dst-nat to-addresses=LOCAL_DEVICE_IP to-ports=LOCAL_DEVICE_PORT
- Replace YOUR_PUBLIC_IP with the public IP found earlier.
- Set PORT_TO_FORWARD to the port number you want to forward (e.g., 80, 443).
- Replace LOCAL_DEVICE_IP with your device's local IP (e.g., the server or service host).
- Set LOCAL_DEVICE_PORT to the local port the service uses.
3. Set Up Hairpin NAT
Hairpin NAT ensures that local devices can access the server using the public IP. Add this rule:
/ip firewall nat add chain=srcnat src-address=LOCAL_NETWORK_SUBNET dst-address=LOCAL_DEVICE_IP action=masquerade
- Replace LOCAL_NETWORK_SUBNET with your local network range (e.g., 192.168.1.0/24).
- Replace LOCAL_DEVICE_IP with the internal IP of your server.
4. Add a Source NAT Rule (Optional)
If you need to ensure that your public IP is used for outgoing traffic, add a source NAT rule:
/ip firewall nat add chain=srcnat out-interface=WAN_INTERFACE action=masquerade
Replace WAN_INTERFACE with the name of your WAN or PPPoE interface.
5. Test the Setup
Test your port forwarding by accessing the service from an external device using the public IP and the forwarded port. Internally, you should also be able to access the service using the public IP to confirm that hairpin NAT is working.
Additional Notes
- Dynamic IP Changes: Since your public IP is dynamic, you will need to update the dst-address field in the DST-NAT rule whenever your public IP changes. Consider using a DDNS service or MikroTik scripts to automate this.
- Firewall Rules: Ensure that the required ports are allowed in your MikroTik firewall configuration.
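The following RouterOS script is an added example, not part of the original guide: it reads the current public IP from /ip cloud and rewrites the dst-address of the DST-NAT rule whenever the IP has changed. It assumes /ip cloud has ddns-enabled=yes (otherwise public-address is not populated) and that the DST-NAT rule from step 2 was created with comment="alwatani-forward"; both the comment and the script name below are assumptions for this example.

```routeros
# Assumption: the step-2 DST-NAT rule carries this comment so the script can find it
:local ruleComment "alwatani-forward"

# Current public address as reported by MikroTik cloud (needs ddns-enabled=yes)
:local currentIP [:tostr [/ip cloud get public-address]]

# Abort cleanly if the cloud service has not reported an address yet
:if ([:len $currentIP] = 0 || $currentIP = "0.0.0.0") do={
    :log warning "port-forward update: /ip cloud has no public-address yet"
    :error "no public address available"
}

# Walk every dstnat rule tagged with the comment and fix its destination if stale
:foreach r in=[/ip firewall nat find chain=dstnat comment=$ruleComment] do={
    :local ruleIP [:tostr [/ip firewall nat get $r dst-address]]
    :if ($ruleIP != $currentIP) do={
        /ip firewall nat set $r dst-address=$currentIP
        :log info ("port-forward update: dst-address " . $ruleIP . " -> " . $currentIP)
    }
}
```

Save it with /system script add name=update-forward source=... and run it periodically with /system scheduler add name=update-forward interval=5m on-event=update-forward, so the rule follows the ISP's address changes without manual edits.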
By following these steps, you can configure port forwarding on MikroTik, even with the constraints of CGNAT from Al-Watani Telecom.
What is Hairpin NAT?
Hairpin NAT (also known as loopback NAT or NAT reflection) allows devices on the local network to access a service using the public IP address or domain name, even if the service is hosted within the same network.
For example, if you host a web server on your local network and forward a port on the public IP to it, external users can access the server using that public IP. Hairpin NAT ensures that local users can also use the same public IP to access the server. Without hairpin NAT, the router wouldn't know how to handle requests coming from inside the network but destined for the public IP.
This technique provides convenience and consistency, allowing both internal and external devices to use the same address to access local services.