all right we've been looking at the
mikrotik routers advanced routing with
these devices I mean they fall into this
interesting category all of their own in
a way because they're priced like a
consumer router but they have the
feature set of an enterprise router so
suddenly you're able to do so much more
you're able to protect your network way
better than you could with a consumer
router and you're you're able to do that
for about the same price or maybe a
little bit more but about the a tenth of
the price of an equivalent enterprise
level router so all that said they're
extremely cheap for what you get and
when you've used a mikrotik router for a
little while you start to realize wow
there's there's like no limits to this
it's like you can just you can code
stuff into it in their router OS
software and and you can manage all
kinds of stuff and all of a sudden you
start playing with caps man and your
mind is blown because you can do things
with a micro tech router for 30 40 50 a
hundred and fifty dollars that you would
be doing with a router of equivalent
specs that is seven eight hundred
dollars fifteen hundred dollars ten
thousand dollars and you're doing it on
these consumer priced devices from micro
tech so the device that I'm looking at
here at the studio is the router board
RB 9 6 2 UI GS and that model is what
I've selected for us here at the studio
but it might not be exactly what you
want for your house or your home network
or your business network however that's
what's really cool about micro tech I
mean one of the things is that you just
pick the hardware that works for you and
the software is going to be the same
from device to device to device whether
you buy the 30 dollar unit or the 150
dollar unit or the 600 dollar unit it
doesn't matter as far as the software
goes your only limitation is in the hard
we're so where my device has both 2.4
and 5 gigahertz Wi-Fi antennas and and
and transmitters you may buy a cheaper
device that only has 2.4 or only has 5
so those features will be limited only
by the hardware but the software itself
is the same so I I always start by
saying that because I want you to
understand you don't have to buy the
same one I bought you find the one that
works for you and then you can follow
along with this series and amazingly
even if you have a different model
altogether you're gonna be able to
follow the screen you're gonna be able
to follow the steps and it's going to be
exactly the same
that is amazing so this week I'm going
to be looking at how to set up port
forwarding we're gonna call it now
mikrotik is going to call it NAT
firewall rules I'm gonna talk a little
bit about that in a moment but we know
it as port forwarding or redirecting and
that is that when someone hits our
public IP address at a certain port if
it's a port that I have allowed and that
I recognize I want it to reroute to the
appropriate server so in my case I have
a server at 10.0.0.0
it's my own personal kind of alternative
to Google cloud services and drive and
onedrive and all those kinds of services
I'm able to put them on my own server
and it's mine it's my own hosted system
at 10.0.0.0 'pn ports 80 and port 443 so
if someone hits my IP or I actually have
a DNS record because we have category 5
TV of course so I have Studio dot
category 5 dot TV is going to route them
to here and that's going to then hit the
micro tech and the micro tech is going
to say ok what do I do with this traffic
what am I gonna do so I have to tell my
micro tech hey that's port 443 I want
wrote that to 10.0.0.0 because that is
presumably what this person is trying to
access so let's jump right into it I'm
gonna hop over to our mikrotik and
things are so sophisticated over here so
just follow along and you're gonna start
to pick up on how things work I've
clicked on IP last week we came here
because we started looking at the DHCP
server and static rules and things like
that which we'll expand upon in time I'm
gonna hit firewall these are the default
settings for my mikrotik firewall and i
want to add some rules that are going to
reroute traffic within my network now
we're a typical consumer firewall router
is going to say hey I'll take port 80
and I'll reroute it remember the
mikrotik allows me to have much more
control over that so I'm going to be
setting up NAT rules first that is
network address translation so those
rules are going to decide okay if
someone hits this port where do I want
to send it within the land okay where am
I going to allow them to access but then
it's still not going to work unlike a
consumer router that is just going to
say okay I'm just gonna basically D DMZ
that server and allow anyone to get
through and allow them to hack in and
whatever they want to do as soon as you
say go the the mikrotik is going to say
okay no I'll allow traffic through
however they are subject to some rules
you may have some other rules that
you've added to your mikrotik device
that say I'm only going to allow a
particular IP address to access this so
that might be my home IP address or my
office it may be that I've set up a rule
that says I never travel I'm always in
Canada I'm always in fact in Ontario so
if anyone ever tries to access my
servers from outside of Ontario block
them but open it for me if I'm in
Ontario so like there's all kinds of
like it's a hierarchal kind of way of
looking
at those router reto rules to redirect
traffic to certain servers within your
network you can imagine that's helpful
for home because it's giving you more
security but it's also exceptional for
business it whether you own or run an IT
department at a small medium-sized
business or even a large business
mikrotik is going to give you so much
more control over those kinds of rules
so let's start with our nat rule and
again NAT is a short form term that we
use a stands for network address
translation and it basically tells our
network traffic where to flow based on
the rules that I've set up but they're
still not going to be allowed I'm going
to show you that in just a couple of
moments time so I know that I'm gonna
need port 80 and port 443 to route my
traffic for next cloud and I should
start by showing you that hey if I
actually go to studio dot category-five
dot TV it's just gonna hang it's gonna
timeout it's not gonna go anywhere
because I haven't set up those rules yet
so that spin spin spin spin spin but
I'll leave that open
so my nat rule first of all i've created
a new nat rule so IP firewall nat new
rule and now I'm gonna change the chain
here I want to say it say that this is
the destination map because I'm setting
the destination within my internal
network I need to also set the protocol
because I want to specify that this is
actually TCP and you can see that there
are tons of protocols that you can
choose from I'm just setting up TCP on
port 80 and then port 443 to get us
started notice too that I am using web
fig in my web browser
I have not set up or and I'm also not
using wind box and that's partly because
I want to show you this through the
browser so that you can see that you
don't need to have a tool installed to
be able to administer your mikrotik
router I think there's a misconception
as soon as I say install wind box and
use that to connect to your rhetoric
creates a misconception
that makes you feel like oh this has to
be managed from a tool no but that's a
helpful tool to be able to give you
access to your router and it does
provide some exceptional additional
services like my multitasking so give it
a try but I'm gonna do most of this
through the browser because I think that
that's a better way to show you as
you're just learning your Microtech so
I've set it to destination that I've set
it to TCP as the protocol which is
number six and I need to set my
destination port and this destination
port is the port on the external network
so don't get confused with that which I
tend to sometimes do because sometimes
you may have a situation where your
public port is different than the
private port in this case as we're
setting up our NAT rule we are setting
the external port here so in in my case
it's going to match the internal port
but just keep that in mind that this
let's say your we want it to answer on
port 8080 you could add that there even
though the server in house is responding
on port 80 so just keep in mind that
might be different but in my case it's
in fact not different alright I need to
look at my interface so there's the in
interface I need to say this is going to
be Ethernet one in my case it may be a
little bit different for you just keep
in mind that what I am actually doing
there as I am selecting my internet
interface remember when I first set up
this router on our first episode of this
series I demonstrated that I was
plugging my internet modem into Ethernet
one port one and so that's what I'm
specifying here I want this to respond
on my internet interface and as you can
imagine you can dig deep and you can set
this up on you know you could be doing
things very sophisticated by specifying
different ports setting up VLANs all
that kind of stuff we're keeping things
fairly simple and just going about it
that way all right I'm gonna scroll Wade
here - action and just make sure that
this is set to DN DST net destination
net so that is going to route this
traffic to our server so now scroll down
a little ways here and you're gonna find
two ports there it is my two port is
actually going to be the same notice
that's giving me a range I'm just going
to specify port 80 and at the very very
bottom here there's an opportunity for
you to create a comment I'm going to do
that I'm gonna say next cloud 80 finally
the one last thing that I need to add
here is the destination IP address
internally on my network this is the
server as I mentioned 1000 to say that
this NAT rule is going to respond on
port 80 and redirect to 10.0.0.0 so now
I'm going to scroll all the way up and
hit OK and now we'll see that we have a
new rule called next cloud 80 and it's
responding DST net and it's pointing TCP
on port 80 through Ethernet one - as we
know from setting it up 10.0.0.0 secure
port as well follow those same steps I'm
going to change the chain to destination
that I'm gonna change my protocol to TCP
and then I'm going to change my external
my in interface to Ethernet one
destination port I know I'm a little bit
out of order that's okay you know what
I'm doing destination port is 4 4 3
let's scroll way down here and change
our action to DST nat and our to address
same server just different port and then
to port 443 and give it a comment here
next cloud 443 all right I think I've
got everything there looks good let's
hit OK so now I've got port 80 and port
443 NAT rules going to 10.0.0.0 net1
port over tcp it's still not gonna work
so if i jump over here i'm gonna hit f5
to refresh oh and it is working look at
that because i'm internal on the
internal land so i'm not actually on the
ethernet one it's not going to work from
the outside world yet because the
outside world is is coming in through
ethernet one I'm obviously internal I'm
on port 2 as you'll remember from last
week so in order to give access to the
outside world now I need to go over to
the firewall rules tab here and click on
add new so this is where I'm actually
saying ok if the firewall gets hit I
need to trigger that nat rule so let's
do that so we've added a new firewall
rule and I'm gonna change the chain
let's see no it's already defaulting to
forward so that's fine
source IP address this is kind of cool
I'm not going to set this but I just
want to I want you to see this this can
be the IP address that you want to allow
remember I mentioned you could set it so
that only your home network is allowed
to do this you could do that add your
home IP address you can even create
IP groups that would that would be set
up here that's down here source address
list see that so these are things that
we're gonna be learning in time right
now I'm not going to do that I'm not
gonna set a source address I'm going to
open this up to the world but I want you
to know that that is available to you so
moving along destination I address is in
fact the internal server so that's 10
0.017 protocol we already know that is
TCP so click that and it TCP is in fact
the default so that just kind of saves
us a quick time but you can see all the
protocols that are available to us next
step is we need to set the service port
so destination port is going to be port
80 we're gonna start with we need to do
both but I need to set up each rule
separately so there we go in interface
is going to be my Ethernet 1 port as we
already established and so what I'm
doing here is I'm actually telling the
firewall that I'm going to allow this
traffic from the the first Ethernet port
which is my internet connection and this
is the one where action needs to be set
to accept so this is where I'm saying
yeah you know what I'm going to allow
this you could also set this to reject
in certain cases or you know various
different settings but we're gonna say
except we're going to allow this and
then create a comment just like we did
before I'm gonna call this firewall rule
comment next cloud 80 scroll way up and
notice that if you leave off the NAT
rule or you leave off the firewall rule
well you're missing some of the chains
so it's not going to actually respond
outside of your network so you need to
make sure that this is done next step is
I'm going to add 4 for 3 in the firewall
rules so forward is already selected
source address we're not going to do
this time around destination address
we're gonna set to 1000 dot 1 7 protocol
is going to be TCP an interface is going
to be ether 1
and what else in my destination port
I need that there as well bah bah that
is going to be 4 4 3 scroll down make
sure it's set to accept and then set our
comment is going to be next cloud 4 4 3
there we go everything looks like I've
got everything in there I miss anything
folks you tell me I'm gonna hit ok so
now here's the final step you notice
that these two items here are drop
forward rules in the fire law now it's
important to note that mikrotik works in
it basically in order so from top to
bottom so when you're looking at your
firewall rules if you're wondering why
are these still not working well it's
because before my rules that I just
configured there's already a rule that
says drop everything so basically this
is saying hey if you've passed all this
past all this past all this now drop the
connection right because these that's a
pretty solid firewall well then it never
gets here so I actually need to reorder
these and the way I'm gonna do that is I
want these to happen or I want my custom
forwarding rules to happen right after
the final input rule so I should be able
to simply drag that up to here there we
go and grab the last one my next cloud 4
for 3 rule rang that up and there we go
and now we're in so now I don't have to
restart the router I don't have to do
anything this is I'm able to see it but
our discord server you can confirm for
me head on over to studio doc category 5
TV and without having to reboot my
router without having to restart
anything you should now be seeing that
same login prompt as well so head on
over to studio category 5 dot TV I'm
sorry and and bp9 is just
our pardon me no man five you're just
commenting that when I add the comments
you're not actually seeing them on the
screen and that's because category five
is 18 over nine and my computer screen
is sixteen over nine so that's a that's
something that I'll have to figure out
how to fix in the future that's my
mistake but you can see those comments
have been entered it's a comment field
it's just a text field at the bottom of
your of your window while you're adding
it and there's that's what I entered
next cloud 18x cloud 443 I apologize
that I didn't catch that but I
appreciate you noting it so mo maravilla
says yep I see the login a bp9 also says
yeah works for me as well so without
those rules they would not it would not
respond whatsoever but now that I've
added those rules now y'all are able to
connect so the next thing that I could
do if I wanted to is I could set up
those source address lists and those
lists can contain IP addresses of my
home network of my work network of my
friends networks of my staff's networks
and allow them to follow through those
rules but drop everyone else so that
those hackers that are on my discord
server can't get into my next cloud
server and so on and so forth so that's
essentially you know those are your
steps so looking let's backtrack a
little bit and understand that okay I
set up two ports today port 80 and port
443 those are port 80 is an insecure
HTTP port and port 443 is a secure SSL
encrypted HTTP port I want both of those
so that if someone doesn't actually
physically type in HTTP colon slash
slash studio category five dot TV it
will instead hit the port 80 and
redirect automatically to 443 if I
didn't have port 80 open they would
never get that redirect they would just
get a server not found error so backing
up we need to go into our mikrotik
configuration i'm using web fig
and click on IP click on firewall click
on NAT tab at the top and create a new
NAT rule that NAT rule is going to tell
it where do you want to go with this
with this port what do you want to do
with it but it's not actually going to
open up open it up to the public that's
where the firewall rule comes in now so
click on firewall rules on that same IP
firewall and we need to create a new
firewall rule that's going to accept
that connection and allow those
connections through and you can further
hone in on IP addresses or IP source
groups and things like that there are so
many different options that we're not
able to cover today but you can get the
idea that this is going to give us a lot
of configurability and a lot of control
over not only how traffic is routed
through our networks but who and and
what IP addresses and what networks are
able to connect through our network and
how that's going to be routed once it
hits our Microtech