Mikrotik - Setup DMZ

My_King

Need some help setting up a DMZ host on my network using Mikrotik.

I have a Nintendo Switch and 3DS. Sometimes these devices don't like NAT and can cause other players trying to connect to you to fail.
On a normal router it's easy to set a device (like the 3DS) as the DMZ host and all gaming connections then work perfectly.

Played around with some masquerade settings but each time when testing the connection it keeps saying NAT type B on my Nintendo Switch.

Anybody here know how to set up a DMZ IP on a Mikrotik? Would appreciate any assistance.
 
Had to switch to using a Mikrotik as main router to separate VLANs and have a DHCP for each one.

Also the control one has is much better.

Security is still a big issue so I must ensure all is done correctly.
 
Can you share your current filter and nat config? DM me any sensitive info.

DMZ is a very simple way of running a 1:1 NAT.

With MikroTik you do this by DST-NATting all traffic on your WAN to a particular IP. You also need to take care of other NAT traffic.

Rather than DMZ, do you have an idea of the port range that Nintendo uses? I’m guessing it’s some sort of RTP protocol (UDP 10000-20000)?

DST-NAT rule with the port ranges should work and keep you safer than forwarding all inbound traffic to the console.
 
Thank you... will PM you the details. Nintendo is not very clear on this but perhaps each game has its own.
I will get all info and get back to you.
 
Enable upnp on the tik.
 
Cool, let me know when you do. In the meantime, I did some research. Nintendo games each use different ports but all in the 45000-65535 range.

So use DHCP to assign a static IP to your Switch console. Then NAT > dst-nat in-interface-list=wan (assuming you have a wan list, otherwise in-interface) protocol=udp dst-port=45000-65535 action=dst-nat to-addresses=your console's IP to-ports=45000-65535

This means you don't open up your whole Switch to the internet (which is irresponsible advice for Nintendo to officially give out).
 
First off, thank you and for also doing research on my behalf.

This worked. Got my setup running in a bridge and set ETH1 (which has the ONT plugged in) as the interface-list. Switch did a test and got a NAT rating of A.

On my many other attempts I did not specify an interface nor did I select protocol UDP. I just used TCP. I also selected all ports.

Just one last question - Can this be done for a second device with the same ports or can you do this NATing only on one device at a time?
 
Glad to hear you got it working!

Unfortunately this won't work for a second natted device if you use the same ports - Mikrotik reads your NAT rules and firewall filters in the order in which they are listed, so the first NAT rule will always take precedence. I'm not sure how Nintendo works; what I'm guessing is that it scans available ports in that range to connect. You could try reducing the port window for Nintendo 1 to a smaller group (try 45000-55000) and set a second rule to run from 55000-65000 and test to see if that works on Nintendo 2. If it's for any other device, you should still be able to set up specific port forwards similarly to the method above (specifying interface and port and protocol), as most devices use lower ports anyway.
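
The port-range forward from the replies above, written out as RouterOS commands together with the split for a second console (an added example, not part of the original posts). The LAN addresses, MAC addresses, DHCP server name dhcp1 and interface list WAN are assumptions; whether a console accepts a reduced range is untested, as the last reply says.

```routeros
# Added example. Constructed values: 192.168.88.50/.51, the MAC addresses,
# DHCP server "dhcp1" and interface list "WAN". Substitute your own.

# 1. Pin each console to a fixed lease so the NAT rules keep pointing at it.
/ip dhcp-server lease
add server=dhcp1 mac-address=AA:BB:CC:00:00:01 address=192.168.88.50 \
    comment="console-1"
add server=dhcp1 mac-address=AA:BB:CC:00:00:02 address=192.168.88.51 \
    comment="console-2"

# 2. Forward only inbound UDP in the discussed range, and only when it
#    arrives on the WAN side. NAT rules are evaluated top to bottom and the
#    first match wins, so the two ranges must not overlap: the second one
#    starts at 55001 rather than 55000. to-ports is left out, which keeps
#    the destination port unchanged.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=45000-55000 \
    action=dst-nat to-addresses=192.168.88.50 comment="console-1 UDP"
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=55001-65535 \
    action=dst-nat to-addresses=192.168.88.51 comment="console-2 UDP"

# 3. The forward chain has to admit the translated connections. The default
#    RouterOS firewall already does, because it only drops WAN traffic that
#    is NOT dst-natted. On a custom ruleset, this accept rule must sit above
#    any forward-chain drop rule (add appends to the end; move it if needed).
/ip firewall filter
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    action=accept comment="allow port-forwarded traffic only"

# 4. Verify: the packet counters on each rule should rise during the
#    console's connection test. A rule that stays at zero is either
#    shadowed by an earlier rule or bound to the wrong interface list.
/ip firewall nat print stats where chain=dstnat
```

With a single console, drop the second lease and the second NAT rule and give the first rule the full 45000-65535 range.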