MikroTik NAT. The Port-Forwarding Rules That Unblock Everything

At the 2026-03-14 regional, the #1 most frequent error (5752 occurrences) was 'DNS EXT FWD can't contact DNS server'. and 90% of the time the root cause is a missing MikroTik DNAT rule, NOT a DNS problem. This lesson covers the six rules that have to exist.

Objectives

• Access MikroTik via SSH or WinBox
• Run `/ip firewall nat print` to audit existing rules
• Add missing `dst-nat` rules for the seven scored ports
• Verify externally with `nmap -Pn -p PORT <router-external-IP>`
• Back up the router config before and after each change

Quick reference

Common pitfalls

• Forgetting TCP **and** UDP for DNS (port 53 is both)
• Adding the rule but it's placed after a `drop` rule. order matters
• NAT rule points to the wrong internal IP (e.g., server vs DNS VM)
• Forgetting `masquerade` for outbound. you have NAT inbound but LAN can't reach outside
• Changes aren't persisted. MikroTik changes are live but reboot-volatile if you don't export

Skill drills

1. 1. NAT chain for inbound port-forwarding is ____?
   Reveal

   dstnat
2. 2. What two protocols does DNS use on port 53?
   Reveal

   TCP and UDP
3. 3. MikroTik command to save config to a file?
   Reveal

   /export file=<name>

NCAE scoreboard patterns this lesson prevents

• 15,977.8 DNS EXT FWD. Can't contact DNS Server on IP
• 144.4 DNS EXT FWD. Failed to lookup: ns1.team15.ncaecybergames.org, files.team15.ncaecybergames.org, shell.team15.ncaecybergames.
• 69.4 DNS EXT FWD. Connected to IP:53, no useful content though...
• 36.1 DNS EXT FWD. Failed to lookup: ns1.team18.ncaecybergames.org, files.team18.ncaecybergames.org, shell.team18.ncaecybergames.