Port Forwarding on MikroTik -The Double NAT Edition

Let’s create robust Port Forwards for a Minecraft server (Java & Bedrock) that work for both external friends and internal family.

The Strategy: Address Lists Over Interfaces

Standard MikroTik guides tell you to use in-interface=ether1. Do not do this if you are behind Double NAT. Your ether1 only sees a private IP (like 192.168.1.x). Instead, we tell the router to look for traffic hitting our actual Public IP stored in the WAN_IP list.

1. Port Forwarding (Destination NAT)

We need two rules: one for Java Edition (TCP) and one for Bedrock Edition (UDP).

Run these in your MikroTik Terminal:

Where 172.16.222.142 is my minecraft server

/ip firewall nat
# Java Edition (TCP 25565)
add action=dst-nat chain=dstnat comment="Minecraft Java (TCP)" \
    dst-address-list=WAN_IP dst-port=25565 protocol=tcp \
    to-addresses=172.16.222.142 to-ports=25565

# Bedrock Edition (UDP 19132)
add action=dst-nat chain=dstnat comment="Minecraft Bedrock (UDP)" \
    dst-address-list=WAN_IP dst-port=19132 protocol=udp \
    to-addresses=172.16.222.142 to-ports=19132

2. The “Hairpin” Fix (Source NAT)

If you try to connect to your public domain while sitting on your home WiFi, the connection will fail without this rule. This “Hairpin” rule forces the traffic to loop back inside correctly.

Run this in your MikroTik Terminal:

Where 172.16.222.142 is my minecraft server and 10.0.0.0/8 is my internal network subnet

Note: Ensure src-address matches your local network range (e.g., 10.0.0.0/8 or 192.168.88.0/24).

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" \
    dst-address=172.16.222.142 src-address=10.0.0.0/8

3. Don’t Forget the ISP Router!

Because we are in a Double NAT setup, your ISP’s modem/router is the first gatekeeper. You must log into that device and forward ports 25565 and 19132 to the MikroTik’s WAN IP (the 192.168.x.x address on its ether1).

Service	Port	Protocol	Target (ISP Router)
Minecraft Java	25565	TCP	MikroTik WAN IP
Minecraft Bedrock	19132	UDP	MikroTik WAN IP

How to Verify

Once applied, go to IP > Firewall > NAT and watch the Packets column.

External Test: Have a friend try to join. You should see packets climb on rules 1 or 2.
Internal Test: Join using your domain (myminecraft.armand.nz) while on WiFi. You should see packets climb on the Hairpin NAT rule.

If the counters are moving, your traffic is flowing!