How to configure port forwarding on Mikrotik for an internal server and obtain a Let’s Encrypt certificate for internet access?
Situation:
- A static IP from Rostelecom is configured on a router that operates in bridge mode with Mikrotik
- The internal network contains a Nextcloud server (all other devices are in the same network)
- The domain name points to the static IP from point 1
Task:
Configure access for users from the internet to the internal Nextcloud server via HTTPS protocol.
Problem:
Unable to obtain an SSL certificate for the internal server using built-in Nextcloud tools.
Current situation:
Employees can access the server via http://domain.ru:1234, but cannot connect via HTTPS.
Additional question:
How to organize a similar configuration for multiple internal servers (e.g., a corporate website)?
Configuring Mikrotik Port Forwarding for Nextcloud and Let’s Encrypt Certificate
To publish an internal Nextcloud server and obtain a Let’s Encrypt certificate, you need dstnat rules on the Mikrotik for ports 80 and 443, a forward-chain filter rule that accepts those forwarded connections, and an ACME client running on the Nextcloud host (Let’s Encrypt validates from the internet, so its requests must reach the server). In the situation described, the Rostelecom device is the one in bridge mode: it passes the static public IP through, the Mikrotik terminates that IP on its WAN port and routes to the LAN, and ordinary NAT applies. The special bridge firewall settings below matter only if the Mikrotik itself bridges its WAN and LAN ports instead of routing between them.
Table of Contents
- Mikrotik Bridge Configuration
- Port Forwarding Setup for Nextcloud
- Let’s Encrypt Configuration
- Multiple Servers Setup
- Troubleshooting Common Issues
- Conclusion
Mikrotik Bridge Configuration
“Bridge mode” in the question refers to the Rostelecom device, not to the Mikrotik: the provider’s router passes the static public IP through, and the Mikrotik terminates it on its WAN port (ether1 below) and routes to the LAN bridge. In that arrangement bridge traffic (LAN to LAN) never needs the IP firewall, and dstnat for traffic arriving from the internet works with the default bridge settings. Enable IP firewall processing of bridged traffic only if ether1 is itself a bridge port, i.e. the Mikrotik switches rather than routes between WAN and LAN; it costs CPU and is otherwise unnecessary.
# Enable IP firewall processing of bridged traffic (only when WAN and LAN are bridged together)
/interface bridge
set [find name=bridge1] use-ip-firewall=yes
Only the LAN-side ports belong in the bridge. Do not add the WAN port: if ether1 were a bridge port, the provider’s network would be switched straight into the LAN with no NAT and no filtering between them. The dstnat rules later match traffic by its incoming interface (the WAN port), which also keeps them from catching LAN traffic.
# Configure bridge ports: LAN ports only, ether1 stays the routed WAN port
/interface bridge port
add bridge=bridge1 interface=ether2 # Ports to which devices are connected
add bridge=bridge1 interface=ether3
It’s important to check that VLAN filtering is disabled if VLAN operation is not required; enabling it without a populated VLAN table stops bridge traffic and can lock you out of the router:
/interface bridge
set [find name=bridge1] vlan-filtering=no
Port Forwarding Setup for Nextcloud
For HTTPS access (port 443) to Nextcloud, create a dstnat rule that matches the incoming interface (the WAN port) and gives the internal destination address; to-ports is only needed when the external and internal ports differ. The NAT rule alone is not enough: the forward chain must also accept connections with connection-nat-state=dstnat. The RouterOS default firewall contains such a rule; a custom firewall must add one before its drop rules.
# Create port forwarding rule for port 443 for HTTPS
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=443 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.10 to-ports=443 \
comment="Nextcloud HTTPS access"
Where:
- in-interface=ether1: the interface receiving traffic from Rostelecom (the WAN port)
- to-addresses=192.168.88.10: internal IP address of the Nextcloud server
- dst-port=443: port on the external interface
- to-ports=443: port on the internal server
For HTTP access (if required), add a similar rule:
# Port forwarding for port 80 for HTTP
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=80 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.10 to-ports=80 \
comment="Nextcloud HTTP access"
If you’re using port 1234 for access, as indicated in the current situation, the rule is the same with a different external port. It exposes Nextcloud over plain HTTP, so credentials and session cookies cross the internet unencrypted; keep it only until HTTPS works, then remove it:
# Port forwarding for port 1234 for temporary access
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=1234 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.10 to-ports=80 \
comment="Nextcloud temporary access"
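The rules above are the NAT part only. As an added example, not code from the original page or from the MikroTik documentation, here is the complete routed configuration they assume, including the two things a dstnat rule alone does not give you: a forward-chain filter that accepts only the forwarded connections, and hairpin NAT so that employees inside the LAN can use https://domain.ru as well. The public address 203.0.113.10/30 with gateway 203.0.113.9 is a documentation placeholder; ether1 as the WAN port, bridge1 as the LAN with 192.168.88.0/24 and 192.168.88.10 as the Nextcloud host are assumptions.

```routeros
# Added example, not code from the original page. Placeholders: 203.0.113.10/30 is the
# static IP (gateway 203.0.113.9), ether1 is the WAN port, bridge1 the LAN,
# 192.168.88.10 the Nextcloud host.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

/ip address
add address=203.0.113.10/30 interface=ether1 comment="static IP from the ISP (placeholder)"
add address=192.168.88.1/24 interface=bridge1
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.9

/ip firewall nat
# Outbound NAT for the LAN
add chain=srcnat action=masquerade out-interface-list=WAN comment="LAN to internet"
# Inbound: match the public address rather than the interface, so the same rule
# serves internet clients and LAN clients that resolve domain.ru to 203.0.113.10
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 dst-port=80 \
    to-addresses=192.168.88.10 comment="Nextcloud HTTP / ACME HTTP-01"
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 dst-port=443 \
    to-addresses=192.168.88.10 comment="Nextcloud HTTPS"
# Hairpin NAT: without this a LAN client's SYN is dst-nat'ed to the server, but the
# server answers the client directly on the LAN; the client sees a reply from the
# wrong address and the handshake fails
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=80,443 comment="hairpin NAT for LAN clients"

/ip firewall filter
# Router itself: nothing new from WAN (management stays LAN-only)
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop in-interface-list=WAN comment="no management from WAN"
# Forwarded traffic: only connections that a dstnat rule mapped may be opened from WAN
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new in-interface-list=WAN \
    connection-nat-state=dstnat comment="only the forwarded ports"
add chain=forward action=drop connection-state=new in-interface-list=WAN
```

RouterOS evaluates filter rules top to bottom and `add` appends, so on a router that still has the default firewall review `/ip firewall filter print` first and enter Safe Mode (or take a `/system backup`) before pasting. One side effect of the hairpin rule is that Nextcloud sees hairpinned LAN clients with the router’s address 192.168.88.1, so its brute-force protection treats all of them as one client; a reverse proxy that adds X-Forwarded-For, or split DNS that resolves domain.ru to 192.168.88.10 inside the LAN, avoids that.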
Let’s Encrypt Configuration
The problem with obtaining a Let’s Encrypt certificate for an internal server arises because Let’s Encrypt validates the domain from the internet and its validation request must reach the server or its DNS: the HTTP-01 challenge fetches http://domain.ru/.well-known/acme-challenge/<token> on port 80 (always port 80, never a custom port such as 1234), TLS-ALPN-01 connects to port 443, and DNS-01 reads a TXT record and needs no inbound port at all. With the server on the local network behind the Mikrotik, there are several solutions:
Option 1: Configure port forwarding at the Mikrotik level
Forward ports 80 and 443 to the internal server and run the ACME client there (certbot, acme.sh, or the web server’s own integration; if Nextcloud is the snap package, its nextcloud.enable-https lets-encrypt command runs the HTTP-01 challenge and likewise needs port 80 reachable). Nextcloud itself does not obtain certificates; that is the job of the web server in front of it:
# Complete configuration for Let's Encrypt
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=80 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.10 to-ports=80 \
comment="Let's Encrypt HTTP challenge"
add chain=dstnat action=dst-nat dst-port=443 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.10 to-ports=443 \
comment="Let's Encrypt HTTPS"
Option 2: Use a reverse proxy in front of the server
RouterOS has no reverse proxy (/ip proxy is a forward HTTP cache and does not terminate TLS), so a reverse proxy means a separate host in the LAN (nginx, Caddy, Traefik or HAProxy) that terminates TLS, holds the certificate and relays to Nextcloud. The Mikrotik rules then forward 80 and 443 to the proxy host instead of directly to Nextcloud; the rules below keep 192.168.88.10 as the target, which assumes the proxy runs on the same host as Nextcloud:
# Forwarding to the reverse proxy host
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=80 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.10 to-ports=80 \
comment="Reverse proxy HTTP"
add chain=dstnat action=dst-nat dst-port=443 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.10 to-ports=443 \
comment="Reverse proxy HTTPS"
Option 3: Configure DNS for validation
A PTR record plays no role in Let’s Encrypt validation. What the DNS-01 challenge needs is a TXT record at _acme-challenge.domain.ru containing the value the ACME client gives you. With a DNS provider that has an API the client creates the record automatically and no inbound port has to be open; this is also the only way to obtain a wildcard certificate.
Option 4: Manual certificate acquisition
Obtain the certificate on another host with internet access (for example with certbot in manual mode and the DNS-01 challenge) and copy the certificate chain and private key to the Nextcloud server. The private key then travels over the network, so transfer it over SSH only, and Let’s Encrypt certificates expire after 90 days, so the procedure must be repeated before each expiry; Option 1 or 3 automates the renewal.
Example of a bridge configuration with port forwarding from the Mikrotik forum, where the public IP is assigned to the bridge itself:
/ip address add address=92.62.3.13/32 interface=bridge
This is the arrangement in which the port towards the provider is a bridge port. Port forwarding for servers on the local network then works only with use-ip-firewall=yes on the bridge, and the dstnat rules must match in-interface=bridge rather than ether1.
Multiple Servers Setup
To organize access to multiple internal servers (corporate website, mail server, etc.), use different ports or subdomains:
Option 1: Different ports
# Corporate website on port 8080
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=8080 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.20 to-ports=80 \
comment="Corporate website HTTP"
# Mail server on port 25
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=25 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.30 to-ports=25 \
comment="Mail server SMTP"
Option 2: Subdomains using a reverse proxy
The Mikrotik cannot route HTTPS by hostname: it does not inspect SNI, and RouterOS has no reverse proxy. Forward ports 80 and 443 once, to a reverse-proxy host in the LAN that reads the SNI/Host header and relays, for example, cloud.domain.ru to Nextcloud and www.domain.ru to the website (the subdomain names are illustrative). Each service keeps its own name and certificate, and only one pair of NAT rules is needed:
# One rule for all HTTPS services; the target is the reverse-proxy host (here assumed to share 192.168.88.10 with Nextcloud)
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=443 protocol=tcp \
in-interface=ether1 to-addresses=192.168.88.10 to-ports=443 \
comment="HTTPS for all services"
# Domain-based routing is configured on the reverse proxy, not on the Mikrotik
Option 3: Using VLAN
VLANs separate the servers from each other and from the office network on the LAN side; they change nothing about where internet traffic arrives. It still enters on the WAN port, so the dstnat rules keep matching in-interface=ether1 and differ only in the internal destination. Two services cannot both own external port 443 on one public IP: give the second one another external port, or put a reverse proxy in front of both. Enable vlan-filtering last, after the VLAN table is in place, because a bridge with filtering on and an empty table forwards nothing and locks you out if you manage the router through it. Once the servers are in their own VLANs, add forward-chain rules that stop the server VLANs from opening connections to the office VLAN, so a compromised server cannot reach the workstations.
# VLAN table: ether2 is assumed to be the trunk to the switch; bridge1 carries both VLANs tagged to the router
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2
# VLAN interfaces and the router's address in each VLAN
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
# Enable filtering only after the table above exists
/interface bridge
set [find name=bridge1] vlan-filtering=yes
# Port forwarding into the different VLANs: the traffic still arrives on ether1
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=443 protocol=tcp \
in-interface=ether1 to-addresses=192.168.10.10 to-ports=443 \
comment="Nextcloud in VLAN 10"
add chain=dstnat action=dst-nat dst-port=8443 protocol=tcp \
in-interface=ether1 to-addresses=192.168.20.10 to-ports=443 \
comment="Corporate site in VLAN 20 (external port 8443)"
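As an added example, not from the original page, here is a multi-service layout that combines the three options: a reverse-proxy host takes all HTTP(S) names, non-HTTP services get their own external ports, and the filter chains record which connections the NAT rules let in and which sources probe the public IP for ports nothing is forwarded for. The addresses are assumptions: public IP 203.0.113.10 on ether1 (a documentation placeholder), reverse proxy 192.168.88.5 in front of Nextcloud (192.168.88.10) and the corporate site (192.168.88.20), mail server 192.168.88.30, with the WAN and LAN interface lists already defined.

```routeros
# Added example, not code from the original page. Assumed addresses: 203.0.113.10 public,
# 192.168.88.5 reverse proxy (nginx/Caddy/Traefik/HAProxy, routes by SNI/Host),
# 192.168.88.20 corporate site, 192.168.88.30 mail server. Interface lists WAN/LAN exist.
/ip firewall nat
# All HTTP(S) names (cloud.domain.ru, www.domain.ru, ...) land on the proxy; which
# backend they reach is decided there, not on the router
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 dst-port=80 \
    to-addresses=192.168.88.5 comment="web HTTP -> reverse proxy"
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 dst-port=443 \
    to-addresses=192.168.88.5 comment="web HTTPS -> reverse proxy"
# Non-HTTP services keep their own ports (25 is often filtered on consumer lines,
# 465/587 usually are not); no to-ports means the same port on the inside
add chain=dstnat action=dst-nat protocol=tcp dst-address=203.0.113.10 dst-port=25,465,587 \
    to-addresses=192.168.88.30 comment="mail SMTP/submission"
# Hairpin for LAN clients using the public names; only hairpinned flows ever pass
# the router with both addresses in the LAN subnet
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    comment="hairpin NAT"

/ip firewall filter
# Router itself: TCP sources that open connections to the public IP on ports nothing is
# forwarded for are recorded for a day and dropped; replies and LAN stay allowed
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=LAN
add chain=input action=add-src-to-address-list address-list=scanners \
    address-list-timeout=1d protocol=tcp connection-state=new in-interface-list=WAN \
    comment="unsolicited TCP connection to the public IP"
add chain=input action=drop in-interface-list=WAN
# Forwarded traffic: listed scanners get nothing, every other new dst-nat'ed
# connection is logged with its internal target, everything else is dropped
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop src-address-list=scanners in-interface-list=WAN \
    comment="known scanners do not reach the services either"
add chain=forward action=accept connection-state=new in-interface-list=WAN \
    connection-nat-state=dstnat log=yes log-prefix="FWD-NEW" comment="only the forwarded ports"
add chain=forward action=drop connection-state=new in-interface-list=WAN
```

The log lines with prefix FWD-NEW are what `/log print where topics~"firewall"` and a remote syslog target should collect; they give the source, the public port and the internal host for every connection the router admitted. The scanners list is a blunt instrument: a legitimate user who mistypes a port is locked out for a day, so tune address-list-timeout to taste, and never let LAN addresses land in it (the LAN accept rule above is placed before it for that reason).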
Troubleshooting Common Issues
Issue 1: Let’s Encrypt certificate cannot be obtained
Cause: Let’s Encrypt cannot reach the server on port 80 (HTTP-01) or cannot find the TXT record (DNS-01) because of the network configuration.
Solution:
- Check that ports 80 and 443 are forwarded on Mikrotik and accepted in the forward chain; test from outside the office network (mobile data), because a test from the LAN depends on hairpin NAT instead
- Ensure the domain name resolves to your static IP (A record) and that the Mikrotik holds that IP on its WAN port
- Keep port 80 forwarded at least while the ACME client runs; HTTP-01 always connects to port 80, never to a custom port such as 1234
- Run the ACME client on the server itself, e.g. the certbot utility, and read its error output: it states which challenge failed and what response it received
Issue 2: HTTPS access doesn’t work
Cause: Incorrect firewall configuration, a conflict with other equipment, or the web server on the Nextcloud host is not listening on 443 at all (check there first). Nextcloud also rejects requests for a hostname missing from its trusted_domains setting.
Solution:
# Check the rules and their hit counters: a zero counter on the dstnat rule means the
# traffic never reached the router or an earlier rule matched it first
/ip firewall nat print stats
/ip firewall filter print stats
# Check that a translated connection to the server exists (reply-src-address is the inside address)
/ip firewall connection print where reply-src-address~"192.168.88.10"
# To test one filter rule, disable it by its comment (placeholder below) and re-enable it afterwards.
# Do not set every input-chain rule to accept: that rewrites the drop rules too, is not
# temporary, and the input chain is not even the one forwarded traffic passes through
/ip firewall filter disable [find comment="drop all from WAN"]
/ip firewall filter enable [find comment="drop all from WAN"]
Issue 3: Traffic doesn’t pass through the bridge
Cause: This applies only when the port towards the provider is itself a bridge port; then bridged packets bypass the IP firewall unless use-ip-firewall is set. In the routed setup (WAN on ether1, LAN on bridge1) the usual cause is instead a forward-chain drop rule placed before the rule that accepts dst-nat’ed connections.
Solution:
# Enable IP firewall for bridge (bridged WAN only)
/interface bridge
set [find name=bridge1] use-ip-firewall=yes
Issue 4: Conflict with Rostelecom
Cause: The provider filters certain inbound ports (25 is the usual one on consumer lines).
Solution:
- Use alternative external ports (8080, 8443, etc.) and map them to the real ports in the dstnat rule (dst-port=8443 to-ports=443); note that HTTP-01 still requires port 80, so switch to the DNS-01 challenge if port 80 is filtered
- Contact Rostelecom support to open the required ports
- Publish the non-standard port in the URL you give users (https://domain.ru:8443) or move the service behind a reverse proxy on a port that is not filtered
Important note: A Mikrotik that bridges its WAN and LAN ports behaves as a switch rather than a router, and port forwarding then needs use-ip-firewall=yes and explicit interface matching as described in the Mikrotik documentation. In the setup in the question the provider’s device is the one in bridge mode, the Mikrotik routes, and none of that applies.
Conclusion
- Main configuration steps: put the static IP on the Mikrotik’s WAN port, keep only the LAN ports in the bridge, create dstnat rules for ports 80 and 443, make sure the forward chain accepts dst-nat’ed connections, and point the domain’s A record at the static IP.
- Obtaining a Let’s Encrypt certificate: run the ACME client on the server with ports 80 and 443 forwarded, or terminate TLS on a reverse-proxy host in the LAN, or use the DNS-01 challenge (a TXT record) when no inbound port can be opened; a manually obtained certificate works but must be replaced every 90 days.
- For multiple servers: use different external ports for non-HTTP services, a reverse proxy for several HTTPS names on one IP, and VLANs to separate the servers from the office network.
- Recommendations: keep the exposed ports to the minimum, remove the plain-HTTP rule on port 1234 once HTTPS works, check that renewal runs on schedule, test from outside the LAN, and monitor firewall logs to identify issues.
- Alternative solutions: if the Rostelecom device cannot be put in bridge mode you get double NAT, and ports 80 and 443 must then be forwarded on it to the Mikrotik as well; letting the Mikrotik be the only router, as the rules above assume, is the simpler design.
Sources
- MikroTik Documentation - Bridging and Switching
- MikroTik Wiki - Manual:Interface/Bridge
- Bridge NAT Port Forwarding - MikroTik Forum
- Use MikroTik Bridge as a Public IP Firewall - Server Fault
- Is it OK to set public IP to bridge? - MikroTik Forum
- Quick Set - RouterOS - MikroTik Documentation
- Bridge - RouterOS - MikroTik Documentation
- NAT Port Forwarding — Manito Networks
- How to port forward on MikroTik - YouTube
- Port Forwarding Step by Step - Mikrotik Tutorial - YouTube
- Getting Started: MikroTik Bridge Configuration - YouTube