Destination NAT elements: 1. Destination IP called external IP which is WAN IP that can be accessed from outside. Usually it is a public IP (or CPE IP). For example: 204.16.x.x 2. Destination port called external port, can be any port that you want to set to access the device from outside. For example: 8089 3. Translated address, or to-address which is IP of the device that cannot be accessed, called internal IP. For example: 192.168.1.20 4. Translated port, or to-ports which is the specific port to access the internal device. For example 443 (https), (or 80 for http). Destination NAT rule on mikrotik from GUI: IP>Firewall>NAT, add. Chain: dstnat Dst. Address: 204.16.x.x Protocol: tcp Dst. Port: 8089 Action: dst-nat To-Addresses: 192.168.1.20 To-ports: 443 RULE to access device: https:// 204.16.x.x:8089 Example from command line: /ip firewall nat add action=dst-nat chain=dstnat dst-address=”external IP” dst-port=”external port” protocol=tcp toaddresses=”internal IP” to-ports=”internal port” Example: just replace: external IP: 204.16.x.x external port: 8089 internal IP: 192.168.1.20 internal port: 443 So the command would be: /ip firewall nat add action=dst-nat chain=dstnat dst-address=204.16.x.x dst-port=8089 protocol=tcp toaddresses=192.168.1.20 to-ports=443 Note: just paste the commands on terminal of mikrotik, and place the rule on top as first rule.