nSolo Inbound
NAT port forwards on your nSolo dedicated public IP. Available to Plus members with the nSolo add-on, and all Pro members.
Where it lives
Sidebar: nSolo Inbound (under Reachability). Section ID: port-mapping-section. Loader: loadPortMapping().
What this gives you
You have an nSolo IP — say 193.143.16.78. You want SSH on port 22 of your mesh-side host (10.254.100.42) reachable from the public internet via that nSolo IP. nSolo Inbound is the form for that.
The platform pushes a DSTNAT rule onto the eu-west-2 NAT-0 RouterOS: dst-port=22 dst-address=193.143.16.78 protocol=tcp → to-addresses=10.254.100.42 to-ports=22. Done.
Creating a mapping
Form fields:
- External port — what attackers / users hit. e.g. 22, 443, 25565 (Minecraft), 554 (RTSP)
- Internal port — where your service actually listens on your mesh side. Often the same as external; can be different
- Protocol — tcp / udp / tcp+udp
- Internal target — defaults to your mesh IP (you can pick another mesh IP if you're routing for an nLAN)
Submit → rule pushed to RouterOS within seconds. The card shows live and the external URL (tcp://193.143.16.78:22).
Differences from jumphost tunnel
See the comparison table on Jumphost tunnel.
Quick rule of thumb: if you want SSH / Minecraft / IRC / anything non-HTTP exposed → nSolo Inbound. If you have a website and want a nice hostname → jumphost tunnel.
Existing mappings
Each card shows:
- External <nsolo-ip>:<port>/<proto>
- Internal <mesh-ip>:<port>
- Status — live (RouterOS rule present) / pending (just submitted, not yet pushed) / error (push failed; details in the card)
- Bytes through — counter for this billing cycle
- Actions — edit (change ports/target), pause (rule removed but kept; quick re-enable), delete
Empty state is the Kernel callout — share-network icon, "No inbound ports", + bullets.
Constraints
- Common privileged ports (22, 80, 443, 25) — fine
- Reserved by the platform: 51820 (WireGuard), 53 (DNS), 8728/8729 (RouterOS API)
- Soft limit: 10 mappings per nSolo IP; more on request
Security warning
nSolo Inbound is raw NAT. There's no auth at the platform layer — whatever connects to your nSolo IP hits your internal service. Your service is responsible for its own security (auth, TLS, firewall).
Common mistake: forwarding 5900 (VNC) to a Windows box without auth. Don't do this. Run VNC behind SSH instead.
Troubleshooting
Mapping shows live but connections time out
Check your service is bound to the right interface on your mesh side. If it's bound to 127.0.0.1, nothing external can reach it.
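A quick check for the loopback-binding case above, as an added example (not part of the nSolo platform or its documentation): it parses `ss -H -ltn` output taken on the mesh-side host and reports whether a TCP port is bound where forwarded traffic can reach it. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output from a mesh-side host (not real data).
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 5    127.0.0.1:5900    0.0.0.0:*
LISTEN 0 511  10.254.100.42:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128  [::1]:8080        [::]:*
"""

def listeners(ss_output):
    """Yield (address, port) for every LISTEN line in `ss -H -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if port.isdigit():
            yield addr, int(port)

def bind_status(ss_output, mesh_ip, port):
    """Return 'reachable', 'loopback-only', 'other-address' or 'not-listening'
    for a TCP port, relative to the mesh IP the DSTNAT rule forwards to."""
    target = ipaddress.ip_address(mesh_ip)
    status = "not-listening"
    for addr, p in listeners(ss_output):
        if p != port:
            continue
        if addr in ("0.0.0.0", "*"):      # wildcard bind accepts forwarded traffic
            return "reachable"
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip == target:
            return "reachable"
        if ip.is_loopback:
            status = "loopback-only"      # the case the troubleshooting note describes
        elif status == "not-listening":
            status = "other-address"      # bound, but not to the forwarded mesh IP
    return status

if __name__ == "__main__":
    for port in (22, 443, 5900, 25565):
        print(port, bind_status(SAMPLE_SS, "10.254.100.42", port))
```

An IPv6-only wildcard listener (`[::]`) is reported as other-address, since the rule on this page forwards to an IPv4 mesh address. A loopback-only result on a port such as 5900 is the desired state when the service is meant to be reached through SSH rather than forwarded directly.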
Connections work for a few seconds then drop
Possible NAT translation timeout. For long-lived connections (SSH, IRC), set keep-alives on your client. RouterOS default TCP NAT timeout is 24h, UDP is 10m.