
Are you just throwing your problem over the "Mikrotik Forum wall" hoping someone will catch it and resolve it for you?
What about giving additional info, such as how the device is configured firewall-wise, etc.?
What have you investigated, and what were the results?
More info is needed, but possibly:
- you don't have L2 connectivity to the router; this could be a mismatch of subnet mask, for example.
- access to the router is blocked by its firewall.
As other posters above have said, more details of what really happened will hasten the help you receive.
Questions like: is there an IP address configured on the interface you're connected to? And is there a firewall rule blocking IP access to the router?
Sent from my LG-H810 using Tapatalk
Sorry for the missing information. I did not know how to post the info. So this is what I have:
[screenshots posted here: DHCPClient, DHCPServer, BridgeOffice, Firewall, NAT]
As mentioned before, the problem is that I cannot access the cameras or any other port-forwarded devices in my LAN; I can access them only from outside my LAN. I tried to do the hairpin that is suggested in the wiki, but that did not work. Maybe I am doing something wrong. I appreciate your help. @routik @Solar77
It is a bit confusing to see the topic subject to mention login to the router and the description to deal with login to cameras on LAN from other devices on the same LAN.
So
- what is the actual issue you currently fight? Access to router’s IP address from a PC on LAN, or access to a camera on LAN from a PC on LAN via the router’s public IP?
- can you click the Terminal button and post the output of the /export hide-sensitive command issued in the window which opens, after systematically replacing each occurrence of any public address you don't want to publish with a distinctive meaningful string like my.public.ip.1?
Sindy, the problem I am facing is this: first I had done a hairpin, but that did not allow me to access the router, only through the MAC address; now that I have deleted that configuration I cannot access the cameras or other devices in my LAN with my public IP.
So this is the problem I have: I cannot access the NVR with the public IP on the LAN. I tried to do what the wiki teaches about hairpin, but that did not work. I appreciate your help, and sorry for the confusion.
OK, so please re-add the rule which breaks access to the router and fixes access to the cameras but with disabled=yes, then follow point 2) above (export hide-sensitive etc.). The screenshots do not show all parameters of the firewall rules.
# may/22/2018 05:12:53 by RouterOS 6.39.2
# software id = SZXF-N2Q7
/interface bridge
add arp=reply-only name=BridgeOffice
add name=BridgeVlan5
add arp=reply-only name=Fatima
/interface ethernet
set [ find default-name=ether9 ] arp=reply-only
/interface vlan
add arp=reply-only interface=ether2 name=vlan5 vlan-id=5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name="WLAN WORK" supplicant-identity=""
/interface wireless
/ip dhcp-server
add add-arp=yes disabled=no interface=BridgeOffice name=DHCPServerLAN
/ip pool
add name=PoolGuest ranges=10.10.5.2-10.10.5.30
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.30
add name=PoolFatima ranges=192.168.25.2
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=BridgeVlan5 name=DHCPServerGuest
add add-arp=yes address-pool=PoolFatima disabled=no interface=Fatima name=ServerDHCP
/ppp profile
add local-address=10.5.5.5 name=**** remote-address=10.6.6.6
/queue simple
add max-limit=10M/10M name=queue1 target=10.10.10.16/32
add max-limit=5M/5M name=QueueVLAN5 target=BridgeVlan5
add max-limit=3M/3M name=QueueFatima target=Fatima
/interface bridge port
add bridge=BridgeOffice interface=ether2
add bridge=BridgeVlan5 interface=vlan5
add bridge=Fatima interface=ether4
add bridge=BridgeOffice interface=ether5
add bridge=BridgeOffice interface=ether6
add bridge=BridgeOffice interface=ether3
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=128.10.5.254/24 comment=OfficeNetwork interface=BridgeOffice network=128.10.5.0
add address=192.168.25.1/30 comment=Fatima interface=Fatima network=192.168.25.0
add address=10.10.10.1/27 interface=BridgeVlan5 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="DHCP Client From IPS - Ether WAN" dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/27 gateway=10.10.10.1 netmask=27
add address=128.10.5.0/24 gateway=128.10.5.254 netmask=24
add address=192.168.1.0/30 gateway=192.168.1.1
add address=192.168.25.0/30 gateway=192.168.25.1 netmask=30
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=10.5.5.0/24 list=allow-ip
add address=10.10.1.0/24 list=allow-ip
add address=10.10.10.0/27 list=allow-ip
add address=128.10.5.0/24 list=allow-ip
add address=186.3.147.96/27 list=allow-ip
add address=192.168.1.0/24 list=allow-ip
add address=192.168.25.0/30 list=allow-ip
/ip firewall filter
add action=accept chain=input comment=PPTPConfig dst-port=1723 protocol=tcp
add action=accept chain=forward dst-address=128.10.5.2 src-address=10.10.10.16
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=10.10.10.0/24
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=192.168.25.0/30
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=186.3.147.xxx dst-port=5000 in-interface=ether1 protocol=tcp to-addresses=128.10.5.2 to-ports=5000
add action=dst-nat chain=dstnat dst-address=186.3.147.xxx dst-port=8086 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=8086
add action=dst-nat chain=dstnat dst-address=186.3.147.xxx dst-port=8001 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=8001
add action=dst-nat chain=dstnat dst-address=186.3.147.xxx dst-port=554 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=554
add action=masquerade chain=srcnat dst-address=128.10.5.50 dst-port=8086 out-interface=ether1 protocol=tcp src-address=128.10.5.0/24
/ip route
add distance=1 dst-address=10.5.5.0/24 gateway=F00093
add distance=1 dst-address=10.10.1.0/24 gateway=F00093
add distance=1 dst-address=192.168.1.0/24 gateway=BridgeOffice
/ip service
set telnet disabled=yes
/system clock
set time-zone-name=America/Guayaquil
/system identity
set name=*
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
/system note
set note="The security flaw for Hajime is closed by the firewall. Please update RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1"
I have a feeling your router has been compromised…
-
your firewall filter rules indicate that you have some gaps in understanding how Mikrotik's firewall works. Please look here for a supercharged introduction and modify your firewall rules so that they provide better protection. Then I would strongly recommend exporting the configuration to a file, downloading it off the 'Tik, and upgrading to at least 6.40.8 (latest bugfix release) and later maybe even to 6.42.2 (latest current release).
-
you haven't added any firewall rule with disabled=yes, so it is hard to guess which one causes the conflict. But from the history, I suppose it is this one:
/ip firewall nat
...
add action=masquerade chain=srcnat dst-address=128.10.5.50 dst-port=8086 out-interface=ether1 protocol=tcp src-address=128.10.5.0/24
The problem is that I cannot understand why this rule should have any effect at all. It cannot help access the cameras' port 8086 from the LAN via the public IP of the 'Tik because, in your configuration, out-interface=ether1 is never true simultaneously with dst-address=128.10.5.50 src-address=128.10.5.0/24.
To make the hairpin NAT work, you need to make the cameras think that Mikrotik is the client, so that they would send their responses to Mikrotik rather than directly to the real client. If the real client sends the SYN packet to the WAN address of the Mikrotik but receives the SYN,ACK response from the LAN address of the camera, it doesn’t recognize it as a response to the SYN. So just removing the out-interface=ether1 from the rule should be enough to make the access to cameras work. You could replace it by out-interface=BridgeOffice but it is not necessary as the combination of dst-address and src-address has the same effect.
It would also be cleaner to replace action=masquerade by action=src-nat to-addresses=128.10.5.254 in the rule, but it is not the essence of the trouble.
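The points Sindy raises about the export (no catch-all drop in the input chain, services reachable from anywhere, logging switched off, a /system note the owner never wrote) can be checked mechanically. The following is an added example, not code from the forum or from MikroTik: a small parser for the /export text format plus four checks, run over a constructed excerpt of the export posted above (wallet IDs elided). Two things are assumptions and marked as such in the code: the list of services RouterOS 6.x enables by default, and the keyword pattern used to flag the note. The service check also covers the IP → Services address restriction that the last two replies in the thread turn out to hinge on.

```python
"""Audit a RouterOS /export for the weaknesses discussed in the thread.

Added example (not the poster's or MikroTik's code). It parses the export
into (section, verb, positional args, key=value) entries and runs four
checks: a catch-all drop in the input chain, /ip service entries without an
address= restriction, /system logging disabled, and a tampered /system note.
"""
import re
import shlex

# Constructed excerpt of the export posted in the thread (wallet IDs elided).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment=PPTPConfig dst-port=1723 protocol=tcp
add action=accept chain=forward dst-address=128.10.5.2 src-address=10.10.10.16
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=\\
    10.10.10.0/24
/ip service
set telnet disabled=yes
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
/system note
set note="The security flaw for Hajime is closed by the firewall. Please update \\
    RotherOS. Gratitude is accepted on WebMoney Z... or BTC 1..."
"""

# Assumption: services RouterOS 6.x ships enabled with no address restriction.
# /export prints only settings that differ from the default, so a service that
# does not appear in the export is still enabled and open to every source address.
DEFAULT_ENABLED_SERVICES = ("api", "ftp", "ssh", "telnet", "winbox", "www")

# Assumption: strings that mark the note as written by someone other than the admin.
TAMPER_PATTERN = re.compile(r"Hajime|BTC|WebMoney")


def _logical_lines(text):
    """Join export lines that RouterOS wrapped with a trailing backslash; drop comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        joined = buf + piece
        if joined and not joined.startswith("#"):
            lines.append(joined)
        buf = ""
    return lines


def parse_export(text):
    """Return [(section, verb, positional, {key: value}), ...]."""
    entries, section = [], None
    for line in _logical_lines(text):
        if line.startswith("/"):
            section = line
            continue
        verb, *args = shlex.split(line)      # shlex handles the quoted note/comment values
        positional, kv = [], {}
        for tok in args:
            if "=" in tok:
                key, value = tok.split("=", 1)
                kv[key] = value
            else:
                positional.append(tok)       # e.g. "telnet" in "set telnet disabled=yes"
        entries.append((section, verb, positional, kv))
    return entries


def audit(text):
    entries = parse_export(text)

    def by_section(name):
        return [e for e in entries if e[0] == name]

    findings = {}

    # 1. Without a final unconditional drop, every router service is reachable
    #    from every interface regardless of what the accept rules say.
    selective = {"src-address", "src-address-list", "dst-address", "dst-port",
                 "protocol", "connection-state", "in-interface"}
    input_rules = [kv for _, _, _, kv in by_section("/ip firewall filter")
                   if kv.get("chain") == "input"]
    findings["input_default_drop"] = any(
        kv.get("action") == "drop" and not (selective & kv.keys()) for kv in input_rules)

    # 2. Management services still enabled and not bound to an address= list.
    services = {pos[0]: kv for _, _, pos, kv in by_section("/ip service") if pos}
    findings["unrestricted_services"] = sorted(
        name for name in DEFAULT_ENABLED_SERVICES
        if services.get(name, {}).get("disabled") != "yes"
        and "address" not in services.get(name, {}))

    # 3. Every logging target switched off: nothing to read after an incident.
    log_rules = [kv for _, _, _, kv in by_section("/system logging")]
    findings["logging_disabled"] = bool(log_rules) and all(
        kv.get("disabled") == "yes" for kv in log_rules)

    # 4. A note nobody on the admin side wrote means somebody else had write access.
    note = " ".join(kv.get("note", "") for _, _, _, kv in by_section("/system note"))
    findings["tampered_note"] = bool(TAMPER_PATTERN.search(note))
    return findings


if __name__ == "__main__":
    for check, result in audit(SAMPLE_EXPORT).items():
        print(f"{check}: {result}")
```

Run against the excerpt it reports no default drop in the input chain, five services still open to any address, logging fully disabled and a tampered note, which is the same picture Sindy draws from the full export. The parser is deliberately permissive (it does not know RouterOS grammar, only section headers and key=value tokens), so feed it a real /export and treat a hit as a reason to look, not a verdict.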
Thank you Sindy, but that did not work. So I have updated the firewall rules and also followed your instructions, but I am still not able to access the NVR (recorder) with the public IP within my LAN. It seems to be a problem with the port forwarding, because I can access my router with my public IP, but when I try to access with the public IP and the port I have no access…
How do the /ip firewall filter and /ip firewall nat rules look right now, and what is the address of the PC in the LAN you use to access the NVR?
You have several LAN subnets there, and the src-nat rule I’ve suggested you to modify only works for one of them.
Yes, I have three subnets. The first one is for the devices in the office, the second is for the guests, the third is to share internet with the other office.
128.10.5.0/24 is the network where the NVR (128.10.5.50) is connected, and my laptop too. I know that the rule you provided only applies to the network which is part of the BridgeOffice interface.
This is how the rules look right now:
/ip firewall filter
add action=accept chain=input comment=PPTPConfig dst-port=1723 protocol=tcp
add action=accept chain=forward dst-address=128.10.5.2 src-address=10.10.10.16
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=10.10.10.0/24
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=192.168.25.0/30
add action=drop chain=input connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8086 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=8086
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1 protocol=tcp to-addresses=128.10.5.2 to-ports=5000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=8001
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=554
add action=src-nat chain=srcnat dst-address=128.10.5.50 out-interface=BridgeOffice protocol=tcp src-address=128.10.5.0/24 to-addresses=128.10.5.254
I managed to figure it out… and it ended up like this:
[admin@***] > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
 1   chain=srcnat action=masquerade protocol=tcp src-address=128.10.5.0/24 dst-address=128.10.5.50 out-interface=BridgeOffice log=no log-prefix=""
 2   chain=dstnat action=dst-nat to-addresses=128.10.5.50 to-ports=8086 protocol=tcp dst-port=8086 log=no log-prefix=""
 3   chain=dstnat action=dst-nat to-addresses=128.10.5.50 to-ports=8001 protocol=tcp dst-port=8001 log=no log-prefix=""
 4   chain=dstnat action=dst-nat to-addresses=128.10.5.50 to-ports=554 protocol=tcp dst-port=554 log=no log-prefix=""
[admin@****] >
Thank you so much Sindy for your help!!
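To see why the last rule set above works while the first export and the out-interface=ether1 variant could not, here is an added example that is not RouterOS code and not from the thread: a small model of the forward path (dstnat evaluated before routing, srcnat after routing, the reply un-translated by connection tracking) run against the three rule sets that appear in the thread, using the addresses from the export. The public address 186.3.147.1 and the client 128.10.5.10 are assumed values standing in for the masked 186.3.147.xxx and an unnamed LAN PC.

```python
"""Model of the hairpin NAT problem in the thread.

Added example, not RouterOS code: only the pieces the discussion turns on are
modelled (dstnat before routing, srcnat after routing, the reply being
un-translated by connection tracking), with the addresses from the export.
"""
import ipaddress

WAN_IP = ipaddress.ip_address("186.3.147.1")    # assumed stand-in for 186.3.147.xxx
LAN_IP = ipaddress.ip_address("128.10.5.254")   # router's BridgeOffice address
LAN_NET = ipaddress.ip_network("128.10.5.0/24")
NVR = ipaddress.ip_address("128.10.5.50")
CLIENT = ipaddress.ip_address("128.10.5.10")    # assumed LAN PC

# Rule sets as they appear in the thread (only the 8086 forward is kept).
FIRST_EXPORT = [
    {"chain": "srcnat", "action": "masquerade", "out-interface": "ether1"},
    {"chain": "dstnat", "action": "dst-nat", "dst-address": "186.3.147.1", "dst-port": 8086,
     "in-interface": "ether1", "protocol": "tcp", "to-addresses": "128.10.5.50"},
    {"chain": "srcnat", "action": "masquerade", "dst-address": "128.10.5.50", "dst-port": 8086,
     "out-interface": "ether1", "protocol": "tcp", "src-address": "128.10.5.0/24"},
]
# Same, but with in-interface dropped from the dst-nat: the state Sindy analyses,
# where the hairpin srcnat rule still says out-interface=ether1.
ETHER1_HAIRPIN = [FIRST_EXPORT[0],
                  {k: v for k, v in FIRST_EXPORT[1].items() if k != "in-interface"},
                  FIRST_EXPORT[2]]
# The 'print detail' at the end of the thread.
FINAL_RULES = [
    {"chain": "srcnat", "action": "masquerade", "out-interface": "ether1"},
    {"chain": "srcnat", "action": "masquerade", "protocol": "tcp", "src-address": "128.10.5.0/24",
     "dst-address": "128.10.5.50", "out-interface": "BridgeOffice"},
    {"chain": "dstnat", "action": "dst-nat", "to-addresses": "128.10.5.50", "to-ports": 8086,
     "protocol": "tcp", "dst-port": 8086},
]


def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet."""
    checks = {
        "src-address": lambda w: pkt["src"] in ipaddress.ip_network(w),
        "dst-address": lambda w: pkt["dst"] in ipaddress.ip_network(w),
        "dst-port": lambda w: pkt["dport"] == w,
        "protocol": lambda w: pkt["proto"] == w,
        "in-interface": lambda w: pkt["in_if"] == w,
        "out-interface": lambda w: pkt["out_if"] == w,   # None before routing: never matches
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)


def trace(rules):
    """Follow the client's SYN to the WAN address through the router."""
    pkt = {"src": CLIENT, "dst": WAN_IP, "dport": 8086, "proto": "tcp",
           "in_if": "BridgeOffice", "out_if": None}
    # dstnat runs before routing, so out_if is still unknown here.
    for rule in rules:
        if rule["chain"] == "dstnat" and matches(rule, pkt):
            pkt["dst"] = ipaddress.ip_address(rule["to-addresses"])
            break
    if pkt["dst"] in (WAN_IP, LAN_IP):
        # No dst-nat hit: the SYN is for the router itself, goes to the input
        # chain, and nothing answers on 8086 there.
        return {"delivered_to": "router", "reply_src": None, "works": False}
    pkt["out_if"] = "BridgeOffice" if pkt["dst"] in LAN_NET else "ether1"
    for rule in rules:
        if rule["chain"] == "srcnat" and matches(rule, pkt):
            if rule["action"] == "masquerade":
                pkt["src"] = LAN_IP if pkt["out_if"] == "BridgeOffice" else WAN_IP
            else:                                   # action=src-nat to-addresses=...
                pkt["src"] = ipaddress.ip_address(rule["to-addresses"])
            break
    # The NVR answers whatever source the SYN carried.
    if pkt["src"] == CLIENT:
        # Source never rewritten: the SYN,ACK goes straight to the client over the
        # LAN switch with src=NVR, while the client is waiting on a reply from WAN_IP.
        reply_src = NVR
    else:
        # Reply returns to the router, which reverses both translations.
        reply_src = WAN_IP
    return {"delivered_to": "nvr", "reply_src": reply_src, "works": reply_src == WAN_IP}


if __name__ == "__main__":
    for name, rules in (("first export", FIRST_EXPORT),
                        ("hairpin with out-interface=ether1", ETHER1_HAIRPIN),
                        ("final rules", FINAL_RULES)):
        print(f"{name}: {trace(rules)}")
```

The three traces reproduce the thread: with the first export the SYN never leaves the router because the dst-nat insists on in-interface=ether1; with the out-interface=ether1 hairpin rule the SYN reaches the NVR but the SYN,ACK arrives from 128.10.5.50 and the client discards it; with the final rules the source is rewritten to the router's LAN address, so the reply comes back through the router and the client sees it from the WAN address it connected to. The model also accepts the action=src-nat to-addresses=128.10.5.254 form Sindy suggested, which takes the same path.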
I had the same issue: I was able to connect with Winbox to my MikroTik router
only via MAC address, but not with its internal IP address within the LAN network;
my problem was in the IP limitation under IP → Services.

Had the same issue. Consul's tip fixed it for me.
I had left the IP set to 172.16.0.0/16 in IP → Services, in the SSH and WINBOX entries.
After adjusting it to my current network IP address, it all worked out in the end.
Thanks!