Hello, I'm having a problem with my MikroTik. I don't know what's wrong, but I've connected my internet router to the MikroTik, then to the Mercusys router, where there are many CCTV cameras connected. The problem is when I want to connect to the device on the internet router because my server is located there. How can I connect to it when my IP address print looks like this?

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; defconf
192.168.88.1/24 192.168.88.0 bridge
1 D 192.168.1.30/24 192.168.1.0 ether1

But when I ping my server, it says host unreachable?

Pinging 192.168.1.253 with 32 bytes of data:
Reply from 192.168.88.1: Destination host unreachable.
Reply from 192.168.88.1: Destination host unreachable.
Reply from 192.168.88.1: Destination host unreachable.
Reply from 192.168.88.1: Destination host unreachable.

Ping statistics for 192.168.1.253:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Btw i don’t have admin and password for my internet router

Please show full config and draw the network diagram + info about used IPs for interfaces..
It's hard to understand the expected flow of packets without them.

Please reformat post with "preformatted text" tag < / > to make reading code easier. Do remove password and serials too.

Please remove serial Number, as a precautionary move.

Since you have masquerade appropriately applied, any traffic leaving your Routers WAN interface ( LAN interface of ISP router), it will get the IP address of 192.168.1.30 and thus be on the SAME LAN as the rest of the devices hanging off the ISP router. Any responses by the server should head back to your MT router and then the router should properly distribute the traffic back to any user on the MT router.

What cannot be done easily is for users on the ISP router to originate traffic to users/devices on non-local subnets ( aka the 192.168.88.0 subnet ). The ISP router would need a static route sending traffic for 192.168.88.0/24 to 192.168.1.30

If the request is from tripleNAT, the mercury router, depends........... if the mercury router is on the LAN subnet of the MT router ( as thus the WANIP of the mercury router is 192.168.88.XY ), some things need to be know.
a. what is the subnet LAN of the mercury router
b. do you masquerade its traffic out the WAN of the mercury router aka everything coming from it would have an IP of 192.168.88.XY?

Assuming it does........... and subnet of mercury is 10.10.10.0./24
Then to reach the server on the ISP router first you would simply initiate traffic to reach the server.
the traffic would leave the device with
src-address=10.10.10.5 dst-address=192.168.1.20
The traffic would go out the WAN of the mercury router (src address getting masqueraded) and hit the MT router with something like
src-address=192.168.88.XY dst-address= 192.168.1.20
The MT router would be quite aware of the 192.168.1.0 subnet and would send the traffic out the WAN of the MT upstream masqueraded with the wanip of the MT router.
The traffic would hit the ISP router with
Src-address=192.168.1.30 dst-address=192.168.1.20
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Response back from the server would leave the server with
src-address=192.168.1.20 dst-address=192.168.1.30
The MT Router would receive this traffic and unsrcnat the information such that the traffic is:
src-address=192.168.1.20 to to 192.168.88.XY. and would sent the traffic to the WAN port of the Mercury Router.
Response would then reach the mercury router and then be unsrcnatted there so that the traffic now reads
src-address=192.168.1.20 dst-address=10.10.10.5 and the traffic would be sent directly to that device.

jan/20/2026 02:48:08 by RouterOS 6.49.17
software id = [REDACTED]
model = RBD52G-5HacD2HnD
serial number = [REDACTED]
/interface bridge
add admin-mac=F4:1E:57:6D:91:7B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=9214 mtu=9214
set [ find default-name=ether2 ] l2mtu=9214 mtu=9214
set [ find default-name=ether3 ] l2mtu=9214 mtu=9214
set [ find default-name=ether4 ] l2mtu=9214 mtu=9214
set [ find default-name=ether5 ] l2mtu=9214 mtu=9214
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf
disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
wpa2-pre-shared-key=[REDACTED]
add authentication-types=wpa2-psk mode=dynamic-keys name=KEY
supplicant-identity="" wpa2-pre-shared-key="[REDACTED]"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
disabled=no distance=indoors frequency=auto installation=indoor l2mtu=
2290 mode=ap-bridge mtu=2290 security-profile=KEY ssid="MIKROTIK CCTV"
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto
installation=indoor l2mtu=2290 mode=ap-bridge mtu=2290 security-profile=
KEY ssid="MIKROTIK CCTV 5G" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Asia/Jakarta
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Like this ?

I dont see anything on the MT setup that would block traffic coming from a natted router behind it, through to the ISP router and back??

Must be missing something obvious.

I've been frustrated for 3 days and can't solve the problem.

Are you sure the device is there.

You can do a /tool ip-scan interface=ether1 address-range=192.168.1.0/24

And see what devices come up.

If none come up, you can check the arp table. (Maybe device doesn't answer pings???)

/ip arp print
or optionally
/ip arp print where address~"192.168.1"

First can you ping the device on the ISP LAN:

a. from the ping function on the MT router itself,
b. from a PC on the MT lan 192.168.88.0/24

Random values? Random YouTube guide? Artificial Deficence?
Lack of understanding what L2 and L3 are?
Is bigger better? (This doesn't apply everywhere...)

If MTU is 9214, L2MTU must be at least(...) 9228, the same is for 2290, must be at least 2304...

From the description it is not clear where the devices are connected,
it would be better if you made a diagram that also specifies the IPs.

It's best you start from scratch and leave it alone,
then ask for help on the forum.

I have no clue about MTU stuff, so assume the OP knows what they are doing when they start changing those value LOL,

No, not in MikroTik world .

L2MTU indicates the maximum size of the frame without the MAC header that can be sent by this interface.

https://www.youtube.com/watch?v=7a_z1jAdIME&t=182s

image1037×319 66.3 KB

If you don't use VLAN or MPLS etc... then you can set MTU = L2MTU without problem. Also if you add a VLAN interface on top of an ethernet or bridge interface, the L2MTU of the VLAN interface is automatically reduced from the L2MTU of the parent interface, so for that VLAN interface you can set MTU = L2MTU (of the VLAN interface) too.

image445×104 3.24 KB

... Oh ...