Masquerading errors but not sure how to fix.

I am trying to enable RTSP streaming but I am getting errors in the logs.
dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac 00:ff:ff:ff:ff:fd, proto TCP (SYN), MYPCIPWAN:57138->MIKROTIKROUTERWANIP:554, len 60
192.168.0.2 is the server that has the open ports, specifically port 554 (RTSP).
Thank you for looking :)


Firewall rules are

/ip firewall address-list
add address=WANIPREMOVED comment="Intranet Server" list=AllowRemoteIPS
add address=DNSIPREMOVED comment="Allow House Dyndns " list=AllowRemoteIPS
add address=VPNSERVERREMOVED comment="VPN Server" list=AllowRemoteIPS
add address=MYOFFICEIPREMOVED comment="Corporate TEMP IP FOR REMOVE IN CASE HOUSE FAILED REMOVE" list=AllowRemoteIPS
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat in-interface=ether1
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat connection-state=established,related,new
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="Remote Management Policys" dst-port=8291 protocol=tcp src-address-list=AllowRemoteIPS
add chain=input connection-state=established
add action=accept chain=input connection-state="" dst-port=554 protocol=tcp src-address-list=AllowRemoteIPS
add action=accept chain=input dst-port=554 protocol=udp src-address-list=AllowRemoteIPS
add action=accept chain=input dst-port=80 protocol=tcp src-address-list=AllowRemoteIPS
add action=accept chain=input protocol=icmp src-address-list=AllowRemoteIPS
add action=drop chain=input protocol=icmp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=3389
add action=dst-nat chain=dstnat comment="Hikvision Ports" dst-port=443 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=8001
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=80
add action=dst-nat chain=dstnat dst-port=83 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=83
add action=dst-nat chain=dstnat dst-port=1935 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=1935
add action=dst-nat chain=dstnat dst-port=7661 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=7661
add action=dst-nat chain=dstnat dst-port=559 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=559
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=554
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether1 log=yes protocol=udp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=554
add action=dst-nat chain=dstnat dst-port=16000-16005 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=16000-16005
add action=dst-nat chain=dstnat dst-port=7668 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=7668
add action=dst-nat chain=dstnat dst-port=7662 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=7662
add action=dst-nat chain=dstnat dst-port=6204 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=6204
add action=dst-nat chain=dstnat dst-port=6203 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=6203
add action=dst-nat chain=dstnat dst-port=6111 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=6111
add action=dst-nat chain=dstnat dst-port=6011 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=6011
add action=dst-nat chain=dstnat dst-port=8686 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=8686
add action=dst-nat chain=dstnat dst-port=10015 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=10015
add action=dst-nat chain=dstnat dst-port=8877 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=8877
add action=dst-nat chain=dstnat dst-port=7666 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=7666
add action=dst-nat chain=dstnat dst-port=8555 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=8555
add action=dst-nat chain=dstnat dst-port=7660 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=7660
add action=dst-nat chain=dstnat dst-port=7334 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=7334
add action=dst-nat chain=dstnat dst-port=7332 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=7332
add action=dst-nat chain=dstnat dst-port=15443 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=15443
add action=dst-nat chain=dstnat dst-port=15310 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=15310
add action=dst-nat chain=dstnat dst-port=15300 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=15300
add action=dst-nat chain=dstnat dst-port=18001-18020 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=18001-18020
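As an added example (not code from the thread or from MikroTik), the script below parses the `/ip firewall` export syntax used in the post above and runs the checks a reviewer does before exposing a LAN host: does the forward chain accept dstnat traffic, is there a final drop, does the input chain drop unsolicited WAN traffic, is the management port accepted on input, and which dst-nat rules carry no source restriction. It also matches the `dstnat:` log line quoted at the top of the post against the rules to show which one fires. The embedded export is an abbreviated excerpt of the posted rules with the same placeholder addresses; the last dst-nat rule (port 8000 without `src-address-list`) is constructed so that the unrestricted-forward finding has something to report, and the log matcher ignores `src-address-list` because the log's addresses are placeholders.

```python
"""Audit a MikroTik RouterOS firewall export for port-forwarding hygiene.

Added example, not code from the thread or from MikroTik. SAMPLE_EXPORT is an
abbreviated excerpt of the rules in the post (placeholder WAN addresses kept);
the final dst-nat rule is constructed without a source restriction on purpose.
"""
import re
import shlex
from dataclasses import dataclass

SAMPLE_EXPORT = """\
/ip firewall address-list
add address=WANIPREMOVED comment="Intranet Server" list=AllowRemoteIPS
add address=VPNSERVERREMOVED comment="VPN Server" list=AllowRemoteIPS
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat in-interface=ether1
add chain=input comment="Remote Management Policys" dst-port=8291 protocol=tcp src-address-list=AllowRemoteIPS
add chain=input connection-state=established
add action=accept chain=input connection-state="" dst-port=554 protocol=tcp src-address-list=AllowRemoteIPS
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=3389
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether1 log=yes protocol=tcp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=554
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether1 log=yes protocol=udp src-address-list=AllowRemoteIPS to-addresses=192.168.0.2 to-ports=554
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.2 to-ports=8000
"""

# The log line quoted in the post (placeholders as posted).
LOG_LINE = ("dstnat: in:ether1 out:(unknown 0), connection-state:new src-mac 00:ff:ff:ff:ff:fd, "
            "proto TCP (SYN), MYPCIPWAN:57138->MIKROTIKROUTERWANIP:554, len 60")


@dataclass
class Rule:
    section: str   # menu path, e.g. "/ip firewall nat"
    attrs: dict    # key=value pairs from the `add` line


def parse_export(text):
    """Turn RouterOS export text into Rule objects (section + attributes)."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line                       # a menu path opens a new section
        elif line.startswith("add ") and section:
            attrs = {}
            for tok in shlex.split(line[4:]):    # shlex keeps quoted comments whole
                key, _, val = tok.partition("=")
                attrs[key] = val
            rules.append(Rule(section, attrs))
    return rules


def action(r):
    return r.attrs.get("action", "accept")       # RouterOS: no action= means accept


def port_matches(spec, port):
    """dst-port may be "554", "16000-16005", or a comma-separated mix of both."""
    if not spec:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit(rules):
    """Summarise what a reviewer checks before forwarding ports to a LAN host."""
    live = [r for r in rules if r.attrs.get("disabled") != "yes"]
    filt = [r for r in live if r.section == "/ip firewall filter"]
    nat = [r for r in live if r.section == "/ip firewall nat" and action(r) == "dst-nat"]
    chain = lambda r: r.attrs.get("chain")
    key = lambda r: (r.attrs.get("protocol"), r.attrs.get("dst-port"))
    return {
        # forwarded traffic must be accepted somewhere in the forward chain
        "forward_accepts_dstnat": any(chain(r) == "forward" and action(r) == "accept"
                                      and r.attrs.get("connection-nat-state") == "dstnat" for r in filt),
        # without a final drop the forward chain falls through to implicit accept
        "forward_has_drop": any(chain(r) == "forward" and action(r) == "drop" for r in filt),
        "input_drops_wan": any(chain(r) == "input" and action(r) == "drop"
                               and r.attrs.get("in-interface") for r in filt),
        "mgmt_port_open_on_input": any(chain(r) == "input" and action(r) == "accept"
                                       and r.attrs.get("dst-port") == "8291" for r in filt),
        "forwarded_ports": sorted({key(r) for r in nat}),
        "unrestricted_forwards": [key(r) for r in nat
                                  if not (r.attrs.get("src-address-list") or r.attrs.get("src-address"))],
    }


LOG_RE = re.compile(r"in:(?P<in>[^\s,]+).*?proto (?P<proto>\w+).*?"
                    r"(?P<src>[^\s:]+):(?P<sport>\d+)->(?P<dst>[^\s:]+):(?P<dport>\d+)")


def matching_dstnat_rule(rules, line):
    """Return the first dst-nat rule whose protocol, in-interface and dst-port fit the log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    for r in rules:
        a = r.attrs
        if r.section != "/ip firewall nat" or action(r) != "dst-nat":
            continue
        if a.get("protocol", "").upper() != m["proto"].upper():
            continue
        if a.get("in-interface") not in (None, m["in"]):
            continue
        if port_matches(a.get("dst-port"), int(m["dport"])):
            return r
    return None


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    for name, value in audit(rules).items():
        print(f"{name}: {value}")
    hit = matching_dstnat_rule(rules, LOG_LINE)
    print("log line would hit:", hit.attrs if hit else None)
```

Run against the full export from the post, the same `audit()` reports no forward-chain drop (the default RouterOS configuration ends the forward chain with a drop of WAN traffic that was not dst-nated) and lists every forwarded port, which is the quickest way to see how much of 192.168.0.2 is reachable from the allow-listed addresses.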

Why did you mess with the default firewall rules, and then mix up chains etc.?
Seems like you are hosting RDP... it's not the best security practice anymore, hint...
Also you seem to think it's okay to have your WinBox port (still at the default) accessible over the WWW and not via VPN.
I have no desire to provide any advice for such an insecure setup.
If you want to improve security and are willing to listen, then I can provide some assistance.

All ports are secured by an allowed IP list.
So all these ports only get 4 IPs allowed in from the public internet.

I would have to check a fresh install of MikroTik x86 PC, as this isn't a router install.
Nothing was deleted as far as I am aware.
I will test this later tonight with a fresh install of PC MikroTik.
I would of course listen to any suggestions, hence the reason for posting for help.
The unsecured thing I am unsure on, as all ports are locked down to an allow list, which was tested and port scanned from a non-allowed IP.
All ports locked and closed.
Thanks
Steven

All is well, this issue is fixed. I had a vendor check over the rules.
We just added a rule to allow the outbound port back to the main IP and it now works on my selected IPs.
Thanks
S