Multiple network dst-nat problem

Hi,

I have a mikrotik rb750gr3 router.

I want to set up 3 different networks on it.

eth1-internet
eth2-192.168.2.0/24
eth3-192.168.6.0/24
eth4-192.168.88.0/24

I can make it work in this way:

/ip address
add interface=ether2 address=192.168.2.254/24
add interface=ether3 address=192.168.6.254/24
add interface=ether4 address=192.168.88.254/24

/ip pool
add name=pool1 ranges=192.168.2.10-192.168.2.253
add name=pool2 ranges=192.168.2.10-192.168.6.253
add name=pool3 ranges=192.168.2.10-192.168.88.253

/ip dhcp-server
add disabled=no authoritative=yes bootp-support=none name=dhcp1 interface=ether2 address-pool=pool1
add disabled=no authoritative=yes bootp-support=none name=dhcp2 interface=ether3 address-pool=pool2
add disabled=no authoritative=yes bootp-support=none name=dhcp1 interface=ether4 address-pool=pool1

/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.254
add address=192.168.6.0/24 gateway=192.168.6.254
add address=192.168.88.0/24 gateway=192.168.88.254

/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=yes add-default-route=yes

/ip firewall connection tracking
set enabled=yes

/ip firewall filter
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop out-interface=!ether1 src-address=192.168.2.0/24 comment="Prevent inter-subnet communication"
add chain=forward action=drop out-interface=!ether1 src-address=192.168.6.0/24 comment="Prevent inter-subnet communication"
add chain=forward action=drop out-interface=!ether1 src-address=192.168.88.0/24 comment="Prevent inter-subnet communication"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

Everything works well, except I can't forward port 8000 to an address.

I’m trying to dstnat in this way:

/ip firewall nat
add chain=dstnat dst-address=routerip protocol=tcp dst-port=8000 action=dst-nat to-addresses=192.168.6.2 port=8000

But if I try to connect to routerip:8000 I get a connection error. If I'm on the same network as the device, I can connect to port 8000.

Any suggestion?

Take another good look at the ip pools and dhcp servers info you posted.

There is no rule in your firewall filter that allows the dstnat’d traffic through from internet to your LAN.
It is there in the default config but you apparently deleted it.
Also, when filtering inter-subnet traffic I would advise matching by in/out interface instead of IP address, and also not using the !interface construct.
It could be helpful to make an interface list (there should already be one) containing your LAN interfaces and drop all forwards from this list to this list in a single drop rule.
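A filter and NAT fragment along the lines the reply suggests, written here as an added example rather than taken from the thread or from the RouterOS default configuration. It assumes ether1 is the WAN interface, that the list name LAN is free to choose, and that 192.168.6.2 is the host behind port 8000:

```routeros
# Group the three LAN ports in one interface list
/interface list
add name=LAN
/interface list member
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4

/ip firewall filter
# Keep existing flows working, drop anything the tracker cannot classify
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Explicitly let port-forwarded (dst-nat'd) connections from WAN reach the LAN host
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 \
    comment="Allow dst-nat'd traffic from internet"
# One rule replaces the three !ether1 rules: LAN subnets may not talk to each other
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="Prevent inter-subnet communication"
# Anything else new that arrives from WAN and was not dst-nat'd is dropped
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 comment="Drop unsolicited traffic from internet"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
# Match on the WAN interface instead of a hard-coded router IP, since ether1
# gets its address from DHCP and the address may change
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8000 \
    action=dst-nat to-addresses=192.168.6.2 to-ports=8000
```

Rule order matters: the dst-nat accept must sit above the LAN-to-LAN drop and the final WAN drop. Testing the forward from inside one of the LAN subnets against the WAN address additionally needs a hairpin NAT rule, which this fragment does not include.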