Nat Problem

gotchagomez · September 17, 2020, 3:18pm

Hi everybody,

I’m new with the routerOS and I have a nat problem.
The network is this one:

the problem appear when I try to connect from Internet to any camera Ip (configured with fixed ip address inside the Dream Machine LAN).
If I connect to the Mikrotik lan (192.168.4.0/24) I can access the cameras IP without problems but from the Internet sometimes work and other time not. This is a true mistery for me.
I search at the mikrotik firewall connections and the attemps to connect to any of the 4 wans always appear, but when not connect appear with the tcp state “syn received” and seconds after disappear.

I also tryied to change the Nat masquerade to srcnat but the problem persist.

I will be very grateful for any possible clue or solution.

My config is this:

# sep/17/2020 13:11:57 by RouterOS 6.45.9
# software id = XYHS-0R2X
#
# model = CCR1016-12S-1S+
# serial number = 912A0B8801D0
/interface bridge
add name="LAN Bridge"
/interface ethernet
set [ find default-name=sfp1 ] comment=\
    "Vodafone 100 192.168.0.1" name=\
    "WAN1 - Vodafone 100"
set [ find default-name=sfp2 ] comment=\
    "Movistar2 192.168.1.1" name=\
    "WAN2 - Movistar 2"
set [ find default-name=sfp3 ] comment=\
    "Movistar1 192.168.2.1" name=\
    "WAN3 - Movistar 1"
set [ find default-name=sfp4 ] comment=\
    "Vodafone Oro- 192.168.3.1" name=\
    "WAN4 - Vodafone Oro"
set [ find default-name=sfp12 ] disabled=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="BridgeLan dhcp_pool" ranges=192.168.4.10-192.168.4.15
/ip dhcp-server
add address-pool="BridgeLan dhcp_pool" disabled=no interface="LAN Bridge" \
    name=dhcp1
/interface bridge port
add bridge="LAN Bridge" interface=sfp5
add bridge="LAN Bridge" interface=sfp6
add bridge="LAN Bridge" interface=sfp7
add bridge="LAN Bridge" interface=sfp8
add bridge="LAN Bridge" interface=sfp9
add bridge="LAN Bridge" interface=sfp10
add bridge="LAN Bridge" interface=sfp11
add bridge="LAN Bridge" interface=sfpplus1
/interface detect-internet
set detect-interface-list=all wan-interface-list=all
/ip address
add address=192.168.5.1/24 comment="Lan Mikrotik - Dream Machine UniFi" \
    disabled=yes interface="LAN Bridge" network=192.168.5.0
add address=192.168.0.2/29 comment="Vodafone 100" interface=\
    "WAN1 - Vodafone 100" network=192.168.0.0
add address=192.168.1.2/24 comment="Movistar 2" interface="WAN2 - Movistar 2" \
    network=192.168.1.0
add address=192.168.2.2/24 comment=Movistar interface="WAN3 - Movistar 1" \
    network=192.168.2.0
add address=192.168.3.2/29 comment="Vodafone Oro" interface=\
    "WAN4 - Vodafone Oro" network=192.168.3.0
add address=192.168.4.1/29 comment="SFP+ Mikrotik DreamMachinePro" interface=\
    sfpplus1 network=192.168.4.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-server network
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.4.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=213.37.91.28 comment=fonzo.servehttp.com list=host_metrodomos
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Accept connections from Metrodomos" \
    src-address-list=host_metrodomos
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface=\
    "WAN1 - Vodafone 100"
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new in-interface="WAN4 - Vodafone Oro"
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new in-interface="WAN3 - Movistar 1"
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new in-interface="WAN3 - Movistar 1"
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new in-interface="WAN2 - Movistar 2"
add action=drop chain=forward comment="Drop all Else" disabled=yes
/ip firewall mangle
add action=mark-connection chain=input in-interface="WAN1 - Vodafone 100" \
    new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input in-interface="WAN2 - Movistar 2" \
    new-connection-mark=wan2_conn passthrough=yes
add action=mark-connection chain=input in-interface="WAN3 - Movistar 1" \
    new-connection-mark=wan3_conn passthrough=yes
add action=mark-connection chain=input in-interface="WAN4 - Vodafone Oro" \
    new-connection-mark=wan4_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn \
    new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_conn \
    new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan3_conn \
    new-routing-mark=to_wan3 passthrough=yes
add action=mark-routing chain=output connection-mark=wan4_conn \
    new-routing-mark=to_wan4 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Vodafone Oro" \
    disabled=yes out-interface="WAN4 - Vodafone Oro"
add action=masquerade chain=srcnat comment="Masquerade Movistar 1" disabled=\
    yes out-interface="WAN3 - Movistar 1"
add action=masquerade chain=srcnat comment="Masquerade Movistar2" disabled=\
    yes out-interface="WAN2 - Movistar 2"
add action=masquerade chain=srcnat comment="Masquerade Vodafone 100" \
    out-interface="WAN1 - Vodafone 100"
add action=src-nat chain=srcnat comment="srcnat masquerade" disabled=yes \
    out-interface="WAN1 - Vodafone 100" to-addresses=192.168.0.2
add action=src-nat chain=srcnat out-interface="WAN2 - Movistar 2" \
    to-addresses=192.168.1.2
add action=src-nat chain=srcnat out-interface="WAN3 - Movistar 1" \
    to-addresses=192.168.2.2
add action=src-nat chain=srcnat out-interface="WAN4 - Vodafone Oro" \
    to-addresses=192.168.3.2
add action=src-nat chain=srcnat disabled=yes src-address=192.168.4.0/24 \
    to-addresses=192.168.3.2
add action=dst-nat chain=dstnat comment=\
    "PortForwarding from Mikrotik to Dream Machine" dst-address=192.168.0.2 \
    dst-port=22221-22237 protocol=tcp to-addresses=192.168.4.2 to-ports=\
    0-65535
add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=22221-22237 \
    protocol=tcp to-addresses=192.168.4.2
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=22221-22237 \
    protocol=tcp to-addresses=192.168.4.2
add action=dst-nat chain=dstnat dst-address=192.168.3.2 dst-port=22221-22237 \
    protocol=tcp to-addresses=192.168.4.2
/ip route
add distance=1 gateway=192.168.0.1 routing-mark=to_wan1
add distance=1 gateway=192.168.1.1 routing-mark=to_wan2
add distance=1 gateway=192.168.2.1 routing-mark=to_wan3
add distance=1 gateway=192.168.3.1 routing-mark=to_wan4
add comment="Multi Wan" distance=1 gateway=\
    192.168.2.1,192.168.3.1,192.168.1.1,192.168.0.1
add distance=1 dst-address=192.168.0.0/29 gateway="WAN1 - Vodafone 100" \
    pref-src=192.168.0.2
add distance=1 dst-address=192.168.1.0/24 gateway="WAN2 - Movistar 2" \
    pref-src=192.168.1.2
add distance=1 dst-address=192.168.2.0/24 gateway="WAN3 - Movistar 1" \
    pref-src=192.168.2.2
add distance=1 dst-address=192.168.3.0/29 gateway="WAN4 - Vodafone Oro" \
    pref-src=192.168.3.2
/ip route rule
add action=lookup-only-in-table dst-address=192.168.4.0/24 table=main
add action=lookup-only-in-table disabled=yes dst-address=192.168.5.0/24 \
    table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2022
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Logos
/system package update
set channel=long-term
/system scheduler
add interval=30m name="Relsolve Hostnames" on-event=resolvehostname policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/03/2020 start-time=07:42:53
/system script
add dont-require-permissions=no name=resolvehostname owner=useradmin policy=\
    read,write source="# define variables\r\
    \n:local list\r\
    \n:local comment\r\
    \n:local newip\r\
    \n:local oldip\r\
    \n\r\
    \n# Loop through each entry in the address list.\r\
    \n:foreach i in=[/ip firewall address-list find] do={\r\
    \n\r\
    \n# Get the first five characters of the list name\r\
    \n  :set list [:pick [/ip firewall address-list get \$i list] 0 5]\r\
    \n\r\
    \n# If they're 'host_', then we've got a match - process it\r\
    \n  :if (\$list = \"host_\") do={\r\
    \n \r\
    \n# Get the comment for this address list item (this is the host name to u\
    se)\r\
    \n    :set comment [/ip firewall address-list get \$i comment]\r\
    \n    :set oldip [/ip firewall address-list get \$i address]\r\
    \n    :set newip [:resolve \$comment]\r\
    \n\r\
    \n# Resolve it and set the address list entry accordingly.\r\
    \n    :if (\$newip != \$oldip) do={\r\
    \n      /ip firewall address-list set \$i address=\$newip\r\
    \n    }\r\
    \n  }\r\
    \n}"