Hi, first of all I would like to apologize if this topic has already been raised multiple times by others. I have searched and tried some of the suggested solutions, but none of them worked. Hence, I am creating this topic based on my own situation and network environment.
First of all, this is my network diagram:

What I want to do is port forward HTTP port 80 to a host inside the LAN. The catch is that my LAN is behind double NAT. I have no problem port forwarding from the ISP router to the MikroTik router itself, but I run into problems when I try to port forward from the ISP router to the LAN behind the MikroTik router.
I have attached the configuration I made. Please note that I also have PCC mangle load balancing running, and I don’t want to lose that since I have 2 WAN links connected. What should I add if I want to port forward from WAN 2, or from both?
# 2024-12-18 08:20:49 by RouterOS 7.16.2
# software id = <redacted>
#
# model = CCR2004-16G-2S+
# serial number = <redacted>
#
# Reviewer notes are added below as comment lines only; no setting is changed.
# The export shows a router with two DHCP-addressed uplinks (ether15, ether16),
# VLAN gateways on 10.10.x.254, PCC load balancing in mangle and one dst-nat
# rule publishing TCP 80.
/interface bridge
add name=Vlan1_User-L1
/interface ethernet
set [ find default-name=ether13 ] comment="Connection to ISSB-SW-L3"
set [ find default-name=ether15 ] comment="Connection to TM-Unifi"
set [ find default-name=ether16 ] comment="Connection to TIME"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
"Connection to ISSB-SW-L1" speed=10G-baseSR-LR
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no comment=\
"Connection to ISSB-SW-L4" speed=10G-baseSR-LR
/interface wireguard
add comment=back-to-home-vpn listen-port=28089 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=Vlan1_User-L1 name=Vlan2_User-L3 vlan-id=2
add interface=Vlan1_User-L1 name=Vlan3_Server vlan-id=3
add interface=Vlan1_User-L1 name=Vlan4_User-L4 vlan-id=4
add interface=Vlan1_User-L1 name=Vlan5_CCTV vlan-id=5
add interface=Vlan1_User-L1 name=Vlan6_wAP+VoIP vlan-id=6
add interface=Vlan1_User-L1 name=Vlan10_Mgmt vlan-id=10
/interface list
add name=WAN
add name=LAN
add name=Internal
/ip pool
add name=dhcp_pool0 ranges=10.10.1.31-10.10.1.253
add name=dhcp_pool1 ranges=10.10.2.31-10.10.2.253
add name=dhcp_pool2 ranges=10.10.4.31-10.10.4.253
add name=dhcp_pool3 ranges=10.10.5.1-10.10.5.253
add name=dhcp_pool4 ranges=10.10.6.1-10.10.6.253
add name=dhcp_pool5 ranges=10.10.3.1-10.10.3.253
add name=dhcp_pool6 ranges=10.10.10.1-10.10.10.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Vlan1_User-L1 lease-time=12h name=\
User-L1 use-framed-as-classless=no
add address-pool=dhcp_pool1 interface=Vlan2_User-L3 lease-time=12h name=\
User-L3
add address-pool=dhcp_pool2 interface=Vlan4_User-L4 lease-time=12h name=\
User-L4
add address-pool=dhcp_pool3 interface=Vlan5_CCTV lease-time=12h name=CCTV
add address-pool=dhcp_pool4 interface=Vlan6_wAP+VoIP lease-time=12h name=\
wAP+VoIP
add address-pool=dhcp_pool5 interface=Vlan3_Server lease-time=12h name=Server
/port
set 0 name=serial0
/routing table
add disabled=no fib name=TM-Unifi
add disabled=no fib name=TIME
/interface bridge port
add bridge=Vlan1_User-L1 interface=sfp-sfpplus1
add bridge=Vlan1_User-L1 interface=sfp-sfpplus2
add bridge=Vlan1_User-L1 interface=ether13
add bridge=Vlan1_User-L1 interface=ether12
add bridge=Vlan1_User-L1 interface=ether14
/ip neighbor discovery-settings
set discover-interface-list=!all discover-interval=1m lldp-mac-phy-config=yes \
lldp-max-frame-size=yes lldp-med-net-policy-vlan=1 lldp-vlan-info=yes \
protocol=lldp
# detect-internet is enabled on every interface (detect-interface-list=all).
# The WAN/LAN lists in this export are maintained by hand.
# NOTE(review): confirm this feature is needed; it is commonly left at none.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface list member
add interface=ether15 list=WAN
add interface=ether16 list=WAN
add interface=Vlan1_User-L1 list=LAN
add interface=Vlan2_User-L3 list=LAN
add interface=Vlan3_Server list=LAN
add interface=Vlan4_User-L4 list=LAN
add interface=Vlan5_CCTV list=LAN
add interface=Vlan6_wAP+VoIP list=LAN
add interface=Vlan10_Mgmt list=LAN
add interface=Vlan1_User-L1 list=Internal
add interface=Vlan2_User-L3 list=Internal
add interface=Vlan3_Server list=Internal
add interface=Vlan4_User-L4 list=Internal
add interface=Vlan5_CCTV list=Internal
add interface=Vlan6_wAP+VoIP list=Internal
add interface=Vlan10_Mgmt list=Internal
# Keys and the client endpoint are redacted in this post. An unredacted export
# of this section carries the peer's private key and must be handled as a secret.
/interface wireguard peers
add allowed-address=192.168.216.9/32,fc00:0:0:216::9/128 client-address=\
192.168.216.9/32,fc00:0:0:216::9/128 client-dns=192.168.216.1 \
client-endpoint=<redacted> client-keepalive=30s \
comment="back-to-home-vpn test" interface=back-to-home-vpn is-responder=\
yes name=peer6 persistent-keepalive=30s private-key=\
"<redacted>" public-key=\
"<redacted>"
/ip address
add address=10.10.1.254/24 interface=Vlan1_User-L1 network=10.10.1.0
add address=10.10.6.254/24 interface=Vlan6_wAP+VoIP network=10.10.6.0
add address=10.10.10.254/24 interface=Vlan10_Mgmt network=10.10.10.0
add address=10.10.2.254/24 interface=Vlan2_User-L3 network=10.10.2.0
add address=10.10.3.254/24 interface=Vlan3_Server network=10.10.3.0
add address=10.10.5.254/24 interface=Vlan5_CCTV network=10.10.5.0
add address=10.10.4.254/24 interface=Vlan4_User-L4 network=10.10.4.0
/ip arp
add address=10.10.2.201 interface=Vlan2_User-L3 mac-address=F8:0D:AC:D4:B3:D4
# Back-to-Home VPN and cloud DDNS are enabled. The only peer above is commented
# "back-to-home-vpn test".
# NOTE(review): if this was only a test, remove the peer and disable the
# feature; it is a remote-access path into the network.
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip cloud back-to-home-users
/ip dhcp-client
add interface=ether15
add interface=ether16
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.1.254 \
netmask=24
add address=10.10.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.2.254
add address=10.10.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.3.254
add address=10.10.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.4.254
add address=10.10.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.5.254
add address=10.10.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.6.254
# allow-remote-requests=yes makes the router answer DNS queries arriving on any
# interface; the input chain below has no drop rule, so that includes
# ether15/ether16. The DHCP networks above hand out 8.8.8.8/8.8.4.4 directly and
# only the Back-to-Home peer (client-dns=192.168.216.1) appears to use the
# router as resolver.
# NOTE(review): restrict TCP/UDP 53 on input to the interfaces that need it.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 verify-doh-cert=yes
/ip firewall address-list
add address=10.10.1.0/24 list=User-L1
add address=10.10.2.0/24 list=User-L3
add address=10.10.3.0/24 list=Server
add address=10.10.4.0/24 list=User-L4
add address=10.10.5.0/24 list=CCTV
add address=10.10.6.0/24 list=wAP+VoIP
add address=10.10.10.0/24 list=Management
add address=10.10.5.0/24 list=LANs
add address=10.10.10.0/24 list=LANs
add address=10.10.3.0/24 list=LANs
add address=10.10.1.0/24 list=LANs
add address=10.10.2.0/24 list=LANs
add address=10.10.4.0/24 list=LANs
add address=10.10.6.0/24 list=LANs
add address=192.168.216.0/24 list=BTH
add address=<redacted> list=WANs
add address=10.10.1.254 list=GWs
add address=10.10.2.254 list=GWs
add address=10.10.3.254 list=GWs
add address=10.10.4.254 list=GWs
add address=10.10.5.254 list=GWs
add address=10.10.6.254 list=GWs
add address=10.10.10.254 list=GWs
add address=<redacted> list=WANs
add address=192.168.216.1 list=GWs
# NOTE(review): both chains below only accept established/related/untracked and
# drop invalid. RouterOS accepts whatever no rule matches, so new connections
# from any interface, ether15/ether16 included, reach the router's own services
# (input) and are routed between WAN and the VLANs and between VLANs (forward).
# How far this is reachable from the internet depends on what the ISP routers
# forward. A usual baseline: on input, accept from the LAN list (plus the
# WireGuard listen port and VPN subnet if used), then drop the rest; on forward,
# drop connection-state=new from in-interface-list=WAN with
# connection-nat-state=!dstnat. Place the accepts before the drops and keep a
# management path open so the change does not lock the admin out.
/ip firewall filter
add action=accept chain=input comment="firewall rules start here" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=forward connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
# The first two rules accept everything arriving on ether15/ether16, so
# connections opened from the WAN side never receive a connection mark. The PCC
# rules carry no connection-mark=no-mark condition, so replies from a
# port-forwarded server (entering on an Internal interface, destination outside
# LANs) are classified by PCC and may leave through the other uplink.
# NOTE(review): a likely cause of the failing port forward. Mark new connections
# per incoming WAN interface and limit the PCC rules to connection-mark=no-mark;
# verify on the device.
/ip firewall mangle
add action=accept chain=prerouting in-interface=ether15
add action=accept chain=prerouting in-interface=ether16
add action=mark-connection chain=prerouting dst-address-list=!LANs \
in-interface-list=Internal new-connection-mark=TM-Unifi passthrough=yes \
per-connection-classifier=src-address:2/0
add action=mark-connection chain=prerouting dst-address-list=!LANs \
in-interface-list=Internal new-connection-mark=TIME passthrough=yes \
per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=TM-Unifi \
in-interface-list=Internal new-routing-mark=TM-Unifi passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TIME \
in-interface-list=Internal new-routing-mark=TIME passthrough=yes
# NOTE(review): the dst-nat rule matches only destinations in the WANs list,
# whose entries are redacted. Behind the ISP routers (double NAT; gateways
# 192.168.0.1 and 192.168.100.1 in /ip route) forwarded packets presumably
# arrive addressed to this router's own ether15/ether16 address, not the public
# IP. Confirm WANs holds those addresses; they come from DHCP and can change,
# so matching on in-interface-list=WAN may be more robust.
# The target 10.10.3.105 lies inside dhcp_pool5 (10.10.3.1-10.10.3.253) and no
# static lease appears in this export, so the forward can end up pointing at a
# different host. The rule publishes plain HTTP from the Server VLAN; with no
# forward drop rules, that server can also open connections to every other VLAN.
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade internet" \
out-interface-list=WAN src-address-list=LANs
add action=dst-nat chain=dstnat comment=Gateway dst-address-list=WANs \
dst-port=80 protocol=tcp to-addresses=10.10.3.105 to-ports=80
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Only the TM-Unifi and TIME tables get static default routes here; the main
# table presumably gets its default route(s) from the two DHCP clients - confirm.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.0.1 routing-table=TM-Unifi scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.100.1 routing-table=TIME scope=30 suppress-hw-offload=no \
target-scope=10
# telnet and ftp are off and www is moved to 8080 (still unencrypted HTTP).
# Services not listed in an export are at their defaults - presumably ssh,
# winbox and api are still enabled with no address= restriction. Confirm, and
# limit them to the Management subnet, since the input chain does not filter.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
# forwarding-enabled=remote lets SSH clients open listening ports on the router
# and forward incoming connections.
# NOTE(review): confirm this is needed; otherwise set it to no.
/ip ssh
set forwarding-enabled=remote
/ipv6 dhcp-client
add add-default-route=yes disabled=yes interface=ether16 pool-name=TIME6 \
request=address
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add