So I have a server in my LAN behind a MikroTik router. If the peers connected to the router are from the LAN (I have two LAN ranges, 10.10.10.0/24 and 192.168.83.0/24, configured), then on this server I can see their real IPs. If the connection comes from the Internet (WAN) side, I can see only the IP of the router (10.10.10.1) for each connection. What may be wrong?
Nothing is wrong. You probably have SNAT/Masquerade enabled on the LAN interface.
Well, I have masquerade on ether1, which is used as the WAN port. But I can't say what I changed so that I no longer see the real IPs…
Could you post your firewall configuration?
Here it is…
/ip firewall filter
add action=accept chain=forward comment="LAN Traffic" connection-state="" \
dst-address=192.168.83.0/24 src-address=10.10.10.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
10.10.10.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=input comment="DNS drop" dst-port=53 in-interface=\
ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskarada WAN"
add action=dst-nat chain=dstnat comment="futro" dst-port=2502 fragment=\
no in-interface=ether1 protocol=tcp to-addresses=10.10.10.5 to-ports=2502
The port forwarded to the server is 2502.
OK, so I know what I did.
Look at the last post of THIS TOPIC.
I had deleted ether1 as the out-interface in the masquerade rule. When I added it again, the IPs started to appear correctly…
I know I am writing to myself, but after I added out-interface ether1, some of the peers can't connect and get a "connection timed out" message. Once I delete ether1, all of them connect immediately. What the…?!
All outgoing traffic, including traffic that has passed dst-nat, will go through the srcnat chain.
So the issue is this rule:
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskarada WAN"
This will do srcnat on ALL interfaces. You need to do this only on WAN:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 comment="Maskarada WAN"
On the other hand,
add action=drop chain=input comment="DNS drop" dst-port=53 in-interface=\
ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
are useless, since you already drop all input on ether1 with
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
Remember, firewall rules are evaluated in order.
BTW, Oscam supports IPv6.
As you may have noticed, I am a greenhorn regarding MikroTik. Thanks for posting. I started to do some cleaning.
That DNS rule was made before… I will delete it.
As for IPv6, I believe the ISP has to provide that too? Anyway, I don't know anything about IPv6.
I added the out-interface for masquerade, but then some peers couldn't connect at all… I couldn't figure out what the problem was, so after 3 hrs I rebooted the MikroTik and the Debian box and it started to work…
Thanks
That has a simple explanation. There are lingering connection-tracking entries which are not deleted when you change your firewall rules, especially when changing dst-nat rules.
Rebooting clears those connections…
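A consolidated version of the fix from the two replies above (scoping the masquerade rule to the WAN interface, then flushing the stale connection-tracking entries instead of rebooting). This is an added example, not configuration posted in the thread; it assumes the thread's layout (ether1 is the WAN port, the forwarded server is 10.10.10.5:2502, the NAT rule carries the comment "Maskarada WAN") and that the stale entries can be matched on their reply-src-address, which is what the dst-natted server shows up as in the connection table.

```routeros
# Added example, not from the thread. Assumes ether1 = WAN and the dst-nat
# target 10.10.10.5:2502 from the posted configuration.

# Weak: no out-interface, so the masquerade applies on every interface.
# Traffic forwarded from the WAN to the LAN server is src-natted too, and the
# server only ever sees the router's LAN address (10.10.10.1).
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskarada WAN"

# Corrected: masquerade only packets that leave through ether1. The server's
# replies to an Internet peer still exit ether1 and are still masqueraded, so
# the port forward keeps working, but the server now sees the peer's real IP.
/ip firewall nat
set [find comment="Maskarada WAN"] out-interface=ether1

# Connection-tracking entries created before the rule change keep the NAT
# decision taken when they were created until they time out, which is why
# some peers saw "connection timed out" right after the change. Remove the
# entries for the forwarded service so new packets re-evaluate the chains.
# ("~" is a regex match; the unescaped dots are good enough for this filter.)
/ip firewall connection
remove [find reply-src-address~"10.10.10.5:2502"]

# Verify: for a fresh connection from the Internet, reply-dst-address should
# now be the peer's public address instead of 10.10.10.1.
/ip firewall connection print where reply-src-address~"10.10.10.5:2502"
```

Removing only the entries that belong to the forwarded service keeps unrelated LAN and outbound sessions alive; a reboot does the same job for everything at once, which is why it "fixed" it in the thread.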