Port forwarding from a different subnet

I have the following double NAT setup: an ISP-provided Modem/Router connected to a Mikrotik Router on 192.198.3.0/24. The LAN on the Mikrotik is 192.168.1.0/24. The LAN includes a couple of DVRs (.71 & .72) with different sets of ports. The Modem/Router forwards the open ports to eth2 of the Mikrotik at 192.168.3.5. From there they are forwarded to the DVRs. I was able to set up port forwarding so that it works both from the outside (internet) and from clients on 192.168.1.0/24 (LAN). Now, Wifi access is provided by the Modem/Router. This means that local wifi users are on 192.198.3.0/24. What I am having trouble with is wifi users accessing the DVRs. I have even tried with the firewall rules disabled for testing purposes, but with no luck. Any help would be greatly appreciated...

If you need the whole picture, below is my full Mikrotik configuration:

# mar/31/2021 14:52:45 by RouterOS 6.48.1
# software id = V2G1-I8S1
#
# model = 951Ui-2HnD
# serial number = 45880238E3C3
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2
set [ find default-name=ether3 ] comment=LAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=ether3 lease-time=3h name=dhcp1
/system logging action
add email-to=xxxxxx@gmail.com name=Email target=email
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0
add address=192.168.2.5/24 interface=ether1 network=192.168.2.0
add address=192.168.3.5/24 interface=ether2 network=192.168.3.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 ntp-server=216.239.35.0,216.239.35.4
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.1.72 list=DVR-Ips
add address=192.168.1.71 list=DVR-Ips
add address=216.239.35.4 list=NTP-Servers
add address=216.239.35.0 list=NTP-Servers
/ip firewall filter
add action=accept chain=forward comment="Established & Related" connection-state=established,related
add action=accept chain=input comment="LAN Traffic Allowed IP Range" src-address-list=allowed_to_router
add action=accept chain=input src-address-list=NTP-Servers
add action=accept chain=input comment=Ping protocol=icmp
add action=jump chain=forward comment="SYN Flood protect FORWARD" connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=syn-attack connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix="Syn Flood Drop" protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="Allow port forwarding on ISP2" connection-nat-state=dstnat connection-state=established,related,new connection-type="" log=yes protocol=tcp
add action=drop chain=forward comment="Drop FIN" log=yes protocol=tcp tcp-flags=fin
add action=drop chain=forward comment="Drop RST" log=yes protocol=tcp tcp-flags=rst
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix="invalid DROPPED"
add action=drop chain=input comment=Invalid connection-state=invalid log=yes log-prefix="Invalid Dropped"
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=ether3 log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=add-src-to-address-list address-list=Over-100-Conn address-list-timeout=1d chain=input comment="Connections over 100 for IP" connection-limit=100,32 protocol=tcp
add action=tarpit chain=input comment="Drop if over 100 Connections" connection-limit=3,32 protocol=tcp src-address-list=Over-100-Conn
add action=add-src-to-address-list address-list=Port-Scan address-list-timeout=1d chain=forward comment="Port Scan Hamad" log=yes log-prefix="Port Scan Fwd" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port-Scan address-list-timeout=1d chain=input comment="Port Scan Hamad" log=yes log-prefix="Port Scan Input" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop Port Scan Hamad" src-address-list=Port-Scan
add action=drop chain=forward comment="Drop Port Scan Hamad" src-address-list=Port-Scan
add action=drop chain=forward comment="ISP1 Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="ISP2 Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether2 log=yes log-prefix=!NAT
add action=drop chain=forward comment="ISP1 Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="ISP2 Drop incoming from internet which is not public IP" in-interface=ether2 log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=input comment=Gmail src-address=74.125.141.108 src-address-list=""
add action=drop chain=input comment="Drop All other ISP1" disabled=yes in-interface=ether1
add action=drop chain=input comment="Drop All other ISP2" disabled=yes in-interface=ether2
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" disabled=yes dst-address-list=not_in_internet in-interface=ether3 log=yes log-prefix=!public_from_LAN out-interface=!ether3
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting dst-address=192.168.3.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether3 new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=!DVR-Ips
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=ether3 new-connection-mark=WAN2 passthrough=yes per-connection-classifier=both-addresses:2/1 src-address-list=!DVR-Ips
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=ether3 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=ether3 new-routing-mark=ether2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=ether2-mark passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=dst-nat chain=dstnat comment=DVR1 dst-address-type=local dst-port=67-68 log=yes protocol=tcp src-port="" to-addresses=192.168.1.71
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type=local dst-port=69 log=yes protocol=tcp src-port="" to-addresses=192.168.1.72
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type=local dst-port=70 log=yes protocol=tcp src-port="" to-addresses=192.168.1.72
add action=dst-nat chain=dstnat comment=PBX1 disabled=yes dst-port=35356 in-interface=ether2 protocol=tcp to-addresses=192.168.1.29 to-ports=5060
add action=dst-nat chain=dstnat comment="DSP2 DSP" disabled=yes dst-port=16000-16511 in-interface=ether2 protocol=tcp to-addresses=192.168.1.30 to-ports=16000-16511
/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=ether1-mark
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=ether2-mark
add distance=1 gateway=192.168.3.1
add distance=1 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.3.1
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=VI
/system logging
add action=Email prefix="Mikrotik Router VI" topics=critical
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4
/system scheduler
add disabled=yes interval=10m name=schedule-PingCheck on-event=PingCheck policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=00:00:00
/system script
add dont-require-permissions=no name=PingCheck owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":if ([/ping 1.1.1.1 count=10] = 0) do={\r\
    \n /system reboot\r\
    \n}"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=74.125.141.108 from=xxxxxx@gmail.com port=587 start-tls=yes user=xxxxxx@gmail.com
/tool netwatch
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.2.1]\r\
    \n:log error \"ISP1 is down\"\r\
    \n/ip firewall connection remove [find]" host=8.8.4.4 interval=10s timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gateway=192.168.2.1]\r\
    \n:log warning \"ISP1 is up\""
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.3.1]\r\
    \n:log error \"ISP2 is down\"\r\
    \n/ip firewall connection remove [find]" host=8.8.8.8 interval=10s timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gateway=192.168.3.1]\r\
    \n:log warning \"ISP2 is up\""

So let me get this straight.
Your ROUTER/MODEM has assigned a static LAN IP (192.168.3.5) to your MT device, which is also acting as a router, and the WAN IP is of course also 192.168.3.5.
Your MT ROUTER has ONE LAN subnet for various purposes: 192.168.1.0/24.
I will ignore your ether1 as it's confusing and conflicts with your own wording.

If the wifi is being provided on the modem router it makes sense that you cannot reach the servers from the internet.
You probably have a hairpin nat situation. https://wiki.mikrotik.com/wiki/Hairpin_NAT

As an aside, I think your config is overly complex with little gain. You would be best served by resetting to defaults,
adding in the server rules and configuring hairpin nat. Once up and running then adding in rules that have value.

Looks to me your firewall is doing as it should and your answers should be in your logs.

Hint: prefix=!public
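As an added example (not code from the thread, and not MikroTik's own text beyond the hairpin pattern the linked wiki page describes), this is what the hairpin NAT suggested above looks like against the interface roles in the posted export: ether2 is the uplink to the ISP modem/router at 192.168.3.5, ether3 is the 192.168.1.0/24 LAN, and the DVRs are 192.168.1.71 and .72. It assumes both DVRs use 192.168.1.1 as their default gateway. The address list and the dst-nat rules restate what is already in the export; only the srcnat (hairpin) rule is new.

```routeros
# Added example, not part of the thread. Interface roles taken from the export:
#   ether2 = 192.168.3.5, facing the ISP modem/router (its LAN is 192.168.3.0/24)
#   ether3 = 192.168.1.1, the LAN holding the DVRs (.71 and .72)
# Assumption: both DVRs use 192.168.1.1 as their default gateway.

/ip firewall address-list
add address=192.168.1.71 list=DVR-Ips
add address=192.168.1.72 list=DVR-Ips

/ip firewall nat
# Redirects as in the export. dst-address-type=local matches any address the router
# owns, so 192.168.3.5:67 (from the ISP side) and 192.168.1.1:67 (from the LAN) both
# land on DVR1.
add action=dst-nat chain=dstnat comment=DVR1 dst-address-type=local protocol=tcp dst-port=67-68 to-addresses=192.168.1.71
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type=local protocol=tcp dst-port=69-70 to-addresses=192.168.1.72

# Hairpin rule, needed only for clients on the same subnet as the DVRs.
# Without it a 192.168.1.x client sends SYN to 192.168.1.1:67, the router rewrites the
# destination to .71, and .71 answers the client directly on the LAN with source .71.
# The client expected a reply from 192.168.1.1 and discards it. Masquerading the
# source makes .71 see 192.168.1.1 as its peer, so the reply passes back through the
# router, where the connection-tracking entry restores both addresses.
add action=masquerade chain=srcnat comment="hairpin to DVRs" src-address=192.168.1.0/24 dst-address-list=DVR-Ips out-interface=ether3

# Clients on 192.168.3.0/24 do not need the hairpin: they sit on the far side of the
# router from the DVRs, so .71's reply to 192.168.3.x already travels via its gateway
# (192.168.1.1) and is un-NATed there. What they do need is a forward-chain accept for
# DNATed connections arriving on ether2; the export's "Allow port forwarding on ISP2"
# rule provides that and has to stay above the two "ISP2 Drop ..." rules.
```

After applying it, `/ip firewall nat print stats` should show the hairpin rule's counters climbing only when a 192.168.1.x client opens one of the forwarded ports; connections from 192.168.3.x should hit the dst-nat rules but never the hairpin rule.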

Servers are reachable from both the internet and from 192.168.1.0/24 without any problems. It is devices from 192.168.3.0/24 that cannot reach the servers… I have tried hairpin nat for this network without success.

The counter shows 0

Have you tried using 192.168.3.5:67-69 directly? To other devices on this subnet, it would seem no different than if the NVRs were directly attached (if your firewall is not dropping the traffic).

Maybe a misconfiguration on the Modem/Router. Or it needs a hairpin nat.

I have totally disabled the firewall rules. Going directly to 3.5:67-69 does not work, even though it did before when I had a TP-Link router in place of the Mikrotik. The only thing I have not tried is hairpin on the modem router. The problem with this is that the modem router seems to accept only the WAN address as the source.

Regarding : It is devices from 192.168.3.0/24 that cannot reach the servers…

But do you get packet hits on the MT? Do you get any logging hit indicating that a station on 192.168.3.x can reach the MT at all?

So the wireless clients on the ISP modem/Wifi receive a 192.168.3.x IP and seem "bridged" onto the LAN of that ISP device, the same LAN on which the MT is cabled and also has a 192.168.3.x address.
You would expect that they can hit your DNAT entries representing the NVRs without issues, certainly if you disabled all FW rules.
Are you sure these wireless clients have no sort of "isolation" mode setting active, so that they cannot reach their neighbors (basically dropping all RFC1918 IP space) and are only allowed "Internet"?

I believe you might be right. During testing I pinged successfully from my phone (3.15) to the DVR (2.71), so I believed that forwarding should work as well. I should probably go back and torch eth2 (192.168.3.5) to see what is going through. I did not look into this before because, as I stated before, it was working with a TP-Link router in place of the MT.

In an earlier post you said the NVRs are on the LAN side, 192.168.1.x, right (*.71 & *.72)?
In the post above you write something like DVR (2.71), so I guess you mean 192.168.2.71?

My mistake. It is on 192.168.1.71

Ok, so if you can ping them right through the Mikrotik (with all FW policies off), that is already a good thing.
In order to do this, did you add a static route on this ISP Modem/Wifi thing?
Because without one you would never be able to reach 192.168.1.x.
By default it probably routes you out to the Internet, and the only "directly connected" network it knows is 192.168.3.x/24.

Ok, so that means for sure there is no client isolation or other security feature on the ISP modem/Wifi box, else you would not be able to ping the DVR.

Hmm…

No. What I was doing before adding the MT was a port forward from 192.168.3.5 to 192.168.1.71. So if I went directly to 192.168.3.5 it would still activate the port forward. Now, with the MT, I get an error: connection not established…

Perhaps you should try to take a packet capture behind the MT to see if ANY packet arrives there!
Or on the MT itself, on the "exiting" interfaces towards your internet LAN.
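An added example, not from the thread, that covers both the "your answers should be in your logs, hint: prefix=!public" remark earlier and the packet-capture suggestion just above: the places to look on the MikroTik itself when a forward from the ISP-side subnet seems to vanish. It assumes the export's layout (ether2 = 192.168.3.5 uplink, ether3 = LAN, DVR1 at 192.168.1.71) and a test client at 192.168.3.15, the phone address mentioned in the thread; the commands are standard RouterOS 6 tools, not something added to the posted config.

```routeros
# Added example, not part of the thread. Assumes ether2 = 192.168.3.5 (uplink to the
# ISP modem/router), ether3 = LAN with DVR1 at 192.168.1.71, test client 192.168.3.15.

# 1. Did the packet reach ether2 at all? Torch shows live flows per src/dst pair, so
#    a client that is isolated on the ISP box simply never shows up here.
/tool torch interface=ether2 src-address=192.168.3.0/24 dst-address=192.168.3.5/32 port=any

# 2. Was a connection-tracking entry created, and was it DNATed? For a matched
#    dst-nat rule the reply-src-address is the DVR (192.168.1.71), not 192.168.3.5.
/ip firewall connection print detail where src-address~"^192.168.3.15"

# 3. Which filter rule is eating it? Counters on the logging drop rules first, then
#    the log. The "!public" rule drops RFC1918 sources arriving on ether2, which is
#    exactly what a 192.168.3.x client is; in the export, "Allow port forwarding on
#    ISP2" sits above it, so DNATed connections should never reach it. A climbing
#    "!public" or "!NAT" counter therefore means the dst-nat rule did not match.
/ip firewall filter print stats where log-prefix~"public"
/ip firewall filter print stats where log-prefix="!NAT"
/log print where message~"!public|!NAT|Syn Flood"

# 4. Did anything leave towards the DVR? Sniff the LAN side for the DVR address; a
#    SYN from 192.168.3.15 here with no SYN/ACK back points at the DVR's gateway
#    rather than at the MT.
/tool sniffer quick interface=ether3 ip-address=192.168.1.71
```

Run steps 1 and 4 in two terminal sessions while opening the forwarded port from the wireless client; the step at which the packet stops appearing tells you whether the ISP box, the MT's filter chain, or the DVR's return path is dropping it.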

Did that already?

I have tried to figure out what is going on by looking through the connections on the firewall, but also by using torch on both the in and out interfaces. Nothing. It seems that it is being dropped before exiting the in interface. I even tried with all firewall rules disabled. What made me concentrate on the MT is that it worked before with another router in its place. Anyway, as I got tired of trying different things, I was able to solve my problem by adding static rules to the ISP-provided router. Thank you all for your precious time.

Good to hear. I suspected it had nothing to do with the MT, but more so with configuring the ISP modem router.