
Hello, I am new to MikroTik. I have this small network and I cannot reach the router from the Internet with Winbox; please help me figure out what I am missing. The TP-Link modem has a dynamic public IP with a no-ip client, so I can always find my public IP, and it has the necessary port forwards to 192.168.1.2: 8080 and 8880 for my DVR, and 8291 (the Winbox port). The port forwards work, because I can see the cameras. The ISP-2 cable modem is set up similarly, although there is a double NAT there; Winbox through ISP-2 is not that necessary for me, so if only ISP-1 lets me in, that is OK.
Thanks in advance. Regards.
#############################################################################################################
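# Static addressing: two WAN uplinks (each in a private /29 behind an ISP modem)
# and the gateway addresses of the two LAN bridges.
/ip address
add address=192.168.1.2/29 comment=wan1 interface=ether6 network=192.168.1.0
add address=192.168.2.2/29 comment=wan2 interface=ether7 network=192.168.2.0
# Multi-word comments need plain ASCII double quotes; the typographic quotes the
# forum rendered here are not string delimiters in RouterOS.
add address=192.168.25.1/26 comment="adm lan" interface=bridge-local network=192.168.25.0
add address=192.168.5.1/26 comment="guests lan" interface=bridge-guests network=192.168.5.0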
#############################################################################################################
# Rate cap for the whole guest bridge; max-limit is written as upload/download
# for the queue target.
/queue simple
add name=guestqos target=bridge-guests max-limit=384k/2M
#############################################################################################################
# DHCP address pools: SUPERV is handed out on the admin LAN, GUESTS on the guest LAN.
# Both ranges leave part of each /26 outside the pool for statically addressed hosts.
/ip pool
add ranges=192.168.25.30-192.168.25.45 name=SUPERV
add ranges=192.168.5.5-192.168.5.55 name=GUESTS
#############################################################################################################
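# Source NAT: traffic leaving either uplink is masqueraded to that uplink's address.
# The comment strings use ASCII double quotes so the lines can be pasted or imported
# as written.
/ip firewall nat
add action=masquerade chain=srcnat comment="nat wan 1" out-interface=ether6
add action=masquerade chain=srcnat comment="nat wan 2" out-interface=ether7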
#############################################################################################################
# One DHCP server per bridge, each drawing from its own pool with 12-hour leases.
/ip dhcp-server
add name=admdhcp interface=bridge-local address-pool=SUPERV lease-time=12h disabled=no
add name=guestsdhcp interface=bridge-guests address-pool=GUESTS lease-time=12h disabled=no
# Per-subnet DHCP options: each LAN is told to use the router's bridge address as gateway.
# No dns-server option is set in the lines shown.
/ip dhcp-server network
add gateway=192.168.5.1 address=192.168.5.0/26
add gateway=192.168.25.1 address=192.168.25.0/26
#############################################################################################################
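# Destination NAT on wan1 (ether6) towards the DVR at 192.168.25.58, an address inside
# the admin /26 but outside the SUPERV DHCP range.
# Each rule is kept on a single line: the original wrapped them without a continuation
# character, which splits one command into two invalid ones. Comment strings use ASCII
# double quotes.
# NOTE(review): these rules publish the DVR's web and client ports to every source that
# can reach wan1. Where the set of viewers is known, narrow the rules with a source
# matcher (src-address or src-address-list), or reach the DVR over a VPN instead of a
# port forward.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=8080 in-interface=ether6 protocol=tcp to-addresses=192.168.25.58 to-ports=80 comment="DVR-1 http wan-1 TCP"
add action=dst-nat chain=dstnat disabled=no dst-port=8880 in-interface=ether6 protocol=tcp to-addresses=192.168.25.58 to-ports=8880 comment="DVR-1 client wan-1 TCP"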
#############################################################################################################
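# Policy routing marks for the two uplinks. Every rule is written on one line: the
# original wrapped the per-connection-classifier rules across three lines without a
# continuation character, so they could not be pasted or imported as shown.
/ip firewall mangle
# Connections that reach the router itself on a WAN port are tagged with that WAN's mark...
add chain=input in-interface=ether6 action=mark-connection new-connection-mark=WAN1_mark
add chain=input in-interface=ether7 action=mark-connection new-connection-mark=WAN2_mark
# ...and the router's own replies on those connections are sent to the matching routing table.
add chain=output connection-mark=WAN1_mark action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=WAN2_mark action=mark-routing new-routing-mark=to_ISP2
# Admin LAN: traffic to the two modem subnets is accepted before any marking.
add chain=prerouting dst-address=192.168.1.0/29 action=accept in-interface=bridge-local
add chain=prerouting dst-address=192.168.2.0/29 action=accept in-interface=bridge-local
# Admin LAN: everything not addressed to the router is split in two by a hash of both
# addresses and ports; remainder 0 is marked for WAN1, remainder 1 for WAN2.
# NOTE(review): these rules do not match on connection-mark=no-mark, and connections
# forwarded in from wan1 by dst-nat are never marked on arrival (only the input chain
# marks). Replies from the DVR therefore look eligible for classification here and may
# be steered to ISP-2 - confirm, and consider marking WAN-originated connections in
# prerouting and restricting these rules to unmarked connections.
add chain=prerouting dst-address-type=!local in-interface=bridge-local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_mark passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=bridge-local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_mark passthrough=yes
# Admin LAN: the connection mark selects the routing table.
add chain=prerouting connection-mark=WAN1_mark in-interface=bridge-local action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=WAN2_mark in-interface=bridge-local action=mark-routing new-routing-mark=to_ISP2
#############################################################################################################
# Guest LAN: the same accept / classify / route-mark sequence, matched on bridge-guests.
add chain=prerouting dst-address=192.168.1.0/29 action=accept in-interface=bridge-guests
add chain=prerouting dst-address=192.168.2.0/29 action=accept in-interface=bridge-guests
add chain=prerouting dst-address-type=!local in-interface=bridge-guests per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_mark passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=bridge-guests per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_mark passthrough=yes
add chain=prerouting connection-mark=WAN1_mark in-interface=bridge-guests action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=WAN2_mark in-interface=bridge-guests action=mark-routing new-routing-mark=to_ISP2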
#############################################################################################################
# Routing: host routes to four check targets, two recursive "virtual hop" addresses that
# resolve through them with ping checks, and one default route pair per routing mark.
/ip route
# Check targets pinned to an uplink: 200.44.32.12/.13 via the ISP-1 modem (192.168.1.1),
# 8.8.8.8/8.8.4.4 via the ISP-2 modem (192.168.2.1).
add dst-address=200.44.32.12 gateway=192.168.1.1 scope=10
add dst-address=200.44.32.13 gateway=192.168.1.1 scope=10
add dst-address=8.8.8.8 gateway=192.168.2.1 scope=10
add dst-address=8.8.4.4 gateway=192.168.2.1 scope=10
# Virtual hops 10.1.1.1 and 10.2.2.2, each reachable through two check targets.
# NOTE(review): each virtual hop is given one ISP-1 target and one ISP-2 target
# (10.1.1.1 via 8.8.8.8 and 200.44.32.13; 10.2.2.2 via 200.44.32.12 and 8.8.4.4), so
# neither hop identifies a single uplink. If 10.1.1.1 is meant to stand for ISP-1 and
# 10.2.2.2 for ISP-2, traffic marked to_ISP1 can resolve out of ether7 - confirm the
# intended pairing.
add dst-address=10.1.1.1 gateway=8.8.8.8 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=200.44.32.13 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=200.44.32.12 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=8.8.4.4 scope=10 target-scope=10 check-gateway=ping
# Default routes (no dst-address given) for each routing mark: primary at distance 1,
# the other virtual hop as fallback at distance 2.
# NOTE(review): no default route without a routing-mark appears in these lines. The
# router's own replies (for example to an inbound Winbox session) are looked up in the
# main table before the output-chain routing mark is applied, so a missing main-table
# default route would stop them - verify against the full export.
add distance=1 gateway=10.1.1.1 routing-mark=to_ISP1
add distance=2 gateway=10.2.2.2 routing-mark=to_ISP1
add distance=1 gateway=10.2.2.2 routing-mark=to_ISP2
add distance=2 gateway=10.1.1.1 routing-mark=to_ISP2
#############################################################################################################
# Winbox management service: enabled on its usual port with no source restriction.
# NOTE(review): address=0.0.0.0/0 accepts management logins from any source, and the
# modem forwards 8291 to this router, so the service faces the whole Internet. Prefer
# limiting address= to known management prefixes or reaching Winbox through a VPN
# terminated on the router. No /ip firewall filter rules appear in this excerpt -
# confirm that the input chain is filtered.
/ip service
set winbox disabled=no address=0.0.0.0/0 port=8291
#############################################################################################################