Hi
I have trawled the internet, the wiki and YouTube, but have not found any answers, so I am hoping the brains here can help.
Config file posted below:
We have just joined an outside site (farm) to the office and they are getting internet fine through the connection.
On the farm there are cameras that we would like to access from the Office.
The farm has a UBNT EdgeSwitch (192.168.216.254) which connects to an SXT and then to the high site (192.168.216.220).
The gateway for the switch is 192.168.216.220.
The high site is a member of the office's OSPF (192.168.215.220), and static routes have been added to the high site for each of the UBNT switch's VLANs.
There is a masquerade all rule on the high site.
The problem is as follows:
When trying to reach the cameras through the NAT rules from the office, e.g. (add action=dst-nat chain=dstnat comment="AVTech Cameras" dst-port=8006 log=yes log-prefix=hik- protocol=tcp to-addresses=192.168.216.253 to-ports=90), I can see the packet count on the high site go up by 1 as I send the request through, but no further traffic. So I know that my rules work from the office through the various towers to the high site.
If I try from a different VLAN, like 2 or 4, on the UBNT switch to the high site (192.168.216.220:8006), the cameras work.
So somewhere there is a masquerade or something on this high site that is not working. The rule for 8007 also does not work. BUT! (add action=dst-nat chain=dstnat comment="link to unifi controller - https" dst-port=8004 protocol=tcp to-addresses=192.168.4.253 to-ports=8443) works fine, as does 8003?!
# Export of the "high site" router (identity Berg433) as posted. The leading
# "#" on the four header lines below and the "\" line-continuation markers on
# the wrapped set/add commands were lost in the paste, so this text cannot be
# fed back to /import as-is; read it as a listing.
oct/16/2019 09:19:30 by RouterOS 6.40.4
software id = xxxx-xxxx
model = 433
serial number = 3D7802A6xxxx
# bridge1 is created disabled, so the port added to it under
# /interface bridge port further down carries nothing.
/interface bridge
add disabled=yes fast-forward=no mtu=1500 name=bridge1 protocol-mode=stp
# Master radio (wlan1 renamed to wlan2): 5 GHz AP in ap-bridge mode using the
# nstreme protocol, SSID "Berg433".
/interface wireless
set [ find default-name=wlan1 ] ampdu-priorities=0,1 band=5ghz-a/n country=
"south africa" disabled=no frequency=5320 ht-basic-mcs=mcs-0,mcs-1,mcs-7
ht-supported-mcs=
mcs-0,mcs-1,mcs-7,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23
hw-retries=15 mode=ap-bridge name=wlan2 radio-name=Berg433 rate-set=
configured rx-chains=0,1 ssid=Berg433 supported-rates-a/g=
6Mbps,9Mbps,12Mbps,18Mbps,24Mbps tx-chains=0,1 wireless-protocol=nstreme
# ether2 carries the office side (192.168.215.0/24) and ether3 the farm side
# (192.168.216.0/24); the addresses are assigned under /ip address below.
/interface ethernet
set [ find default-name=ether2 ] name="ether2krans low"
set [ find default-name=ether3 ] name="ether3krans h to house"
/interface wireless nstreme
set wlan2 enable-nstreme=yes framer-limit=3000 framer-policy=exact-size
/ip neighbor discovery
set wlan2 discover=no
# Virtual AP on top of wlan2 with a hidden SSID; this is also the interface
# that carries 192.168.6.251/24.
/interface wireless
add disabled=no hide-ssid=yes mac-address=02:15:6D:6A:DD:B6 master-interface=
wlan2 name="Kransplaas Sector" ssid=Berg433Krans wds-cost-range=0
wds-default-cost=0 wmm-support=enabled
/ip neighbor discovery
set "Kransplaas Sector" discover=no
# NOTE(review): the default security profile holds the WPA2 pre-shared key in
# clear text and this export has been posted publicly, so the key should be
# treated as disclosed and rotated. wpa2-eap is listed as an accepted type
# while eap-methods is empty -- presumably only the PSK path is ever used;
# confirm, and drop wpa2-eap from authentication-types if so.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap eap-methods=
"" supplicant-identity="" wpa2-pre-shared-key=002bc298w356
# NOTE(review): 3DES is a legacy cipher. No IPsec peer or policy appears in
# this export, so the proposal is probably unused; if IPsec is ever brought
# up here, move to an AES algorithm first.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
# Per-host rate limits on 192.168.6.0/24; all four queues are disabled.
/queue simple
add disabled=yes max-limit=1M/2M name=Rosanne target=192.168.6.241/32
add disabled=yes max-limit=1M/2M name=Stanley target=192.168.6.240/32
add disabled=yes max-limit=1M/2M name=Reception target=192.168.6.243/32
add disabled=yes max-limit=1M/2M name=Lodge target=192.168.6.239/32
# Every connected network on this router (215, 216 and 6) is redistributed
# into the office OSPF as external type-1.
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1
# Only 100 lines are kept in the memory log, so the "hik-" entries written by
# the logged NAT rules below roll off quickly on a busy link.
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
# Attaches the sector AP to bridge1, which is disabled above.
/interface bridge port
add bridge=bridge1 interface="Kransplaas Sector"
# NOTE(review): accept-redirects=yes lets an ICMP redirect received on any
# interface change this router's next-hop choice; on a transit router this is
# normally left at no. allow-fast-path=no forces every packet through the
# full firewall/NAT path.
/ip settings
set accept-redirects=yes allow-fast-path=no
# MAC allow-list for the sector AP. D4:CA:6D:6D:5F:95 appears twice (once
# without and once with vlan-mode=no-tag) and 64:D1:54:AE:A5:E3 appears twice
# with identical settings; entries are evaluated in order, so the later
# duplicates appear to be dead and can be pruned.
/interface wireless access-list
add interface="Kransplaas Sector" mac-address=D4:CA:6D:6D:5F:95
add interface="Kransplaas Sector" mac-address=E4:8D:8C:B1:41:2C
add interface="Kransplaas Sector" mac-address=D4:CA:6D:D2:04:51
add interface="Kransplaas Sector" mac-address=64:D1:54:29:01:D9 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=D4:CA:6D:6D:5F:95 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=00:0C:42:CD:2F:A1 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=CC:2D:E0:2A:1B:26 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=64:D1:54:26:9A:77 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=CC:2D:E0:11:26:AD vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=CC:2D:E0:53:4B:79 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=64:D1:54:AE:A5:E3 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=64:D1:54:AE:A5:E3 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=64:D1:54:AE:44:F2 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=64:D1:54:AE:44:F3 vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=00:0C:42:C8:D6:1A vlan-mode=
no-tag
add interface="Kransplaas Sector" mac-address=CC:2D:E0:40:E6:61 vlan-mode=
no-tag
/interface wireless connect-list
add interface="Kransplaas Sector" mac-address=64:D1:54:26:9A:77
security-profile=default
# 192.168.6.0/24 is directly connected on the sector AP; compare the static
# route for the same prefix under /ip route.
/ip address
add address=192.168.6.251/24 interface="Kransplaas Sector" network=
192.168.6.0
add address=192.168.215.223/24 interface="ether2krans low" network=
192.168.215.0
add address=192.168.216.220/24 interface="ether3krans h to house" network=
192.168.216.0
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# arriving on any of its interfaces, and no /ip firewall filter section is
# present in this export to limit who may ask; confirm a filter exists on
# the live box or restrict it.
/ip dns
set allow-remote-requests=yes servers=192.168.6.254
# Port-forward rules. None of them is restricted by in-interface or
# dst-address, so each matches on every interface the router has. The 8006
# and 8007 rules log with prefix "hik-". A rule counter moving by exactly one
# per attempt is expected: only the first packet of a connection traverses
# dstnat, the rest is handled by connection tracking. The "hik-" log entries
# and /ip firewall connection are the places to see whether the forwarded
# packet was ever answered.
# The masquerade rule has no out-interface, so the source address is
# rewritten to the router's own address on every egress interface. The
# cameras therefore see 192.168.216.220 as the client no matter where the
# request came from, which also strips the real source from their logs;
# restricting it to the farm-facing interface would keep office sources
# visible on the 215 side.
/ip firewall nat
add action=dst-nat chain=dstnat comment="AVTech Cameras" dst-port=8006 log=
yes log-prefix=hik- protocol=tcp to-addresses=192.168.216.253 to-ports=90
add action=dst-nat chain=dstnat comment="Hikvision Cameras App" dst-port=8007
log=yes log-prefix=hik- protocol=tcp to-addresses=192.168.3.252 to-ports=
8000
add action=dst-nat chain=dstnat comment="link to switch - https" dst-port=
8003 protocol=tcp to-addresses=192.168.216.254 to-ports=443
add action=dst-nat chain=dstnat comment="link to unifi controller - https"
dst-port=8004 protocol=tcp to-addresses=192.168.4.253 to-ports=8443
add action=masquerade chain=srcnat
# NOTE(review): the "VLAN 2" route is for 192.168.0.0/24 while every other
# entry follows 192.168.<vlan>.0/24 -- verify this is not a typo for
# 192.168.2.0/24. The 192.168.6.0/24 static route overlaps the connected
# 192.168.6.251/24 on "Kransplaas Sector"; the connected route should win
# (lower distance) while that interface is up, so this entry only takes
# effect if the sector AP goes down. The first (default) route is disabled.
/ip route
add disabled=yes distance=1 gateway=192.168.6.254
add comment="Needed to give Internet access to VLAN 2" distance=1
dst-address=192.168.0.0/24 gateway=192.168.216.254
add comment="Needed to give Internet access to VLAN 3" distance=1
dst-address=192.168.3.0/24 gateway=192.168.216.254
add comment="Needed to give Internet access to VLAN 4" distance=1
dst-address=192.168.4.0/24 gateway=192.168.216.254
add comment="Needed to give Internet access to VLAN 5" distance=1
dst-address=192.168.5.0/24 gateway=192.168.216.254
add comment="Needed to give Internet access to VLAN 6" distance=1
dst-address=192.168.6.0/24 gateway=192.168.216.254
add comment="Needed to give Internet access to VLAN 7" disabled=yes distance=
1 dst-address=192.168.7.0/24 gateway=192.168.216.254
# Only the API service is disabled here; the state of www, telnet, ftp, ssh,
# winbox and api-ssl is not shown in this export -- check /ip service print
# for anything reachable from the farm-facing interface.
/ip service
set api disabled=yes
# OSPF runs on both the office and the farm segments. No /routing ospf
# interface entry with authentication appears in this export, so the
# adjacency on 192.168.216.0/24 is presumably unauthenticated; confirm.
/routing ospf network
add area=backbone network=192.168.215.0/24
add area=backbone network=192.168.216.0/24
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Berg433
# Firewall topic logged with prefix "fw-" (default action, presumably the
# 100-line memory buffer configured above).
/system logging
add prefix=fw- topics=firewall