I'm not dumb, really I'm not. I've worked with SonicWall for years and have used Fortinet and PIC as well. But this MikroTik is driving me nuts.

All I want to do is have a LAN with a bunch of DHCP clients: wired PCs, wifi devices like phones and apliances that NAT out as IP address A,
AND a couple of servers that that each have their own IP 1:1 NATed IPs (call them B and C) with certain ports, like 80, 443, 25, etc, opened for incoming trafic.

I just can't figure out how to do this. I think i need a combination of a masquerade for the client only machines and a Destination NAT for the servers.
Then some firewall filters to open the ports. It seems easy in my head, but I just can't make it work.

I'm on a RouterBOARD hAP ac.

First I used the Quick Set to create the DHCP and configure ether1 as my WAN and ether2 as my LAN, that seems to have set up the masq properly. DHCP works I can connect out with my wired and wireless clients just fine, no problems there.
[admin@MikroTik] > /ip address print
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.88.1/24 192.168.88.0 ether2
1 xxx.xxx.xxx.A/24 147.160.149.0 ether1

Next I connected my Server with a wire to port 3 set it up to get an IP via DHCP, and then make its IP to assignment Static in the MT's DHCP Leases page, call it 192.168.88.B
Then I followed the instructions in the MT manual about setting up a Destination NAT
Create an external address and bind it to the WAN
/ip address add address=xxx.xxx.xxx.B/32 interface=ether1
Set up the IN/OUT NAT rules Outside B goes to Inside B, and vice-verce
/ip firewall nat add chain=dstnat dst-address=xxx.xxx.xxx.B action=dst-nat to-addresses=192.168.88.B
/ip firewall nat add chain=srcnat src-address=192.168.88.B action=src-nat to-addresses=xxx.xxx.xxx.B

Now if I go back and look at the Quick Set, it's all messed up. The IPs for eth1 and eth2 have changed and I can't fix them, but still seems to work.
I can ping the external A address.
But I can't ping my new external B address. The internal B pings fine.
I haven't even gotten to the FW Filters yet, one step at a time.

I just want to make a simple ping work.

I need an Obi Wan.

First rule of ROS engagement: after you do any change outside QuickSet, never go back to QuickSet ... it's not designed to cope with any changes made outside of it. Use the full-featured GUI (either WebFig if you connect via http or usual WinBox interface).

Second: depends how external IP addresses are handed over to your router, but if they are in the ethernet manner, the address on WAN interface should be x.x.x.B/24 (or whatever the correct netmask on WAN interface) ... if netmask is set to 32, then you need to play plenty of tricks to make connectivity towards upstream gateway working.

OK, fixed that. /24 makes sense.
Still no ping to the B address. Now if I unplumb the B NAT rules, I get a ping response, but I think that is the MT responding.
In the packet monitor for the dstnat rule I do see packets coming in. But nothing on the srcnat side.

AND I can ping 192.168.88.1 (the MT) from server B, so that connection is working. But I cannot ping the A or B external addresses from server B.

Without a crystal ball even mkx cannot guess correctly 100% of the time. ;-P

please post your config
/export hide-sensitive file=anynameyouwish

One more thing I forgot to mention, Server B has 2 NICs. The first one (eth1) goes to a different ISP and is the default, If I ping -I eth2 I can get to the MT LAN, no problems. But if I try to ping 8.8.8.8, nada. Is that because that NIC has no default route? Maybe I should fire up another server that only has one NIC and see if that works. But surely I should be able to have 2 internet accessible NICs on different subnets in one server, right?

OMG I am so dumb.
Yes, this seems to be the problem. 2 NICs. The 2nd, being the new ISP doesn't seem to know how to route to the internet, which kind of makes sense since the default route is on eth1.
I set up an other server with just 1 NIC and it works exactly as I would expect.

And the problem with having 2 NICs in one machine both connected to the internet is fixed by Linux's route2 tables
See: https://www.thomas-krenn.com/en/wiki/Tw ... One_System