Hi everyone !!!
I have an issue with DNAT (destination NAT) on RouterOS 6.43.8.
I created this rule (public address redacted):
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=64000 in-interface=ether1 protocol=tcp to-addresses=10.60.7.20 to-ports=22
It only works in one direction, for traffic coming in from outside:
I see the incoming traffic arrive at 10.60.7.20 and its responses go back out; I can also see that return traffic on the router, but the source IP and source port are not translated back to the public address and port 64000.
Some of the routers along the path use PBR (policy-based routing), but I don't think that affects this traffic.
# jan/23/2019 14:57:09 by RouterOS 6.43.8
# software id =
#
#
#
# ether1 is the public-facing interface: it carries the xxx.xxx.xxx.xxx/20 address
# (/ip address), runs the DHCP client (/ip dhcp-client) and is the interface the
# src-nat and dst-nat rules in /ip firewall nat are bound to.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
# Three GRE tunnels between (redacted) public endpoints. Each carries an
# ipsec-secret, i.e. the GRE traffic is protected by IPsec with a pre-shared key
# negotiated using the profile/proposal defined under /ip ipsec below.
# !keepalive disables tunnel keepalives, so a dead remote endpoint is not
# detected at the interface level. allow-fast-path=no keeps the tunnel traffic
# in the regular firewall/connection-tracking path. The interface names are
# redacted here; /ip address refers to them as To_MKRHUB and To_FAC.
/interface gre
add allow-fast-path=no ipsec-secret=xxxxx !keepalive local-address=xxx.xxx.xxx.xxx mtu=1400 name=xxxxxx remote-address=xxx.xxx.xxx.xxx
add allow-fast-path=no ipsec-secret=xxxxx !keepalive local-address=xxx.xxx.xxx.xxx mtu=1400 name=xxxxxx remote-address=xxx.xxx.xxx.xxx
add allow-fast-path=no ipsec-secret=xxxxx !keepalive local-address=xxx.xxx.xxx.xxx mtu=1400 name=xxxxxx remote-address=xxx.xxx.xxx.xxx
# Default wireless security profile; only the supplicant identity differs from
# factory defaults. No wireless interface is configured anywhere else in this
# export, so this profile appears unused.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKE (phase 1) profile for the GRE-over-IPsec tunnels: AES-128, SHA-256 and
# DH group modp2048. nat-traversal=no means NAT-T (UDP/4500 encapsulation) is
# not offered; this only works while neither endpoint sits behind NAT.
/ip ipsec peer profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=some_name nat-traversal=no
# Phase 2 proposal: AES-128-CBC with SHA-256 integrity and PFS (modp2048).
# The algorithm choice is reasonable for 6.43; aes-128-cbc+sha256 is not an
# AEAD cipher, which is fine here since integrity is provided separately.
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=some_name pfs-group=modp2048
# No community is listed under this section, so the built-in read-only
# community "public" appears to be still in force while SNMP is enabled
# further down in /snmp. NOTE(review): confirm with `/snmp community print`
# and replace "public" with a non-default community restricted by address
# (or use SNMPv3), because the firewall below exposes UDP/161 widely.
/snmp community
# ether1: public /20 (redacted). The 10.140.64.x/30 and 10.140.80.x/30
# point-to-point addresses sit on the GRE tunnel interfaces To_MKRHUB and
# To_FAC; To_FAC carries two of them. The static routes under /ip route use
# the far ends of these /30s (10.140.64.1, 10.140.64.6) as next hops.
/ip address
add address=xxx.xxx.xxx.xxx/20 interface=ether1 network=xxx.xxx.xxx.xxx
add address=10.140.64.2/30 interface=To_MKRHUB network=10.140.64.0
add address=10.140.64.5/30 interface=To_FAC network=10.140.64.4
add address=10.140.80.5/30 interface=To_FAC network=10.140.80.4
# DHCP client on the public interface, in addition to the static address on
# ether1 in /ip address. add-default-route / use-peer-dns are not shown, so they
# presumably keep their defaults (both enabled); NOTE(review): verify this does
# not compete with the static default route and DNS server set below.
/ip dhcp-client
add disabled=no interface=ether1
# Upstream resolver for the router itself. allow-remote-requests is not shown,
# so it presumably stays at its default (no) and the router is not an open
# resolver; keep it that way, since the input chain below is wide open.
/ip dns
set servers=8.8.8.8
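/ip firewall filter
# --- input chain: the router's own services ---------------------------------
# The original rule set ended in an unconditional "accept chain=input", which
# made every preceding input rule redundant and left all router services (ssh,
# winbox, www, snmp, ...) reachable from the public ether1 interface. This
# version keeps the explicit allows and ends with a drop for unsolicited traffic
# arriving on ether1 only; traffic from the tunnel/internal side is still
# accepted, as before.
add action=accept chain=input comment="replies to tracked connections" connection-state=established,related
add action=drop chain=input comment="untracked / malformed packets" connection-state=invalid
add action=accept chain=input comment="ICMP (ping, path-MTU)" protocol=icmp
add action=accept chain=input comment="management host" src-address=95.182.74.14
add action=accept chain=input comment="management host" src-address=5.43.226.94
add action=accept chain=input comment="tunnel transit network" src-address=10.140.64.0/24
# The GRE-over-IPsec tunnels (/interface gre) terminate on the public address,
# so IKE, ESP and the decapsulated GRE arrive on ether1 and must be allowed
# explicitly once a default deny exists. NOTE(review): the peer addresses are
# redacted in this export - narrow these three rules with src-address once known.
add action=accept chain=input comment="IKE for the GRE tunnels" dst-port=500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="ESP for the GRE tunnels" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="GRE (after IPsec decapsulation)" in-interface=ether1 protocol=gre
# Harmless if the DHCP client bypasses the filter; keeps the lease renewals safe.
add action=accept chain=input comment="DHCP client replies on ether1" dst-port=68 in-interface=ether1 protocol=udp
# SNMP was previously accepted from every interface (in-interface-list=all).
# It is now limited to the non-public side; the two management hosts above are
# still allowed by their src-address rules. NOTE(review): if the poller is
# another public host, add it as a src-address rule rather than reopening 161.
add action=accept chain=input comment="SNMP from the internal side" dst-port=161 in-interface=!ether1 protocol=udp
add action=accept chain=input comment="anything from non-public interfaces (unchanged behaviour)" in-interface=!ether1
add action=drop chain=input comment="default deny from the public interface" in-interface=ether1
# --- forward chain: transit traffic ------------------------------------------
# The original "accept chain=forward" let any new connection from the internet
# reach the tunnel networks. Only established/related traffic and the
# dst-nat'ed port-forward (see /ip firewall nat) are now admitted from ether1;
# the internal/tunnel side keeps its unrestricted access.
add action=accept chain=forward comment="replies to tracked connections" connection-state=established,related
add action=drop chain=forward comment="untracked / malformed packets" connection-state=invalid
add action=accept chain=forward comment="port-forward to 10.60.7.20:22 (dst-nat)" connection-nat-state=dstnat in-interface=ether1
add action=accept chain=forward src-address=192.168.10.0/24
add action=accept chain=forward comment="internal/tunnel side to anywhere (unchanged behaviour)" in-interface=!ether1
add action=drop chain=forward comment="unsolicited inbound from the public interface" in-interface=ether1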
/ip firewall nat
# Source NAT for 10.60.7.0/24 when it leaves through the public interface.
add action=src-nat chain=srcnat comment="xxxxxxxxxxx" out-interface=ether1 src-address=10.60.7.0/24 to-addresses=xxx.xxx.xxx.xxx
# Port-forward: public xxx.xxx.xxx.xxx:64000/tcp -> 10.60.7.20:22 (SSH).
# The reverse translation of the replies is done by connection tracking, not by
# this rule, so the reply from 10.60.7.20 must come back through THIS router,
# where the conntrack entry lives (the route to 10.60.7.0/24 points at
# 10.140.64.1 via the To_MKRHUB tunnel, see /ip route). If policy routing on an
# intermediate router returns the reply via a different path, or the reply
# arrives with a different 5-tuple, no entry matches and the source stays
# 10.60.7.20:22. NOTE(review): compare `/ip firewall connection print` for the
# :64000 entry with a packet capture of the returning packet.
# NOTE(review): this exposes SSH on 10.60.7.20 to any source; restrict it with
# src-address / src-address-list to the admin hosts listed in /ip firewall filter.
add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=64000 in-interface=ether1 protocol=tcp to-addresses=10.60.7.20 to-ports=22
# Policy 0 is normally the built-in default template. The GRE interfaces with
# ipsec-secret create their own dynamic policies, so disabling the template is
# presumably harmless; NOTE(review): confirm with `/ip ipsec policy print` that
# the tunnel policies are present (dynamic) and active.
/ip ipsec policy
set 0 disabled=yes
/ip route
# Default route via the (redacted) public gateway on ether1.
add distance=1 gateway=xxxxxxxxxxx
# Remote networks reachable through the To_MKRHUB tunnel (10.140.64.1 is the
# far end of the 10.140.64.0/30 link). 10.60.7.0/24 - the target of the SSH
# port-forward in /ip firewall nat - is one of them, so replies from
# 10.60.7.20 are only un-NATed if they return over this same path.
add distance=1 dst-address=10.33.0.0/18 gateway=10.140.64.1
add distance=1 dst-address=10.60.2.0/24 gateway=10.140.64.1
add distance=1 dst-address=10.60.7.0/24 gateway=10.140.64.1
# Gateway redacted; presumably the far end of one of the To_FAC /30 links.
add distance=1 dst-address=10.140.80.0/23 gateway=xxxxxxxxxxx
# 192.168.10.0/24 via the To_FAC link (10.140.64.6 is its far end); this is
# the network allowed outright in the forward chain of /ip firewall filter.
add distance=1 dst-address=192.168.10.0/24 gateway=10.140.64.6
# Management services: telnet, ftp, api and api-ssl are disabled. ssh, www and
# winbox are not listed, so they presumably keep their default (enabled) state
# and, with the accept-all input rule in /ip firewall filter, are reachable
# from the internet. NOTE(review): set their `address=` to the admin hosts
# (95.182.74.14, 5.43.226.94) and/or close them in the input chain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# SNMP agent enabled, SNMPv2 traps with no trap target configured. Combined
# with the apparently default "public" community (/snmp community above) and
# the UDP/161 accept from all interfaces in /ip firewall filter, the router's
# configuration and counters are readable from the internet.
/snmp
set enabled=yes trap-generators="" trap-version=2
# Local time zone (used for log timestamps) and the redacted router identity.
/system clock
set time-zone-name=Asia/Krasnoyarsk
/system identity
set name=xxxxxxxxxxx