areyesilva
just joined
Topic Author
Posts: 12
Joined: Thu Mar 23, 2017 8:58 pm
Location: Guayaquil

Cannot Login to router by IP, but only by MAC

Fri May 04, 2018 6:31 pm

 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot Login to router by IP, but only by MAC

Fri May 04, 2018 6:46 pm

Are you just throwing your problem over the "Mikrotik Forum wall" hoping someone will catch and resolve for you?

What about giving additional info, how the device is configured firewall wise, etc.

What have you investigated and results thereof?
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Cannot Login to router by IP, but only by MAC

Sat May 05, 2018 4:41 pm

More info is needed, but possibly:
1. You don't have L2 connectivity to the router. This could be a mismatch of subnet mask, for example.
2. Access to the router is blocked by its firewall.
 
routik
Member Candidate
Posts: 118
Joined: Wed Oct 14, 2009 5:40 pm
Location: Abuja-Nigeria

Re: Cannot Login to router by IP, but only by MAC

Mon May 07, 2018 1:37 pm

As other posters above have said, more details of what really happened will hasten the help you will receive.
Questions like: is there an IP address configured on the interface you're connected to? And is there a firewall rule blocking IP access to the router?


 
areyesilva
just joined
Topic Author
Posts: 12
Joined: Thu Mar 23, 2017 8:58 pm
Location: Guayaquil

Re: Cannot Login to router by IP, but only by MAC

Mon May 21, 2018 5:20 pm

Sorry for the missing information. I did not know how to post the info. So this is what I have:

DHCPClient
dhcpclient.jpg
DHCPServer
dhcpServerLAN.jpg
BridgeOffice
BridgePort.jpg
Firewall
firewall.jpg
NAT
FirewallNat.jpg
As mentioned before, the problem is that I cannot access the cameras or any other port-forwarded devices from within my LAN; I can access them only from outside my LAN. I tried to do the hairpin that is suggested in the wiki, but that did not work. Maybe I am doing something wrong. I appreciate your help. @routik @Solar77
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot Login to router by IP, but only by MAC

Mon May 21, 2018 9:14 pm

It is a bit confusing to see the topic subject mention login to the router while the description deals with login to cameras on the LAN from other devices on the same LAN.

So
1) what is the actual issue you currently fight? Access to router's IP address from a PC on LAN, or access to a camera on LAN from a PC on LAN via the router's public IP?
2) can you click the Terminal button and post the output of the /export hide-sensitive command issued in the window which opens, after systematically replacing each occurrence of any public address you don't want to publish by a distinctive meaningful string like my.public.ip.1?
 
areyesilva
just joined
Topic Author
Posts: 12
Joined: Thu Mar 23, 2017 8:58 pm
Location: Guayaquil

Re: Cannot Login to router by IP, but only by MAC

Tue May 22, 2018 5:05 am

Sindy, the problem I am facing is that at first I had done a hairpin, but that did not allow me to access the router except through the MAC address. Now that I have deleted that configuration, I cannot use my public IP address to access the cameras or other devices in my LAN.
So this is the problem that I have: I cannot access the NVR with the public IP from the LAN. I tried to do what the wiki teaches about hairpin, but that did not work. I appreciate your help and sorry for the confusion.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot Login to router by IP, but only by MAC

Tue May 22, 2018 10:47 am

OK, so please re-add the rule which breaks access to the router and fixes access to the cameras but with disabled=yes, then follow point 2) above (export hide-sensitive etc.). The screenshots do not show all parameters of the firewall rules.
 
areyesilva
just joined
Topic Author
Posts: 12
Joined: Thu Mar 23, 2017 8:58 pm
Location: Guayaquil

Re: Cannot Login to router by IP, but only by MAC

Tue May 22, 2018 1:23 pm

Code:

# may/22/2018 05:12:53 by RouterOS 6.39.2
# software id = SZXF-N2Q7
#
/interface bridge
add arp=reply-only name=BridgeOffice
add name=BridgeVlan5
add arp=reply-only name=Fatima
/interface ethernet
set [ find default-name=ether9 ] arp=reply-only
/interface vlan
add arp=reply-only interface=ether2 name=vlan5 vlan-id=5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name="WLAN WORK" supplicant-identity=""
/interface wireless
/ip dhcp-server
add add-arp=yes disabled=no interface=BridgeOffice name=DHCPServerLAN
/ip pool
add name=PoolGuest ranges=10.10.5.2-10.10.5.30
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.30
add name=PoolFatima ranges=192.168.25.2
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=BridgeVlan5 name=\
DHCPServerGuest
add add-arp=yes address-pool=PoolFatima disabled=no interface=Fatima name=\
ServerDHCP
/ppp profile
add local-address=10.5.5.5 name=**** remote-address=10.6.6.6
/queue simple
add max-limit=10M/10M name=queue1 target=10.10.10.16/32
add max-limit=5M/5M name=QueueVLAN5 target=BridgeVlan5
add max-limit=3M/3M name=QueueFatima target=Fatima
/interface bridge port
add bridge=BridgeOffice interface=ether2
add bridge=BridgeVlan5 interface=vlan5
add bridge=Fatima interface=ether4
add bridge=BridgeOffice interface=ether5
add bridge=BridgeOffice interface=ether6
add bridge=BridgeOffice interface=ether3
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=128.10.5.254/24 comment=OfficeNetwork interface=BridgeOffice \
network=128.10.5.0
add address=192.168.25.1/30 comment=Fatima interface=Fatima network=\
192.168.25.0
add address=10.10.10.1/27 interface=BridgeVlan5 network=10.10.10.0
set ddns-enabled=yes
/ip dhcp-client
add comment="DHCP Client From IPS - Ether WAN" dhcp-options=hostname,clientid \
disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/27 gateway=10.10.10.1 netmask=27
add address=128.10.5.0/24 gateway=128.10.5.254 netmask=\
24
add address=192.168.1.0/30 gateway=192.168.1.1
add address=192.168.25.0/30 gateway=192.168.25.1 netmask=30
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=10.5.5.0/24 list=allow-ip
add address=10.10.1.0/24 list=allow-ip
add address=10.10.10.0/27 list=allow-ip
add address=128.10.5.0/24 list=allow-ip
add address=186.3.147.96/27 list=allow-ip
add address=192.168.1.0/24 list=allow-ip
add address=192.168.25.0/30 list=allow-ip
/ip firewall filter
add action=accept chain=input comment=PPTPConfig dst-port=1723 protocol=tcp
add action=accept chain=forward dst-address=128.10.5.2 src-address=10.10.10.16
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=\
10.10.10.0/24
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=\
192.168.25.0/30
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=186.3.147.xxx dst-port=5000 \
in-interface=ether1 protocol=tcp to-addresses=128.10.5.2 to-ports=5000
add action=dst-nat chain=dstnat dst-address=186.3.147.xxx dst-port=8086 \
in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=8086
add action=dst-nat chain=dstnat dst-address=186.3.147.xxx dst-port=8001 \
in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=8001
add action=dst-nat chain=dstnat dst-address=186.3.147.xxx dst-port=554 \
in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 to-ports=554
add action=masquerade chain=srcnat dst-address=128.10.5.50 dst-port=8086 \
out-interface=ether1 protocol=tcp src-address=128.10.5.0/24
/ip route
add distance=1 dst-address=10.5.5.0/24 gateway=*F00093
add distance=1 dst-address=10.10.1.0/24 gateway=*F00093
add distance=1 dst-address=192.168.1.0/24 gateway=BridgeOffice
/ip service
set telnet disabled=yes
/system clock
set time-zone-name=America/Guayaquil
/system identity
set name=***
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
/system note
set note="The security flaw for Hajime is closed by the firewall. Please update \
RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk3nUg\
sdqQawiMLC1bUGDZWHowix1"
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot Login to router by IP, but only by MAC

Tue May 22, 2018 2:29 pm

Code:

# may/22/2018 05:12:53 by RouterOS 6.39.2
# software id = SZXF-N2Q7
#
...
/system note
set note="The security flaw for Hajime is closed by the firewall. Please update \
RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk3nUg\
sdqQawiMLC1bUGDZWHowix1"

I have a feeling your router has been compromised...
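
The check behind CZFan's remark can be made repeatable. The following is an added example, not part of any post in this thread and not MikroTik tooling: it parses /export text and flags three things visible in the export above (a /system note that mentions payment, disabled /system logging rules, and an input chain without any drop rule). The function names, finding labels and the shortened sample text are assumptions made for illustration.

```python
import re

# Constructed sample shaped like the export posted in this thread; the note is
# shortened and its payment identifiers are replaced with placeholders.
SAMPLE_EXPORT = r'''
# constructed sample, not a real device
/ip firewall filter
add action=accept chain=input comment=PPTPConfig dst-port=1723 protocol=tcp
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=\
    10.10.10.0/24
/system logging
set 0 disabled=yes
set 1 disabled=yes
/system note
set note="The security flaw is closed by the firewall. Gratitude is accepted \
    on WebMoney PLACEHOLDER or BTC PLACEHOLDER"
'''

def parse_export(text):
    """Yield (section, command) pairs, joining backslash line continuations."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]          # keep text, drop the continuation mark
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line               # e.g. "/ip firewall filter"
        else:
            yield section, line

def audit(text):
    """Return sorted finding labels. These are review heuristics, not proof."""
    findings, input_drop = set(), False
    for section, cmd in parse_export(text):
        if section == "/system note" and re.search(r"\b(BTC|WebMoney)\b", cmd):
            findings.add("note-mentions-payment")
        elif section == "/system logging" and re.match(r"set \S+ disabled=yes", cmd):
            findings.add("logging-rule-disabled")
        elif section == "/ip firewall filter" and "chain=input" in cmd:
            input_drop = input_drop or "action=drop" in cmd
    if not input_drop:
        findings.add("input-chain-has-no-drop")
    return sorted(findings)
```

A hit is a reason to review the device and its firmware version by hand; an empty result does not show that a router is clean.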
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot Login to router by IP, but only by MAC

Tue May 22, 2018 4:31 pm

1. your firewall filter rules indicate that you have some gaps in understanding how Mikrotik's firewall works. Please look here for a supercharged introduction and modify your firewall rules so that they provide better protection. Then, I would strongly recommend to export the configuration to a file, download it outside the 'Tik, and upgrade to at least 6.40.8 (latest bugfix release) and later maybe even to 6.42.2 (latest current release).

2. you haven't added any firewall rule with disabled=yes so it is hard to guess which one causes the conflict. But from the history, I suppose that it is this one:
/ip firewall nat
...
add action=masquerade chain=srcnat dst-address=128.10.5.50 dst-port=8086 out-interface=ether1 protocol=tcp src-address=128.10.5.0/24
The problem is that I cannot understand why this rule should have any effect at all. It cannot help access cameras' port 8086 from LAN via the public IP of the 'Tik because in your configuration, out-interface=ether1 is never true simultaneously with dst-address=128.10.5.50 src-address=128.10.5.0/24.

To make the hairpin NAT work, you need to make the cameras think that Mikrotik is the client, so that they would send their responses to Mikrotik rather than directly to the real client. If the real client sends the SYN packet to the WAN address of the Mikrotik but receives the SYN,ACK response from the LAN address of the camera, it doesn't recognize it as a response to the SYN. So just removing the out-interface=ether1 from the rule should be enough to make the access to cameras work. You could replace it by out-interface=BridgeOffice but it is not necessary as the combination of dst-address and src-address has the same effect.

It would also be cleaner to replace action=masquerade by action=src-nat to-addresses=128.10.5.254 in the rule, but it is not the essence of the trouble.
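
The packet flow sindy describes, as an added example that is not part of the original post: a small Python model of one hairpin connection inside the BridgeOffice subnet from the export. PUBLIC is a constructed stand-in for the WAN address and the function names are made up for illustration. The model assumes the dst-nat rule also matches packets arriving from the LAN (no in-interface=ether1 matcher, as in the final rule set posted later in the thread) and does not model filter rules or the other subnets.

```python
import ipaddress

LAN = ipaddress.ip_network("128.10.5.0/24")    # BridgeOffice subnet from the export
ROUTER_LAN, CAMERA = "128.10.5.254", "128.10.5.50"
PUBLIC = "203.0.113.10"                        # constructed stand-in for the WAN address

def egress(dst):
    """Interface the router forwards dst through (connected LAN, else WAN)."""
    return "BridgeOffice" if ipaddress.ip_address(dst) in LAN else "ether1"

def srcnat_matches(rule, src, dst):
    """Evaluate the matchers discussed above: src-address, dst-address, out-interface."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src-address"]):
        return False
    if dst != rule["dst-address"]:
        return False
    # out-interface is compared with where the packet really leaves the router
    return rule.get("out-interface") in (None, egress(dst))

def reply_source_seen_by_client(client, hairpin_rule):
    """Follow the SYN and the SYN,ACK; return the reply's source as the client sees it."""
    # dstnat has already rewritten PUBLIC:8086 to CAMERA:8086
    src, dst = client, CAMERA
    if hairpin_rule and srcnat_matches(hairpin_rule, src, dst):
        src = ROUTER_LAN                       # camera now sees the router as the client
    if src == ROUTER_LAN:
        return PUBLIC                          # reply returns via the router, NAT is undone
    if ipaddress.ip_address(src) in LAN:
        return CAMERA                          # same subnet: reply bypasses the router
    return PUBLIC                              # outside client: reply must cross the router

def connection_works(client, hairpin_rule):
    """The client only accepts a SYN,ACK from the address it sent the SYN to."""
    return reply_source_seen_by_client(client, hairpin_rule) == PUBLIC

# The rule from the export, and the same rule with out-interface removed.
ORIGINAL = {"src-address": "128.10.5.0/24", "dst-address": CAMERA, "out-interface": "ether1"}
FIXED = {"src-address": "128.10.5.0/24", "dst-address": CAMERA}
```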
 
areyesilva
just joined
Topic Author
Posts: 12
Joined: Thu Mar 23, 2017 8:58 pm
Location: Guayaquil

Re: Cannot Login to router by IP, but only by MAC

Tue May 22, 2018 7:31 pm

Thank you Sindy, but that did not work. So I have updated the firewall rules, and also followed your instruction, but I am still not able to access the NVR (recorder) with the public IP from within my LAN. It seems to be a problem with the port forwarding, because I can access my router with my public IP, but when I try to access with the public IP and the port I have no access...
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot Login to router by IP, but only by MAC

Tue May 22, 2018 7:44 pm

How do the /ip firewall filter and /ip firewall nat rules look right now, and what is the address of the PC in the LAN you use to access the NVR?

You have several LAN subnets there, and the src-nat rule I've suggested you to modify only works for one of them.
 
areyesilva
just joined
Topic Author
Posts: 12
Joined: Thu Mar 23, 2017 8:58 pm
Location: Guayaquil

Re: Cannot Login to router by IP, but only by MAC

Wed May 23, 2018 5:15 pm

Yes, I have three subnets. The first one is for the devices in the office, the second is for the guests, the third is to share internet with another office.
The 128.10.5.0/24 is the network where the NVR (128.10.5.50) is connected, and my laptop too. I know that the rule you provided only applies to the network which is part of the Bridge office interface.
This is how the rules look right now:

Code:

/ip firewall filter
add action=accept chain=input comment=PPTPConfig dst-port=1723 protocol=tcp
add action=accept chain=forward dst-address=128.10.5.2 src-address=10.10.10.16
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=10.10.10.0/24
add action=drop chain=forward dst-address=128.10.5.0/24 src-address=192.168.25.0/30
add action=drop chain=input connection-state=invalid

Code:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8086 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 \
to-ports=8086
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1 protocol=tcp to-addresses=128.10.5.2 \
to-ports=5000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 \
to-ports=8001
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether1 protocol=tcp to-addresses=128.10.5.50 \
to-ports=554
add action=src-nat chain=srcnat dst-address=128.10.5.50 out-interface=BridgeOffice protocol=tcp \
src-address=128.10.5.0/24 to-addresses=128.10.5.254
 
areyesilva
just joined
Topic Author
Posts: 12
Joined: Thu Mar 23, 2017 8:58 pm
Location: Guayaquil

Re: Cannot Login to router by IP, but only by MAC

Thu May 24, 2018 1:13 am

I could figure it out... and it ended up like this:
[admin@***] > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

1 chain=srcnat action=masquerade protocol=tcp src-address=128.10.5.0/24 dst-address=128.10.5.50
out-interface=BridgeOffice log=no log-prefix=""

2 chain=dstnat action=dst-nat to-addresses=128.10.5.50 to-ports=8086 protocol=tcp dst-port=8086 log=no
log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=128.10.5.50 to-ports=8001 protocol=tcp dst-port=8001 log=no
log-prefix=""

4 chain=dstnat action=dst-nat to-addresses=128.10.5.50 to-ports=554 protocol=tcp dst-port=554 log=no
log-prefix=""
[admin@****] >

Thank you so much Sindy for your help!!
 
Consul
just joined
Posts: 3
Joined: Sat Feb 02, 2019 3:48 pm
Location: Tallinn

Re: Cannot Login to router by IP, but only by MAC

Mon Feb 25, 2019 11:47 am

I had the same issue - I was able to connect Winbox to my MikroTik router
only via MAC address, but not with its internal IP address within the LAN network.
My problem was in the IP limitation under section IP -> Services.

 
DjBR
just joined
Posts: 6
Joined: Fri Jul 19, 2019 4:48 pm

Re: Cannot Login to router by IP, but only by MAC

Mon Jul 13, 2020 5:18 pm

Had the same issue. Consul's tip fixed it for me.
I had forgotten my IP to 172.16.0.0/16 in IP -> Services, in SSH and WINBOX entries.
After adjusting to my current network IP address, it all worked out in app's end.
Thanks!
