Hello my friends ,,
I have 4 Hikvision NVRs ,
I use Mikrotik RB4011igs+RM router ,
after using this fantastic router , every thing is fine ,
but the problem is :
after I used this router , all NVRs became offline for HikConnect App ,, So I can't access the nvrs using mobile app ,,
I use the ports 8001 - 8002 - 8003 - 8004 for the NVRs as server ports ... and I can't see the ports open when checked through canyouseeme - and it is working good without mikrotik ..
I tried to make nat rules but no use till now ..
same problem I can't access the nvrs from wan ..
but from lan is working good --
Please I need a working solution to make the ports opened to internet through mikrotik router to use it in mobile app hikconnect
-------------------------------------------------------------------------
Note : also I can ping only the adsl modem but I can't access it as a webpage .. any solution ?
also my mikrotik LAN PCs can't acess the adsl modem LAN PCs .. any solution ?
------------------------------------------------------------------------
my config script file is attaced ...
------------------------------------------------------------------------
notes :
I have no public static IP configured ... it is just a normal dynamic public ip ..
ADSL modem ( router mode _ portt 1 ) 192.168.1.1/24
Mikrotik Router ( router mode - automatic - Eth1 - Gateway - WAN ) 192.168.1.29/24
Bridge ( LAN ) 192.168.100.100/16
MIKROTIK is the main DHCP 192.168.10.0/16 for all devices

My Mikrotik Config script :
---------------------------------------------
# mar/18/2021 19:30:14 by RouterOS 6.49beta22
# software id = V5GG-H1TA
#
# model = RB4011iGS+
# serial number = D44A0D2B3024
/interface bridge
add admin-mac=08:55:31:A4:75:A3 auto-mac=no comment=defconf name=bridge
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.1-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.100.100/16 comment=defconf interface=bridge network=\
192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/16 comment=defconf gateway=192.168.100.100 netmask=16
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.100 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 disabled=yes
/system clock
set time-zone-name=Asia/Riyadh
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Did you even port-forward your NVR ports? I don't see any dstnat rules in your config.

normal dynamic public ip

You are using "/ip cloud" instead of WAN IP, right?

The reason you can't connect to your adsl is because of the /16 (192.168.0.0-192.168.254.254) IP scope you have set. It's IP belong in this range and is being routed out on the bridge instead of your WAN. Looking at your config, I do not see a reason not to use /24 and have a single subnet (192.168.10.0/24 or 192.168.100.0/24).

You did not post what NAT rules you tried, but since you have set up double NAT (NAT from adsl to Mikrotik and Mikrotik to NVR), you will net to set up NAT rules on both devices. On the adsl, the ports would need to be forwarded to the IP of the Mikrotik. And the Mikrotik would need the ports forwarded to the NVR. If you try to connect to the NVR from LAN of Mikrotik using the external IP, you will also need Hairpin NAT.

Did you even port-forward your NVR ports? I don't see any dstnat rules in your config.

I tried NAT
Port Forwarding in Mikrotic Router:
IP>Firewall>NAT
Chain: dstnat
Dst. Address:
Protocol: tcp
Dst. Port: 8001
---
Action: dst-nat
To Addresses: 192.168.1.111 (My NVR IP)
To Ports: 8001
---
Still can't access outside.

normal dynamic public ip

You are using "/ip cloud" instead of WAN IP, right?

Yes .. normal free auto changing IP address

The reason you can't connect to your adsl is because of the /16 (192.168.0.0-192.168.254.254) IP scope you have set. It's IP belong in this range and is being routed out on the bridge instead of your WAN. Looking at your config, I do not see a reason not to use /24 and have a single subnet (192.168.10.0/24 or 192.168.100.0/24).
even I used a limited subnet .. still I can't access my nvr from outside or access the modem nnetwork resources ..

You did not post what NAT rules you tried, but since you have set up double NAT (NAT from adsl to Mikrotik and Mikrotik to NVR), you will net to set up NAT rules on both devices. On the adsl, the ports would need to be forwarded to the IP of the Mikrotik. And the Mikrotik would need the ports forwarded to the NVR. If you try to connect to the NVR from LAN of Mikrotik using the external IP, you will also need Hairpin NAT.

Port Forwarding in Mikrotic Router:
IP>Firewall>NAT
Chain: dstnat
Dst. Address:
Protocol: tcp
Dst. Port: 8001
---
Action: dst-nat
To Addresses: 192.168.1.111 (My NVR IP)
To Ports: 8001
---
Still can't access outside.

Please I need help to solve this problem ..
also I can give you my anydesk number to help me directly if possible ..
thanks a lot ..

You dont have a public IP.
The ADSL unit is giving you a private IP and thus NAT is not possible.
If you have access to the ADSL router then can you forward ALL the ports to the LANIP on the ADSL router that corresponds to the connection to your router, which is also the fixed WANIP on your MT RB4011

192.168.1.1/24 This is a private IP address structure not public.!!!

Your config is whack.
/ip address
add address=192.168.100.100/16 comment=defconf interface=bridge network=\
192.168.0.0

/ip dhcp-server network
add address=192.168.0.0/16 comment=defconf gateway=192.168.100.100 netmask=16

Should be
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24 dns-server=192.168.10.1

I can't access the nvrs from wan ..
...
I have no public static IP configured ... it is just a normal dynamic public ip ..
ADSL modem ( router mode _ portt 1 ) 192.168.1.1/24
Mikrotik Router ( router mode - automatic - Eth1 - Gateway - WAN ) 192.168.1.29/24
Bridge ( LAN ) 192.168.100.100/16
MIKROTIK is the main DHCP 192.168.10.0/16 for all devices

@mrpip, first of all, what you mean by "access from WAN" - does that mean via the mobile app that connects to cloud or you could access those NVRs by connecting to the public IP of your ADSL router before inserting the 4011 between the ADSL modem+router combo and the NVRs?

If you could, do you use some dynamic DNS service to track the ever-changing but public IP on the ADSL combo's WAN?

When you mention ports 8001-8004, are these the ports at which the NVRs listen for incoming connections or ports on the Hikvision's cloud server?

In the mobile app, do you have to configure anything else than your user account to get access to the cameras (i.e. any IP addresses, domain names or port numbers)?

You dont have a public IP.
The ADSL unit is giving you a private IP and thus NAT is not possible.
If you have access to the ADSL router then can you forward ALL the ports to the LANIP on the ADSL router that corresponds to the connection to your router, which is also the fixed WANIP on your MT RB4011

192.168.1.1/24 This is a private IP address structure not public.!!!

Your config is whack.
/ip address
add address=192.168.100.100/16 comment=defconf interface=bridge network=\
192.168.0.0

/ip dhcp-server network
add address=192.168.0.0/16 comment=defconf gateway=192.168.100.100 netmask=16

Should be
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24 dns-server=192.168.10.1

I have forwarded all ports to wanip of mikrotik .. no use ..
also I configured the NVR to take ips from DHCP it is working now ...
Thank you ...
because the NVRS take IPs now in range 192.168.10.0 ...
without adding any rules ... Thank you ...
I can now access my nvrs from outside using the app ...
SOLVED ...

I can't access the nvrs from wan ..
...
I have no public static IP configured ... it is just a normal dynamic public ip ..
ADSL modem ( router mode _ portt 1 ) 192.168.1.1/24
Mikrotik Router ( router mode - automatic - Eth1 - Gateway - WAN ) 192.168.1.29/24
Bridge ( LAN ) 192.168.100.100/16
MIKROTIK is the main DHCP 192.168.10.0/16 for all devices

@mrpip, first of all, what you mean by "access from WAN" - does that mean via the mobile app that connects to cloud or you could access those NVRs by connecting to the public IP of your ADSL router before inserting the 4011 between the ADSL modem+router combo and the NVRs?
Yes , I mean that I can't access my nvrs from outside using the app ...
Yes , I can access all nvrs without using mikrotik ...

If you could, do you use some dynamic DNS service to track the ever-changing but public IP on the ADSL combo's WAN?
No ...

When you mention ports 8001-8004, are these the ports at which the NVRs listen for incoming connections or ports on the Hikvision's cloud server?
Yes they are the ports I configured and they were working very good before mikrotik ..

In the mobile app, do you have to configure anything else than your user account to get access to the cameras (i.e. any IP addresses, domain names or port numbers)?

the account and settings are working very well without mikrotik ..
----------------------------------
tHANKS FOR YOUR TRY TO HELP ..
SOLVED NOW

what is the solution I can do in mikrotik configuration to access nvrs from outside using the app .. like before ..

That's the reason why I asked those questions.

Some NVRs work the cloud way, where they actively build connections to cloud servers, and the mobile application or browser connects to the manufacturer's servers in the cloud and access their cameras and NVRs that way. Others allow only direct connection, and in that case, a public address and port forwarding, or a VPN, is necessary to access them from outside your home LAN.

Depending on how your ones behave, a different configuration change on the Mikrotik is necessary. The information you gave in your OP is confusing and insufficient.

For the cloud way, nothing special should be required, just a proper configuration of the router. But some devices have special needs.

what is the solution I can do in mikrotik configuration to access nvrs from outside using the app .. like before ..

That's the reason why I asked those questions.

Some NVRs work the cloud way, where they actively build connections to cloud servers, and the mobile application or browser connects to the manufacturer's servers in the cloud and access their cameras and NVRs that way. Others allow only direct connection, and in that case, a public address and port forwarding, or a VPN, is necessary to access them from outside your home LAN.

Depending on how your ones behave, a different configuration change on the Mikrotik is necessary. The information you gave in your OP is confusing and insufficient.

For the cloud way, nothing special should be required, just a proper configuration of the router. But some devices have special needs.

Thank you very much ..