I have the following double NAT setup: ISP provided Modem/Router connected to Mikrotik Router on 192.198.3.0/24. LAN on Mikrotik is 192.168.1.0/24. LAN includes a couple of DVRs (.71 & .72) with different sets of ports. Modem/Router forwards open ports to eth2 of Mikrotik at 192.168.3.5. Then it is forwarded to the DVRs. I was able to set up port forwarding so that it works both from the outside (internet) and from clients on 192.168.1.0/24 (LAN). Now, Wifi access is provided by the Modem/Router. This means that local wifi users are on 192.198.3.0/24. What I am having trouble with is wifi users accessing the DVRs. I have even tried with the firewall rules disabled for testing purposes, but with no luck. Any help would be greatly appreciated...
If you need the whole picture, below is my full MikroTik configuration:
# mar/31/2021 14:52:45 by RouterOS 6.48.1
# software id = V2G1-I8S1
#
# model = 951Ui-2HnD
# serial number = 45880238E3C3
# Physical roles: ether1 and ether2 are the two upstream (ISP) links, ether3 is the LAN.
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2
set [ find default-name=ether3 ] comment=LAN
# wlan1 only has its SSID changed in this export; whether the radio is enabled or which
# security profile it uses is not visible here.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
# Default security profile with only the supplicant identity changed (an export shows non-default values only).
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pool for LAN clients on ether3 (.150-.254); the DVRs at .71/.72 sit outside this range.
/ip pool
add name=dhcp_pool2 ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=ether3 lease-time=3h name=\
dhcp1
# Log action referenced by /system logging below: critical-topic events are e-mailed.
/system logging action
add email-to=xxxxxx@gmail.com name=Email target=email
# SYN cookies for the router's own TCP stack; complements the syn-attack chain in /ip firewall filter.
/ip settings
set tcp-syncookies=yes
# Addressing: 192.168.1.1/24 on the LAN, 192.168.2.5 facing ISP1, 192.168.3.5 facing ISP2.
# 192.168.3.5 is the address the upstream modem/router forwards the DVR ports to (see /ip firewall nat),
# and the modem's Wi-Fi clients share the 192.168.3.0/24 subnet with ether2.
/ip address
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0
add address=192.168.2.5/24 interface=ether1 network=192.168.2.0
add address=192.168.3.5/24 interface=ether2 network=192.168.3.0
# LAN clients are handed public resolvers (8.8.8.8/8.8.4.4) and the Google NTP addresses directly.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
ntp-server=216.239.35.0,216.239.35.4
# Router's own resolvers; allow-remote-requests is not set in this export, so the router is not
# acting as a DNS resolver for clients (no open-resolver exposure on the upstream sides).
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# LAN hosts permitted to reach the router itself (matched by the input accept in /ip firewall filter).
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
# Non-public / bogon ranges, matched against the SOURCE of traffic arriving on ether1/ether2.
# 192.168.0.0/16 also covers both upstream subnets (192.168.2.0/24 and 192.168.3.0/24), so hosts behind
# the modem — including its Wi-Fi clients — fall in this list when they reach the router via ether2.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# DVR hosts; excluded from PCC connection marking in /ip firewall mangle so DVR-originated
# traffic never gets a routing mark and follows the main table.
add address=192.168.1.72 list=DVR-Ips
add address=192.168.1.71 list=DVR-Ips
# NTP sources accepted by the input chain (all protocols/ports — see the note in /ip firewall filter).
add address=216.239.35.4 list=NTP-Servers
add address=216.239.35.0 list=NTP-Servers
/ip firewall filter
# forward: fast path for replies and related traffic. There is no equivalent established/related
# accept in the input chain; input relies on the chain's default accept (see the NOTE further down).
add action=accept chain=forward comment="Established & Related" \
connection-state=established,related
# input: LAN hosts in allowed_to_router may reach router services.
add action=accept chain=input comment="LAN Traffic Allowed IP Range" \
src-address-list=allowed_to_router
# input: NTP sources accepted on every protocol/port. NTP replies to the router's own client would
# be covered more narrowly by an established/related accept.
add action=accept chain=input src-address-list=NTP-Servers
# input: ICMP accepted from anywhere.
add action=accept chain=input comment=Ping protocol=icmp
# New TCP SYNs on both chains go through syn-attack: accepted within limit=400,5:packet,
# otherwise logged ("Syn Flood Drop") and dropped.
add action=jump chain=forward comment="SYN Flood protect FORWARD" \
connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" \
connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=syn-attack connection-state=new limit=400,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix=\
"Syn Flood Drop" protocol=tcp tcp-flags=syn
# forward: every TCP connection that was dst-natted (the DVR forwards in /ip firewall nat) is accepted,
# and each packet is logged. Despite the comment there is no in-interface match, so this applies to all
# interfaces. Because it sits above the !dstnat and not_in_internet drops below, private-sourced hosts
# arriving via ether2 (e.g. the modem's Wi-Fi clients) are allowed through to the DVRs only for the
# forwarded ports; everything else from them is caught by those drops.
add action=accept chain=forward comment="Allow port forwarding on ISP2" \
connection-nat-state=dstnat connection-state=established,related,new \
connection-type="" log=yes protocol=tcp
# forward: packets with FIN or RST set that were not already accepted as established/related above
# are logged and dropped (stray or out-of-state segments).
add action=drop chain=forward comment="Drop FIN" log=yes protocol=tcp \
tcp-flags=fin
add action=drop chain=forward comment="Drop RST" log=yes protocol=tcp \
tcp-flags=rst
# Invalid connection-tracking state dropped and logged on both chains.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix="invalid DROPPED"
add action=drop chain=input comment=Invalid connection-state=invalid log=yes \
log-prefix="Invalid Dropped"
# Anti-spoofing on the LAN side: only 192.168.1.0/24 sources may enter via ether3.
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=ether3 log=\
yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
# input: a source (per /32) holding more than 100 TCP connections is listed for a day and,
# while listed, tarpitted once it holds more than 3.
add action=add-src-to-address-list address-list=Over-100-Conn \
address-list-timeout=1d chain=input comment="Connections over 100 for IP" \
connection-limit=100,32 protocol=tcp
add action=tarpit chain=input comment="Drop if over 100 Connections" \
connection-limit=3,32 protocol=tcp src-address-list=Over-100-Conn
# Port-scan detection (psd=21,3s,3,1) on both chains; listed sources are dropped for a day below.
# There is no in-interface restriction, so a LAN host that trips psd lands on the list as well —
# check the Port-Scan list first when a LAN client suddenly loses connectivity.
add action=add-src-to-address-list address-list=Port-Scan \
address-list-timeout=1d chain=forward comment="Port Scan Hamad" log=yes \
log-prefix="Port Scan Fwd" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port-Scan \
address-list-timeout=1d chain=input comment="Port Scan Hamad" log=yes \
log-prefix="Port Scan Input" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop Port Scan Hamad" src-address-list=\
Port-Scan
add action=drop chain=forward comment="Drop Port Scan Hamad" \
src-address-list=Port-Scan
# Unsolicited new connections arriving on either upstream interface are dropped (prefix !NAT)
# unless a dst-nat rule already matched them.
add action=drop chain=forward comment=\
"ISP1 Drop incoming packets that are not NATted" connection-nat-state=\
!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"ISP2 Drop incoming packets that are not NATted" connection-nat-state=\
!dstnat connection-state=new in-interface=ether2 log=yes log-prefix=!NAT
# Upstream interfaces: drop traffic from non-public sources. Since 192.168.0.0/16 is on that list,
# this is the rule that stops non-forwarded traffic from the modem's LAN/Wi-Fi side on ether2.
add action=drop chain=forward comment=\
"ISP1 Drop incoming from internet which is not public IP" in-interface=\
ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"ISP2 Drop incoming from internet which is not public IP" in-interface=\
ether2 log=yes log-prefix=!public src-address-list=not_in_internet
# input: accepts every protocol/port from one hard-coded Gmail address (the /tool e-mail server).
# src-address-list="" is an empty matcher. Replies to the router's outbound SMTP would be covered
# by an established/related accept; this is wider than needed and the address may change.
add action=accept chain=input comment=Gmail src-address=74.125.141.108 \
src-address-list=""
# NOTE(review): both per-ISP catch-all input drops are disabled and no other terminating drop
# exists in input, so the chain falls through to the default accept. Router services on ether1/ether2
# are then limited only by /ip service (where just telnet and ssh are disabled in this export).
# Enabling these two rules, after confirming management still works from the LAN, closes that gap.
add action=drop chain=input comment="Drop All other ISP1" disabled=yes \
in-interface=ether1
add action=drop chain=input comment="Drop All other ISP2" disabled=yes \
in-interface=ether2
# Disabled: would stop LAN clients from reaching private ranges via the upstream links.
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" disabled=yes \
dst-address-list=not_in_internet in-interface=ether3 log=yes log-prefix=\
!public_from_LAN out-interface=!ether3
# Disabled FTP brute-force handling (the ftp service is not listed as disabled in /ip service).
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=yes \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=yes protocol=tcp
# Disabled staged SSH brute-force lists (ssh itself is disabled in /ip service).
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=\
yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall mangle
# Traffic destined for the two upstream subnets leaves mangle unmarked (accept ends chain
# processing), so it is routed by the main table instead of a PCC mark. This is also what keeps
# replies to hosts on 192.168.3.0/24 — e.g. the modem's Wi-Fi clients — from being handed to
# 192.168.3.1 via the ether2-mark table instead of being delivered directly.
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting dst-address=192.168.3.0/24
# PCC load balancing: new LAN connections to non-local destinations are split two ways by
# both-addresses; DVR sources are excluded so their traffic stays on the main table.
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether3 new-connection-mark=WAN1 \
passthrough=yes per-connection-classifier=both-addresses:2/0 \
src-address-list=!DVR-Ips
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether3 new-connection-mark=WAN2 \
passthrough=yes per-connection-classifier=both-addresses:2/1 \
src-address-list=!DVR-Ips
# Routing marks derived from the connection mark, for forwarded LAN traffic (prerouting) and
# router-originated traffic (output).
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
ether3 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
ether3 new-routing-mark=ether2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
ether1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
ether2-mark passthrough=yes
# Connections entering from an upstream interface are tied to that interface so replies leave the same way.
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
/ip firewall nat
# Source NAT on both upstream links.
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
# DVR port forwards. dst-address-type=local matches any address owned by this router
# (192.168.1.1, 192.168.2.5 or 192.168.3.5) and there is no in-interface restriction, so a host
# on 192.168.3.0/24 that connects to 192.168.3.5 on these ports is redirected to the DVR exactly
# like an internet client. A Wi-Fi client that instead targets the modem's public address depends
# on the modem performing NAT loopback, which nothing in this configuration can influence.
# TCP only; src-port="" is an empty matcher; log=yes logs every matching packet.
add action=dst-nat chain=dstnat comment=DVR1 dst-address-type=local dst-port=\
67-68 log=yes protocol=tcp src-port="" to-addresses=192.168.1.71
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type=local dst-port=\
69 log=yes protocol=tcp src-port="" to-addresses=192.168.1.72
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type=local dst-port=\
70 log=yes protocol=tcp src-port="" to-addresses=192.168.1.72
# Disabled PBX/voice forwards with port translation, restricted to ether2.
add action=dst-nat chain=dstnat comment=PBX1 disabled=yes dst-port=35356 \
in-interface=ether2 protocol=tcp to-addresses=192.168.1.29 to-ports=5060
add action=dst-nat chain=dstnat comment="DSP2 DSP" disabled=yes dst-port=\
16000-16511 in-interface=ether2 protocol=tcp to-addresses=192.168.1.30 \
to-ports=16000-16511
/ip route
# Marked default routes used by the PCC routing marks (ether1-mark -> ISP1, ether2-mark -> ISP2),
# each with gateway ping checks.
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=\
ether1-mark
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=\
ether2-mark
# Two unmarked default routes with equal distance in the main table, used by unmarked traffic
# (DVR sources, traffic to the upstream subnets). The netwatch scripts disable/enable every
# default route via a given gateway when that ISP fails/recovers.
add distance=1 gateway=192.168.3.1
add distance=1 gateway=192.168.2.1
# Host routes pin the netwatch probe targets: 8.8.4.4 is always tested through ISP1 and
# 8.8.8.8 through ISP2, so each watchdog measures its own link.
add check-gateway=ping distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.3.1
# Only telnet and ssh are disabled; the remaining services (www, winbox, api, ftp, ...) are not
# listed, so they stay at their defaults unless changed outside this export. With the catch-all
# input drops in /ip firewall filter disabled, those services are reachable from ether1/ether2.
# Restricting them with an address= range is the usual complement to a terminating input drop.
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=VI
# Critical-topic log entries are mailed through the Email action defined above.
/system logging
add action=Email prefix="Mikrotik Router VI" topics=critical
# Router clock synced against the same Google NTP addresses handed to LAN clients by DHCP.
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4
# Disabled: would run PingCheck every 10 minutes. The granted policy (password, sensitive,
# sniff, ftp, ...) is far broader than a script that only pings and reboots needs.
/system scheduler
add disabled=yes interval=10m name=schedule-PingCheck on-event=PingCheck \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=00:00:00
# Reboots the router when all 10 pings to 1.1.1.1 fail ([/ping ...] returns the number of
# replies). Only triggered by the (currently disabled) scheduler above.
/system script
add dont-require-permissions=no name=PingCheck owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":if ([/ping 1.1.1.1 count=10] = 0) do={\r\
\n /system reboot\r\
\n}"
# Bandwidth-test server switched off (it is on by default).
/tool bandwidth-server
set enabled=no
# Outbound mail via a hard-coded Gmail IP on 587 with STARTTLS; credentials redacted in the post.
# The same IP is accepted wholesale in the input chain; if Gmail's address changes both break together.
/tool e-mail
set address=74.125.141.108 from=xxxxxx@gmail.com port=587 \
start-tls=yes user=xxxxxx@gmail.com
/tool netwatch
# ISP1 watchdog: probes 8.8.4.4 every 10s (pinned to ISP1 by the /32 route). On failure every
# default route via 192.168.2.1 (marked and unmarked) is disabled and ALL tracked connections are
# flushed — this also resets LAN-internal and DVR sessions, not just flows on the failed link.
# On recovery the routes are re-enabled.
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.\
2.1]\r\
\n:log error \"ISP1 is down\"\r\
\n/ip firewall connection remove [find]" host=8.8.4.4 interval=10s \
timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gatew\
ay=192.168.2.1]\r\
\n:log warning \"ISP1 is up\""
# ISP2 watchdog: same logic for 8.8.8.8 / 192.168.3.1, including the full connection flush.
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.\
3.1]\r\
\n:log error \"ISP2 is down\"\r\
\n/ip firewall connection remove [find]" host=8.8.8.8 interval=10s \
timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gatew\
ay=192.168.3.1]\r\
\n:log warning \"ISP2 is up\""