Need help here! i have a hex gr3 and i can access my modem/router web inter face through 192.168.1.1 but i cannot access my ip cam that is connected to modem/router via wifi through local network.

Modem/router: 122.x.x.x (public ip)
192.168.1.1 (LAN ip)

IP Cam : 192.168.1.15
8080 (port of cam)

Mikrotik : 192.168.0.1 (LAN ip)

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether-WAN comment="Default masq"
add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp dst-address=192.168.0.1 to-addresses=192.168.1.15 dst-port=8080 to-ports=8080

I used this port forwarding but still i cannot access my ip cam localy behind mikrotik.

For starters omit router's internal IP address from dst-nat rule. It's almost impossible to have packet targeted for 192.168.0.1 enter router through WAN interface.

Secondly check your address scheme. Unless you have 23-bit net addresses in use then 192.168.0.1 is not in same subnet as 192.168.1.15. I sense some confusion here, you're mentioning two different RB LAN addresses in your post. The confusion might be on my side if you have more than one LAN subnet.

So lets say for the example the following are true:

• Public IP: 122.x.x.x

• Camera IP: 192.168.1.15

• Modem/Router LAN: 192.168.1.0/24

• Your RB750Gr3 LAN: 192.168.0.0/24

• The Modem/Router and your RB750Gr3 both have their own DHCP servers handling their LAN subnets

• Your RB750Gr3 is getting a DHCP address from the Modem/Router as it's gateway

The only NAT rule you would need is the following:


Once that is done, a client on the RB750Gr3 LAN (for example 192.168.0.10) can type your camera ip address in the browser http(s)://192.168.1.15:8080, since the RB750Gr3 has an IP address in the same subnet as the camera via DHCP, the router will send the request out the gateway to the Modem/Router LAN where the camera is located. The camera will think the request is coming from your router because of the Masquerade and will send the reply back to your router, the router will then check the connection tracking table and forward the communication back to the client that made the request.

I would be remiss in not stating......Very happy to have an active {MANGLE RULE} contributor, just wanted to say that as I was getting tired of being corrected by Sob and Sindy and CZFAN etc.............. Good to have fresh blood!!

Concur, there seems to be a mismatch in the LAN configuration.
Furthermore, the dstnat rule is very confusing...........

Lets assume Mangle has the setup right and one cannot dispute his assumptions based on the given information.
Thus the Mikrotik is double natted which is never a good idea IMHO but in any case a client on the mikrotik should be able to access a client on the modem router (but not the reverse).
For me the first thing I would do is change the ISPs unit to modem only (bridge mode) and have the mikrotik do all the routing. However that is not the question.

Concur with MangleR that the masquerade rule on the mikrotik (which is no different from what the OP had already written?) seems fine and is the only item required.
Can you spot any differences? Where I see the issue is the DSTnat rule.
One still needs port forwarding in a double nat scenario where if someone from the internet wishes to access a server on the mikrotik LAN, one has to dstnat from the modem/router to the mikrotik wanip (lanip on ISP router/modem network) and then dstnat to the server on the mikrotik.
All well and good but useless for this question as we are simply looking for client to client access. There is no requirement to port forward to the IP CAM on the mikrotik router because it is NOT ON THE MIKROTIK LAN!! So the only port forwarding that needs to be done is on the ISP modem/router if the OP wishes internet (remote access to ipcam).

Thus I find the dstnat rule confusing, not useful and should be removed. Okay, that aside, the issue is most likely on the ISP modem/router side in terms of a funky setup?
Any query by a client on the mikrotik network should go out the mikrotik wan (and with the srcnat masquerade rule in-place and thus appear to be coming from 192.168.1.XX) and be allowed to, on layer 2, to access 192.168.1.15. (note: xx is the LANIP given to the mikrotik router by the DHCP of the ISP modem router (or the OP if statically assigned)

A browser query from any client behind the mikrotik should simply work - http://192.168.1.15:8080
You never did post any routing or firewall filter rules which may be blocking????

Perhaps Mangle can fix you up with a way to log the traffic request to see where it stops.........

... as I was getting tired of being corrected by Sob and Sindy and CZFAN etc..............

I'll probably keep doing that. Maybe we could make a dedicated subforum for you. We'd keep it running for a while, then we'd get it published and we'd be all rich. I always liked an idea of early retirement.

Well yes, if the book is entitled Dummies Guide to Mikrotik!! For some strange reason I have not been given any invites to present at a MUM event.
I should add that I am free to attend the MUM event in Australia, or New Zealand or Costa Rica but I need a sponsor (or someone who can crowd fund trips LOL).
If nothing else I can be a sober driver.

Here you go:

Just Ask the local IT guy on the corner.... He is a network specialist....... and can tell you about ip/netmask and routing/nat eg..................................................................................... no im just kidding. the stuff that was boring, ip/netmask mac address eg, is important in this setup. there is manny ways of doing what you want - but the easiest make more subnet to your gateway.. if its full l2 network. eg tell mikrotik gateway that it have 192.168.0.1/24 192.168.0.2/24 etc etc.. or whatever network that is behind. It will then route between the subnet - as long as its your default gw....

Here you go:
book.png

LMFAO, but do I get royalties?

By the way, thats the old first edition,
The more recent second edition has all my favourite questions again.......

EVERYTHING

you ever wanted to ask
about networking...

...anav already asked twice!

Here you go:
book.png

LMFAO, but do I get royalties?

By the way, thats the old first edition,
The more recent second edition has all my favourite questions again.......

EVERYTHING

you ever wanted to ask
about networking...

...anav already asked twice!

With the above rule, it is stating that if any traffic comes in from the interface ether-WAN destined to the host 192.168.0.1 on port 8080, destination NAT to the host 192.168.1.15 on port 8080, with the OP setup, that rule will probably never even happen since the traffic would have to be a host device in the modem router LAN trying to go to 192.168.0.1:8080.

If the OP changed the rule to in-interface=(whatever the lan interface/bridge is) then someone in the MikroTik LAN could get to the camera by typing in the MikroTik's ip 192.168.0.1:8080 assuming there is no http service running on the MikroTik already and there are no firewall options blocking the connection.


I total agree with the suggestion to change the modem router to a bridge if possible, I just made configuration suggestions with what was already in place. Honestly, I have a huge hatred for modem router devices. Half of the time, you barely have access to controls in the router since the user interface is barely manageable. Also troubleshooting is impossible because those mass produced pieces of junk do not usually have any logging capabilities lol. I would highly recommend purchasing your own modem and contacting your ISP to get your unit added to provisioning and just setup all LAN routing on the MikroTik and call it a day lol.