MikroTik

Hello the I'm new to mikrotik I'm trying to set up port forwarding on my cctv here my script if that helps

/export
/interface bridge
add admin-mac=E4:8D:8C:59:B6:B2 auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="BT Modem"
set [ find default-name=ether3 ] name="Bedrooms AP"
set [ find default-name=ether23 ] name=Cctv
set [ find default-name=ether2 ] name="Lounge AP"
/interface pppoe-client
add add-default-route=yes disabled=no interface="BT Modem" name=pppoe-out1 use-peer-dns=yes user=\
bthomehub@btbroadband.com
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp ranges=10.3.0.3-10.3.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/interface l2tp-server server
set enabled=yes ipsec-secret= use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.3.0.1/24 comment=defconf interface=bridge network=10.3.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.3.0.10 client-id=1:4c:bd:8f:fe:39:1a mac-address=4C:BD:8F:FE:39:1A server=dhcp1
/ip dhcp-server network
add address=10.3.0.0/24 gateway=10.3.0.1 netmask=24
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=\
Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface="BT Modem"
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="BT Modem"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=3999 in-interface=bridge protocol=tcp to-addresses=10.3.0.10 to-ports=80

In your dst-nat rule, you need to change in-interface to pppoe-out1 ... current setting to "bridge" is wrong, packets targeted at public address don't pass bridge until dst-nat is already done.

Hello thank you for your help. I have changed the interface to pppo-out1 and try it again I can access the router be the IP address then try IP address:3999 nothing ?

Normal dst-nat rule as set now works if you try from outside (e.g. from public internet host). If you want to have it working from inside (e.g. your LAN) as well, you have to implement so called hair-pin NAT. Search around this forum, it has been discussed several times.

Hello there I'm working out on the public ip not in the lan

You also need to change all in-interface= from “BT Modem” to ppoe-out1 in your ip/firewall/filter. And then either add ppoe-out1 to the interface-list=WAN or change your ip/firewall/nat masquerade to out-interface=ppoe-out1 instead of using the list.

Hello there is there any way to private message you ? I have tri that still not working think of send you my ip and login info see if you can see what up with it