I have a problem with setting up NAT over two ports in separate LANs (there is no internet involved in this).

Situation description:

The problem is our PBX. It has some crazy network setup with loops, and when directly connected to our internal network it makes switches and network protection go crazy. So the PBX now has its own little network with a separate switch directly connected to our ISP's router (and it works). But we still need access to the settings of the PBX without connecting any part of its small network to the main part. So I am trying to utilize a router with NAT to get to the PBX from the main network. Unfortunately, I tried dstnat, srcnat, masquerading, multiple tutorials and videos, but I have no idea what could be wrong. Everything seems like it should work.

Simply:

Let’s say that the PBX has IP 192.168.1.1 and I would like to be able to reach it through the router at 10.1.1.88 (to write http://10.1.1.88 and get web config at 192.168.1.1).

Ports setup:

Port1: 192.168.88.1/24 - Mikrotik management
Port5: 10.1.1.88/24 - Connected to Main network
Port6: 192.168.1.55/24 - Connection to the PBX network

Network Configuration Illustration (Picture) HERE

Current config:

# jan/02/1970 01:14:42 by RouterOS 6.47.4
# software id = TL1F-PV49
# model = 2011UiAS

/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

/ip neighbor discovery-settings set discover-interface-list=!dynamic

/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
add address=10.1.1.88/24 interface=ether5 network=10.1.1.0
add address=192.168.1.55/24 interface=ether6 network=192.168.1.0

/ip firewall filter
add action=accept chain=input
add action=accept chain=forward dst-address=192.168.1.1 dst-port=80 \
in-interface=ether5 protocol=tcp
add action=accept chain=forward dst-address=192.168.1.1 dst-port=443 \
in-interface=ether5 protocol=tcp

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.1.1.88 dst-port=80 \
in-interface=ether5 protocol=tcp to-addresses=192.168.1.1 to-ports=80
add action=dst-nat chain=dstnat dst-address=10.1.1.88 dst-port=443 \
in-interface=ether5 protocol=tcp to-addresses=192.168.1.1 to-ports=443

I am able to ping 192.168.1.1 from the MikroTik.
When I try to go from the main network to http://10.1.1.88 or https://10.1.1.88, it just times out.

Any ideas why the web cannot be accessed?

TBS

1 Answer

Check forwarding to and from, check UDP, check WebFig errors... Or make a src-nat rule for all outgoing traffic on eth6 (just as for internet, ip=192.168.1.55), allow traffic forwarding to and from 192.168.1.0-10.1.1.0, and check http://192.168.1.1 from a PC.

dash1121
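The src-nat suggestion from the answer above, written out as an added example (not the answerer's or the asker's own config). It assumes the PBX's default gateway is the ISP router rather than 192.168.1.55, so replies to 10.1.1.x clients never come back through the MikroTik; interface names and addresses are those from the question, and the rule comments are made up for illustration.

```routeros
# Added example. Assumption: the PBX at 192.168.1.1 uses the ISP router as its
# default gateway, so it has no route back to 10.1.1.0/24 via 192.168.1.55.

/ip firewall nat
# By the time a packet reaches srcnat, dst-nat has already rewritten its
# destination to 192.168.1.1. Rewrite the source to the router's own address
# on the PBX LAN so the PBX replies to an on-link host.
add chain=srcnat action=src-nat out-interface=ether6 protocol=tcp \
    dst-address=192.168.1.1 dst-port=80,443 to-addresses=192.168.1.55 \
    comment="source-NAT web UI traffic toward PBX"

/ip firewall filter
# Return traffic for connections that were already accepted.
add chain=forward action=accept connection-state=established,related \
    comment="replies"
# Only connections that matched a dstnat rule may cross ether5 -> ether6.
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=ether5 out-interface=ether6 comment="PBX web UI via NAT"
# Everything else between the two LANs stays separated.
add chain=forward action=drop in-interface=ether5 out-interface=ether6
add chain=forward action=drop in-interface=ether6 out-interface=ether5

# Check: the packet counters on the dstnat and srcnat rules should both
# increase when a client on 10.1.1.0/24 opens http://10.1.1.88
/ip firewall nat print stats
```

With this source NAT in place, the PBX sees every administrative session as coming from 192.168.1.55, so per-client attribution has to come from the router's connection tracking or logs.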