Mikrotik
haviras, 2015-09-17 01:46:56

How to forward a port behind NAT and behind a VPN on MikroTik?


There is a server at Hetzner with MikroTik (virtual RouterOS 5.x for VMware), with 148.0. on the WAN; this network sees 9.0.
In the remote network there is a DVR, a Dahua 3104 at 192.168.1.108, that broadcasts on port 37777.
Unfortunately, on the WAN of the 192.168.1.0/24 network, a dynamic IP is issued from the network 10.0.0.0/24, which makes it impossible to access from the outside.
Question: how do I set up NAT so that I can connect to IP 148.0.*.* on port 37777 to watch the DVR?
If you do a destination NAT to 192.168.1.108:37777, packets go there from the 192.168.9.0 network, but do not come back from 192.168.1.0/24 to 9.0. If you watch through torch, three synchronization packets pass from the 9th network to the 1st. Packets go back immediately to the requester's external IP, bypassing the 9.0 network. Most likely that's why it doesn't work.
Sniffing traffic is a problem. In the 1.0 subnet there are only the MikroTik and the DVR, and there is no physical access to the network.
There is nothing sensible in the 9.0 subnet. Connection synchronization packets leave, silence in response.
Infernal plans are forming in my head involving mangle rules and traffic marking, or some kind of udpproxy and haproxy, though how to set those up on MikroTik is not at all clear.
Zlmwg2Pm0UGYd42P7Dt6tw.png
The external IP in the picture is made up and does not belong to me :)


2 answer(s)
l0ser140, 2015-09-17
@l0ser140

You just need to mark from which interface the connection came in order to respond to the same interface.
You can google about the config with 2 WAN - essentially the same thing.
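
The connection-marking approach described in the answer above, sketched as an added example that is not part of the original thread. The interface names (vpn-hetzner, lan, ether1-wan), the address-list name and the sample viewer address are assumptions, the syntax is RouterOS v5/v6, and the port is treated as TCP because the question mentions synchronization packets:

```routeros
# Added example, not from the thread. All interface and list names are hypothetical.

# --- Remote MikroTik (192.168.1.0/24 side, where the DVR lives) ---
/ip firewall mangle
# Tag every new connection that enters through the VPN tunnel.
add chain=prerouting in-interface=vpn-hetzner connection-state=new \
    action=mark-connection new-connection-mark=from-vpn passthrough=yes
# Replies coming from the LAN that belong to a tagged connection are
# sent to a separate routing table instead of the main one.
add chain=prerouting in-interface=lan connection-mark=from-vpn \
    action=mark-routing new-routing-mark=via-vpn passthrough=no

/ip route
# Default route of that table points back into the tunnel, so replies do
# not leave through the 10.0.0.0/24 WAN. An interface name works as the
# gateway for PPP-type tunnels; otherwise use the far-end tunnel IP.
add dst-address=0.0.0.0/0 gateway=vpn-hetzner routing-mark=via-vpn

# --- Hetzner RouterOS (public 148.0.*.* side) ---
/ip firewall address-list
# Constructed sample address (documentation range); list your real viewers.
add list=dvr-viewers address=203.0.113.10 comment="sample viewer"

/ip firewall nat
# Forward the DVR port into the tunnel, but only for listed sources, so the
# DVR is not reachable from the whole Internet.
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=37777 \
    src-address-list=dvr-viewers action=dst-nat \
    to-addresses=192.168.1.108 to-ports=37777
```

With these rules the DVR still sees the real client address, whereas masquerading in the tunnel makes every viewer appear in the DVR's logs as the router's tunnel address.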

MrJeos, 2015-09-17
@MrJeos

The easiest option is to enable masquerading in the tunnel on RouterOS:

/ip firewall nat add chain=srcnat out-interface=*tunnel_interface* action=masquerade
