My router internal IP is 192.168.1.2, my server internal IP is 192.168.1.25, I have dynamic external IP so I’ve enabled DDNS and the WAN interface is pppoe-out2. I’ve also added a filter rule:
Your dstnat rule as such is fine. If it doesn’t work, it may be because your filter rules don’t allow the forwarded packet through, but it is hard to say without seeing them. Default firewall rules from recent RouterOS releases allow all dstnat connections.
The filter rule you’ve added is not related to the dst-nat one and is very dangerous, as it opens access to all TCP ports on the router itself to the whole internet, so it may well be infected by malware by now - the filth from the network is incredibly quick in squatting on unprotected routers. If the to-addresses in an action=dst-nat rule changes the destination address to one which is not assigned to the router itself, the packets get to forward chain, not the input one.
If you don’t use the default firewall rules, or if you did years ago and since then you were only upgrading the RouterOS version, post your configuration export. See my automatic signature for an anonymisation hint.
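An added example, not part of the original posts: a small Python check over a RouterOS export that reports which filter chain a dst-nat rule's traffic lands in and flags input-chain accept rules open to the WAN. The addresses and interface name come from the thread; the filter rule in the sample is constructed (the poster's actual rule is not shown), and a one-rule-per-line export is assumed.

```python
import shlex

# Values taken from the thread.
ROUTER_ADDRESSES = {"192.168.1.2"}
WAN_INTERFACES = {"pppoe-out2"}

# Constructed sample export; the input-chain rule is a hypothetical stand-in
# for a rule that "opens all TCP ports on the router itself".
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input in-interface=pppoe-out2 protocol=tcp
add action=accept chain=forward connection-nat-state=dstnat
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 in-interface=pppoe-out2 protocol=tcp to-addresses=192.168.1.25 to-ports=80
"""

def parse_export(text):
    """Return [(section, params)] for every 'add' line of an export."""
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])
            rules.append((section, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def chain_after_dstnat(params, router_addresses=ROUTER_ADDRESSES):
    """Filter chain the packet traverses once dst-nat has rewritten its destination."""
    return "input" if params.get("to-addresses") in router_addresses else "forward"

def risky_input_rules(rules, wan=WAN_INTERFACES):
    """Input-chain accept rules reachable from the WAN with no narrowing matcher."""
    narrowing = ("src-address", "src-address-list", "dst-port", "connection-state")
    findings = []
    for section, p in rules:
        if section != "/ip firewall filter" or p.get("chain") != "input":
            continue
        if p.get("action", "accept") != "accept":
            continue
        no_iface = "in-interface" not in p and "in-interface-list" not in p
        from_wan = p.get("in-interface") in wan or no_iface
        if from_wan and not any(k in p for k in narrowing):
            findings.append(p)
    return findings

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for _, nat in (r for r in parsed if r[0] == "/ip firewall nat"):
        print("dst-nat to", nat["to-addresses"], "->", chain_after_dstnat(nat), "chain")
    for rule in risky_input_rules(parsed):
        print("router exposed to WAN by input rule:", rule)
```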
That does not seem correct to me??? Edit, ahh hairpin nat! The first masquerade rule is fine but the second one may work but is not the usual…
It seems that you want to use hairpin nat so that if you or your users are in the same subnet of the server, you can access the server by WANIP address.
This was NOT made clear as you simply stated external access (meaning outside users).
Typically in the hairpin nat rule setup it looks like this
The extra masquerade rule:
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24
and the port forwarding rule as you have done
add action=dst-nat chain=dstnat dst-address=!192.168.1.X dst-address-type=local dst-port=8080 in-interface=pppoe-out2 protocol=tcp to-addresses=192.168.1.25 to-ports=80
Where X is the gateway of the subnet, typically 192.168.1.1 but I noted you had 192.168.1.2 (so thus assuming .2 is your gateway address for the subnet).
(noted the use of port translation)
If the server at 192.168.1.25 had the Mikrotik (192.168.1.2) as its default gateway, you would not need that second action=masquerade rule. Is it intentional that the default gateway of the server is different?
OK, so your network arrangement is somehow more complicated, and the 192.168.1.1 as the default gateway of the router is intentional. No more questions.