DNAT is not working correctly

Hi guys

Looks like I need a little help with the firewall.

Below you can see the exported configuration of my router.

My goal is to access, from the ethernet1 (WAN) interface, one host 192.168.99.3 (SSH/GUI) which is sitting in VLAN99, from the WAN 192.168.188.222.

With the current config, the GUI was accessible for a few minutes; PuTTY refuses to connect with the error: “Remote side unexpectedly closed the connection”.

For sure I am missing some rules on the FW, could you tell me which?

Here is a full config export:
feb/11/2026 13:00:41 by RouterOS 6.49.19

Model = RouterBOARD 750G r3

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=CCTV_VLAN vlan-id=10
add interface=BR1 name=MGMT_VLAN vlan-id=99
add interface=BR1 name=PPoE_VLAN vlan-id=88
add interface=BR1 name=WiFi_VLAN vlan-id=100
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=CCTV_POOL ranges=192.168.0.100-192.168.0.254
add name=WiFi_POOL ranges=192.168.100.100-192.168.100.254
add name=PPoE_POOL ranges=192.168.88.100-192.168.88.254
add name=MGMT_POOL ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=CCTV_POOL disabled=no interface=CCTV_VLAN name=CCTV_DHCP
add address-pool=WiFi_POOL disabled=no interface=WiFi_VLAN name=WiFi_DHCP
add address-pool=PPoE_POOL disabled=no interface=PPoE_VLAN name=PPoE_DHCP
add address-pool=MGMT_POOL disabled=no interface=MGMT_VLAN name=MGMT_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
add bridge=BR1 interface=ether2 pvid=88
add bridge=BR1 interface=ether3 pvid=99
add bridge=BR1 interface=ether4 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether5 vlan-ids=10
add bridge=BR1 tagged=BR1,ether5 untagged=ether2 vlan-ids=88
add bridge=BR1 tagged=BR1,ether5 untagged=ether3 vlan-ids=99
add bridge=BR1 tagged=BR1,ether5 untagged=ether4 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=CCTV_VLAN list=VLAN
add interface=PPoE_VLAN list=VLAN
add interface=MGMT_VLAN list=BASE
/ip address
add address=192.168.99.1/24 interface=MGMT_VLAN network=192.168.99.0
add address=192.168.188.222/24 interface=ether1 network=192.168.188.0
add address=192.168.0.1/24 interface=CCTV_VLAN network=192.168.0.0
add address=192.168.100.1/24 interface=WiFi_VLAN network=192.168.100.0
add address=192.168.88.1/24 interface=PPoE_VLAN network=192.168.88.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_VLAN Full Access" in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward connection-state=new dst-address=192.168.99.3 dst-port=443 log=yes protocol=tcp src-address-list=""
add action=accept chain=forward connection-state=new dst-address=192.168.99.3 dst-port=22 log=yes protocol=tcp
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=drop chain=forward
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=4431 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.99.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=221 in-interface=ether1 protocol=tcp to-addresses=192.168.99.3 to-ports=443
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.188.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Router
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

I think that I also need to bring some order to the WAN or ethernet1 port. I see in my config that sometimes there is WAN, sometimes ethernet1. Could you advise how to resolve this problem too?

Regards

Slawek

The in-interface and in-interface-list (and out-interface and out-interface-list) are the same thing: the former takes a single port, the latter a category (list).

In your configuration you have only one interface (ether1) in list WAN, so using the one or the other has exactly the same effects.

In theory using an interface-list is preferable (because it is "cleaner") and allows you to change which port(s) is/are WAN by only changing the interface list contents, without changing all the places in the firewall (or elsewhere) where the single, specific interface is used.

Also try adding, before the last forward drop rule:

add action=accept chain=forward connection-nat-state=dstnat

Your DSTNAT rule for SSH is wrong, probably due to copy & paste, it has to-ports=443 instead of to-ports=22.

This rule has src-address-list="" which is also wrong and will cause the rule to never match correctly, because it will try to match with a list that has no name (which doesn't exist). You need to properly clear that src-address-list condition, so that it disappears from the export.

Also, move the

rule up, above the two accept rules for DSTNAT in the forward chain, for better performance.
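The two replies above each point at a different slip in the posted export: a dst-nat rule whose to-ports was copy-pasted, an address-list matcher left empty, and a forward chain with no accept for dst-natted connections. The following Python script, added here as an example and not part of this thread or of RouterOS, parses a RouterOS export and reports exactly those conditions. The sample exports embedded in it are constructed: the first is the firewall part of the posted config with line continuations joined, the second is what it looks like after the suggested corrections. The check names (A to D), the helper names and the wording of the findings are this example's own.

```python
"""Lint a RouterOS export for the dst-nat pitfalls discussed in the thread.

Checks (names A-D are this example's own):
  A. an address-list matcher set to "" references a list that does not exist,
     so the rule can never match;
  B. two dst-nat rules redirect to the same to-addresses:to-ports (copy-paste slip);
  C. every dst-nat target needs a forward-chain accept: either the generic
     connection-nat-state=dstnat rule or a usable host/port-specific accept;
  D. a host/port-specific forward accept that no dst-nat rule delivers traffic to.
"""
import shlex

# Constructed sample: firewall sections of the export posted in the thread.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_VLAN Full Access" in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward connection-state=new dst-address=192.168.99.3 dst-port=443 log=yes protocol=tcp src-address-list=""
add action=accept chain=forward connection-state=new dst-address=192.168.99.3 dst-port=22 log=yes protocol=tcp
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=4431 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.99.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=221 in-interface=ether1 protocol=tcp to-addresses=192.168.99.3 to-ports=443
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
"""

# Constructed sample: the same sections with the replies' corrections applied.
FIXED_EXPORT = """\
/ip firewall filter
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=4431 in-interface-list=WAN protocol=tcp to-addresses=192.168.99.3 to-ports=443
add action=dst-nat chain=dstnat dst-port=221 in-interface-list=WAN protocol=tcp to-addresses=192.168.99.3 to-ports=22
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
"""


def parse_export(text):
    """Map each '/path' section to a list of {key: value} dicts, one per 'add' line.
    Lines ending in a backslash are RouterOS continuations and are joined first."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # keeps comment="Allow Estab & Related" as one token
        if current and tokens[:1] == ["add"]:
            rule = {}
            for tok in tokens[1:]:
                key, _, val = tok.partition("=")
                rule[key] = val
            sections[current].append(rule)
    return sections


def lint(sections):
    """Return human-readable findings for checks A-D."""
    findings = []
    flt = sections.get("/ip firewall filter", [])
    nat = sections.get("/ip firewall nat", [])

    # A: an empty address-list matcher can never match
    for path, rules in sections.items():
        for i, r in enumerate(rules):
            for key in ("src-address-list", "dst-address-list"):
                if key in r and r[key] == "":
                    findings.append(f'{path} rule {i}: {key}="" names no list, rule never matches')

    dnat = [(i, r) for i, r in enumerate(nat) if r.get("action") == "dst-nat"]
    fwd_accept = [r for r in flt if r.get("chain") == "forward" and r.get("action") == "accept"]
    generic = any(r.get("connection-nat-state") == "dstnat" for r in fwd_accept)

    # B: duplicated dst-nat targets
    seen = {}
    for i, r in dnat:
        target = (r.get("to-addresses"), r.get("to-ports"))
        if target in seen:
            findings.append(f"/ip firewall nat rule {i}: dst-port {r.get('dst-port')} redirects to "
                            f"{target[0]}:{target[1]}, same target as rule {seen[target]} (copy-paste?)")
        else:
            seen[target] = i

    # C: each dst-nat target must be accepted in the forward chain by a rule that can match
    def usable_accept(r, host, port):
        empty_list = any(r.get(k) == "" for k in ("src-address-list", "dst-address-list"))
        return r.get("dst-address") == host and r.get("dst-port") == port and not empty_list

    for i, r in dnat:
        host, port = r.get("to-addresses"), r.get("to-ports")
        if not generic and not any(usable_accept(f, host, port) for f in fwd_accept):
            findings.append(f"/ip firewall nat rule {i}: no forward accept for {host}:{port} "
                            "(add connection-nat-state=dstnat accept or a specific rule)")

    # D: specific forward accepts that no dst-nat rule delivers traffic to
    targets = {(r.get("to-addresses"), r.get("to-ports")) for _, r in dnat}
    for r in fwd_accept:
        if "dst-address" in r and "dst-port" in r and (r["dst-address"], r["dst-port"]) not in targets:
            findings.append(f"forward accept for {r['dst-address']}:{r['dst-port']} has no dst-nat rule "
                            "delivering to it (wrong to-ports in the nat rule?)")
    return findings


def lint_text(text):
    """Convenience wrapper: parse an export string and lint it."""
    return lint(parse_export(text))


if __name__ == "__main__":
    for label, export in (("posted config", SAMPLE_EXPORT), ("corrected config", FIXED_EXPORT)):
        print(f"== {label}: {len(lint_text(export))} finding(s)")
        for f in lint_text(export):
            print("  -", f)
```

Run against the posted sections it reports the empty src-address-list, the second dst-nat rule landing on 192.168.99.3:443 like the first, both dst-nat targets lacking a usable forward accept (the port-443 accept is unusable because of the empty list), and the port-22 accept that nothing delivers to; the corrected sections produce no findings because the generic connection-nat-state=dstnat accept covers every redirect.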

Thank you, it is clear now

Thank you guys for such a prompt response.

All corrections are done, port redirection is working perfectly now.

Regards

Slawek