dst-nat is not working after switching from PPPoE to DHCP Client

Hi, I'm sure this is something completely basic that I'm missing, but I cannot understand why dst-nat is not working.

I had my internet provider with a PPPoE connection, and everything was working fine. Recently, I changed providers, and the new provider is using a DHCP client connection.

I've removed PPPoE, added dhcp-client on ether1, and adjusted my WAN interface list to include ether1. All devices in the local network can connect to the Internet, and everything is working fine, except the reverse NAT. None of the previously created dst-nat rules are working.

srcnat works just fine, hairpin (or the trick to connect to the public address from inside the network) is working fine, but there is no connection from outside.

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
       ADDRESS             NETWORK      INTERFACE
 0     10.0.0.1/24         10.0.0.0     ether2
 1     10.10.10.1/24       10.10.10.0   Bridge-Guest
 2     10.20.0.1/16        10.20.0.0    ether5
 3     10.30.0.1/16        10.30.0.0    ether5
 4 D   100.68.248.197/10   100.64.0.0   ether1

/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
         DST-ADDRESS      PREF-SRC         GATEWAY          DISTANCE
 0 ADS   0.0.0.0/0                         100.127.0.145    1
 1 ADC   10.0.0.0/24      10.0.0.1         bridge-private   0
 2 ADC   10.10.10.0/24    10.10.10.1       Bridge-Guest     0
 3 ADC   10.20.0.0/16     10.20.0.1        bridge-k8s       0
 4 ADC   10.30.0.0/16     10.30.0.1        bridge-k8s       0
 5 ADC   100.64.0.0/10    100.68.248.197   ether1

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.0.0.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade src-address=10.20.0.0/16 dst-address=10.20.0.0/16 log=no log-prefix=""
2 chain=srcnat action=masquerade to-ports=12300-12399 protocol=udp src-port=123 log=no log-prefix=""
3 chain=srcnat action=masquerade src-address=10.0.0.0/24 out-interface-list=WAN log=no log-prefix=""
4 chain=srcnat action=masquerade src-address=10.10.10.0/24 out-interface-list=WAN log=no log-prefix=""
5 chain=srcnat action=masquerade src-address=10.20.0.0/16 out-interface-list=WAN log=no log-prefix=""
6 X chain=dstnat action=dst-nat to-addresses=10.30.0.10 to-ports=80 protocol=tcp dst-address=!10.0.0.1 dst-address-type=local dst-port=80 log=no log-prefix=""
7 X chain=dstnat action=dst-nat to-addresses=10.30.0.10 to-ports=443 protocol=tcp dst-address=!10.0.0.1 dst-address-type=local dst-port=443 log=no log-prefix=""
8 chain=dstnat action=dst-nat to-addresses=10.0.0.122 to-ports=25565 protocol=tcp dst-address=!10.0.0.122 dst-address-type=local in-interface-list=WAN dst-port=25565 log=no log-prefix=""
9 chain=dstnat action=dst-nat to-addresses=10.0.0.122 to-ports=30814 protocol=tcp dst-address=!10.0.0.122 dst-address-type=local dst-port=30814 log=no log-prefix=""
10 chain=dstnat action=dst-nat to-addresses=10.0.0.122 to-ports=27015 protocol=tcp dst-address=!10.0.0.122 dst-address-type=local dst-port=27015 log=no log-prefix=""
11 chain=dstnat action=dst-nat to-addresses=10.0.0.122 to-ports=27015 protocol=udp dst-address=!10.0.0.122 dst-port=27015 log=no log-prefix=""

/ip firewall nat print stats
Flags: X - disabled, I - invalid, D - dynamic
        CHAIN    ACTION       BYTES        PACKETS
  0     srcnat   masquerade   30 079       146
  1     srcnat   masquerade   0            0
  2     srcnat   masquerade   10 412       137
  3     srcnat   masquerade   39 702 712   301 255
  4     srcnat   masquerade   1 612 598    2 649
  5     srcnat   masquerade   16 168       226
  6 X   dstnat   dst-nat      0            0
  7 X   dstnat   dst-nat      0            0
  8     dstnat   dst-nat      0            0
  9     dstnat   dst-nat      0            0
 10     dstnat   dst-nat      0            0
 11     dstnat   dst-nat      0            0

Your new ISP probably puts you behind CGNAT (https://en.wikipedia.org/wiki/Carrier-grade_NAT), which means you no longer have a public IP address. To confirm this, compare the IP address listed under IP → Addresses for ether1 with what sites like https://ifconfig.me/ display to you. If they don't match, you are behind CGNAT. In that case, ask your ISP to provide you with a publicly reachable IP address instead.

Thank you, you’re right, it is CGNAT. I just haven’t realized the addresses are different.
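The check described in the reply above, as an added example that is not part of the original thread: it pulls the ether1 address out of `/ip address print` output, tests it against the RFC 6598 shared range (100.64.0.0/10) and the RFC 1918 private ranges, and only then compares it with the address an outside site reports. The function names, the verdict strings and the externally observed address (203.0.113.25, a documentation-range value) are assumptions made for this example.

```python
import ipaddress
import re

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: also never reachable from the internet.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Two rows of the `/ip address print` output posted in the thread.
ADDRESS_PRINT = """\
 0     10.0.0.1/24         10.0.0.0     ether2
 4 D   100.68.248.197/10   100.64.0.0   ether1
"""
# Constructed value standing in for what an external "what is my IP" site shows.
SEEN_FROM_OUTSIDE = "203.0.113.25"


def wan_address(address_print, interface):
    """Return the address bound to `interface` in `/ip address print` output."""
    for line in address_print.splitlines():
        fields = line.split()
        if fields and fields[-1] == interface:
            for field in fields:
                if re.fullmatch(r"\d+\.\d+\.\d+\.\d+/\d+", field):
                    return ipaddress.ip_interface(field).ip
    raise ValueError(f"no address found on {interface}")


def classify(wan_ip, seen_from_outside):
    """Say whether inbound dst-nat on this WAN address can ever see traffic."""
    wan = ipaddress.ip_address(str(wan_ip))
    seen = ipaddress.ip_address(str(seen_from_outside))
    if wan in CGNAT_NET:
        return "cgnat-shared-space"      # ISP translates; no inbound path
    if any(wan in net for net in RFC1918_NETS):
        return "private-upstream-nat"    # another NAT device sits upstream
    if wan != seen:
        return "translated-upstream"     # public-looking but still rewritten
    return "public"                      # dst-nat rules can receive traffic


if __name__ == "__main__":
    wan = wan_address(ADDRESS_PRINT, "ether1")
    print(wan, "->", classify(wan, SEEN_FROM_OUTSIDE))
```

An address inside 100.64.0.0/10 settles the question without the external lookup; the comparison only matters when the WAN address looks public.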