dst-nat port forwarding not working

Hello
I set up my new router configuration, new VLANs and fail-over, but I'm not able to make port forwarding from the ISP to local devices work as it did before.
I don't know what else I could check to make it work, or what kind of mistake I'm making.
Can someone please check it for me? Maybe I misunderstand something :confused:

The device I'm trying to connect to is on VLAN 10, but it is connected to the switch on port ether1, which is untagged, so the device I'm connecting to is definitely working; it's pingable inside my network, but somehow I'm not able to make it work with dst-nat:

add action=dst-nat chain=dstnat comment="Port 8000 " disabled=yes dst-port=38123 in-interface=ether2-WAN_Darnet protocol=tcp to-addresses=192.168.10.150 to-ports=8000
add action=dst-nat chain=dstnat comment="Port 8001 " disabled=yes dst-port=38124 in-interface=ether2-WAN_Darnet protocol=tcp to-addresses=192.168.10.151 to-ports=8000

When I'm listening with the sniffer on the IP address 192.168.10.150 and try to connect to this device on port 38123 on my global IP from the internet, I can see that the packets are redirected to
LAN_10_PF, then to bridge1 and then to ether1-LAN, but there is nothing in the logs after that, like a response from this IP address…


/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] mac-address=xxxxxxxxxxxxxx name=ether2-WAN_Darnet
set [ find default-name=ether3 ] name=ether3-LAN_AccessPoint
set [ find default-name=ether4 ] name=ether4-WAN_Rybnet
set [ find default-name=ether5 ] name=ether5-LAN_POE
/interface vlan
add interface=bridge1 name=LAN_10_PF vlan-id=10
add interface=bridge1 name=LAN_20_PF vlan-id=20
add interface=bridge1 name=MGMTVlan88 vlan-id=88
add interface=bridge1 name=WAN_PF_to_GM vlan-id=100
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.10.2-192.168.10.100
add name=dhcp_pool_vlan20 ranges=192.168.20.2-192.168.20.100
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=LAN_10_PF lease-time=1d name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=LAN_20_PF lease-time=1d name=dhcp_vlan20
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to_WAN_Darnet
add disabled=no fib name=to_WAN_Rybnet
/interface bridge port
add bridge=bridge1 interface=ether1-LAN pvid=10
add bridge=bridge1 interface=ether3-LAN_AccessPoint pvid=10
add bridge=bridge1 interface=ether5-LAN_POE pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1-LAN,ether3-LAN_AccessPoint,ether5-LAN_POE vlan-ids=10
add bridge=bridge1 tagged=ether1-LAN,ether3-LAN_AccessPoint,ether5-LAN_POE,bridge1 vlan-ids=20
add bridge=bridge1 tagged=ether1-LAN vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether1-LAN vlan-ids=88
/interface list member
add interface=ether2-WAN_Darnet list=WAN
add interface=ether4-WAN_Rybnet list=WAN
add interface=ether1-LAN list=LAN
add interface=ether3-LAN_AccessPoint list=LAN
add interface=ether5-LAN_POE list=LAN
/ip address
add address=10.0.10.1/30 interface=WAN_PF_to_GM network=10.0.10.0
add address=192.168.10.1/24 interface=LAN_10_PF network=192.168.10.0
add address=10.0.5.2/30 interface=ether4-WAN_Rybnet network=10.0.5.0
add address=192.168.88.11/24 interface=MGMTVlan88 network=192.168.88.0
add address=192.168.20.1/25 interface=LAN_20_PF network=192.168.20.0
/ip dhcp-client
add comment=defconf interface=ether2-WAN_Darnet
/ip dhcp-server lease
...
...
...


/ip dhcp-server network
add address=192.168.10.0/24 boot-file-name=pxelinux.0 dns-server=192.168.10.1 gateway=192.168.10.1 next-server=192.168.10.97
add address=192.168.20.0/25 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
/ip firewall address-list
add address=66.254.114.239 list=block_IPS
add address=66.254.114.41 list=block_IPS
add address=185.88.181.3 list=block_IPS


/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="Drop Invalid Input" connection-state=invalid,new in-interface-list=WAN
add action=accept chain=input src-address=192.168.0.0/16
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="Drop All other"
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="Drop Invalid Forward" connection-state=invalid
add action=drop chain=forward dst-address-list=block_IPS dst-port=1-60000 log=yes log-prefix="bloked ip attempt" protocol=tcp src-address=192.168.10.0/24
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=forward comment="Stage 1: Track SSH Attempts" connection-state=new dst-port=55523 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=forward comment="Stage 2: Add to Blacklist after second attempt" connection-state=new dst-port=55523 protocol=tcp src-address-list=ssh_stage2
add action=drop chain=input comment="Drop SSH Blacklist" src-address-list=ssh_blacklist
add action=drop chain=input in-interface=ether2-WAN_Darnet
add action=drop chain=input in-interface=ether4-WAN_Rybnet
add action=reject chain=forward connection-mark=other out-interface=ether2-WAN_Darnet reject-with=icmp-network-unreachable
add action=reject chain=forward connection-mark=first out-interface=ether4-WAN_Rybnet reject-with=icmp-network-unreachable
add action=drop chain=forward dst-port=111 protocol=tcp
add action=drop chain=forward dst-port=135 protocol=tcp
add action=drop chain=forward dst-port=137-139 protocol=tcp
add action=drop chain=forward dst-port=445 protocol=tcp
add action=drop chain=forward dst-port=2049 protocol=tcp
add action=drop chain=forward dst-port=12345-12346 protocol=tcp
add action=drop chain=forward dst-port=20034 protocol=tcp
add action=drop chain=forward dst-port=31337 protocol=tcp
add action=accept chain=forward comment=ICMP icmp-options=0:0 protocol=icmp
add action=accept chain=forward icmp-options=3:0 protocol=icmp
add action=accept chain=forward icmp-options=3:1 protocol=icmp
add action=accept chain=forward icmp-options=4:0 protocol=icmp
add action=accept chain=forward icmp-options=8:0 protocol=icmp
add action=accept chain=forward icmp-options=11:0 protocol=icmp
add action=accept chain=forward icmp-options=12:0 protocol=icmp
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=WAN1_con_mark out-interface=ether2-WAN_Darnet
add action=mark-routing chain=output connection-mark=WAN1_con_mark new-routing-mark=to_WAN_Darnet out-interface=ether2-WAN_Darnet
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=WAN2_con_mark out-interface=ether4-WAN_Rybnet
add action=mark-routing chain=output connection-mark=WAN2_con_mark new-routing-mark=to_WAN_Rybnet out-interface=ether4-WAN_Rybnet
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=first out-interface=ether2-WAN_Darnet passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=other out-interface=ether4-WAN_Rybnet passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment=touter disabled=yes dst-port=80 in-interface=ether2-WAN_Darnet log=yes protocol=tcp to-addresses=192.168.10.3 to-ports=80
add action=masquerade chain=srcnat out-interface=ether2-WAN_Darnet src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether2-WAN_Darnet src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=ether2-WAN_Darnet src-address=10.0.5.0/30
add action=masquerade chain=srcnat out-interface=ether4-WAN_Rybnet src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether4-WAN_Rybnet src-address=192.168.20.0/24

add action=dst-nat chain=dstnat comment="Port 8000 " disabled=yes dst-port=38123 in-interface=ether2-WAN_Darnet protocol=tcp to-addresses=192.168.10.150 to-ports=8000
add action=dst-nat chain=dstnat comment="Port 8001 " disabled=yes dst-port=38124 in-interface=ether2-WAN_Darnet protocol=tcp to-addresses=192.168.10.151 to-ports=8000

/ip firewall service-port
set ftp disabled=yes
/ip route
add dst-address=8.8.8.8 gateway=myGlobalIP_GW scope=10
add dst-address=8.8.4.4 gateway=10.0.5.1 scope=10
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-table=to_WAN_Darnet target-scope=11
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-table=to_WAN_Darnet target-scope=11
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-table=to_WAN_Rybnet target-scope=11
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-table=to_WAN_Rybnet target-scope=11
add check-gateway=ping distance=1 gateway=myGlobalIP_GW
add distance=2 gateway=10.0.5.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

How are you having users connect to the device on VLAN 10?
Direct LAN IP address or some sort of DynDNS name/URL?
Are users coming in on primary WAN1 or secondary WAN2??

MANY MAJOR ISSUES:

  1. Only two of the VLANs have full networks; not sure what your expectations are for VLANs 88 and 100 (where are they coming from and going to).

  2. Did you mean to make ether1 a hybrid port?
    I'm assuming the switch is a managed switch and thus all traffic should go over a trunk port TAGGED!!
    It's at the switch port leading to the device that you untag VLAN 10.

  3. Did you mean to make ether ports 3 and 5 hybrid ports? Again you have a VLAN untagged on that port but other VLANs tagged; what is at the end of your ports…

  4. Interface list members for the LAN list are wrong; it should be the VLANs listed.

  5. Firewall rules are a complete mess. You would be better off putting this in place and adding any other ALLOW traffic rules needed. Order within a chain is critical.
    As you can see, most like to organize their chains together for easy reading, which makes it much easier to spot errors.

/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(user rules)
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" { Put this rule in last }
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

  6. Errors in recursive routing; also don't use the same IPs in the recursive routes that you use in the IP DNS settings…

  7. What is this route for?? → add distance=2 gateway=10.0.5.1 ??

  8. Source NAT rules can be simplified.
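The ordering and dst-nat points above can be checked mechanically. The script below is an added example written for this thread; it is not code from the forum, from MikroTik, or from either poster. It parses the plain-text `/export` format (a menu line such as `/ip firewall filter` followed by `add ...`/`set ...` lines) into dictionaries and reports the things the reply calls out: dst-nat rules that are `disabled=yes`, rules placed after a catch-all drop in the same chain (and therefore never reached), exact duplicate rules, physical bridge ports in the LAN list on a `vlan-filtering=yes` bridge, and, for each dst-nat target, the router address on its subnet, which is the default gateway the target host must be using for its replies to come back through the NAT. The finding codes and the `SAMPLE_EXPORT` (a cut-down configuration modelled on the one posted, not a real device) are constructed for the example.

```python
"""Lint a RouterOS text export for the dst-nat / rule-order pitfalls in this thread.
Added example; finding codes and the sample export are constructed for illustration."""
import ipaddress
import shlex

# Constructed sample export, modelled on the thread's configuration (not a real device).
SAMPLE_EXPORT = """
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=LAN_10_PF vlan-id=10
/interface bridge port
add bridge=bridge1 interface=ether1-LAN pvid=10
/interface list member
add interface=ether2-WAN_Darnet list=WAN
add interface=ether1-LAN list=LAN
/ip address
add address=192.168.10.1/24 interface=LAN_10_PF network=192.168.10.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="Drop All other"
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port 8000 " disabled=yes dst-port=38123 in-interface=ether2-WAN_Darnet protocol=tcp to-addresses=192.168.10.150 to-ports=8000
add action=masquerade chain=srcnat out-interface=ether2-WAN_Darnet src-address=192.168.10.0/24
"""

# Keys that do not take part in matching a packet.
NON_MATCH_KEYS = {"_cmd", "action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Return {menu_path: [rule_dict, ...]} for every add/set line of an export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):            # menu line opens a new section
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)          # keeps comment="..." as one token
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def matchers(rule):
    """The rule's packet-matching conditions only."""
    return {k: v for k, v in rule.items() if k not in NON_MATCH_KEYS}


def lint(sections):
    """Return a list of (code, detail) findings."""
    findings = []
    filt = sections.get("/ip firewall filter", [])
    nat = sections.get("/ip firewall nat", [])

    # A disabled dst-nat rule matches nothing; the thread's rules were disabled=yes.
    for r in nat:
        if r.get("action") == "dst-nat" and r.get("disabled") == "yes":
            findings.append(("DSTNAT_DISABLED", r.get("comment", "").strip()))

    # Order within a chain is critical: a drop/reject with no conditions is a
    # catch-all, and every rule after it in that chain is unreachable.
    catch_all_seen = set()
    for r in filt:
        chain = r.get("chain")
        if chain in catch_all_seen:
            findings.append(("UNREACHABLE", f"{chain}: {r.get('comment', '').strip()}"))
        elif r.get("action") in ("drop", "reject") and not matchers(r):
            catch_all_seen.add(chain)

    # Identical chain/action/conditions twice is dead weight and hides real errors.
    seen = set()
    for r in filt:
        key = (r.get("chain"), r.get("action"), tuple(sorted(matchers(r).items())))
        if key in seen:
            findings.append(("DUPLICATE", f"{r.get('chain')}: {r.get('comment', '').strip()}"))
        seen.add(key)

    # Port-forwarded traffic needs an explicit forward accept before the final drop.
    if not any(r.get("chain") == "forward" and r.get("action") == "accept"
               and r.get("connection-nat-state") == "dstnat" for r in filt):
        findings.append(("NO_DSTNAT_ACCEPT", "forward chain"))

    # With bridge vlan-filtering, L3 lives on the VLAN interfaces, so the LAN
    # interface list should name those rather than the physical bridge ports.
    if any(b.get("vlan-filtering") == "yes" for b in sections.get("/interface bridge", [])):
        ports = {p["interface"] for p in sections.get("/interface bridge port", [])}
        for m in sections.get("/interface list member", []):
            if m.get("list") == "LAN" and m.get("interface") in ports:
                findings.append(("LAN_LIST_PORT", m["interface"]))
    return findings


def expected_gateway(sections, target_ip):
    """Router address on the directly connected subnet containing target_ip: the
    default gateway the forwarded host must use for its replies to return via NAT.
    Returns None when no connected subnet contains the target."""
    target = ipaddress.ip_address(target_ip)
    for a in sections.get("/ip address", []):
        iface = ipaddress.ip_interface(a["address"])
        if target in iface.network:
            return str(iface.ip)
    return None


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for code, detail in lint(cfg):
        print(f"{code}: {detail}")
    for r in cfg["/ip firewall nat"]:
        if r.get("action") == "dst-nat":
            print(f"{r['to-addresses']} must use gateway {expected_gateway(cfg, r['to-addresses'])}")
```

Run against a real `/export` (pipe the file into `parse_export`) the script flags the disabled dst-nat rules, the duplicated input rule, and the `ether1-LAN` membership in the LAN list that the reply above objects to; the gateway report is what the end of this thread turned out to hinge on, since a host whose default gateway is not the router's address on its subnet receives the forwarded SYN but sends its reply elsewhere.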

Generally,
I have it on an RB750gr3.
Ports 2 and 4 are for WAN, ports 1, 3, 5 for LAN.

88 is for management (but I see I didn't understand the YouTube video correctly) and VLAN 100 I'm sending to my neighbor because:
The root cause is that I'm sending him my WAN (after my masquerade) and he is sending me his WAN as a secondary WAN for failover; that is coming in on port 4.

1, 3, 5 are hybrid ports. VLAN 10 goes out on them untagged, so a normal switch is connected and is automatically in the VLAN 10 network, but some VLANs (20, 88) are trunked for other usage; for example I have an AP that runs on hybrid ports, and I have 2 SSIDs from 2 networks.

I'm using connection marking as explained on the MikroTik site to make a failover to the other WAN.

I don't understand why "4. Interface list members for LAN LIST are wrong, should be the vlans listed."?

And why are the FW rules a mess?

So I guess I don't understand a lot of this, so I will be very grateful if you can give me some advice and examples of how I can change it to make it work as it should.

I used this example for failover https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608

Okay, so this is all good information to know prior to looking at the config. The config is a story and the story is starting to make sense.
Will have a relook at the config with a more informed context. :slight_smile:

To be clear,
a. Do you get two public IPs from your ISP and send one to the other location via VLAN,
b. or are you simply sending a subnet for the other user to their location via a VLAN, so they get a private IP (as a second WAN input on their router)?

c. What is coming in on port 4 from the other end's router?

  • is it a public IP
  • is it a private IP on an isolated VLAN subnet from the other router

When you say NORMAL switch that says nothing to me. It's either unmanaged (dumb) or managed (smart).

b. I'm sending him VLAN 100 so he can use 10.0.10.1 as his backup WAN. He is sending me VLAN 50 (it's not on the RB750); VLAN 50 is untagged on some other switch and goes physically as untagged into my RB750 port 4. We both have ISPs from different providers. He gives me the 10.0.5.1 address as my gateway.

c. A private IP on an isolated VLAN subnet from the other router.
So I know it will be double-masqueraded, but it's for failover, so we can work from home in case of trouble with an ISP.

A normal switch, yes, my mistake. The second switch I have is a CRS310, but basically the CRS310 is not a problem here. I'm untagging VLAN 50 from my neighbor on it on one port, and tagging it on another that is the trunk between us. Also VLAN 100 goes through the CRS310 trunked to him.
But the CRS310 is not an issue here. This is why I'm untagging VLAN 10 on the RB750 and using hybrid ports: to make it simple and always working in case I put in just a (normal) switch that does not understand VLANs. I know I will lose the connection to my neighbor but will still be able to use my ISP if it works.

I also checked the sniffer.
I set it up to listen on the internal IP I'm trying to hit from the Internet.
So it looks like it goes as it should: it hits the WAN, then goes to VLAN/bridge/port and hits the internal device IP with the correct (translated) port, from
port 38123 in-interface=ether2-WAN_Darnet to to-addresses=192.168.10.150 to-ports=8000, but it is not answering at all.
I see the IP is receiving packets but does not send them back, or at least the sniffer is not showing me anything sent back from this IP 192.168.10.150.
So is it losing the gateway and does not know where to answer? Anyone have any idea?

Is the source also on 192.168.10.0/24? By the look of your config, it seems so.

Without a detailed diagram including the switch I am lost…

Hello,
Thank you for your time. I fixed it, but it was not a MikroTik setup issue.
I set up a VM on Linux and redirected SSH; it started to work.
So I checked all the devices I was trying to connect to, and all of them had the wrong gateway set up :confused:

So after your suggestion I will also manage the FW rules in a different way, to make it more secure and easier.