dstnat only going half way

RB951-2n running 6.15
Trying to simply access a few phones that reside on a VLAN. The same dstnat rules I use on other Mtik devices are in place, but I am unable to get through to the hosts.
Following the connection track, the router is sending SYN packets, but they are either not being received by the hosts or are not getting back out. I have mucked with the VLAN by placing it in a bridge with LAN but get no established connection love.
Below is an image of the firewall connection and a NAT and IP address dump.

Thanks for your assistance.

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade 

 1   ;;; nat for guest network
     chain=srcnat action=masquerade src-address=172.16.15.0/24 
     out-interface=ether1-gateway 

 2 X ;;; nat for phone network
     chain=srcnat action=masquerade src-address=172.16.17.0/24 

 3   chain=dstnat action=dst-nat to-addresses=172.16.16.5 to-ports=1194 
     protocol=udp dst-port=1194 

 4   ;;; denise
     chain=dstnat action=dst-nat to-addresses=172.16.17.17 to-ports=80 
     protocol=tcp dst-port=8081 

 5   chain=dstnat action=dst-nat to-addresses=172.16.17.17 to-ports=80 
     protocol=tcp dst-port=8082 

 6   chain=dstnat action=dst-nat to-addresses=172.16.17.20 to-ports=80 
     protocol=tcp dst-port=8083 




Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; default configuration
     172.16.16.1/24     172.16.16.0     bridge-local                             
 1   172.16.15.1/24     172.16.15.0     guestbridge                              
 2   ;;; phones
     172.16.17.1/24     172.16.17.0     vlan1

[image: connectiontrack.JPG]

In addition to the destination NAT entries you need to make sure that you are allowing the traffic in the forward chain of IP Firewall.

Thanks for replying, CelticComms.

I have the standard forwarding rules applied, if that is what you are referring to:

12   ;;; default configuration
     chain=forward action=accept connection-state=related 

13   ;;; default configuration
     chain=forward action=accept connection-state=established 

14   ;;; default configuration
     chain=forward action=drop connection-state=invalid

I have also disabled every rule in the filter besides these to find a solution.
When TCP state "syn sent" is as far as it gets, that means the host has not yet sent back a "syn received". So, the request is never really getting to the device, I presume. I can ping the host device from the router, however.

That is the problem. In addition to the DST NAT rule you need to have a rule in the forward chain which permits the traffic to the DST NATed address. e.g. a rule which specifies the in-interface and the destination address/port (after DST NATing). Without that the traffic is blocked as an invalid connection.

Okay
I set the following filter rule:

 chain=forward action=accept protocol=tcp dst-address=172.16.17.17 
     in-interface=ether1-gateway dst-port=8081

Same results. Tried variants on this as well, including action=forward, out-interface=vlan1, bridge-local.
Question: is this a new requirement for v6? I've not had to set up this rule in the past, just the dst-nat for each host.

It is not a new requirement. Perhaps you were not dropping forward chain traffic before.

Check the rule order and make sure that the permit rule is before the drop invalid connections rule.

You need to enable the masquerade rule for the phone subnet. With the config you have now, only this private range can reach the internet (172.16.15.0/24).

That can be done for security, but port forwarding won't work if the device can't get to the internet.

But you want to put an out-interface on that rule.

Thanks for the replies.
I've not sat down to fiddle with this for a while. Here is the filter currently employed:

 0   chain=forward action=accept protocol=tcp dst-address=172.16.17.17 
     in-interface=ether1-gateway dst-port=8081 

 1   ;;; default configuration
     chain=input action=accept protocol=icmp 

 2   ;;; default configuration
     chain=input action=accept connection-state=established 

 3   ;;; default configuration
     chain=input action=accept connection-state=related 

 4   chain=input action=accept protocol=tcp dst-port=8291 

 5   chain=input action=accept protocol=tcp dst-port=8080 

 6   ;;; allow l2tp
     chain=input action=accept protocol=udp dst-port=1701 

 7   ;;; allow pptp
     chain=input action=accept protocol=tcp dst-port=1723 

 8   ;;; allow sstp
     chain=input action=accept protocol=tcp dst-port=443 

 9   ;;; default configuration
     chain=forward action=accept connection-state=established 

10   ;;; default configuration
     chain=forward action=accept connection-state=related 

11   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway 

12   ;;; default configuration
     chain=forward action=drop connection-state=invalid

I have moved a forward rule for one phone all the way to the top. To answer your post specifically itmethod, I updated a masquerade rule for that phone subnet as follows:

 chain=srcnat action=masquerade src-address=172.16.17.0/24 
     out-interface=ether1-gateway

Still no go. However, interesting info on what the connection tracker shows: when I attempt to remote into the phone, my PC opens up over 1000 connections to the router on many different ports briefly, then stops when no reply is received.
[image: connections.JPG]

The forward rule needs to include the IP/port after DST NAT. I think you have it with the correct IP but the pre-conversion port. Try changing the port to 80.
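The point in the last reply is about evaluation order: the dstnat chain runs in prerouting, so by the time the forward filter chain sees the packet its destination has already been rewritten to 172.16.17.17:80, and a forward rule that still matches on dst-port=8081 never fires. The following is an added illustration of that path, not code from the forum posts or from MikroTik: a toy model that runs one inbound SYN through the thread's dstnat rules and then through the forward chain. The dstnat and default forward rules are transcribed from the posts above; the sample packet (public address 203.0.113.10) and the final catch-all drop rule are constructed for the model so that "no accept rule matched" is visible as a drop.

```python
"""Toy model of the packet path through a RouterOS-style firewall:
the dstnat chain (prerouting) rewrites the destination before the
forward filter chain sees the packet, so a forward accept rule has to
match the post-NAT address and port, not the public port.

Added illustration for this thread; not code from the forum posts or
from MikroTik. Rules are transcribed from the thread; the sample packet
and the final catch-all drop are constructed assumptions (see comments).
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int
    in_iface: str
    state: str  # connection-tracking state: "new", "established", ...


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept", "drop" or "dst-nat"
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    state: Optional[str] = None
    to_addr: Optional[str] = None    # dst-nat targets
    to_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must agree; unset matchers match anything.
        checks = (
            (self.proto, pkt.proto),
            (self.dst, pkt.dst),
            (self.dport, pkt.dport),
            (self.in_iface, pkt.in_iface),
            (self.state, pkt.state),
        )
        return all(want is None or want == got for want, got in checks)


# /ip firewall nat, dstnat chain, as posted in the thread (rules 3-6).
DSTNAT: List[Rule] = [
    Rule("dst-nat", proto="udp", dport=1194, to_addr="172.16.16.5", to_port=1194),
    Rule("dst-nat", proto="tcp", dport=8081, to_addr="172.16.17.17", to_port=80),
    Rule("dst-nat", proto="tcp", dport=8082, to_addr="172.16.17.17", to_port=80),
    Rule("dst-nat", proto="tcp", dport=8083, to_addr="172.16.17.20", to_port=80),
]

# The default forward rules from the thread, plus a constructed catch-all
# drop at the end so that "no accept rule matched" shows up as a drop.
DEFAULT_FORWARD: List[Rule] = [
    Rule("accept", state="established"),
    Rule("accept", state="related"),
    Rule("drop", state="invalid"),
    Rule("drop"),  # assumption: catch-all drop, not in the thread's rule set
]

# The poster's accept rule, written with the public (pre-NAT) port.
FORWARD_PRE_NAT_PORT: List[Rule] = [
    Rule("accept", proto="tcp", dst="172.16.17.17", in_iface="ether1-gateway", dport=8081)
] + DEFAULT_FORWARD

# The same rule with the translated (post-NAT) port, as the last reply suggests.
FORWARD_POST_NAT_PORT: List[Rule] = [
    Rule("accept", proto="tcp", dst="172.16.17.17", in_iface="ether1-gateway", dport=80)
] + DEFAULT_FORWARD


def apply_dstnat(pkt: Packet, rules: List[Rule] = DSTNAT) -> Packet:
    """Prerouting: the first matching dst-nat rule rewrites dst address/port."""
    for r in rules:
        if r.action == "dst-nat" and r.matches(pkt):
            return replace(pkt, dst=r.to_addr, dport=r.to_port)
    return pkt


def apply_forward(pkt: Packet, rules: List[Rule]) -> Tuple[str, Optional[int]]:
    """Forward filter: the first matching rule decides; returns (action, rule index)."""
    for i, r in enumerate(rules):
        if r.matches(pkt):
            return r.action, i
    return "accept", None  # no rule matched


def route_inbound(forward_rules: List[Rule], public_dport: int) -> Tuple[Packet, str, Optional[int]]:
    """Run one new inbound SYN through dstnat, then through the forward chain."""
    # Constructed sample: a fresh connection from the WAN to the router's public port.
    syn = Packet(proto="tcp", dst="203.0.113.10", dport=public_dport,
                 in_iface="ether1-gateway", state="new")
    translated = apply_dstnat(syn)
    action, idx = apply_forward(translated, forward_rules)
    return translated, action, idx


if __name__ == "__main__":
    for label, rules in (("pre-NAT port 8081", FORWARD_PRE_NAT_PORT),
                         ("post-NAT port 80", FORWARD_POST_NAT_PORT)):
        pkt, action, idx = route_inbound(rules, 8081)
        print(f"forward rule on {label}: packet now {pkt.dst}:{pkt.dport} -> {action} (rule {idx})")
```

Running it shows the SYN arriving at the forward chain as 172.16.17.17:80 in both cases; with the accept rule written for port 8081 the first rule that matches is the catch-all drop, while with port 80 the accept rule at index 0 matches. The same model also shows why the rule for port 8083 needs dst-address=172.16.17.20, since that dstnat rule translates to a different host.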