Help getting port forward to work

I've been attempting to forward all incoming traffic from the WAN (ether1) port 502 to the server at 192.168.17.60 port 502. I believe I followed the instructions online using WinBox. After it failed, I did add the WAN's IP address in the dst. address of the dst-nat rule.
Questions: Did I get this right? Is there some other rule in the way? Help? Please?

Thanks,
Mark


# nov/06/2025 12:55:11 by RouterOS 6.49.19
# software id = RTMY-4X4C
#
# model = RB951Ui-2nD
# serial number = C8360C25BC0F
/interface bridge
add admin-mac=48:8F:5A:7D:3E:C1 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid="MLB Electronics" station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik \
   
/ip pool
add name=dhcp ranges=192.168.17.100-192.168.17.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.17.252/24 comment=defconf interface=bridge network=192.168.17.0
add address=192.168.0.75/24 interface=ether1 network=192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.17.0/24 comment=defconf gateway=192.168.17.252 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.17.252 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=\
    WAN
add action=dst-nat chain=dstnat dst-address=192.168.0.75 dst-port=502 in-interface-list=WAN protocol=tcp src-port="" \
    to-addresses=192.168.17.60 to-ports=502
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Let's establish some facts.

  1. Do you have a public IP (and the ISP has only a modem), or do you get a private WAN IP (the upstream ISP modem/router gets the public IP), or none of the above/something else?

  2. If you do not have access to a public IP then you cannot do any port forwarding.

  3. If you do have access to a public IP, how many users are accessing your servers externally?

  4. Are any internal users also accessing the same server, and if so, how? By IP address or domain name?

  5. Can you forward ports on the upstream modem/router to your WAN IP, aka to 192.168.0.75?

  6. Also, you have already identified correctly the dst-address of your WAN IP in the dstnat rule; REMOVE the in-interface-list=WAN (not required).
     PS: you don't need to-ports if it is the same as dst-port (it's implied).

  7. Lastly, I would change this default rule

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

TO:

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

Clear this field of the DSTNAT rule properly. Currently the value is an empty string, which is still a value that will be used to compare (and the comparison will always fail, because this empty string is not equal to any number at all).

In WinBox click the button on the right of the Src. Port field to make the field greyed out. It will also no longer appear in the export.


You can also clear the dst-address=192.168.0.75 that you've added in your debugging attempts.

Also, is there a reason why you disabled the SRCNAT masquerade rule above it? If not, re-enable the masquerade rule.
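Pulling the two replies together, here is a consolidated RouterOS script that applies the suggested fixes to Mark's exported config. This is an added example, not code posted by anyone in the thread: it uses the addresses from the export (192.168.17.60 as the server, 192.168.0.75 on ether1, 192.168.0.1 as the upstream gateway) and follows the second reply's approach of matching the dstnat rule on in-interface-list=WAN without a dst-address lock (the first reply's alternative, matching dst-address=192.168.0.75 instead, works just as well as long as that address never changes). The address-list restriction near the end is an optional hardening step that the thread does not mention, and 203.0.113.10 in it is a constructed placeholder, not a real client.

```routeros
# Added example (not from the thread). Assumes the upstream modem/router at
# 192.168.0.1 already forwards TCP/502 to this router's WAN address 192.168.0.75;
# without that upstream forward (question 5 above) nothing below can help.

# 1. Replace the dst-nat rule. Drop the src-port="" match (an empty string still
#    compares, and never matches), drop the dst-address lock, omit to-ports
#    because it equals dst-port.
/ip firewall nat
remove [find chain=dstnat dst-port=502]
add chain=dstnat action=dst-nat protocol=tcp dst-port=502 in-interface-list=WAN \
    to-addresses=192.168.17.60 comment="forward TCP/502 to 192.168.17.60"

# 2. Re-enable masquerade so replies from 192.168.17.60 leave with the WAN address.
enable [find chain=srcnat action=masquerade comment="defconf: masquerade"]

# 3. Forward chain: replace the default "not DSTNATed" drop with explicit accepts
#    for LAN->WAN and dst-natted connections, then drop everything else.
#    These are appended after the existing established/related and fasttrack rules.
/ip firewall filter
remove [find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="internet traffic"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding"
add chain=forward action=drop comment="drop all else"

# 4. Optional hardening (assumption, not in the thread): only let known remote
#    clients reach the forwarded port. 203.0.113.10 is a constructed placeholder.
/ip firewall address-list
add list=port502-clients address=203.0.113.10 comment="constructed example client"
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-address=192.168.17.60 dst-port=502 \
    connection-nat-state=dstnat src-address-list=!port502-clients \
    place-before=[find comment="port forwarding"] comment="block unknown port 502 clients"

# 5. Verify: the dstnat rule's packet counter should rise on each external
#    connection attempt, and the connection table should show the translation.
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where dst-address~":502"
```

If the counter in step 5 stays at zero while a remote client is connecting, the traffic is not reaching ether1 at all, which points at the upstream modem/router rather than at this router's rules.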