How can I remotely access an MT behind a modem?

I am trying to set up port forwarding on a MT to be able to access it remotely and have failed to do so.

I have set up a firewall rule and a dst-nat rule from port 8899 to port 8291 but like mentioned the port is not open.

I have also configured the modem to port forward 8899 => 8899 to 192.168.1.152 (MT’s local address)

Can someone please offer advice?

P.S. ISP modem is on Dynamic address

/ip firewall filter
add action=accept chain=input dst-port=8899 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp src-address=0.0.0.0/0
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=8899 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.152 to-ports=8291

I would prefer through VPN over making a service available publicly.
Is your MT behind NAT, or does it have a publicly available IP address?
Who removed all filter rules that are part of the default?

input ≠ forward

Indeed a VPN is preferable but for now I am looking to explore this option as well. Yes, it is behind NAT and does not have a public IP address. This is an old MT so I wouldn't know... After I try the changes I will restore the default rules.

Changed it to forward but still the port remains closed...

Did you do port forwarding on the NAT device as well?

Yes!

Can you change this rule, where the to port is the default Winbox port?

And change this rule in the firewall as well:

/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp

Changed it but the port still remains closed! crazyyyyyy

Ok I changed both to 8291 and both ports remain closed as before but now I see packets coming on that filter rule.

Ok so I was able to open port 42225 (could have been any other) and redirect it to 8291 and I want your thoughts if this is something I wasn’t understanding towards my modem (see attached screen shot).

I was under the impression that I had to specify the source port as well, in this example 42225 and the destination port (also 42225). No matter what combinations 42225 => 42225 / 42225 => 8291 etc. the port remained closed. Then I said what the heck and decided to leave the source port as any and define only the destination port and … voila, the port is open now! So what is it I am not understanding about my modem’s settings?

Also evaluate Back To Home.
https://help.mikrotik.com/docs/display/ROS/Back+To+Home

The source port is picked by the remote client initiating the connection, typically anything greater than 1023 but not fixed.

Hmmm, didn’t know about that! Very interesting! Thank you!

Ok thank you! The way I was understanding it was (in the event no MT router is involved) if you have a camera for example and you want to use a known port to access it from WAN, to enter as source port one of your preference and then as destination port the “known” one (something like dst-nat MT does).
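
The source-port answer above, as an added example that is not part of the original thread: real TCP clients on loopback get a different OS-chosen source port for each connection, so a forward rule pinned to source port 42225 does not match them while the any-source rule does. The rule dictionaries and the `forward` and `client_source_ports` helpers are hypothetical and model only the matching logic, not any modem's or RouterOS's configuration format.

```python
import socket

# Constructed rules modelled on the thread: external port 42225 forwarded to
# Winbox (8291) on 192.168.1.152. The dict layout is hypothetical, not any
# modem's real configuration format; src_port=None means "any".
STRICT = {"src_port": 42225, "dst_port": 42225, "to": ("192.168.1.152", 8291)}
LOOSE = {"src_port": None, "dst_port": 42225, "to": ("192.168.1.152", 8291)}


def forward(rule, src_port, dst_port):
    """Return the forwarding target if the packet matches the rule, else None."""
    if rule["dst_port"] != dst_port:
        return None
    if rule["src_port"] is not None and rule["src_port"] != src_port:
        return None
    return rule["to"]


def client_source_ports(connections=3):
    """Open several TCP connections to a loopback listener and return the
    source port the OS picked for each client socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: any free port, demo only
    srv.listen(connections)
    target = srv.getsockname()
    clients, accepted, ports = [], [], []
    try:
        for _ in range(connections):
            # Connections stay open together, so their source ports must differ.
            clients.append(socket.create_connection(target))
            conn, peer = srv.accept()
            accepted.append(conn)
            ports.append(peer[1])  # client port as seen by the listening side
    finally:
        for s in clients + accepted + [srv]:
            s.close()
    return ports


if __name__ == "__main__":
    for src in client_source_ports():
        # Evaluate each real source port as if the client had dialled 42225.
        print(f"src={src:5d} dst=42225  strict -> {forward(STRICT, src, 42225)}"
              f"  any-source -> {forward(LOOSE, src, 42225)}")
```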