I believe this to be correct and I see some packets flowing, but the site is offline. I am just trying to narrow down the problem - so if anybody can confirm these are set up correctly I would appreciate it.
"action=accept connection-state=established,related" is used to accept packets belonging or related to already known connections, so in usual cases there should be no additional conditions in this rule. Rules following it are used to enable establishment of new connections. So you should use a separate rule with just "action=accept connection-nat-state=dstnat" to permit any incoming connection previously dst-nated by /ip firewall nat rules. As you've combined the conditions which "new" packets must meet in order to be accepted with a condition saying they must not be "new" in a single rule, no "new" packet will ever go through, so no connection will ever be initiated.
Plus whatever you do with the firewall must be done in the context of already existing firewall rules. So post the complete export, not just the part you think may be related. See the mini-howto in my automatic signature.
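The point made in the reply above, shown in RouterOS filter syntax as an added example (the original poster's export was never shown in the thread, so this is not their configuration). The interface name ether1, the internal server 192.0.2.10 and port 443 are assumed placeholders.

```routeros
# Added illustration, not the poster's export. Interface and addresses are placeholders.

# dst-nat rule that forwards inbound HTTPS from the WAN to an internal server
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.0.2.10 to-ports=443 comment="web server"

# BROKEN: every matcher in a rule must match the same packet. The first packet
# of a dst-nated connection has connection-state=new, so it can never also be
# established/related; it falls through to the drop rule and the connection is
# never initiated. Shown only for contrast, do not keep this rule.
/ip firewall filter
add chain=forward connection-state=established,related \
    connection-nat-state=dstnat action=accept comment="broken: never matches new"

# CORRECT: the two checks live in separate rules, in this order.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="packets of already known connections"
add chain=forward connection-nat-state=dstnat action=accept \
    comment="first packet of any connection dst-nated above"
add chain=forward connection-state=new in-interface=ether1 action=drop \
    comment="any other new connection arriving from the WAN"
```

After applying the corrected rules, `/ip firewall filter print stats` should show the packet counter on the dstnat accept rule increasing when a new connection to the published port arrives.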
You are a scholar and a gentleman. That was the nudge I was looking for. I have that established,related rule above these. As usual, you were spot on.
I unchecked connection state established & related and left the connection-nat=dstnat. The moment I did that, packets matched and it started working.
I have learned a great deal from you on this forum. Your willingness to consistently share your expertise and teach all of us is remarkable. You are an asset to this community and I appreciate your efforts very very much. Good karma to you sir.