Plex Server Firewall Rules

I have a little problem accessing my Plex server from outside my network, no matter what methods I’ve tried. I searched a lot but found no solution, so I’m posting my FW configuration in the hope that someone can help me out! The server has a static IP (192.168.10.101) and Plex shows the message “Not available outside your network”.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!def_LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-nat-state="" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=32400 in-interface=1wan protocol=tcp to-addresses=192.168.10.101 to-ports=32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set pptp disabled=yes
set sctp disabled=yes

At first sight it looks like the default config with one simple dstnat rule added, nothing clearly wrong. Does your router have a public address? Not 192.168.x.x, 10.x.x.x, 172.16-31.x.x, 100.64-127.x.x, and with incoming connections not blocked by the ISP?

Yes, it has a dynamic public IP. Truth is I had it working 2 months ago in another setup which unfortunately I can’t access right now. I don’t remember the rules I had back there though. I remember clearly that I had the already active rule (the one you referred to also) but can’t remember anything else.
With the rules I have now, is it normal that it doesn’t work? Or should it have worked in the first place?

If your WAN interface (connection to internet) is named “1wan”, then it should work. Does the rule have any hits (look at its packet counter)?

Already checked it but nope, nothing. That’s why I know for sure that it’s not a server problem (Windows FW etc.)

It means that no packet from internet (to this port) reached your router.

That public address, is it directly on your router or somewhere else, e.g. some modem from which you’re forwarding ports to router? If the latter, is that configured correctly?

Is “1wan” really your WAN interface? Can’t there be a mixup between e.g. ethernet and PPPoE? What if you replace in-interface=1wan with in-interface-list=WAN, does that help?

You can also check if any new connections come from internet with:

# log every new connection that arrives on 1wan (log action, so hits show up in /log)
/ip firewall nat
add chain=dstnat in-interface=1wan action=log

Then try any online port scanner with any port and see if it logs anything.

Note the following SOB is talking about the rest of the config.
Why are people so arrogant that they think they know what we need to see to solve the problem??
Please post the entire config
/export hide-sensitive file=anynameyouwish

My guess is that if you are using pppoe, which basically has two wan type rules, then you need to ensure both ether1 and pppoe are part of the WAN interface, but alas without seeing the config it’s only a guess. I do note that your interface on the outgoing is the WAN interface LIST, but 1wan on the incoming side of the NAT rules…

As always, the forum solved my problem. You are both right, the rule should concern both 1wan and pppoe-out interfaces since I have a modem connected to ether1 of my router. So if I set the in-interface-list to WAN in my already existing rule, or keep the rule as is and create another with in-interface the pppoe-out, then it works perfectly. Thank you both, I didn’t post my entire config 'cause I had already enclosed the problem to the firewall rules!
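The mismatch resolved above, as an added example that is not part of the original thread: a Python check over a RouterOS export that flags dst-nat rules pinned to the physical interface carrying a PPPoE client. Only the dst-nat rule and the names 1wan and pppoe-out come from the thread; the `/interface pppoe-client` and `/interface list member` sections in the sample are constructed assumptions.

```python
import re
import shlex

# Constructed sample. Only the dst-nat rule and the names 1wan / pppoe-out come
# from the thread; the pppoe-client and list-member sections are assumptions.
SAMPLE_EXPORT = """
/interface pppoe-client
add add-default-route=yes disabled=no interface=1wan name=pppoe-out user=example
/interface list member
add interface=1wan list=WAN
add interface=pppoe-out list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=32400 in-interface=1wan protocol=tcp \\
    to-addresses=192.168.10.101 to-ports=32400
"""

def parse_export(text):
    """Map each menu path to the property dicts of its 'add' lines."""
    sections, menu = {}, None
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines wrapped by /export
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            props = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            sections.setdefault(menu, []).append(props)
    return sections

def find_pinned_dstnat(text):
    """Return (dst_port, in_interface, pppoe_name, pppoe_in_wan_list) tuples.

    A dst-nat rule matching the physical port never sees traffic that arrives
    inside the PPPoE session, because that traffic enters on the PPPoE interface.
    """
    cfg = parse_export(text)
    carriers = {c.get("interface"): c.get("name")
                for c in cfg.get("/interface pppoe-client", [])}
    wan = {m.get("interface") for m in cfg.get("/interface list member", [])
           if m.get("list") == "WAN"}
    findings = []
    for rule in cfg.get("/ip firewall nat", []):
        iface = rule.get("in-interface")
        if rule.get("action") == "dst-nat" and iface and iface in carriers:
            pppoe = carriers[iface]
            findings.append((rule.get("dst-port"), iface, pppoe, pppoe in wan))
    return findings

if __name__ == "__main__":
    for finding in find_pinned_dstnat(SAMPLE_EXPORT):
        print(finding)
```

When the last field is true, switching the rule to in-interface-list=WAN covers the PPPoE interface; when it is false, the list membership has to be corrected first.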

The problem was your lack of understanding of Interfaces and how to use them. Which is outside the firewall rules, but keep deluding yourself… :wink:

Oh I see, thanks again, next time you need advice I hope there’s someone kinder to answer you!

Take anav’s “flaming ass” avatar as hint/warning. :slight_smile:

No ssantos, you came here looking for help but were so arrogant to think you know which information is required for us to assist with your problem.
Don’t worry, you are not the first, nor the last to suffer from this affliction.