Port Forward failing, no visible public access

blackhand · February 3, 2019, 4:34pm

This seems weird to me as I have all my listed ports in the filters with nat forwarding however my network seems to be more locked down than before. Can you guys take a look at this and if anything is possibly missing? Some of these rules I pulled from the wiki to lock down my network.
FILTERS
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; Plex port forwarding
chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=32400 log=no log-prefix=“”

3 ;;; Plex port forwarding
chain=forward action=accept protocol=udp in-interface=ether1 dst-port=32400 log=no log-prefix=“”

4 ;;; MINEOS
chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=8443 log=no log-prefix=“”

5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

NAT
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

1 chain=dstnat action=dst-nat to-addresses=192.168.2.211 to-ports=32400 protocol=tcp in-interface=ether1 dst-port=32400 log=no log-prefix=“”

2 chain=dstnat action=dst-nat to-addresses=192.168.2.111 to-ports=8443 protocol=tcp in-interface=ether1 dst-port=8443 log=no log-prefix=“”

anav · February 4, 2019, 5:13pm

For best feedback post your config
/export hide-sensitive file=myconfig

Off the top you dont need firewall filter rules for the dstnat rules you already have in place.
You only need one forward filter rule to allow dstnat packets in general to pass…