jan/11/2018 07:50:28 by RouterOS 6.42rc6
software id = I415-ZLXP
model = CRS125-24G-1S-2HnD
serial number = xxxxxxxxxxxxxx
/interface bridge
# EXT is created here but, apart from membership in the "discover" list further down, nothing in this export
# uses it (no ports, no address). Remove it if it is a leftover -- unused interfaces only widen the surface.
add fast-forward=no name=EXT
# Main LAN bridge. admin-mac with auto-mac=no pins the bridge MAC so it does not follow whichever port is up.
add admin-mac=6C:1B:1B:7D:18:51 auto-mac=no fast-forward=no name=bridge
/interface wireless
# Primary 2.4 GHz AP (ap-bridge, WPS off). Exports omit values still at their default, so default-authentication
# is presumably still "yes" here -- in that case the MAC access-list later in this file only annotates clients,
# it does not gate who may associate. NOTE(review): confirm with /interface wireless print.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce comment="WIFI XXXXXX_2G" disabled=no
distance=indoors frequency=auto mode=ap-bridge ssid=XXXXXX1_2GHz wireless-protocol=802.11 wps-mode=
disabled
/interface ethernet
# ether1 = WAN uplink (DHCP client below). ether2-master keeps its pre-6.41 master-port name but is just a bridge
# port now. ether11 is the TV-box port also referenced by the bridge filter, multicast-fdb and igmp-proxy sections.
set [ find default-name=ether1 ] comment="BBB WAN"
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether11 ] comment="External IP to TV-Box"
/interface wireless manual-tx-power-table
set wlan1 comment="WIFI XXXXXX_2G"
/interface wireless nstreme
set wlan1 comment="WIFI XXXXXX_2G"
/interface list
# mactel / mac-winbox scope the MAC-level management servers, "discover" scopes neighbor discovery, WAN is
# populated below. Membership is what matters -- see /interface list member.
add name=mactel
add name=mac-winbox
add exclude=dynamic name=discover
add name=WAN
/interface wireless security-profiles
# Both profiles: WPA2-PSK only (no WPA1, WPS off, EAP disabled). The pre-shared keys are not present in this
# export (hidden or withheld), so their strength cannot be reviewed here. Each SSID has its own profile, so the
# guest PSK can be rotated independently of the main one.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=
MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=profile supplicant-identity=MikroTik
/interface wireless
# Guest SSID is a virtual AP on wlan1 with its own security profile. It is still a port of the same LAN bridge
# (see /interface bridge port) and gets addresses from the same DHCP server, so guest/LAN separation rests
# entirely on the two wlan2 drop rules in /interface bridge filter -- nothing separates them at layer 3.
add comment="GUEST WIFI" disabled=no mac-address=6E:3B:6B:7D:08:19 master-interface=wlan1 name=wlan2
security-profile=profile ssid=XXXXXX_GUEST1 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan2 comment="GUEST WIFI"
/interface wireless nstreme
set wlan2 comment="GUEST WIFI"
/ip pool
# dhcp: LAN (and guest) clients. vpn: PPP clients of the L2TP/PPTP/SSTP servers. OpenVPN: a pool for an OpenVPN
# server that does not appear enabled anywhere in this export.
add name=dhcp ranges=192.168.10.10-192.168.10.199
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=OpenVPN ranges=192.168.20.2-192.168.20.255
/ip dhcp-server
# Single DHCP server on the LAN bridge -- it therefore also serves the guest SSID (wlan2 is a bridge port).
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge name=defconf
/ppp profile
# bridge=bridge puts VPN clients using this profile (*FFFFFFFE is one of the two built-in profiles, presumably
# default-encryption -- confirm) directly onto the LAN bridge at layer 2, in addition to their 192.168.89.x
# address. Anyone holding a valid VPN credential therefore has the same reach as a wired LAN host; the single
# shared "vpn" secret and the enabled PPTP server further down make that credential the weakest link.
set *FFFFFFFE bridge=bridge local-address=192.168.89.1 remote-address=vpn
/system logging action
# 100 lines in memory and 100 lines per disk file is very little history for incident review; consider a larger
# disk-lines-per-file / disk-file-count or a remote logging action so VPN, ipsec and account events survive.
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/caps-man manager
# CAPsMAN certificates set to auto; enabled= is not in the export, so the manager is presumably off (default).
set ca-certificate=auto certificate=auto
/interface bridge filter
# Layer-2 filters on the LAN bridge. The first rule (disabled) would pass ether1<->ether11 frames if the WAN port
# were ever bridged; it is inert as long as ether1 stays outside the bridge.
add action=accept chain=forward disabled=yes in-bridge=bridge in-interface=ether1 out-bridge=bridge
out-interface=ether11
# Guest isolation: frames from/to wlan2 are dropped in the bridge forward chain, so guest clients cannot reach
# other bridge ports. They can still reach the router itself (the bridge input chain is not filtered here) and
# they share the LAN subnet, so the /ip firewall filter rule "in-interface=!ether1 src-address=192.168.10.0/24"
# and the winbox address filter treat them as trusted LAN. Bridge filters also only see traffic that reaches the
# CPU; frames hardware-offloaded between switch ports bypass them. Wireless is not offloaded, so this should hold
# for wlan2 -- NOTE(review): confirm with /interface bridge port print (H flag).
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
# All LAN ports plus both radios form one bridge. ether1 (WAN) is deliberately not a member, so WAN traffic is
# routed and firewalled rather than switched. hw=no on the radios is expected (wireless is not handled by the
# switch chip); the wired ports carry no hw= and so presumably keep the default hardware offload -- relevant for
# the bridge filter note above.
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=wlan1
add bridge=bridge hw=no interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery limited to the "discover" list, whose members (below) exclude ether1 -- the router does not
# advertise itself toward the ISP. Good.
set discover-interface-list=discover
/ip settings
# Strict reverse-path filtering drops packets arriving on an interface that is not the route back to their
# source -- a useful anti-spoofing control, but it also drops legitimately asymmetric traffic (multicast
# proxying, VPN subnets) if routing changes; keep in mind when debugging.
set rp-filter=strict
/interface ethernet switch multicast-fdb
# Static multicast forwarding entry toward the TV-box port.
add ports=ether11
/interface l2tp-server server
# L2TP with IPsec. The IPsec pre-shared key is not part of this export (hidden or withheld). Per MikroTik's
# documentation of this setting, use-ipsec=yes also accepts L2TP sessions that arrive without IPsec; if every
# client uses IPsec, `set use-ipsec=required` so plain L2TP on udp/1701 (accepted from anywhere by the input
# chain) is refused. This remains the preferable remote-access path compared with the PPTP server enabled below.
set enabled=yes use-ipsec=yes
/interface list member
# mactel / mac-winbox: MAC-telnet and MAC-winbox reachable from the LAN ports and both SSIDs (including guest),
# but not from ether1. "discover": everything except ether1. Note that the guest radio sits in the management
# lists as well.
add interface=ether2-master list=mactel
add interface=wlan1 list=mactel
add interface=ether2-master list=mac-winbox
add interface=wlan2 list=mactel
add interface=wlan1 list=mac-winbox
add interface=wlan2 list=mac-winbox
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=ether11 list=discover
add interface=ether12 list=discover
add interface=ether13 list=discover
add interface=ether14 list=discover
add interface=ether15 list=discover
add interface=ether16 list=discover
add interface=ether17 list=discover
add interface=ether18 list=discover
add interface=ether19 list=discover
add interface=ether20 list=discover
add interface=ether21 list=discover
add interface=ether22 list=discover
add interface=ether23 list=discover
add interface=ether24 list=discover
add interface=sfp1 list=discover
add interface=bridge list=discover
add interface=wlan2 list=discover
add interface=EXT list=discover
# Misleading: the LAN bridge is the only member of the list named WAN. No visible firewall rule uses this list,
# so it is harmless today, but a future in-interface-list=WAN rule would hit the LAN instead of ether1.
# Either make ether1 the member or delete the list.
add interface=bridge list=WAN
/interface pptp-server server
# PPTP relies on MS-CHAPv2/MPPE, whose key derivation is known to be breakable; it offers no meaningful
# confidentiality or authentication assurance today. Combined with the bridge-mode ppp profile (VPN = LAN) and
# the input rule accepting tcp/1723 from anywhere, this is the largest exposure in this configuration. If no
# client still needs it: `set enabled=no` and remove the matching "allow pptp" filter rule.
set enabled=yes
/interface sstp-server server
# SSTP (TLS on tcp/443) with the default-encryption profile. certificate= is not shown, so presumably none is
# configured; confirm clients verify a real server certificate, otherwise the TLS layer provides no server
# authentication.
set default-profile=default-encryption enabled=yes
/interface wireless access-list
# Per-client entries applying to both radios (no interface= restriction). The entries carry no authentication=
# or forwarding= override, so they sit at their defaults and act as an inventory with comments rather than as an
# allow-list -- an allow-list only takes effect once default-authentication=no is set on wlan1/wlan2, which this
# export does not show. Even then a MAC address is not a secret; the WPA2 pre-shared key is the actual access
# control.
add comment="xxx Mobil" mac-address=4C:66:41:48:A1:12
add comment="xxxxxxx Mobil" mac-address=E8:50:8B:04:F3:1F
add comment="xxxxxxx Laptop" mac-address=7C:D1:C3:E9:E2:47
add comment="Chromebook 1" mac-address=AC:89:95:DB:5A:C5
add comment="xxxxx Mobil" mac-address=AC:5F:3E:26:C9:97
add comment=CC-Music mac-address=54:60:09:EA:D4:4A
add comment="xxxxxxxx Mobil" mac-address=D4:61:2E:93:63:69
add comment="xxxxxxxxxxxxxx" mac-address=6C:AD:F8:A4:33:19
add mac-address=B8:EE:65:F0:FD:CB
add mac-address=48:51:B7:61:1D:6D
add mac-address=1C:AF:05:77:D6:95
add mac-address=F4:F5:D8:DC:C5:92
add mac-address=44:85:00:CB:17:DB
add mac-address=28:56:5A:A0:0B:06
add mac-address=50:C7:BF:59:F5:A6
add mac-address=B8:27:EB:E6:97:32
add mac-address=6C:AD:F8:D0:0F:69
add mac-address=54:60:09:5C:AE:30
add mac-address=E4:58:B8:5E:81:DF
/ip address
# NOTE(review): the LAN address is bound to ether2-master, which is itself a port of "bridge". RouterOS normally
# marks addresses on bridge slave ports as invalid; if the router works as intended the address may have been
# migrated on upgrade, but check the flag -- the conventional placement is interface=bridge, matching the DHCP
# server.
add address=192.168.10.1/24 comment=defconf interface=ether2-master network=192.168.10.0
/ip cloud
# Publishes the public IP to MikroTik's cloud DDNS; a third DDNS mechanism next to the two scripts below.
set ddns-enabled=yes
/ip dhcp-client
# WAN address via DHCP on ether1 (default client, sends hostname and client-id).
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
# Static leases. Several fall inside the dynamic range (.10-.199); harmless, but keeping statics outside the
# pool makes the address plan easier to audit. 192.168.10.16 is the Home Assistant host targeted by the disabled
# dst-nat rules further down.
add address=192.168.10.253 always-broadcast=yes client-id=1:4c:66:41:48:a1:12 mac-address=4C:66:41:48:A1:12
server=defconf
add address=192.168.10.125 client-id=1:48:51:b7:61:1d:6d mac-address=48:51:B7:61:1D:6D server=defconf
add address=192.168.10.117 client-id=1:f0:1f:af:3:2b:51 mac-address=F0:1F:AF:03:2B:51 server=defconf
add address=192.168.10.136 client-id=1:b8:ac:6f:b0:5:3f mac-address=B8:AC:6F:B0:05:3F server=defconf
add address=192.168.10.113 mac-address=54:60:09:EA:D4:4A server=defconf
add address=192.168.10.104 always-broadcast=yes client-id=1:ac:5f:3e:26:c9:97 mac-address=AC:5F:3E:26:C9:97
server=defconf
add address=192.168.10.106 mac-address=6C:AD:F8:A4:33:19 server=defconf
add address=192.168.10.11 always-broadcast=yes mac-address=D4:61:2E:93:63:69 server=defconf
add address=192.168.10.14 always-broadcast=yes comment="IOT-IKEA Gateway" mac-address=B0:72:BF:27:86:D5 server=
defconf
add address=192.168.10.13 mac-address=F4:F5:D8:DC:C5:92 server=defconf
add address=192.168.10.15 mac-address=A4:77:33:6D:38:B2 server=defconf
add address=192.168.10.227 client-id=1:70:8b:cd:ab:ec:fd mac-address=70:8B:CD:AB:EC:FD server=defconf
add address=192.168.10.17 mac-address=00:17:88:2B:01:71 server=defconf
add address=192.168.10.18 client-id=1:44:85:0:cb:17:db mac-address=44:85:00:CB:17:DB server=defconf
add address=192.168.10.19 mac-address=B4:A5:EF:E7:51:8D server=defconf
add address=192.168.10.16 mac-address=B8:27:EB:9C:9C:25 server=defconf
add address=192.168.10.10 client-id=1:30:7:4d:8d:2c:9a mac-address=30:07:4D:8D:2C:9A server=defconf
add address=192.168.10.22 mac-address=28:56:5A:A0:0B:06 server=defconf
add address=192.168.10.20 client-id=1:b8:27:eb:e6:97:32 mac-address=B8:27:EB:E6:97:32 server=defconf
add address=192.168.10.12 always-broadcast=yes mac-address=6C:AD:F8:D0:0F:69 server=defconf
add address=192.168.10.26 client-id=1:f0:9f:c2:1d:b:5 mac-address=F0:9F:C2:1D:0B:05 server=defconf
add address=192.168.10.27 always-broadcast=yes mac-address=E4:F0:42:48:CF:B2 server=defconf
add address=192.168.10.28 mac-address=48:D6:D5:E1:21:29 server=defconf
add address=192.168.10.24 always-broadcast=yes mac-address=54:60:09:5C:AE:30 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for whoever can reach port 53 on it. The input chain
# ends in drop-all and has no port-53 accept for ether1, so this is not an open resolver toward the Internet;
# LAN and guest clients can use it. Forwarders are Google plus two ISP resolvers, plain DNS.
set allow-remote-requests=yes servers=8.8.8.8,195.54.122.200,8.8.4.4,195.54.122.204
/ip dns static
# "router" resolves to the LAN address; the two Google entries are cosmetic labels for the forwarder IPs.
add address=192.168.10.1 name=router
add address=8.8.8.8 name="Google DNS 1"
add address=8.8.4.4 name="Google DNS 2"
/ip firewall address-list
# Three lists are defined, but none of the filter or nat rules in this export references PrivateIPs, support or
# bogons, so they currently do nothing. If the bogons list is meant for anti-spoofing on the WAN it needs a rule
# such as `add action=drop chain=forward in-interface=ether1 src-address-list=bogons` (and/or the same in
# chain=input) -- but first check that the ISP does not hand out addresses from the RFC 1918 ranges included
# here, as the entry comments already warn.
add address=192.168.10.0/24 list=PrivateIPs
add address=192.168.10.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it"
list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment=
"Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment=
"Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
/ip firewall filter
# FastTrack is disabled. When enabled it lets established flows skip every later filter rule, so leaving it off
# is the conservative choice for a setup that relies on filter ordering.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related disabled=
yes
# Accepts IGMP arriving on ether1 for the igmp-proxy below. in-interface=ether1 together with in-interface-list=all
# is redundant (the list matcher adds nothing); harmless noise.
add action=accept chain=forward connection-nat-state=srcnat,dstnat in-interface=ether1 in-interface-list=all
out-interface-list=all protocol=igmp
# Input chain: VPN ports from any source, then established, ICMP, LAN sources on non-WAN interfaces, then drop
# invalid and drop everything else. The terminal drop is what keeps DNS, SNMP, winbox etc. off the WAN. Two
# caveats: the "LAN" rule also admits guest-SSID clients (same subnet), and "established" without "related"
# differs from defconf's established,related -- related traffic for the router's own connections is only let
# in where the separate ICMP rule happens to cover it.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 log=yes log-prefix=VPN protocol=udp
# udp/1701 is accepted from anywhere; with use-ipsec=yes rather than required on the L2TP server this also
# exposes unencrypted L2TP -- see /interface l2tp-server server.
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# Logged with prefix VPN: useful for spotting brute-force attempts, but only if log retention (100 lines, see
# /system logging action) is raised or logs are shipped off-box.
add action=accept chain=input comment="allow pptp" dst-port=1723 log=yes log-prefix=VPN protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1 src-address=192.168.10.0/24
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"
# Forward chain: only this explicit accept exists and the chain has no terminal drop, so the default (accept)
# applies to everything else -- including new connections arriving on ether1. NAT hides the LAN from
# unsolicited WAN traffic, but the public-IP TV-box path and bridged VPN clients are not covered by that
# assumption. Add, after this rule, the two defconf forward rules:
# `add action=drop chain=forward comment="drop invalid" connection-state=invalid` and
# `add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1`.
add action=accept chain=forward in-interface=bridge out-interface=bridge
# The two disabled rules below could never match as written: dst-nat'd traffic to 192.168.10.16 traverses the
# forward chain, not input, and matching on src-port=443 / 8123 assumes the remote client uses a fixed source
# port, which ordinary clients do not. If exposing Home Assistant is revisited, use a forward rule keyed on
# connection-nat-state=dstnat instead.
add action=accept chain=input disabled=yes dst-address=192.168.10.16 dst-port=8123 in-interface=ether1
protocol=tcp src-port=443
add action=accept chain=input disabled=yes dst-address=192.168.10.16 dst-port=8123 in-interface=ether1
protocol=tcp src-port=8123
/ip firewall nat
# Both dst-nat rules to the Home Assistant host are disabled. The first logs every hit (HomeAssistantWebLogin);
# the second additionally requires src-port=443, which ordinary browsers never use, so it would not work if
# re-enabled. Exposing HA directly to the WAN is higher risk than reaching it through the VPN.
add action=dst-nat chain=dstnat disabled=yes dst-port=8123 in-interface=ether1 log=yes log-prefix=
HomeAssistantWebLogin protocol=tcp to-addresses=192.168.10.16 to-ports=8123
add action=dst-nat chain=dstnat disabled=yes dst-port=8123 in-interface=ether1 protocol=tcp src-port=443
to-addresses=192.168.10.16 to-ports=8123
# Default masquerade toward the WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
# The VPN subnets are masqueraded on any out-interface (no out-interface= given), so routed traffic from VPN
# clients reaches LAN hosts and the Internet alike with the router's address -- LAN-side logs will not show the
# individual VPN client. Restrict to out-interface=ether1 if per-client attribution inside the LAN matters. The
# OpenVPN masquerade exists although no enabled OpenVPN server is visible in this export.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=masquerade chain=srcnat comment="OpenVPN Masquerade" src-address=192.168.20.0/24
/ip firewall service-port
# NAT helpers (ALGs) for ftp/tftp/irc/sip disabled -- good, these protocol parsers have a history of bugs. The
# remaining helpers are not listed and so stay at their defaults.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
/ip service
# Management surface: telnet, ftp, www, ssh and api-ssl off; winbox limited to the LAN subnet (which includes
# guest-SSID clients and excludes VPN clients at 192.168.89.x). api and www-ssl do not appear here and are at
# their defaults -- verify with /ip service print and disable api if nothing uses it. The drop-all input rule
# keeps all of these off the WAN regardless.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24 disabled=yes
set ssh disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ip smb
# enabled= is not shown (default off); keep it off unless file sharing from the router is actually used.
set allow-guests=no comment=Router domain=WORKGROUP
/ip ssh
# Stronger SSH ciphers/MACs -- moot while the ssh service is disabled, but correct if it is ever re-enabled.
set strong-crypto=yes
/ip upnp
# UPnP is pre-wired (bridge internal, ether1 external) but enabled= is not shown, so presumably off. If it is
# ever switched on, any LAN or guest device can open inbound ports through the WAN firewall -- leave it off.
set show-dummy-rule=no
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
# One shared VPN account. Its password is not in this export (hidden or withheld) and no profile= or service=
# restriction is set, so it is usable on PPTP, L2TP and SSTP alike. Per-user secrets (and service=) give
# attribution in the "account" log topic and allow revoking one person without re-keying everyone.
add name=vpn
/routing igmp-proxy interface
# Upstream IGMP on the WAN. alternative-subnets=1.2.3.0/24,2.3.4.0/24 look like placeholder values -- confirm
# they are the ISP's real multicast source ranges or remove them, since they widen what the proxy accepts.
add alternative-subnets=1.2.3.0/24,2.3.4.0/24 interface=ether1 upstream=yes
add interface=ether11
/routing igmp-proxy mfc
add downstream-interfaces=ether11 group=224.10.10.11 source=192.168.10.1 upstream-interface=wlan1
/routing pim bsr-candidates
# PIM entries are disabled apart from the rp-candidates one; presumably leftovers from multicast experiments.
add disabled=yes interface=ether11
/routing pim interface
add disabled=yes interface=ether11
/routing pim rp-candidates
add interface=ether11
/snmp
# SNMP agent on. Communities are not part of this export; RouterOS ships a read-only "public" community, so
# unless it was changed or restricted, any LAN or guest host can walk the device (the input drop-all blocks the
# WAN). Set an address restriction or use SNMPv3 with authentication; trap-version=3 only affects traps sent out.
set enabled=yes location=HOME trap-version=3
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=Router
/system leds
set 0 disabled=yes
set 1 disabled=yes
/system logging
# Rule 0 (presumably the default info -> memory rule) disabled, rule 3 redirected to disk; ipsec and account
# (login / VPN authentication) topics also go to disk. Sensible for after-the-fact review, but see the 100-line
# limits in /system logging action.
set 0 disabled=yes
set 3 action=disk
add action=disk topics=ipsec
add action=disk topics=account
/system note
# Login banner; a useful notice that access is monitored.
set note="XXXXXX Network Architecture - Authorized administrators only. Access to this device is monitored."
/system ntp client
set enabled=yes primary-ntp=79.138.40.123 secondary-ntp=62.209.166.40 server-dns-names=
0.se.pool.ntp.org,1.se.pool.ntp.org,2.se.pool.ntp.org,3.se.pool.ntp.org
/system package update
# This production router tracks the release-candidate channel, and the Auto_Update_RouterOS script installs
# whatever it finds, unattended. RC builds are not stabilised releases; switch to channel=bugfix (or current)
# unless testing RC builds is the purpose of this device.
set channel=release-candidate
/system scheduler
# Every scheduled job runs with the full policy set (including policy, password, sensitive, sniff, romon). A
# scheduler entry only needs the policies its script is declared with: Send_ConfigFile_email is declared below
# with read,write,test, and a DDNS updater needs nothing beyond that either (only the RouterOS updater needs
# reboot). Trim both the scheduler and the script policies to the minimum -- the "policy" right in particular
# allows managing users and their permissions, which no automated job should hold.
add interval=13m name=Update_DDNS on-event=Update_DDNS policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=12h name=Update_RouterOS on-event=Auto_Update_RouterOS policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/23/2017 start-time=03:00:00
add interval=1w name=Send_ConfigFile_email on-event=Send_ConfigFile_email policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/26/2017 start-time=02:00:00
add interval=10m name=RUN_UPDATE_DUCK_DNS on-event=UPDATE_DUCK_DNS policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/09/2018 start-time=15:00:00
/system script
# Contains a plaintext account password (ddnspass) and account identity for the ChangeIP DDNS service. Script
# sources are exported verbatim by /export and are inside every backup (see Send_ConfigFile_email); since this
# export has been shared, treat that credential as disclosed and rotate it. Avoid embedding secrets in script
# text where possible.
add name=Update_DDNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source="# This script will update a ChangeIP.com dynamic dns hostname\r
\n:local ddnsuser "xxx.kretz@gmail.com"\r
\n:local ddnspass "AlfaLaval!1991!"\r
\n:local ddnshost "kretzarna.ddns.info"\r
\n:local ddnsinterface "ether1"\r
\n\r
\n:global ddnslastip\r
\n:global ddnsip [ /ip address get [find interface=$ddnsinterface disabled=no] address ]\r
\n:if ([ :typeof $ddnslastip ] = nil ) do={ :global ddnslastip 0.0.0.0/0 }\r
\n\r
\n:if ([ :typeof $ddnsip ] = nil ) do={\r
\n:log info ("DDNS: No ip address present on " . $ddnsinterface . ", please check.") } else={\r
\n:if ($ddnsip != $ddnslastip) do={\r
\n:log info "DDNS: Sending UPDATE!"\r
\n:log info [ /tool dns-update name=$ddnshost address=[:pick $ddnsip 0 [:find $ddnsip "/"] ] key-name=
$ddnsuser key=$ddnspass ]\r
\n:global ddnslastip $ddnsip } else={\r
\n:log info "DDNS: No change" }\r
\n}"
# Weekly e-mails a full /system backup to an external mailbox. A RouterOS backup contains every local secret
# (user passwords, wireless PSKs, IPsec keys, these scripts). Protect it with the backup password option if this
# RouterOS build supports `/system backup save name=... password=...`, and make sure the SMTP path is
# authenticated TLS (see /tool e-mail). The stray ")" after the subject string looks like a typo -- confirm the
# script actually runs.
add name=Send_ConfigFile_email owner=admin policy=read,write,test source="/system backup save name=email_backup
\r
\n/tool e-mail send file=email_backup.backup to="kretzarna@gmail.com" body="See attached backup file" su
bject="$[/system identity get name] $[/system clock get time] $[/system clock get date] RouterOS Backup
")\r
\n"
# Unattended upgrade every 12 h from whatever channel /system package update selects (release-candidate here).
# Consider pinning to channel=bugfix and reviewing changelogs before letting a script reboot the router.
add name=Auto_Update_RouterOS owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/system package update\r
\ncheck-for-updates once\r
\n:delay 1s;\r
\n:if ( [get status] = "New version is available") do={ install }"
# DuckDNS updater. The DuckDNS account token is embedded in plaintext (same disclosure concern as above --
# rotate it). The update is sent with /tool fetch mode=https but without check-certificate=yes, so the server
# certificate is not validated and an on-path attacker could capture the token; import the relevant CA and set
# check-certificate=yes. State is kept in ipstore.txt / duckdns-result.txt on the router's storage.
add name=UPDATE_DUCK_DNS owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source=":global actualIP value=[/ip address get [find where interface=ether1] value-name=address];\r
\n:global actualIP value=[:pick $actualIP -1 [:find $actualIP "/" -1] ];\r
\n:if ([:len [/file find where name=ipstore.txt]] < 1 ) do={\r
\n /file print file=ipstore.txt where name=ipstore.txt;\r
\n /delay delay-time=2;\r
\n /file set ipstore.txt contents="0.0.0.0";\r
\n};\r
\n:global previousIP value=[/file get [find where name=ipstore.txt ] value-name=contents];\r
\n:if ($previousIP != $actualIP) do={\r
\n :log info message=("Try to Update DuckDNS with actual IP ".$actualIP." - Previous IP are ".$previo
usIP);\r
\n /tool fetch mode=https keep-result=yes dst-path=duckdns-result.txt address=[:resolve www.duckdns.org] por
t=443 host=www.duckdns.org src-path=("/update?domains=kretzarna&token=17300a3e-5686-4bc0-a82a-eab0f73825f4
&ip=".$actualIP);\r
\n /delay delay-time=5;\r
\n :global lastChange value=[/file get [find where name=duckdns-result.txt ] value-name=contents];\r
\n :global previousIP value=$actualIP;\r
\n /file set ipstore.txt contents=$actualIP;\r
\n :if ($lastChange = "OK") do={:log warning message=("DuckDNS update successfull with IP ".$actualIP)
;};\r
\n :if ($lastChange = "KO") do={:log error message=("Fail to update DuckDNS with new IP ".$actualIP);}
;\r
\n};"
/system watchdog
# On a watchdog failure a supout.rif is mailed out automatically; supout files contain the full configuration
# and other sensitive data, so they go to whoever controls that mailbox and the path in between.
set auto-send-supout=yes send-email-to=kretzarna@gmail.com watch-address=8.8.8.8
/tool e-mail
# SMTP submission via a hard-coded Google IP with STARTTLS; the account password is not in this export. A fixed
# IP for a large provider tends to stop working without warning -- prefer the hostname. Whether this RouterOS
# build's e-mail client verifies the server certificate is not visible here, so do not rely on TLS alone to
# protect the weekly backup attachment.
set address=74.125.127.109 from=RouterOS@kretzarna.ddns.info port=587 start-tls=yes user=xxx.kretz@gmail.com
/tool graphing interface
add interface=bridge
add interface=wlan1
add interface=sfp1
/tool mac-server
# MAC-telnet / MAC-winbox restricted to the LAN-side lists (no ether1) -- good. Both lists include the guest
# radio, so guests can attempt MAC-level logins; remove wlan2 from mactel/mac-winbox if that is not intended.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
# Packet sniffer configured to write up to ~10 MB of WAN traffic to NetScan.pcap on the router's storage.
# Whether it is running is not part of the export; make sure it is stopped when not needed and old capture files
# are deleted, since they are readable by anyone with file access on the router.
set file-limit=10000KiB file-name=NetScan.pcap filter-interface=ether1
/tool traffic-monitor
# Both monitors have threshold=0 and no on-event script, so they never trigger anything -- inert.
add interface=ether1 name=MON_Received threshold=0 traffic=received
add interface=ether1 name=MON_TRANSMITTED threshold=0