Gents,

I am facing some issue with port forwarding through my mikrotik:

In case of public port is the same as internal (e.g. for rdp connection 3899-3899), it works perfectly.
But while publishing public port as not standard one, like 53899 and leaving internal as 3899 the connection fails. Although when I disable last firewall rule 'drop' all, the connection is fine.
Could you please advise what might be the reason firewall does not accept connection with non-standard port, however firewall rule for this port is in place and above 'all drop' rule.

Any ideas are appreciated

My current firewall export:

dec/07/2015 11:56:04 by RouterOS 6.33

/ip firewall address-list
add address=192.168.1.200 comment="My laptop" list=Internet
add address=192.168.1.3 comment="OpenWRT on MetaROUTER" disabled=yes list=Internet
add address=0.0.0.0/8 list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=192.168.0.0/16 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 list=BOGON
add address=240.0.0.0/4 list=BOGON

/ip firewall filter

add action=drop chain=input comment="drop ssh brute forcers" dst-port=22
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1h chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=20s chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=20s chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=20s chain=input connection-state=new dst-port=22
protocol=tcp
add action=drop chain=input comment=
"Drop packets from Bogon nets on ether1-gateway1" in-interface=
ether1-gateway1 src-address-list=BOGON
add action=drop chain=input comment=
"Drop packets from Bogon nets on ether2-gateway2" in-interface=
ether2-gateway2 src-address-list=BOGON
add chain=forward comment="Allow Ping My Network" protocol=icmp
add chain=input comment="Allow Ping Mikrotik" protocol=icmp
add chain=input comment="Accept established connections Mikrotik"
connection-state=established
add chain=forward comment="Accept established connections My Network"
connection-state=established
add chain=input comment="Accept related connections Mikrotik"
connection-state=related
add chain=forward comment="Accept related connections My Network"
connection-state=related
add action=drop chain=input comment="Drop invalid connections Mikrotik"
connection-state=invalid
add action=drop chain=forward comment="Drop invalid connections My Network"
connection-state=invalid
add chain=input comment="Access to router only from My Network" in-interface=
ether5-lan src-address=192.168.1.0/24
add chain=input comment="winbox, ssh" dst-port=58291,65022 protocol=tcp
add chain=forward comment="Internet access" src-address-list=
Internet
add chain=input comment="RDP" disabled=yes dst-port=3390 protocol=tcp
add chain=forward comment="RDP" dst-port=53389 protocol=tcp
add chain=input comment="VPN" port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=forward comment=VPN-LAN-VPN"
disabled=yes dst-address=192.168.1.0/24 src-address=10.10.10.0/24
add chain=forward disabled=yes dst-address=10.10.10.0/24 src-address=
192.168.1.0/24
add action=drop chain=input comment="All other drop" in-interface=!ether5-lan
add action=drop chain=forward comment="All other drop"

/ip firewall mangle

add action=mark-connection chain=prerouting comment=
"Traffic marking for ISP1 and ISP2" connection-mark=no-mark in-interface=
ether1-gateway1 new-connection-mark=ISP1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark
in-interface=ether2-gateway2 new-connection-mark=ISP2_conn passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_conn
new-routing-mark=to_ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP1_conn
new-routing-mark=to_ISP1 passthrough=no
add action=mark-packet chain=forward comment=
"Dynamic shaping for internet usage" dst-address-list=Internet
new-packet-mark=Internet-download
add action=mark-packet chain=forward new-packet-mark=Internet-upload
src-address-list=Internet

/ip firewall nat

add action=masquerade chain=srcnat comment=nat1-isp1 out-interface=
ether1-gateway1
add action=masquerade chain=srcnat comment=nat2-isp2 out-interface=
ether2-gateway2
add action=netmap chain=dstnat comment="Port fowarding to Video server"
dst-address=212.xx.xx.xx dst-port=8000 protocol=tcp to-addresses=
192.168.1.5 to-ports=8000
add action=netmap chain=dstnat comment="Port fowarding to CDS (SSH)"
dst-address=212.xx.xx.xx dst-port=65522 protocol=tcp to-addresses=
192.168.1.7 to-ports=65522
add action=netmap chain=dstnat comment="Port fowarding to RDP" dst-port=53389
protocol=tcp to-addresses=192.168.1.200 to-ports=3389

Hello, take a look at this rule and change it like this :

add chain=forward comment=“RDP” dst-port=53389 protocol=tcp

replace with this :
add chain=forward comment=“RDP” dst-port=3389 protocol=tcp


Regards,

Evince, thank you. It does work.
Could you please explain the reason of putting 3389 in firewall rather then 53389, since I initiate connection from outside through port 53389

Thank you again

Why Netmap rather than DST-NAT?

NAT happens before firewall filter.

So the port is changed to 3389 before it is processed by the firewall filter.

Thank you for explanation
That makes sence