Your dst-address and your to-address are the same.
The dst-address should be your router WAN port address and the to-address should be the “inside” address of the system that is hosting the service.
EITHER you want to host services ON THE ROUTER (hence you open 80 and 443 on your router to the whole wide world)
OR
You port forward to a server on your LAN handling port 80 and 443.
Which is it?
I suspect servers on the LAN, and thus remove the input chain rules for 80, 443.
++++++++++++++++++++++++++
Previous poster is bang on.
Think about it!! The local private dst-address (of the server) is NEVER on incoming traffic. The only dst address on incoming traffic is the address of the Router itself, the WANIP!!
It's the router's job to identify where the traffic should go based on Destination Port.
If there is no valid destination port identified, the traffic is dropped.
If there is a valid destination port (as identified by the router on the incoming traffic), then the router knows WHERE locally to send such traffic, the TO ADDRESS!!
Note if the dst-port and to-port are identical (no port translation needed), then the to-port need not be entered, as no entry implies same port.
Case A:
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Related" connection-state=established,related
add action=accept chain=forward comment="Allow Related" connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward dst-port=9987 in-interface=ether1WAN protocol=udp
add action=accept chain=forward dst-port=30033 in-interface=ether1WAN protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1WAN
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103
add action=dst-nat chain=dstnat dst-port=9987 in-interface=ether1WAN protocol=udp to-addresses=192.168.88.103
add action=dst-nat chain=dstnat dst-port=30033 in-interface=ether1WAN protocol=tcp to-addresses=192.168.88.103
Note: the WAN interface is not required on the firewall rule for dstnat, and think about it, if you happen to have LAN users also using the WANIP of the router to access the servers…
A. Post your latest config so I can see what you tried and failed.
Also, confirm that you have a public IP address, or that an upstream router gets a public IP and you can forward ports from it to the MikroTik.
It's very alarming to me, because it wasn't a matter of trying A or B, it was getting you to think about what your intent was, the actual requirement, and then to apply the correct config based on that.
Trying both means you didn't answer or understand the fundamental question. Blindly trying stuff is not fruitful.
Are you trying to reach the router on port 80 and 443?
OR are you trying to reach a server on the LAN via port 80 and 443???
One more time… and keep chains together, much easier to read and fix.
And remove all old rules!!
Check to make sure the firewall on the servers, or on the Windows OS that the server is on, is not blocking traffic…
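
A check for the two mistakes discussed in this thread (a dst-nat rule whose dst-address equals its to-addresses, and input-chain accepts for ports that are port-forwarded), as an added example that is not part of any post. The function names and the sample export are constructed for illustration, and 203.0.113.10 is a placeholder WAN address.

```python
import re
import shlex

# Constructed sample export (not from the thread). The first NAT rule repeats
# the reported mistake; 203.0.113.10 is a placeholder WAN address.
SAMPLE = r'''/ip firewall filter
add action=accept chain=input dst-port=80,443 protocol=tcp
add action=accept chain=forward connection-nat-state=dstnat
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.88.103 dst-port=80 \
    protocol=tcp to-addresses=192.168.88.103
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=443 \
    protocol=tcp to-addresses=192.168.88.103
'''

def parse_rules(export):
    """Yield (menu, params) for every 'add' line, joining backslash-wrapped lines."""
    menu = None
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)

def audit(export):
    """Return findings for the two mistakes discussed in the thread."""
    rules, findings, forwarded = list(parse_rules(export)), [], set()
    for menu, p in rules:
        if menu != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        proto, ports = p.get("protocol"), p.get("dst-port", "")
        forwarded |= {(proto, port) for port in ports.split(",") if port}
        if p.get("dst-address") and p["dst-address"] == p.get("to-addresses"):
            findings.append(f"dst-nat {proto}/{ports}: dst-address equals to-addresses "
                            f"({p['dst-address']}); use the WAN address or in-interface")
    for menu, p in rules:
        if menu != "/ip firewall filter" or p.get("chain") != "input":
            continue
        if p.get("action") != "accept":
            continue
        for port in p.get("dst-port", "").split(","):
            if (p.get("protocol"), port) in forwarded:
                findings.append(f"input accepts {p.get('protocol')}/{port}, which is also "
                                "port-forwarded; this rule only opens the router itself")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Port ranges such as `8000-8010` are compared as literal strings here, so a range is only matched against an identical range.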