Port forwarding to support Netatmo

Hi All,
I’m having some issues getting my port forwarding working for a Netatmo Presence. A quick Google search turned up some requirement for UDP on ports 500 and 4500. I have obtained the IP and applied a static IP. I added 2 entries to the NAT table; however, this wasn’t sufficient. So, searching through the various posts here, I determined that my rules might be the issue. However, I suspect I have added some that may be contradictory and I’ve become somewhat lost in the process. The router had been working fine with the rules I’ve had in place for a couple of years. I’ve never really required port forwarding and it was always about applying restrictive DNS entries for my kids. Anyway, I have grabbed an export and I was hoping someone here might spot the issues. I really appreciate any advice.

[superuser@MikroTik] /ip firewall> export
# nov/27/2019 18:46:21 by RouterOS 6.45.6
# software id = TVH9-PQU5
#
# model = 2011UiAS
# serial number = 75B80616B2A1
/ip firewall filter
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add chain=forward comment="Allow connections from the LAN" connection-state=new in-interface=\
    bridge1_LAN
add action=accept chain=forward connection-nat-state=dstnat
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=jump chain=forward disabled=yes jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=yes jump-target=udp protocol=udp
add action=jump chain=forward disabled=yes jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 \
    protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=reject chain=forward comment="drop facebook" content=facebook.com disabled=yes dst-port=\
    80,443 protocol=tcp reject-with=icmp-admin-prohibited src-address=192.168.10.5
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=WAN
add action=accept chain=forward connection-nat-state=dstnat dst-address=139.168.10.30 dst-port=500,4500 \
    protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=192.168.10.100-192.168.10.254 \
    to-addresses=192.168.10.50 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.10.100-192.168.10.254 \
    to-addresses=192.168.10.50 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=10578 in-interface=bridge1_LAN protocol=udp \
    to-addresses=192.168.10.162 to-ports=10578
add action=dst-nat chain=dstnat dst-port=4500 in-interface=bridge1_LAN protocol=udp to-addresses=\
    192.168.10.30 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 in-interface=bridge1_LAN protocol=udp to-addresses=\
    192.168.10.30 to-ports=500

Few things:

  1. Somehow this sounds suspicious to me:

I’m not sure what you did, but you do have a public static IP address for yourself from your ISP, it’s not just you doing something creative, right?

  2. Did your quick Google search find any official documentation? Because UDP ports 500 and 4500 are standard for IPsec, and I’d say quite unusual as something to forward to a device. It could be correct, but it would be good to know for sure.

  3. If you want to forward ports inside, in-interface=bridge1_LAN would be wrong, it should be in-interface= or dst-address= if you really have it.

  4. Your firewall is not very good. You first drop some bad subnets, then allow new connections from LAN, forwarded ports, established and related connections. The order could be improved, but ok. Then you have a useless rule for ports 500 and 4500, because those were already allowed by the previous rule allowing all forwarded ports. And then everything else is implicitly allowed, because the default action is accept.
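For reference, here is one way the points in the reply above could look when put together in RouterOS syntax. This is an added illustration, not the original poster's export or the replier's own text. It assumes the WAN-facing interface is the one named WAN in the export's input chain and that 192.168.10.30 is the device, and it leaves out the DNS redirects, the masquerade rule and the disabled per-protocol chains, which are unchanged from the export:

```routeros
# Added example (not from the original post): forward chain with an explicit final drop,
# and dst-nat rules that match on the WAN interface instead of the LAN bridge.
# Assumes the WAN interface is named "WAN" and the target host is 192.168.10.30.
/ip firewall filter
# Stateful accepts first: they match most packets, so cheap rules go at the top
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# Bogon drops, as in the export
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
# New connections from the LAN, and inbound connections that a dst-nat rule has rewritten
add chain=forward comment="Allow connections from the LAN" connection-state=new \
    in-interface=bridge1_LAN
add action=accept chain=forward comment="Allow forwarded ports" connection-nat-state=dstnat
# Explicit final drop, replacing the implicit accept the reply points out
add action=drop chain=forward comment="Drop everything else"

/ip firewall nat
# Only if the device really needs inbound UDP 500/4500: match the WAN side, not the LAN bridge
add action=dst-nat chain=dstnat comment="Netatmo UDP 500" dst-port=500 in-interface=WAN \
    protocol=udp to-addresses=192.168.10.30 to-ports=500
add action=dst-nat chain=dstnat comment="Netatmo UDP 4500" dst-port=4500 in-interface=WAN \
    protocol=udp to-addresses=192.168.10.30 to-ports=4500
```

The separate filter rule for ports 500 and 4500 from the export is dropped entirely: it is redundant with the connection-nat-state=dstnat accept, and its dst-address (139.168.10.30) does not even match the NAT target 192.168.10.30.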

Hi, thanks for taking the time to reply.

In response to your points:

  1. This was just my befuddled brain not working because I have a cold. I meant I have obtained the MAC address of the device and assigned a static IP. Sorry for the confusion.
  2. The official Netatmo support site has very limited information regarding the Presence product. It primarily focuses on DNS entries and wifi settings, and there is nothing in the documentation supplied around port requirements. I’m relying on a post on Reddit where someone was having similar issues getting this device to work. But you are right, I will email Netatmo support to get the exact details, but I guess there was perhaps a false expectation that port forwarding wasn’t working because the device can’t connect to the Netatmo servers.
  3. Ok, thanks, I’ll modify that.
  4. Yes, some help here would be appreciated. Some of the rules you mention were only added yesterday as I was trying different things. However, I did not intend to leave those changes there and was looking for advice as to what was needed. Case in point: "Then you have useless rule for ports 500 and 4500, because those were already allowed by previous rule allowing all forwarded ports". Well, yes, I had not cleaned up my previous attempts. In hindsight I probably should have presented my previous unedited version.