Hi all
Assume the following network topology:
bridge_lan contains:
Mikrotik on 192.168.0.1
FTP server on 192.168.0.2
Desktop PC on 192.168.0.3
I am trying to intercept a TCP IP:port, for example 196.43.2.109:21, and redirect it to the local server (not the Mikrotik itself) for all clients on the same subnet as the target server.
Rule I am using:
/ip firewall nat add chain=dstnat dst-address=196.43.2.109 protocol=tcp dst-port=21 in-interface=bridge_lan action=dst-nat to-addresses=192.168.0.2 to-ports=21
The problem is, if I try to connect to 196.43.2.109:21 from the Desktop PC, the connection just times out, while 192.168.0.2:21 is directly accessible from both the Mikrotik and the Desktop PC, and both the desktop and the server have 192.168.0.1 (the Mikrotik) as their default route.
Adding the following masquerade rule does not help:
/ip firewall nat add chain=srcnat dst-address=192.168.0.2 protocol=tcp dst-port=21 action=masquerade
What I find interesting is that the DST-NAT rule will work if I add another public FTP server in the to-address field, such as 196.4.160.12. But it won’t redirect a local client to the local FTP server.
What am I doing wrong? Surely the Masquerade rule should make this work at least? But no...
Thanks & Regards
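To make the failure mode in this topology concrete, here is an added Python model of the packet flow; it is not code from the post or from MikroTik. It assumes the addresses from the post as constructed sample values, a single SYN/SYN-ACK exchange on port 21, and a simplified connection-tracking table. It shows that with a dst-nat rule alone the server answers the client directly across the LAN with source 192.168.0.2, which the client's socket (waiting for 196.43.2.109:21) never matches, so the attempt times out; when the hairpin path is also src-nat'ed to the router's address, the reply is forced back through the router, both translations are reversed, and the client sees the reply it expects.

```python
"""Model of hairpin (NAT loopback) packet flow on one LAN segment.

Added illustration, not code from the forum post or from MikroTik. It uses the
addresses from the post as constructed sample values and a simplified
connection-tracking table to show why a LAN client's connection to a
dst-nat'ed public ip:port fails when the target is a server on the same LAN
unless the hairpin path is also src-nat'ed (masqueraded).
"""
from dataclasses import dataclass, replace

ROUTER = "192.168.0.1"      # Mikrotik, default gateway of both LAN hosts
SERVER = "192.168.0.2"      # local FTP server
CLIENT = "192.168.0.3"      # desktop PC
PUBLIC = "196.43.2.109"     # intercepted public address from the post
LAN_PREFIX = "192.168.0."


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN" or "SYN-ACK"


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """dst-nat PUBLIC:21 -> SERVER:21, optionally masquerading LAN-originated hits."""

    def __init__(self, hairpin_srcnat: bool):
        self.hairpin_srcnat = hairpin_srcnat
        # reply 4-tuple (src, sport, dst, dport) -> original packet, like a conntrack entry
        self.conntrack: dict[tuple, Pkt] = {}

    def forward(self, p: Pkt) -> Pkt:
        # New connection hitting the dst-nat rule from the post.
        if p.flags == "SYN" and p.dst == PUBLIC and p.dport == 21:
            out = replace(p, dst=SERVER, dport=21)
            # Hairpin: client and server share the LAN, so rewrite the source too,
            # forcing the server's reply back through the router.
            if self.hairpin_srcnat and on_lan(p.src):
                out = replace(out, src=ROUTER)
            self.conntrack[(out.dst, out.dport, out.src, out.sport)] = p
            return out
        # Reply belonging to a tracked connection: undo both translations.
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack:
            orig = self.conntrack[key]
            return Pkt(orig.dst, orig.src, orig.dport, orig.sport, p.flags)
        return p


def server_reply(syn: Pkt) -> Pkt:
    """The FTP server answers whatever source address it saw on the SYN."""
    return Pkt(SERVER, syn.src, 21, syn.sport, "SYN-ACK")


def deliver_from_lan_host(p: Pkt, router: Router) -> Pkt:
    """A LAN host reaches same-subnet addresses directly via ARP; the router only
    sees the packet if it is addressed to the router or to an off-subnet address."""
    if p.dst == ROUTER or not on_lan(p.dst):
        return router.forward(p)
    return p  # direct delivery, the router never sees it


def simulate(hairpin_srcnat: bool) -> tuple[bool, tuple]:
    """Return (client_accepts_reply, 4-tuple the client actually received)."""
    router = Router(hairpin_srcnat)
    syn = Pkt(CLIENT, PUBLIC, 40000, 21, "SYN")
    syn_at_server = deliver_from_lan_host(syn, router)    # off-subnet -> via router
    synack = server_reply(syn_at_server)
    synack_at_client = deliver_from_lan_host(synack, router)
    received = (synack_at_client.src, synack_at_client.sport,
                synack_at_client.dst, synack_at_client.dport)
    # The client's socket is waiting for PUBLIC:21 -> CLIENT:40000.
    expected = (PUBLIC, 21, CLIENT, 40000)
    return received == expected, received


if __name__ == "__main__":
    for mode in (False, True):
        ok, got = simulate(mode)
        print(f"hairpin srcnat={mode}: client got SYN-ACK from {got[0]}:{got[1]} -> "
              f"{'accepted' if ok else 'unmatched, connection attempt times out'}")
```

The model deliberately ignores port rewriting, rule order and interface matching, all of which matter on a real router: a srcnat rule only helps the hairpin case if it actually matches the LAN-to-server packets after the dstnat translation has been applied, which is why the usual RouterOS guidance pairs the dstnat rule with a srcnat rule that explicitly matches the LAN source range and the server's private address.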