If you’re using pppoe, then your dstnat rule should specify in-interface=pppoe-out1, not ether1-gateway.
And the same goes for your other rules, because currently your router’s WAN interface (pppoe-out1) is completely unprotected.
You also don’t need filter rule #1 at all, because forwarded ports don’t go to input chain, they go to forward. So they get accepted by rule #8, but they would pass even without that, because you have no default drop rule at the end, so everything is allowed by default.
Your config still has some flaws, but the forwarded port should work, so let’s focus on that first. Some ideas:
Do you have public address on your router?
Do you test it from same LAN where 192.168.88.2 is, or from somewhere else on internet?
Do you use WinBox or WebFig? If not, try them (I suggest WinBox), they have very useful live counters for each firewall rule, so you can immediately see if they catch some packet when you test it (you’re interested in your dstnat rule).
Does firewall on 192.168.88.2 allow incoming connections to tcp/999 from anywhere?
- Your current port forwarding rule will not work from same LAN, you have to test from outside (it’s possible to make it work from LAN too if you want, but better make it work from outside first).
- WebFig is fine too, it also has packet counters for each rule and almost everything that WinBox has.
- Speaking about counters, did you check if your dstnat rule catches something?
- You can also use Tools->Torch, set filter to tcp/999 and watch if you see your test connections reaching your WAN interface. If they do, change interface to LAN and check if they pass through router.
I don’t think RouterOS config is complicated. Maybe a little if someone comes from the simple home router world where they did not need to know much about anything. But if you’re thinking about OpenWRT, then RouterOS can’t be too hard for you. It’s still Linux with iptables, only in a much more admin-friendly package. For me, when I first discovered RouterOS + WinBox, it was a dream come true.
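
The corrections from the first reply above, written out as an added example (not the original poster's config and not part of the thread). The interface names, 192.168.88.2 and tcp/999 come from the thread; the same external and internal port, the rule order and the comments are assumptions.

```routeros
# Added example. Assumed: port 999 outside maps to port 999 inside,
# and these rules replace the existing filter rules in this order.

/ip firewall nat
# Before (as described in the thread): the rule matched the physical port.
# With PPPoE, IP traffic from the internet arrives on pppoe-out1,
# so this rule's counters stay at zero:
#   add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=999 \
#       action=dst-nat to-addresses=192.168.88.2 to-ports=999
# After: match the PPPoE client interface.
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=999 \
    action=dst-nat to-addresses=192.168.88.2 to-ports=999 \
    comment="forward tcp/999 to 192.168.88.2"

/ip firewall filter
# input chain: traffic addressed to the router itself.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface=pppoe-out1 action=drop \
    comment="drop everything else arriving from WAN"

# forward chain: traffic passing through the router.
# Forwarded ports are handled here, not in input.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=pppoe-out1 connection-nat-state=dstnat \
    action=accept comment="allow only dst-natted connections from WAN"
add chain=forward in-interface=pppoe-out1 action=drop \
    comment="default drop for new connections from WAN"

# Check the counters after a test connection from outside the LAN.
/ip firewall nat print stats
/ip firewall filter print stats
```

If the dstnat counter increases but the connection still fails, the remaining suspect is the host firewall on 192.168.88.2.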