[SOLVED] Having a tough time getting a rule sorted out.

OK, I have a number of services hosted on my home lan that are all working fine. My son asked for a Minecraft server, and I rolled one up for him. But for the life of me I cannot figure out what is broken here. And TBH, I am lost as to what is wrong.

I have no issues (manually checked each NAT forward) with other services.
On the LAN, all services are fine, meaning to me that the docker host is fine, and it's not a firewall issue there.

As for my rules. The long story short, I rigged up a /16 for my home lan for easy segmenting. 98.100.180.154 is my WAN IP. And 192.168.64.2 is the docker host (CentOS7).

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat comment="ssh : shadow" dst-address=98.100.180.154 dst-port=22002 protocol=tcp to-addresses=192.168.64.2 to-ports=22
add action=dst-nat chain=dstnat comment="Plex Media Server : shadow" dst-address=98.100.180.154 dst-port=32400 protocol=tcp to-addresses=192.168.64.2 to-ports=32400
add action=dst-nat chain=dstnat comment="emby : shadow" dst-address=98.100.180.154 dst-port=8096 protocol=tcp to-addresses=192.168.64.2
add action=dst-nat chain=dstnat comment="docker - csgo tcp" dst-address=98.100.180.154 dst-port=27014-27050 log=yes log-prefix="[csgo]" protocol=tcp to-addresses=\
    192.168.64.2
add action=dst-nat chain=dstnat comment="docker - csgo udp" dst-address=98.100.180.154 dst-port=2700-27050,4380,3478,4379,1500,3005,3101,28960 log=yes log-prefix="[csgo]" \
    protocol=udp to-addresses=192.168.64.2
add action=dst-nat chain=dstnat comment="cockpit : shadow" dst-address=98.100.180.154 dst-port=9090 protocol=tcp to-addresses=192.168.64.2
add action=dst-nat chain=dstnat comment="ssh : oberth" dst-address=98.100.180.154 dst-port=22793 protocol=tcp to-addresses=192.168.79.3 to-ports=22
add action=dst-nat chain=dstnat comment="docker - factorio " dst-address=98.100.180.154 dst-port=34197 protocol=udp to-addresses=192.168.64.2
add action=dst-nat chain=dstnat comment="docker - minecraft" dst-address=98.100.180.154 dst-port=25565 protocol=tcp to-addresses=192.168.64.2

Any tips would be greatly appreciated.
Thanks,
Andrew.
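As an added example (not from the thread or from RouterOS itself), a small Python audit of the pasted export: it parses the `/ip firewall nat` rules, lists what each dst-nat rule exposes behind the "drop all from WAN not DSTNATed" forward filter, and flags rules whose port list is wide, such as the 2700-27050 UDP range in the csgo rule. The sample export is constructed from the rules quoted above, and the 64-port threshold is an arbitrary assumption.

```python
# Added example, not from the thread: parse a RouterOS "/ip firewall nat" export,
# list what each dst-nat rule exposes, and flag rules that open wide port ranges.
import re
import shlex

# Constructed from the rules quoted in the post (abridged).
SAMPLE_EXPORT = r'''/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat comment="ssh : shadow" dst-address=98.100.180.154 dst-port=22002 protocol=tcp to-addresses=192.168.64.2 to-ports=22
add action=dst-nat chain=dstnat comment="docker - csgo udp" dst-address=98.100.180.154 dst-port=2700-27050,4380,3478,4379,1500,3005,3101,28960 log=yes log-prefix="[csgo]" \
    protocol=udp to-addresses=192.168.64.2
add action=dst-nat chain=dstnat comment="docker - minecraft" dst-address=98.100.180.154 dst-port=25565 protocol=tcp to-addresses=192.168.64.2
'''

def join_continuations(text):
    # RouterOS export wraps long lines with a trailing backslash and indents the rest.
    return re.sub(r"\\\n\s*", "", text)

def parse_rules(text):
    # Each "add ..." line becomes a dict of key=value options; shlex keeps quoted comments intact.
    rules = []
    for line in join_continuations(text).splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok))
    return rules

def port_count(spec):
    # Number of ports covered by a dst-port list such as "2700-27050,4380".
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        total += int(hi) - int(lo) + 1 if hi else 1
    return total

def audit_dstnat(text, max_ports=64):
    # Only dst-nat rules in the dstnat chain get past the "drop all from WAN not DSTNATed"
    # forward filter, so those are the WAN-reachable ports worth reviewing.
    findings = []
    for r in parse_rules(text):
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        n = port_count(r["dst-port"])
        findings.append({"comment": r.get("comment", ""), "proto": r.get("protocol", "any"),
                         "dst_port": r["dst-port"], "ports": n, "wide": n > max_ports,
                         "to": r.get("to-addresses", "?") + ":" + r.get("to-ports", r["dst-port"])})
    return findings

if __name__ == "__main__":
    for f in audit_dstnat(SAMPLE_EXPORT):
        flag = "WIDE " if f["wide"] else ""
        print(f'{flag}{f["proto"]}/{f["dst_port"]} -> {f["to"]}  ({f["comment"]})')
```

A rule flagged WIDE is worth a second look: in the export above the csgo UDP rule covers over twenty thousand ports, far more than the game needs.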

https://wiki.mikrotik.com/wiki/Hairpin_NAT

Thanks for the reply, but that is not addressing my actual issue. The service in question (Minecraft) is inaccessible to anyone outside the LAN. The other services all work perfectly.

My nmap says it’s open:

Host is up (0.16s latency).
PORT      STATE SERVICE
25565/tcp open  minecraft

You know, you made me feel nice and stupid. Out of all my years of dealing with oddball stuff – I forgot to do a simple port scan on the WAN side of things. But that did get me thinking that something was clogged up somewhere.

Just rebuilt the docker container. Seems to be working. So unless I must up my tithing to the Red Hat gods, we are good. I did look at my iptables, and firewalld conf and they were good before. But something with regards to whatever docker does to destroy and recreate the network stuff seems to have done the trick.

Thanks immensely for saving me a big hassle of whatever I may have done trying in vain to make this work.