Remove your full IP address everywhere, leave 91.xx.xx.xx in the photo and in the config text. Otherwise you can get regular bot attacks.
What service are you trying to run on this port?
Checking whether a specific port is open through such sites does not always give the right result. Try changing UDP to TCP for the check, and use some widespread service.
From the local network, access to the external IP does not work either; if that is needed, you have to configure hairpin NAT.
If incoming port is the same as outgoing then you do not need to specify it in the output.
Disable this rule, it is unnecessary:
add action=masquerade chain=srcnat comment=forum out-interface=bridge
What I find confusing is the WAN situation. I thought PPPoE provides a dynamic WANIP.
Please confirm as that very much drives correct config formats for rules…
If it's a fixed static WANIP, quite correct never show it in full.
If not, then don't show any WANIP address as it's not relevant.
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" dst-address=91.XX dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.101 to-ports=7777
One should have either (NOT BOTH):
a. dst-address for a static/fixed WANIP
b. in-interface-list=WAN for a dynamic WANIP
c. dst-address-list=MYIPCLOUD for dynamic WANIP with a hairpin NAT scenario.
Then try some online port tester, even for different ports that you don’t forward anywhere, and see if anything gets logged (= connection attempts from internet reached your router).
Thank you for your response. Please explain again. What should I do?
Let’s imagine from scratch that I have an ip to access the internet: 123.123.1.10.
The RouterOS router has the factory settings.
I want to open the virtual machine port: 192.168.88.101.
What would you do?
Two things… okay three things…
If users are in the same subnet and need to reach the server via the WANIP domain name, then you need a hairpin NAT rule.
Also need to change forward chain rule…
From
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
FROM
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=forum out-interface=bridge
# 192.168.88.101 correct for Virtual Machine
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" dst-address=91.92.2.111 dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.101 to-ports=7777
TO
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" dst-address=fixedWANIP dst-port=7777 protocol=udp to-addresses=192.168.88.101
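The three NAT points raised in this thread (one WAN matcher per dst-nat rule, a subnet-scoped hairpin rule, no blanket masquerade on the bridge) can be checked mechanically against an exported rule set. The Python script below is an added example, not code from any poster or from MikroTik; the sample rules are constructed from the thread's FROM block with the documentation address 203.0.113.10 standing in for the WAN IP, and the finding names are hypothetical.

```python
import shlex

LAN = "192.168.88.0/24"  # LAN subnet used in the thread
WAN_MATCHERS = ("dst-address", "in-interface-list", "dst-address-list")
# Constructed sample modelled on the thread's FROM rules; 203.0.113.10 is a
# documentation address standing in for the fixed WAN IP (assumption).
SAMPLE = """/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=forum out-interface=bridge
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" \\
    dst-address=203.0.113.10 dst-port=7777 in-interface-list=WAN protocol=udp \\
    to-addresses=192.168.88.101 to-ports=7777
"""

def parse_rules(text):
    """Parse the 'add key=value ...' lines of a RouterOS export into dicts."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        tokens = shlex.split(line, comments=True)        # keeps quoted comments whole
        if tokens[:1] == ["add"]:
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def audit_nat(rules, lan=LAN):
    """Return (finding, rule comment) pairs for the NAT points made in the thread."""
    findings = []
    masq = [r for r in rules if r.get("chain") == "srcnat" and r.get("action") == "masquerade"]
    hairpin = any(r.get("src-address") == lan and r.get("dst-address") == lan for r in masq)
    for r in masq:  # masquerade on the whole bridge, not scoped to the LAN subnet
        if r.get("out-interface") == "bridge" and "src-address" not in r:
            findings.append(("broad-masquerade", r.get("comment", "")))
    for r in rules:
        if r.get("action") != "dst-nat":
            continue
        used = [m for m in WAN_MATCHERS if m in r]
        if len(used) != 1:  # the thread's rule: one WAN matcher, not both
            findings.append(("wan-matcher", r.get("comment", "")))
        elif used[0] != "in-interface-list" and not hairpin:
            findings.append(("no-hairpin", r.get("comment", "")))
    return findings

if __name__ == "__main__":
    for kind, rule in audit_nat(parse_rules(SAMPLE)):
        print(f"{kind}: {rule}")
```

The `no-hairpin` finding only matters when LAN clients must reach the server through the WAN address, which is the condition the thread attaches to the hairpin rule.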