Why doesn't the port open?

delete this:
add action=masquerade chain=srcnat comment=forum out-interface=bridge

and test whether everything works from outside your network.

You must use another internet connection to test whether it is working, or you end up in the hell of hairpin NAT & co.

(and also you must be sure that the ports on vmachine are correct)

And also be sure that your ISP does not block the port…

Remove your full IP address everywhere, leave 91.xx.xx.xx in the photo and in the config text. Otherwise you can get regular bot attacks.
What service are you trying to run on this port?
Checking whether a specific port is open through websites does not always give the right result. Try changing UDP to TCP for the check, with some widespread service.
Access from the local network to the external IP does not work either; if that is needed, you have to configure hairpin NAT.
If the incoming port is the same as the outgoing one, then you do not need to specify it in the output.

Disable the rule, it is unnecessary:
add action=masquerade chain=srcnat comment=forum out-interface=bridge

What I find confusing is the WAN situation. I thought PPPoE provides a dynamic WANIP.
Please confirm as that very much drives correct config formats for rules…
If it's a fixed static WANIP, quite correct, never show it in full.
If not, then don't show any WANIP address as it's not relevant.


add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" dst-address=91.XX dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.101 to-ports=7777

One should have either (NOT BOTH):
a. dst-address for a static/fixed WANIP
b. in-interface-list=WAN for a dynamic WANIP
c. dst-address-list=MYIPCLOUD for dynamic WANIP with a hairpin NAT scenario.

Note: to-ports not required if same as dst-port.

It seems mostly fine. In addition to the previous (^^^), you can try adding a temporary logging rule, either for a specific port:

/ip firewall mangle
add chain=prerouting in-interface=pppoe-out1 protocol=udp dst-port=7777 connection-state=new action=log log-prefix=new-incoming

Or a broad one for all:

/ip firewall mangle
add chain=prerouting in-interface=pppoe-out1 connection-state=new action=log log-prefix=new-incoming

Then try some online port tester, even for different ports that you don’t forward anywhere, and see if anything gets logged (= connection attempts from internet reached your router).

Thank you for your response. Please explain again. What should I do?
Let’s imagine from scratch that I have an ip to access the internet: 123.123.1.10.
The RouterOS router has the factory settings.
I want to open the virtual machine port: 192.168.88.101.
What would you do?

/ip firewall nat
add action=dst-nat chain=dstnat comment="virtual machine" dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.101


PS Provided the client only connects from an external network

Two things… okay three things…
If users are in the same subnet and need to reach the server via the WANIP domain name, then you need a hairpin NAT rule.

Also need to change forward chain rule…
From
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

FROM
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=forum out-interface=bridge
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" dst-address=91.92.2.111 dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.101 to-ports=7777 #192.168.88.101 correct for Virtual Machine

TO
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" dst-address=fixedWANIP dst-port=7777 protocol=udp to-addresses=192.168.88.101
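
The points raised in the replies above can be checked mechanically against an exported NAT rule set. The following is an added example, not part of any post in this thread: a small Python linter that applies the thread's guidance to one-rule-per-line `add ...` text. The function names are hypothetical and the WAN address in the sample is a constructed placeholder (203.0.113.10).

```python
import shlex

# Constructed sample: the rules quoted in the thread, one per line, with the
# WAN address replaced by a documentation-range placeholder.
SAMPLE = '''
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=forum out-interface=bridge
add action=dst-nat chain=dstnat comment="Open port 7777 for CT101" dst-address=203.0.113.10 dst-port=7777 in-interface-list=WAN protocol=udp to-addresses=192.168.88.101 to-ports=7777
'''

def parse_rule(line):
    """Split one 'add key=value ...' line into a dict, honouring quoted values."""
    tokens = shlex.split(line)
    return dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def lint(config):
    """Return (rule_number, message) findings for the points made in the thread."""
    findings = []
    for n, line in enumerate(config.strip().splitlines(), 1):
        if not line.startswith("add "):
            continue
        # Forum rendering turns "..." into typographic quotes, which break pasting.
        if any(q in line for q in "“”"):
            findings.append((n, "typographic quotes; RouterOS needs straight quotes"))
        r = parse_rule(line)
        if r.get("action") == "dst-nat":
            # Thread guidance: match on dst-address OR in-interface-list, not both.
            if "dst-address" in r and "in-interface-list" in r:
                findings.append((n, "dst-address and in-interface-list both set; use one"))
            # Thread guidance: to-ports is redundant when equal to dst-port.
            if "to-ports" in r and r["to-ports"] == r.get("dst-port"):
                findings.append((n, "to-ports equals dst-port; it can be omitted"))
        # Thread guidance: drop the blanket masquerade on the LAN bridge; the
        # hairpin rule matches the LAN subnet as both source and destination.
        if (r.get("action") == "masquerade" and r.get("out-interface") == "bridge"
                and not ("src-address" in r and "dst-address" in r)):
            findings.append((n, "masquerade on the LAN bridge without src/dst subnet match"))
    return findings

if __name__ == "__main__":
    for n, msg in lint(SAMPLE):
        print(f"rule {n}: {msg}")
```

Run against the sample, it reports the bridge masquerade in rule 2 and both dst-nat matcher points in rule 3; the corrected rule set from the last reply produces no findings.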