Winbox NAT subtlety

I am in need of some clarification about the syntax to use in a Firewall / NAT rule.

I have this (typical for an Exchange server) rule:

That does not work as intended. Ports 25, 465, 587 and 2525 are forwarded to 172.16.100.20, but 443 ends up on the local router.

However, if I prepare a specific rule for 443 only, it works as expected.

I’m sure I am missing something and would be interested in understanding my mistake.

Check IP → Services → www-ssl and disable services or change port

Thanks - my “solution” (a separate rule for 443) works well enough as is.

What I’d like to understand is what is actually happening “behind the scenes”, so to speak. What do I do differently in setting up a single-port vs multi-port NAT rule?

It doesn’t make any sense. One port or multiple ports, it works the same. Check also your other rules, there must be something else influencing this.

And no, ports in IP → Services have nothing to do with this. Dstnat happens first, so even if some of the router’s services listen on the same ports, dstnat wins over that.

Well it might not make much sense but it is happening right in front of my eyes… 100% reproducible. I can switch between both states at will.

One thing of interest is that I use an SSTP server on said router (which is also on 443, I understand). I think it is somehow related.

No. :)

I’ll believe it only when I see the complete config and don’t find anything wrong in it. And even then I may blame it on witches or something.