Wrong rule order? All rules present but nothing passes

Hi
So I swapped the router for a new RB4011, but despite all the research I have done, I still struggle to get specific services running. I do have all the rules in place, but they might be in the wrong order… or the input/output interface might be required, or not… Basically, port 25 is blocked, a softVPN doesn't connect (1196 to 1203) and the VoIP SIP doesn't work either (5060 and 5061).
softVPN: 192.168.0.146 / VoIP SIP: 192.168.0.30 / email IP cam: 192.168.0.128 and email PC: 192.168.0.62
WAN modem on ether1, DNS 192.168.1.120 / bridge subnet & RB4011: 192.168.0.1

firewall filter rules:

 0    chain=input action=accept connection-state=established,related 

 1    chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix="" 

 2    ;;; softVPN
      chain=input action=accept protocol=tcp dst-port=1196-1203 log=no 
      log-prefix="" 

 3    ;;; Allow incoming email
      chain=forward action=accept protocol=tcp dst-port=25 

 4    ;;; voiptest
      chain=forward action=accept protocol=tcp src-port=12700-65500 log=no 
      log-prefix="" 

 5    chain=forward action=accept protocol=tcp dst-port=5060-5061 log=no 
      log-prefix="" 

 6    chain=input action=accept protocol=tcp in-interface=ether1 
      src-port=5060-5061 log=no log-prefix="" 
 7    chain=forward action=accept connection-state=established,related 

 8    ;;; Allow LAN access to move through the router
      chain=forward action=accept connection-state=new in-interface=ether1 

 9    ;;;  ^ that originated from LAN -new connection
      chain=forward action=accept connection-state=established log=no 
      log-prefix="" 

10    ;;; Add a filter exception for port mapped server
      chain=forward action=accept protocol=tcp in-interface-list=WAN 
      dst-port=25 log=no log-prefix="" 

11    ;;; Allow LAN access to the router itself
      chain=input action=accept connection-state=new in-interface=ether1 

12    ;;; email ipCam
      chain=forward action=accept protocol=tcp in-interface=ether1 
      dst-port=25,110 log=no log-prefix="" 

13    ;;;  ^^ that originated from LAN
      chain=input action=accept connection-state=established 
14    ;;; Allow ping ICMP from anywhere
      chain=input action=accept protocol=icmp 

15    ;;; IPcam
      chain=forward action=accept protocol=tcp src-address=192.16
      src-port=8000 log=no log-prefix="" 

16    chain=input action=accept protocol=tcp dst-port=1197,1198 l
      log-prefix="" 

17    ;;; L2TP/IPSEC
      chain=input action=accept protocol=udp dst-port=500 

18    ;;; L2TP/IPSEC
      chain=input action=accept protocol=udp dst-port=4500 

19    ;;; L2TP
      chain=input action=accept protocol=udp dst-port=1701 

20    ;;; defconf: accept forward established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

21    ;;; Plex Ports - TCP
      chain=forward protocol=tcp dst-port=3005,8324,32469 

22    ;;; Plex Ports - TCP
      chain=forward protocol=udp dst-port=1900,5353,32412-32414

-=-=-=-
NAT:

 0    chain=srcnat action=masquerade out-interface-list=WAN 

 1    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24 

 2 X  chain=dstnat action=dst-nat to-addresses=192.168.0.30 protocol=tcp 
      in-interface=ether1 dst-port=5060-5061 log=no log-prefix="" 

 3    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 4    ;;; Voip set
      chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=5060-5061 
      protocol=udp dst-port=5060-5061 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=5060-5061 
      protocol=udp in-interface=ether1 dst-port=12700-65500 log=no log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=5060-5061 
      protocol=udp in-interface=bridge1 dst-port=5060-5061 log=no log-prefix="" 

 7    ;;; tstrange
      chain=dstnat action=dst-nat to-addresses=192.168.0.30 protocol=tcp 
      in-interface=ether1 dst-port=1200-65500 log=no log-prefix="" 

 8    ;;; email ipCam
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=25 
      protocol=tcp in-interface=ether1 dst-port=53,80,25,110 log=no 
      log-prefix="" 

 9    ;;; Create an incoming port map rule
      chain=dstnat action=dst-nat to-addresses=192.168.0.62 to-ports=25 
      protocol=tcp dst-port=25 log=no log-prefix="" 

10    ;;; Pc Softvpn
      chain=srcnat action=masquerade dst-address=192.168.0.146 log=no 
      log-prefix="" 

11  D ;;; upnp 192.168.0.128: IPC_Control
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=8000 
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=8000 

12  D ;;; upnp 192.168.0.128: IPC_HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=80 
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=81 

13  D ;;; upnp 192.168.0.128: IPC_RTSP
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=554 
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=

14  D ;;; upnp 192.168.0.128: IPC_CIVIL_CMD
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=9010
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=

15  D ;;; upnp 192.168.0.128: IPC_CIVIL_STREAM
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=9020
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=

16  D ;;; upnp 192.168.0.128: IPC_RTSPTCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=8200
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=

17    ;;; WebServ
      chain=dstnat action=netmap to-addresses=192.168.0.25 to-ports=80 
      protocol=tcp in-interface=ether1 dst-port=80 

18    ;;; mailipCam
      chain=dstnat action=netmap to-addresses=192.168.0.128 to-ports=25 
      protocol=tcp in-interface=ether1 dst-port=25

-=-=-

  • NAT rules 11 to 16 appear by themselves, created from the IP cam (UPnP).
    ** In Firewall Service Ports, I have disabled FTP and SIP / and in the IP Services list: api / api-ssl / ssh / ftp / telnet are disabled.
    I can ping all devices fine. nc / netstat on any PC confirms port 25 is not passing.
    Thanks in advance for helping me review this.

So I have checked further and put in a fairly basic rule set, I guess… But I still don't get why I can't get access to a softVPN (softVPN meaning any VPN software you install on a PC). And the weird thing is that, with this, at one point the VoIP phone started to work. I clicked to disable the filter rule to confirm it was the right filter rule. I put it back on and the VoIP cannot connect again.
I did a reboot. And now I cannot log in anymore via WinBox!!!
Quite bad… Any help?

1 add action=accept chain=input comment="S1: accept input established,related,untracked"   connection-state=established,related,untracked

2 add action=drop chain=input comment="S1: drop invalid" connection-state=invalid
3 add action=fasttrack-connection chain=forward comment="S1: fasttrack" connection-  state=established,related

4 add action=accept chain=input comment="S1: OpenVPN" protocol=tcp dst-port=1194

add action=accept chain=input comment="ss: softVPN" protocol=tcp dst-port=1197

5 add action=accept chain=input comment="Voip" protocol=tcp dst-port=5060-5061

6 add action=accept chain=input comment="ipCam mail" protocol=tcp dst-port=25

7 add action=accept chain=input comment="S1: L2TP/IPSEC" dst-port=500 protocol=udp

8 add action=accept chain=input comment="S1: L2TP/IPSEC" protocol=ipsec-esp

9 add action=accept chain=input comment="S1: L2TP/IPSEC" dst-port=4500 protocol=udp

10 add action=accept chain=input comment="S1: L2TP" dst-port=1701 protocol=udp

11 add action=accept chain=forward comment="S1: accept forward established,related, untracked"    connection-state=established,related,untracked

12 add action=drop chain=forward comment="S1: drop invalid" connection-state=invalid

13 add action=drop chain=input comment="S1: drop all du WAN not DSTNATed" connection-nat-state=!   dstnat connection-state=new in-interface-list=WAN

NAT:

0    chain=srcnat action=masquerade out-interface-list=WAN 
 6    chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=5060-5061 
      protocol=udp in-interface=bridge1 dst-port=5060-5061 log=no log-prefix=""

I was able to load an old config and WinBox came back up. I'm pretty sure fasttrack does something bad… Here are the rules present now that I cannot figure out:

Firewall filter flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept connection-state=established,related 

 1 X  ;;; S1: accept input established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no 
      log-prefix="" 

 2    chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix="" 

 3    chain=input action=accept protocol=tcp dst-port=1196 log=no log-prefix="" 

 4    chain=input action=accept protocol=tcp in-interface=bridge1 src-port=5060-5061 
      log=no log-prefix="" 

 5 X  chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

 6 X  ;;; Allow LAN access to move through the router
      chain=forward action=accept connection-state=new in-interface=ether1 log=no 
      log-prefix="" 

 7    ;;; S1: drop invalid
      chain=input action=drop connection-state=invalid 

 8    ;;; Allow LAN access to the router itself
      chain=input action=accept connection-state=new in-interface=ether1 

 9    ;;;  ^^ that originated from LAN
      chain=input action=accept connection-state=established 

10    ;;; Allow ping ICMP from anywhere
      chain=input action=accept protocol=icmp 

11 X  ;;; IPcam
      chain=forward action=accept protocol=tcp src-address=192.168.0.128 
      src-port=8000 log=no log-prefix="" 

12    ;;; ss: softVPN
      chain=input action=accept protocol=tcp dst-port=1197-1202 log=no log-prefix="" 

13    ;;; ipCam mail
      chain=input action=accept protocol=tcp dst-port=25 

14    ;;; Voip
      chain=input action=accept protocol=tcp dst-port=5060-5061 

15 X  ;;; Plex Ports - TCP
      chain=forward action=accept protocol=tcp dst-port=3005,8324,32469 log=no 
      log-prefix="" 

16 X  ;;; Plex Ports - TCP
      chain=forward action=accept protocol=udp dst-port=1900,5353,32412-32414 log=no 
      log-prefix="" 

17    ;;; L2TP/IPSEC
      chain=input action=accept protocol=udp dst-port=500 

18    ;;; L2TP/IPSEC
      chain=input action=accept protocol=ipsec-esp 

19    ;;; L2TP/IPSEC
      chain=input action=accept protocol=udp dst-port=4500 

20    ;;; L2TP
      chain=input action=accept protocol=udp dst-port=1701 

21    ;;; S1: accept forward established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

22 X  ;;;  ^ that originated from LAN -new connection
      chain=forward action=accept connection-state=established log=no log-prefix="" 

23    ;;; Add a filter exception for port mapped server
      chain=forward action=accept protocol=tcp dst-address=192.168.0.128 dst-port=25 
      log=no log-prefix="" 

24 X  ;;; voiptest
      chain=forward action=accept protocol=tcp src-port=12700-65500 log=no 
      log-prefix="" 

25    chain=forward action=accept protocol=tcp dst-port=5060-5061 log=no log-prefix="" 

26    ;;; S1: drop invalid
      chain=forward action=drop connection-state=invalid

-=-=-
NAT:

 0    chain=srcnat action=masquerade out-interface-list=WAN 

 1    ;;; masq. vpn traffic
      chain=srcnat action=masquerade src-address=192.168.89.0/24 

 2 X  chain=dstnat action=dst-nat to-addresses=192.168.0.30 protocol=tcp 
      in-interface=bridge1 dst-port=5060-5061 log=no log-prefix="" 

 3 X  chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

 4    ;;; tstrange
      chain=dstnat action=dst-nat to-addresses=192.168.0.30 protocol=tcp 
      in-interface=ether1 dst-port=1200-65500 log=no log-prefix="" 

 5 X  ;;; Voip set
      chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=5060-5061 
      protocol=udp dst-port=5060-5061 log=no log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=192.168.0.30 to-ports=5060-5061 
      protocol=udp in-interface=bridge1 dst-port=12700-65500 log=no log-prefix="" 

 7 X  chain=dstnat action=dst-nat to-addresses=192.168.0.30 protocol=udp 
      in-interface=bridge1 dst-port=5060 log=no log-prefix="" 

 8    ;;; Create an incoming port map rule-syntaxok
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=25 protocol=tcp 
      dst-port=25 log=no log-prefix="" 

 9 X  ;;; Pc Softvpn
      chain=srcnat action=masquerade src-address=192.168.0.146 log=no log-prefix="" 

10  D ;;; upnp 192.168.0.128: IPC_Control
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=8000 
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=8000 

11  D ;;; upnp 192.168.0.128: IPC_HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=80 protocol=tcp 
      dst-address=192.168.1.120 in-interface=ether1 dst-port=32692 

12  D ;;; upnp 192.168.0.128: IPC_RTSP
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=554 
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=554 


13  D ;;; upnp 192.168.0.128: IPC_CIVIL_CMD
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=9010 
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=9010 

14  D ;;; upnp 192.168.0.128: IPC_CIVIL_STREAM
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=9020 
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=9020 

15  D ;;; upnp 192.168.0.128: IPC_RTSPTCP
      chain=dstnat action=dst-nat to-addresses=192.168.0.128 to-ports=8200 
      protocol=tcp dst-address=192.168.1.120 in-interface=ether1 dst-port=8200

Also, it is not just the VoIP (5060-5061): the mailbox on port 25 and the softVPN on 1197 don't work either… and the UPnP camera doesn't work on the local LAN either…