I briefly had success when I added a rule for connection-nat-state=dstnat in front of my drop invalid packets rule, but I can't seem to recreate it.
I changed the standard "Accept established connection packets" rule from input->forward, which I also think was part of the solution, but everything got really slow (I assume forward is much more CPU-intensive than input) and I had to change it back.
I can see a packet in the NAT rule when I tell Plex to attempt RETRY, and a few packets hit my connection-nat-state=dstnat rule, but it doesn't succeed.
I'm going cross-eyed looking at all the forum messages and wiki entries with variations of a theme...
> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; Drop new connections from internet which are not dst-natted
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether24-wan log=no log-prefix=""

 1    ;;; Accept packets for dst-nat connections
      chain=forward action=accept connection-state="" connection-nat-state=dstnat protocol=tcp in-interface=ether24-wan log=no log-prefix=""

 2    ;;; Drop invalid connection packets
      chain=input action=drop connection-state=invalid log=no log-prefix=""

 3    ;;; Drop external DHCP requests
      chain=input action=drop protocol=udp dst-port=68 log=no log-prefix=""

 4    ;;; Detect and drop port scan attempts
      chain=input action=drop protocol=tcp psd=21,3s,3,1 log=no log-prefix=""

 5    ;;; Detect DoS attack
      chain=input action=add-src-to-address-list connection-limit=10,32 protocol=tcp address-list=black_list address-list-timeout=23h59m log=no log-prefix=""

 6    ;;; Supress DoS attacks
      chain=input action=tarpit connection-limit=3,32 protocol=tcp src-address-list=black_list log=no log-prefix=""

 7    ;;; Block incoming DNS requests (udp)
      chain=input action=drop protocol=udp in-interface=ether24-wan dst-port=53 log=no log-prefix=""

 8    ;;; Block incoming DNS requests (tcp)
      chain=input action=drop protocol=tcp in-interface=ether24-wan dst-port=53 log=no log-prefix=""

 9    ;;; Accept established connection packets
      chain=input action=accept connection-state=established log=no log-prefix=""

10    ;;; Accept related connection packets
      chain=forward action=accept connection-state=related log=no log-prefix=""

11    ;;; Allow connections that originated from LAN
      chain=forward action=accept connection-state=related

12    ;;; Whitelist addresses that should have full access
      chain=input action=accept src-address-list=admin-access log=no log-prefix=""

13    ;;; Log everything else
      chain=input action=log log-prefix="DROP INPUT"

14    ;;; Drop everything else
      chain=input action=drop