Here is my config:
[root@MikroTik] > /export hide-sensitive
# feb/20/2017 08:22:31 by RouterOS 6.38.1
# software id = IW7X-FBCR
#
# --- LAN bridge: wlan2, wlan5 and ether5 are attached below (/interface bridge port) ---
/interface bridge
add name=br-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether5 ] poe-out=off
# The WAN port does not advertise itself via MikroTik neighbor discovery.
/ip neighbor discovery
set ether1-wan discover=no
# ether2/ether3 are hardware-switched with ether5 as master-port; ether5 is the
# port that is a member of br-lan, so these two reach the bridge through it.
/interface ethernet
set [ find default-name=ether2 ] master-port=ether5 name=ether2-pc
set [ find default-name=ether3 ] master-port=ether5 name=ether3-tv
/interface ethernet switch
set 0 name=switch
# Single WPA2-PSK profile (dynamic-keys, no WPA1) shared by both radios.
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wpa2 supplicant-identity=""
# Both radios use the same SSID and security profile; WPS is disabled on both.
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-g/n channel-width=20/40mhz-Ce country=ukraine disabled=no distance=indoors frequency=auto \
frequency-mode=regulatory-domain hw-protection-mode=rts-cts mode=ap-bridge multicast-helper=full name=wlan2 security-profile=wpa2 ssid=MikroTik-hap wireless-protocol=\
802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=ukraine disabled=no distance=indoors \
frequency=auto frequency-mode=regulatory-domain hw-protection-mode=rts-cts mode=ap-bridge multicast-helper=full name=wlan5 security-profile=wpa2 ssid=MikroTik-hap \
wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set wlan2 enable-polling=no
set wlan5 enable-polling=no
/ip ipsec policy group
set
# NOTE(review): the default proposal still offers 3des and pfs-group=none; these
# are the weakest entries in the list and are only needed for legacy clients.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr,3des pfs-group=none
# pool-1 lies inside the br-lan subnet 172.16.69.0/27 (.1-.30, see /ip address).
# pool-vpn (.34-.44) lies OUTSIDE that /27 but inside the 172.16.69.0/26 used by
# the srcnat and /ip service address= restrictions below.
/ip pool
add name=pool-1 ranges=172.16.69.2-172.16.69.14
add name=pool-vpn ranges=172.16.69.34-172.16.69.44
/ip dhcp-server
add address-pool=pool-1 disabled=no interface=br-lan lease-time=1w name=dhcp-1
# "vpn" profile (ovpn/sstp): router side .33, clients from pool-vpn, DNS = router + 8.8.8.8.
# "l2tp" profile: both local and remote addresses drawn from pool-vpn, DNS = 8.8.8.8 only.
/ppp profile
add change-tcp-mss=yes dns-server=172.16.69.1,8.8.8.8 local-address=172.16.69.33 name=vpn remote-address=pool-vpn
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=pool-vpn name=l2tp remote-address=pool-vpn
# Logging action 3 ("remote") ships to the host 172.16.69.2; used by the dns topic under /system logging.
/system logging action
set 3 remote=172.16.69.2
/interface bridge port
add bridge=br-lan interface=wlan5
add bridge=br-lan interface=wlan2
add bridge=br-lan interface=ether5
# use-ip-firewall=yes: traffic bridged between br-lan members is also evaluated
# by /ip firewall, so the filter/nat rules below see LAN-to-LAN traffic too.
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set enabled=yes
# L2TP is only offered over IPsec (use-ipsec=yes); the matching peer is under /ip ipsec peer.
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp use-ipsec=yes
# OpenVPN on tcp/65535 with mandatory client certificates.
# NOTE(review): the cipher list still includes blowfish128 (64-bit block cipher);
# aes128/aes192/aes256 alone would be the stronger offer if all clients support it.
/interface ovpn-server server
set certificate=vpn-srv-cert cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn enabled=yes keepalive-timeout=30 port=65535 require-client-certificate=yes
# SSTP: no port= printed, so presumably at its default (443) — the input rule
# "vpn" below accepts tcp 443,65535 on the WAN for these two servers. Confirm.
/interface sstp-server server
set certificate=vpn-srv-cert default-profile=vpn enabled=yes
# WAN address redacted (xx.xx.xx.xx/27); LAN is 172.16.69.1/27 on the bridge.
/ip address
add address=xx.xx.xx.xx/27 interface=ether1-wan network=xx.xx.xx.xx
add address=172.16.69.1/27 interface=br-lan network=172.16.69.0
# Static ARP: .30 -> broadcast MAC, presumably so the "wol" dstnat rule below can
# deliver udp/9 as a LAN broadcast. Verify that this is intentional.
/ip arp
add address=172.16.69.30 interface=br-lan mac-address=FF:FF:FF:FF:FF:FF
# Fixed leases for the two hosts that also appear in /ip dns static (vmunix, tv).
/ip dhcp-server lease
add address=172.16.69.2 client-id=1:xx:xx:xx:xx:xx:xx mac-address=xx:xx:xx:xx:xx:xx server=dhcp-1
add address=172.16.69.4 client-id=1:xx:xx:xx:xx:xx:xx mac-address=xx:xx:xx:xx:xx:xx server=dhcp-1
/ip dhcp-server network
add address=172.16.69.0/27 dns-server=172.16.69.1,8.8.8.8 domain=lan gateway=172.16.69.1 netmask=27
# allow-remote-requests=yes makes the router a DNS resolver; the input chain below
# does not restrict udp/tcp 53 by interface, so this relies on the rule order there.
/ip dns
set allow-remote-requests=yes servers=172.16.69.1,8.8.8.8
/ip dns static
add address=172.16.69.1 name=mikrotik.lan
add address=172.16.69.2 name=vmunix.lan
add address=172.16.69.3 name=ps3.lan
add address=172.16.69.4 name=tv.lan
# --- Filter. Rules are evaluated top to bottom; first match wins. ---
# NOTE(review): "allow new connections" (chain=input, connection-state=new) has no
# in-interface= match, so it accepts new connections from ether1-wan as well.
# It sits ABOVE the three port-specific accepts (vpn, webfig-ssl, rossh) and the
# final "drop everything else in-interface=ether1-wan", so those rules never see
# a new WAN connection: every service the router listens on is reachable from the
# WAN at the filter layer, and only the /ip service address= lists still restrict
# access. Adding in-interface=!ether1-wan to the "allow new connections" rule
# would make the per-port accepts and the final drop effective.
# The forward chain has only the fasttrack/accept pair; no forward drop rules.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=input comment="allow established connections" connection-state=established
add action=accept chain=input comment="allow new connections" connection-state=new
add action=accept chain=input comment="allow related connections" connection-state=related
add action=accept chain=input comment="allow ICMP ping" protocol=icmp
add action=accept chain=input comment=vpn dst-port=443,65535 in-interface=ether1-wan protocol=tcp
add action=accept chain=input comment=webfig-ssl dst-port=8444 in-interface=ether1-wan protocol=tcp
add action=accept chain=input comment=rossh dst-port=8443 in-interface=ether1-wan protocol=tcp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=drop chain=input comment="drop everything else" in-interface=ether1-wan
# --- NAT ---
# srcnat masquerade covers 172.16.69.0/26, i.e. both the LAN /27 and the VPN pool.
# The second masquerade rule is the hairpin-NAT rule for LAN clients that reach the
# forwarded ports (tcp 4443,9999) via the WAN address; it is DISABLED. With it off,
# a LAN host hitting those ports gets its reply straight from 172.16.69.2 rather than
# back through the router — presumably related to the wired-PC symptom described
# below the config; confirm by enabling it.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan src-address=172.16.69.0/26
add action=masquerade chain=srcnat disabled=yes dst-address=!172.16.69.1 dst-port=4443,9999 out-interface=br-lan protocol=tcp src-address=172.16.69.0/26
# rossh: LAN connections to the router on tcp/22 are redirected to 8443, where SSH
# actually listens (see /ip service).
add action=netmap chain=dstnat comment=rossh dst-address=172.16.69.1 dst-port=22 in-interface=br-lan protocol=tcp to-addresses=172.16.69.1 to-ports=8443
# Port forwards from the WAN address: udp/9 (WOL) -> .30, udp 6881,6890-6999 -> .2,
# tcp 4443,6890-6999,9999 -> .2. These rules are ENABLED, which is why tcp/9999 is
# reachable from outside regardless of the disabled masquerade rule above.
add action=netmap chain=dstnat comment=wol dst-address=xx.xx.xx.xx dst-port=9 protocol=udp to-addresses=172.16.69.30 to-ports=9
add action=netmap chain=dstnat dst-address=xx.xx.xx.xx dst-port=6881,6890-6999 protocol=udp to-addresses=172.16.69.2
add action=netmap chain=dstnat dst-address=xx.xx.xx.xx dst-address-type="" dst-port=4443,6890-6999,9999 protocol=tcp to-addresses=172.16.69.2
# Passive responder for any peer (0.0.0.0/0), main-l2tp mode, peer-id validation
# skipped; 3des is again in the offered algorithms (see proposal note above).
/ip ipsec peer
add address=0.0.0.0/0 compatibility-options=skip-peer-id-validation enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes
# Web proxy on tcp/3128. enabled= is not printed, so presumably at its default
# (disabled) — confirm, since the input chain would accept it from the WAN.
/ip proxy
set max-client-connections=1000 max-server-connections=1000 port=3128
/ip route
add distance=1 gateway=xx.xx.xx.xx
# Management services. telnet/ftp/www/api/winbox are limited to 172.16.69.0/26
# (LAN + VPN pool) but remain enabled. ssh (8443) and www-ssl (8444) are moved
# off their default ports yet carry NO address= restriction; given the filter
# rule order noted above they are reachable from the WAN. api-ssl is disabled.
/ip service
set telnet address=172.16.69.0/26
set ftp address=172.16.69.0/26
set www address=172.16.69.0/26
set ssh port=8443
set www-ssl certificate=webfig port=8444
set api address=172.16.69.0/26
set winbox address=172.16.69.0/26
set api-ssl disabled=yes
# UPnP is enabled with ether1-wan as the external interface: any internal host can
# request its own port mappings on the WAN, independent of the static dstnat rules.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-wan type=external
add interface=ether2-pc type=internal
add interface=ether3-tv type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
add interface=br-lan type=internal
# VPN accounts (passwords omitted by /export hide-sensitive).
/ppp secret
add name=solnote profile=vpn
add name=iphone profile=vpn service=ovpn
/snmp
set trap-version=2
/system clock
set time-zone-name=Europe/Kiev
/system leds
add interface=br-lan leds=user-led type=interface-activity
# Only the dns topic is sent to the remote logging host (action 3 above).
/system logging
add action=remote topics=dns
/system ntp client
set enabled=yes server-dns-names=0.ua.pool.ntp.org,1.ua.pool.ntp.org,2.ua.pool.ntp.org,3.ua.pool.ntp.org
/system routerboard settings
set init-delay=0s silent-boot=yes
/system watchdog
set automatic-supout=no
# NOTE(review): hide-sensitive drops the password but not the SMTP user= value,
# which is a personal account name; redact it before sharing exports publicly.
/tool e-mail
set address=smtp.gmail.com from=mikrotik@home port=587 start-tls=yes user=sergey.bobrov83@gmail.com
# Graphing is allowed from the LAN /27 and 172.17.0.0/24; the VPN pool (.34-.44)
# falls outside 172.16.69.0/27 and is therefore not allowed here.
/tool graphing interface
add allow-address=172.16.69.0/27 store-on-disk=no
add allow-address=172.17.0.0/24 store-on-disk=no
/tool graphing resource
add allow-address=172.16.69.0/27 store-on-disk=no
add allow-address=172.17.0.0/24 store-on-disk=no
This is really strange because
add action=masquerade chain=srcnat disabled=yes dst-address=!172.16.69.1 dst-port=4443,9999 out-interface=br-lan protocol=tcp src-address=172.16.69.0/26
is in a disabled state and I can reach the NAT-ed port from outside.
From the work network to home:
[root@SolCGW1 ~]# telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
Connected to XX.XX.XX.XX.
Escape character is '^]'.
From a laptop connected to the MikroTik via VPN:
solnote-c6gk-2 ~ $ telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
Connected to XX.XX.XX.XX.
Escape character is '^]'.
^]
telnet> Connection closed.
As I mentioned before, I can reach this port from a wireless device,
BUT I can't from a wired PC:
vmunix ~ $ telnet XX.XX.XX.XX 9999
Trying XX.XX.XX.XX...
^C
What the hell???