if you can, post the netmap rules and remove public ips from them, not sure if hide-sensitive will do that. Maybe you missed something or misunderstood how something works and someone else can spot it, can't troubleshoot with limited information.
*netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
netmap is a direct 1:1 mapping public to private there is no port choosing here that is in dst-nat.
You're not getting any traffic on the dst-nat rule for samba so the problem is in mangle since that is the packet flow.
Flow.png
If they count packets when you attempt the SMB connection, the issue is in your firewall; if they don't, your ISP is blocking the port whose rule does not count.
i wouldn't discard this, it's very possible if you are just been handed /24 bit address blocks and ISP knows you're corporate and might be unpatched.