My Android media player cannot be rooted, so I cannot get Samba working on the default ports 139 and 445. I therefore want to forward traffic on the local LAN from port 139 to 1139 and from port 445 to 4455, but so far it has been unsuccessful.
All my LAN devices connect using wireless through a "RouterBOARD cAP Gi-5acD2nD" on the IP subnet 192.168.10.0/24. The Android media player uses IP 192.168.10.50 (fixed in DHCP).
I have the following firewall and NAT rules, yet I cannot connect to it from Windows / Linux:
Samba works as expected on the Android Media Player, as I can connect to the Shared folders from another Android device using Port 4455. Windows doesn't allow SMB to work on another port.
Firewall rules
NAT Rules
[admin@MikroTik] /ip firewall nat> /ip firewall export
# mar/17/2019 11:06:49 by RouterOS 6.43.8
# software id = MKII-15HB
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = xxx
# Filter table: input-chain accepts, two forward-chain accepts for the media player
# (192.168.10.50), then a drop for router-bound traffic that is not from the LAN list.
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# NOTE(review): both forward rules match on src-port=445 / src-port=139. An SMB client
# normally connects from an ephemeral source port to destination port 445 or 139, so a
# client-side src-port match is unlikely to ever hit; check the rule counters to confirm.
# No drop rule for chain=forward appears in this export, so forwarded traffic is not
# blocked here and these two accepts do not change the outcome.
add action=accept chain=forward dst-address=192.168.10.50 dst-port=4455 in-interface=bridge log=yes protocol=tcp src-port=445
add action=accept chain=forward dst-address=192.168.10.50 dst-port=1139 in-interface=bridge log=yes protocol=tcp src-port=139
# Drops traffic addressed to the router itself unless it arrived on an interface in the LAN list.
add action=drop chain=input in-interface-list=!LAN
/ip firewall mangle
# Disabled rule. NOTE(review): src-address=192.168.10.0 carries no prefix length, so it would
# match that single address rather than the /24; action=accept does not rewrite the packet.
add action=accept chain=prerouting disabled=yes dst-address=192.168.10.50 dst-port=4455 protocol=tcp src-address=192.168.10.0 src-port=139
/ip firewall nat
# Source NAT for traffic leaving through the WAN list and the LTE uplink.
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1-LTE
add action=masquerade chain=srcnat disabled=yes out-interface=ether2-PoeOut to-addresses=0.0.0.0
# Source NAT for LAN traffic (192.168.10.0/24) towards three other subnets.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.41.100.0/24 src-address=192.168.10.0/24
# Disabled earlier attempts at the srcnat rules that follow below.
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.50 dst-port=4455 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=445
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.50 dst-port=1139 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=139
# NOTE(review): this dst-nat matches dst-port=4455 with src-port=445 and rewrites to port 4455.
# Redirecting port 445 to 4455 would need a match on dst-port=445 and no src-port condition.
# dst-address-type=local matches only packets addressed to one of the router's own addresses,
# so clients would have to connect to the router's IP rather than to 192.168.10.50.
# Traffic sent directly to 192.168.10.50 inside the same bridged subnet presumably never
# reaches these chains unless the bridge is set to use the IP firewall; verify.
# in-interface=bridge keeps the redirect on the LAN side; keep that restriction so SMB is
# not reachable from the WAN interfaces.
add action=dst-nat chain=dstnat dst-address-type=local dst-port=4455 in-interface=bridge log=yes protocol=tcp src-port=445 to-addresses=192.168.10.50 to-ports=4455
# Masquerade for LAN clients reaching the player through the router, so replies return via
# the router. NOTE(review): the src-port=445 match has the same problem as above.
add action=masquerade chain=srcnat dst-address=192.168.10.50 dst-port=4455 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=445
# NOTE(review): this rule matches dst-port=1139 and src-port=1139, unlike the src-port=139
# used by the other port-139 rules; redirecting 139 to 1139 would need dst-port=139.
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1139 in-interface=bridge log=yes protocol=tcp src-port=1139 to-addresses=192.168.10.50 to-ports=1139
add action=masquerade chain=srcnat dst-address=192.168.10.50 dst-port=1139 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=139
Filter rules
[admin@MikroTik] /ip firewall nat> /ip firewall nat export
# mar/17/2019 11:07:42 by RouterOS 6.43.8
# software id = MKII-15HB
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = xxx
# NAT table only: srcnat masquerade rules plus two dst-nat rules aimed at 192.168.10.50.
/ip firewall nat
# Source NAT for traffic leaving through the WAN list and the LTE uplink.
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1-LTE
add action=masquerade chain=srcnat disabled=yes out-interface=ether2-PoeOut to-addresses=0.0.0.0
# Source NAT for LAN traffic (192.168.10.0/24) towards three other subnets.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.41.100.0/24 src-address=192.168.10.0/24
# Disabled earlier attempts at the srcnat rules that follow below.
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.50 dst-port=4455 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=445
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.50 dst-port=1139 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=139
# NOTE(review): matches dst-port=4455 with src-port=445 and rewrites to port 4455. An SMB
# client connects from an ephemeral source port to destination 445, so redirecting 445 to
# 4455 would need dst-port=445 and no src-port condition. dst-address-type=local matches
# only packets addressed to the router's own addresses, not to 192.168.10.50 directly.
# in-interface=bridge keeps the redirect on the LAN side; keep that restriction so SMB is
# not reachable from the WAN interfaces.
add action=dst-nat chain=dstnat dst-address-type=local dst-port=4455 in-interface=bridge log=yes protocol=tcp src-port=445 to-addresses=192.168.10.50 \
to-ports=4455
# Masquerade for LAN clients reaching the player through the router, so replies return via
# the router. NOTE(review): the src-port=445 match is unlikely to hit for client traffic.
add action=masquerade chain=srcnat dst-address=192.168.10.50 dst-port=4455 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=445
# NOTE(review): matches dst-port=1139 and src-port=1139, unlike the src-port=139 used by
# the masquerade rule below; redirecting 139 to 1139 would need dst-port=139.
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1139 in-interface=bridge log=yes protocol=tcp src-port=1139 to-addresses=192.168.10.50 \
to-ports=1139
add action=masquerade chain=srcnat dst-address=192.168.10.50 dst-port=1139 log=yes protocol=tcp src-address=192.168.10.0/24 src-port=139
[admin@MikroTik] /ip firewall nat>
[admin@MikroTik] /ip firewall nat> /ip firewall filter export
# mar/17/2019 11:12:24 by RouterOS 6.43.8
# software id = MKII-15HB
#
# model = RouterBOARD cAP Gi-5acD2nD
# serial number = xxx
# Filter table only: input-chain accepts, two forward-chain accepts for 192.168.10.50,
# then a drop for router-bound traffic that is not from the LAN list.
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# NOTE(review): both forward rules match on src-port=445 / src-port=139. An SMB client
# normally connects from an ephemeral source port, so these matches are unlikely to hit;
# check the rule counters. No chain=forward drop rule appears in this export, so these
# accepts do not change what is forwarded.
add action=accept chain=forward dst-address=192.168.10.50 dst-port=4455 in-interface=bridge log=yes protocol=tcp src-port=445
add action=accept chain=forward dst-address=192.168.10.50 dst-port=1139 in-interface=bridge log=yes protocol=tcp src-port=139
# Drops traffic addressed to the router itself unless it arrived on an interface in the LAN list.
add action=drop chain=input in-interface-list=!LAN
P.S. Why can't I paste more than one "code /code" section?