Good day,

I can't seem to access the NVR in my office from my home. I have setup NAT rules but still it does not allow me to access the NVR. It probably is a small setting that I missed.

Thanks in advance

Yes, there's probably some mistake. Maybe in that config of yours, which we don't see, so it's hard to comment on it.

Check my automatic signature for a hint how to do what @Sob suggests.

Good day,

We have a DDNS server with settings as follows,

Port - 8245
Domain name - zktecosa.ddns.net
Public IP - 165.165.x.x

I have setup a firewall rule as follows,

Chain - input
Src address - public IP
In interface - WAN
Action - accept

Then I have setup a NAT rule as follows,

Chain - dstnat
Protocol - tcp
Dst Port - 8245
In interface - The port setup for fibre connection
Action - dst-nat
To address - local IP of NVR
To ports - 8245

I have setup a firewall rule as follows,

Chain - input
Src address - public IP
In interface - WAN
Action - accept

This setting is extremely dangerous (you're allowing just any connection from WAN to router itself) and not needed. On the contrary: default action in chain=forward should be either drop or deny (but most admins will use drop ... why bother informing potential plaintiff that there's something ready to communicate on this end).

The correct setting would be:

Note that port-forwarded connections are dealt with in chain=forward regardless of the fact that client uses router's WAN IP address as target address for connection. From router's point of view this traffic is forwarded to other hosts, just that some details in IP headers (such as DST address and port number) might get changed.

Thank you for the information @mkx. I still can't access the NVR from outside local subnet. Please see attached.

I think I am just brain dead and can't seem to get the correct setting

Showing a single firewall rule as five screenshots is a bad idea. All the people who can provide a useful advice on this forum can read, and strongly prefer, the text form of configuration export where a firewall rule takes five lines of text in worst case and from which the position of the rule in the firewall and the overall configration, which is also important, can be seen.

So regardless whether you use Winbox or WebFig, click the [Terminal] button, and in the window which opens, type /export hide-sensitive file=my-config and press the Enter key. Then click the [File] button, download the file my-config.rsc (it is actually a plain text file so you can open it using Notepad on Windows), and post its contents here after maybe doing the changes suggested in my automatic signature.

Good day,

Thank you everyone that tried to help. Once again it was my own stupidity. It was a port number digit that was incorrect.