I *think* I understand the difference between dst-nat vs redirect: dst-nat forwards incoming requests to an external location while redirect is a special case for the localhost. Assuming that's the case, I again believe that if I want to expose a local service from the router on an alternate port the correct method is via redirect.
Please correct me if the above is false. However, from there - what is the method I should use for specifically exposing the router's ssh service via a non-standard port? The intent is to allow connection via public internet to the non-standard port. My concerns/questions - some of which are probably self-answering:
1. I assume the first step is a NAT rule, "/ip firewall nat add chain=dstnat action=redirect to-ports=22 protocol=tcp dst-port=2220"
2. Now what do I need to open in the filter? Port 2220, port 22, or both?
3. Does this mean the ssh service cannot be IP-limited? Sounds stupid as I type it, but if nothing else it spells out the obvious for the archives...
3a. Is it possible to define a second listener for an internal service - so port 22 has limited IPs while 2220 is open in the service definition?
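A worked configuration for the setup asked about above, added here as an example and not part of the original post: a redirect rule exposes the router's own SSH on TCP/2220, the input filter accepts only redirected connections from an address list, and direct connections to port 22 from the WAN are dropped. Because redirect rewrites only the destination port and address, the source address is unchanged and the per-service address= restriction still applies. The interface list name WAN, the address-list name ssh-allowed and the source networks 203.0.113.0/24 and 198.51.100.7 are assumptions chosen for the example.

```routeros
# Added example (not from the original post). Assumes an interface list
# named "WAN" exists; the allowed source networks below are constructed
# sample values, not real ones.

# 1. Source addresses allowed to reach SSH (constructed sample values)
/ip firewall address-list
add list=ssh-allowed address=203.0.113.0/24 comment="office"
add list=ssh-allowed address=198.51.100.7 comment="admin home"

# 2. NAT: TCP/2220 arriving on the WAN is redirected to the router's own
#    port 22. dstnat runs in prerouting, so the input filter below sees
#    the packet with dst-port=22, not 2220.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=2220 \
    action=redirect to-ports=22 comment="public SSH on 2220"

# 3. Filter: accept only connections that went through dstnat
#    (connection-nat-state=dstnat) and come from the allow list; drop
#    everything else aimed at port 22 from the WAN, which also closes
#    port 22 to direct, non-redirected connections. These two rules must
#    sit above any general "drop input from WAN" rule.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=tcp dst-port=22 \
    connection-nat-state=dstnat src-address-list=ssh-allowed \
    action=accept comment="SSH via 2220 from allowed sources"
add chain=input in-interface-list=WAN protocol=tcp dst-port=22 \
    action=drop comment="no other SSH from WAN (direct 22 or unlisted)"

# 4. Optional second layer: bind the service itself to the same sources.
#    Redirect leaves the source address untouched, so this still matches.
#    Add your LAN ranges here as well, or you lock yourself out internally.
/ip service
set ssh address=203.0.113.0/24,198.51.100.7
```

If the NAT hop is not wanted at all, `/ip service set ssh port=2220` moves the listener itself to 2220; the filter rules then match dst-port=2220 directly and the redirect rule is unnecessary. Either way, the filter's src-address-list and the service's address= field are the two places the source IP can be limited; a redirect does not remove that ability.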