dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Port forwarding issue

Sat Mar 20, 2021 12:50 pm

Hope that someone will be able to help as I cannot find a logical explanation for the problem that I am facing. As this is the first time for me setting up mikrotik router I do apologise if my issue seems basic. I had a setup as follows: ISP Modem/Router --- Tp-Link Router --- Local Network. In the Local Network I have 2 DVRs with CCTV cameras connected. I use my smart phone to connect to the DVRs. I had port forwarding from ISP Router to the TP-Link Router and port forwarding from the Tp-Link Router to the DVRs. No issue at all. Everything worked. Then I decided to replace the Tp-link router with a Mikrotik Router. I set up in NAT the 2 port forwards as follows:
add action=dst-nat chain=dstnat comment=DVR1 dst-port=67-68 in-interface=\
ether2 protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=67-68
add action=dst-nat chain=dstnat comment=DVR2 dst-port=70-72 in-interface=\
ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=70-72
The first one, to .71 works. The second one to .72 doesn't. I can see the packets as the counter increments in NAT but also using TORCH on the in interface. And then nothing. Probably connection is never established. I noticed in the Firewall, Connections TAB, that the connection to the in interface ip:port is established and then nothing. As I thought that there may be a firewall rule dropping I have disabled all firewall rules. Now, I suppose that everything must be accepted but still no luck. Any ideas???
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding issue

Tue Mar 23, 2021 2:11 pm

Since I hope that someone will eventually look into my problem I am posting the configuration of my router:
# mar/23/2021 02:01:41 by RouterOS 6.48.1
# software id = V2G1-I8S1
#
# model = 951Ui-2HnD
# serial number = 45880238E3C3
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2
set [ find default-name=ether3 ] comment=LAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=ether3 lease-time=3h name=\
dhcp1
/system logging action
add email-to=xxxxxxxxxxxx@gmail.com name=Email target=email
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0
add address=192.168.2.5/24 interface=ether1 network=192.168.2.0
add address=192.168.3.5/24 interface=ether2 network=192.168.3.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
ntp-server=216.239.35.0,216.239.35.4
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=forward comment="Allow port forwarding on ISP2" \
connection-nat-state=dstnat connection-state=established,related,new \
connection-type="" log=yes protocol=tcp
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=ether3 log=\
yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=accept chain=forward comment="Established & Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix="invalid DROPPED"
add action=drop chain=input comment=Invalid connection-state=invalid
add action=add-src-to-address-list address-list=Over-100-Conn \
address-list-timeout=1d chain=input comment="Connections over 100 for IP" \
connection-limit=100,32 protocol=tcp
add action=tarpit chain=input comment="Drop if over 100 Connections" \
connection-limit=3,32 protocol=tcp src-address-list=Over-100-Conn
add action=add-src-to-address-list address-list=Port-Scan \
address-list-timeout=1d chain=forward comment="Port Scan Hamad" log=yes \
log-prefix="Port Scan Fwd" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port-Scan \
address-list-timeout=1d chain=input comment="Port Scan Hamad" log=yes \
log-prefix="Port Scan Input" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop Port Scan Hamad" src-address-list=\
Port-Scan
add action=drop chain=forward comment="Drop Port Scan Hamad" \
src-address-list=Port-Scan
add action=jump chain=forward comment="SYN Flood protect FORWARD" \
connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" \
connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=syn-attack connection-state=new limit=400,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix=\
"Syn Flood Drop" protocol=tcp tcp-flags=syn
add action=accept chain=input comment=Ping protocol=icmp
add action=drop chain=forward comment=\
"ISP1 Drop incoming from internet which is not public IP" in-interface=\
ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"ISP2 Drop incoming from internet which is not public IP" in-interface=\
ether2 log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=input comment="LAN Traffic" src-address-list=\
allowed_to_router
add action=accept chain=input comment=Gmail src-address=74.125.141.108 \
src-address-list=""
add action=drop chain=input comment="Drop All other ISP1" in-interface=ether1
add action=drop chain=input comment="Drop All other ISP2" in-interface=ether2
add action=drop chain=forward comment=\
"ISP1 Drop incoming packets that are not NATted" connection-nat-state=\
!dstnat connection-state=new disabled=yes in-interface=ether1 log=yes \
log-prefix=!NAT
add action=drop chain=forward comment=\
"ISP2 Drop incoming packets that are not NATted" connection-nat-state=\
!dstnat connection-state=new disabled=yes in-interface=ether2 log=yes \
log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" disabled=yes \
dst-address-list=not_in_internet in-interface=ether3 log=yes log-prefix=\
!public_from_LAN out-interface=!ether3
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=yes \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new disabled=yes \
dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=\
yes dst-port=22 protocol=tcp src-address-list=ssh_blacklist
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting dst-address=192.168.3.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether3 new-connection-mark=WAN1 \
passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=ether3 new-connection-mark=WAN2 \
passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
ether3 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
ether3 new-routing-mark=ether2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
ether1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
ether2-mark passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat comment="DVR1 Local Access" dst-address=\
192.168.1.71 dst-port=67-68 out-interface=ether3 protocol=tcp \
src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="DVR2 Local Access" dst-address=\
192.168.1.72 dst-port=67-68 out-interface=ether3 protocol=tcp \
src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment=DVR1 dst-address-type="" dst-port=\
67-68 in-interface=ether2 log=yes protocol=tcp src-port="" to-addresses=\
192.168.1.71 to-ports=67-68
add action=dst-nat chain=dstnat comment=DVR2 dst-address-type="" dst-port=\
54-56 log=yes protocol=tcp src-address=192.168.3.5 src-port="" \
to-addresses=192.168.1.72 to-ports=67-68
add action=dst-nat chain=dstnat comment=PBX1 disabled=yes dst-port=35356 \
in-interface=ether2 protocol=tcp to-addresses=192.168.1.29 to-ports=5060
add action=dst-nat chain=dstnat comment="DSP2 DSP" disabled=yes dst-port=\
16000-16511 in-interface=ether2 protocol=tcp to-addresses=192.168.1.30 \
to-ports=16000-16511
add action=dst-nat chain=dstnat comment=DVR1-Local disabled=yes dst-port=\
73-74 in-interface=ether2 protocol=tcp to-addresses=192.168.1.71 \
to-ports=67-68
add action=dst-nat chain=dstnat comment=DVR2-Local disabled=yes dst-port=\
75-76 in-interface=ether2 protocol=tcp to-addresses=192.168.1.72 \
to-ports=70-71
/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=\
ether1-mark
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=\
ether2-mark
add distance=1 gateway=192.168.3.1
add distance=1 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.3.1
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=VI
/system logging
add action=Email prefix="Mikrotik Router VI" topics=critical
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.8
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=74.125.141.108 from=xxxxxxxxxx@gmail.com password=\
xxxxxxxxxx* port=587 start-tls=yes user=xxxxxxxxxxx@gmail.com
/tool netwatch
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.\
2.1]\r\
\n:log error \"ISP1 is down\"\r\
\n/ip firewall connection remove [find]" host=8.8.4.4 interval=10s \
timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gatew\
ay=192.168.2.1]\r\
\n:log warning \"ISP1 is up\""
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.\
3.1]\r\
\n:log error \"ISP2 is down\"\r\
\n/ip firewall connection remove [find]" host=8.8.8.8 interval=10s \
timeout=800ms up-script="ip route enable [find dst-address=0.0.0.0/0 gatew\
ay=192.168.3.1]\r\
\n:log warning \"ISP2 is up\""
Still hoping that someone will help me out...
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port forwarding issue

Tue Mar 23, 2021 2:40 pm

The best thing you could do is
a. reset to defaults to clean up all the bloatware you have added.
b. Figure out why your DHCP network is not for your LAN but set up for ISP1
c. Understand that port forwarding is not going to work if your ISP gives you a private IP address.
(unless they have forwarded every port to your WANIP, their LANIP on their router) you are out of luck.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding issue

Tue Mar 23, 2021 10:58 pm

c. Understand that port forwarding is not going to work if your ISP gives you a private IP address.
It was working with the previous router, so this point is irrelevant.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding issue

Tue Mar 23, 2021 11:07 pm

The first one, to .71 works. The second one to .72 doesn't.
The description in the first post differs from the export in the second post.

When a dst-nat rule (or src-nat rule) doesn't need to change a port, the to-ports parameter need not be specified at all.

When it has to change a port, and you specify a range for dst-port and for to-ports, there is no predictable mapping from the old port to the new one. E.g. if you set dst-port=100-102 and to-ports=200-202, and the first connection arrives to port 102, the new port may be 200; if the next connection comes also to port 102 but from a different address, the new port may be the 200 one again as the remote address can be used to distinguish between the two connections.

So if the mapping of ports is meaningful for the cameras, you have to use a dedicated rule for each dst-port to be mapped to a particular new one.
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding issue

Wed Mar 24, 2021 8:18 am

The first one, to .71 works. The second one to .72 doesn't.
The description in the first post differs from the export in the second post.

When a dst-nat rule (or src-nat rule) doesn't need to change a port, the to-ports parameter need not be specified at all.

When it has to change a port, and you specify a range for dst-port and for to-ports, there is no predictable mapping from the old port to the new one. E.g. if you set dst-port=100-102 and to-ports=200-202, and the first connection arrives to port 102, the new port may be 200; if the next connection comes also to port 102 but from a different address, the new port may be the 200 one again as the remote address can be used to distinguish between the two connections.

So if the mapping of ports is meaningful for the cameras, you have to use a dedicated rule for each dst-port to be mapped to a particular new one.
Do you mean that it should be something like this?

add action=dst-nat chain=dstnat comment=DVR1 dst-port=67 in-interface=\
ether2 protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=
add action=dst-nat chain=dstnat comment=DVR1 dst-port=68 in-interface=\
ether2 protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=

add action=dst-nat chain=dstnat comment=DVR2 dst-port=70 in-interface=\
ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=
add action=dst-nat chain=dstnat comment=DVR2 dst-port=71 in-interface=\
ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port forwarding issue [SOLVED]

Wed Mar 24, 2021 8:41 am

Do you mean that it should be something like this?
Yes, but not exactly.

These four rules will forward ports 67 and 68 to .71, and ports 70 and 71 to .72, without changing them. So a single rule for each target device, with a range as dst-port, would be sufficient. This way is fine if you can configure the target devices to listen at distinct ports.

But if you want to change also the destination port, not only the destination address, e.g. because all the target devices listen at the same pair of ports, you need one rule per port to be changed.
 
ashpri
Member Candidate
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: Port forwarding issue

Wed Mar 24, 2021 1:18 pm

add action=dst-nat chain=dstnat comment=DVR1 dst-port=67-68 in-interface=\
ether2 protocol=tcp src-port="" to-addresses=192.168.1.71 to-ports=67-68
add action=dst-nat chain=dstnat comment=DVR2 dst-port=70-72 in-interface=\
ether2 protocol=tcp to-addresses=192.168.1.72 to-ports=70-72

The first one, to .71 works. The second one to .72 doesn't.

It's odd that .71 works but .72 doesn't. I would expect both would or wouldn't work.

Add this to your firewall rule:
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface=ether2
 
dencostis
just joined
Topic Author
Posts: 20
Joined: Fri Mar 19, 2021 8:20 am

Re: Port forwarding issue

Wed Mar 24, 2021 2:15 pm

Do you mean that it should be something like this?
Yes, but not exactly.

These four rules will forward ports 67 and 68 to .71, and ports 70 and 71 to .72, without changing them. So a single rule for each target device, with a range as dst-port, would be sufficient. This way is fine if you can configure the target devices to listen at distinct ports.

But if you want to change also the destination port, not only the destination address, e.g. because all the target devices listen at the same pair of ports, you need one rule per port to be changed.
Thank you for your time. Working like a charm!!!
