This probably should go in the beginners section since I would think I'd figured this out by now -- but apparently not -- it's been some time since I've had to do this....
The following *should* be a very basic firewall that blocks all unsolicited inbound traffic, masquerades outbound traffic and has two DNATs
WAN IP:32401 -> 10.0.0.32:32400 and WAN IP:32400 -> 10.0.2.4:32400. But these are being blocked by the last forward drop catch all rule.
OK - I get that, but if I add a forward rule at the top that allows it, I can make it work *only if* I don't include a destination port... ?????? I'm sure I've got something out of order or something like that, but I can't find it -- but then again, it's 1AM here....
------------------------------------------------------------
## Router OS 7.7
```routeros
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-mark="" connection-type="" \
    in-interface=ether1-COMCAST packet-mark=""
# <--- This works unless I add tcp dst-port=32400/32401. Then the catchall rule gets it
add action=accept chain=input connection-state=established,related
add action=drop chain=forward connection-state=invalid in-interface=\
    ether1-COMCAST
add action=drop chain=input connection-state=invalid in-interface=\
    ether1-COMCAST
add action=accept chain=input in-interface=ether1-COMCAST packet-size=0-128 \
    protocol=icmp
add action=drop chain=forward in-interface=ether1-COMCAST log=yes log-prefix=\
    "forward drop"
add action=drop chain=input in-interface=ether1-COMCAST
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=50.247.114.17 dst-port=32401 \
    in-interface=ether1-COMCAST log=yes log-prefix=NATing protocol=tcp \
    to-addresses=10.0.0.32 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1-COMCAST \
    protocol=tcp to-addresses=10.0.2.4 to-ports=32400
add action=masquerade chain=srcnat src-address=10.0.0.0/16
/ip route
add disabled=no dst-address=8.8.8.8/32 gateway=50.247.114.30 routing-table=\
    main scope=10 suppress-hw-offload=no
add disabled=no dst-address=1.1.1.1/32 gateway=192.168.12.1 routing-table=\
    main scope=10 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.8.8 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=11
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=11
```