I said
public IPs, a config where you cover all the private internal IPs makes no sense from a security point of view and also really makes the config less useful for problem solving, LOL, but I will have a look.
(1) Typical error:
/ip address
add address=xxx.xxx.x.1/24 comment=defconf interface=ether2 network=\
    xxx.xxx.x.0
Should be
/ip address
add address=xxx.xxx.x.1/24 comment=defconf interface=bridge network=\
    xxx.xxx.x.0
(2) I highly recommend you keep your input chain rules together and your forward chain firewall rules together; it makes it very easy to spot mistakes and is simply an efficient, organized approach. In addition, the order of some of your rules is non-standard.
From this
add action=accept chain=forward comment="viewtopic.php\?t=121397" \
    connection-nat-state=dstnat connection-state=new in-interface=ether1
TO THIS
add action=accept chain=forward connection-nat-state=dstnat \
    comment="allow port forwarding"
(3) Specifically, the forward chain rule above should be AFTER these ones:
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward \
    comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
---> { put the destination nat rule here in the order }
(4) This rule is now redundant, as you have already allowed port forwarding from both LAN and WAN, so we will get rid of it but replace the parts that are still necessary.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
What this rule also did was block all WAN to LAN traffic, which is a good thing!
However, we will do one better, as the LAST rule in the forward chain:
add chain=forward action=drop comment="drop all else"
This drops all WAN to LAN traffic, all LAN to LAN traffic and all LAN to WAN traffic at layer 3.
In other words, unless you specifically allow it (proper control), traffic is not permitted, which is the best approach.
What does this mean? Well, it means that probably the only additional change you will need is to allow LAN to WAN traffic for internet access:
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="allow internet traffic"
(5) I want you to disable raw rules when testing the port forwarding, in case there is something funky going on there; using raw in the hands of a beginner can be dangerous!
(6) Why is UPnP enabled? It is normally recommended to keep this disabled.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
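The forward chain the reply above describes, assembled end to end as an added example (this is not the original poster's export or the reply author's own config). It assumes ether1 is the WAN uplink and the bridge is the LAN, as in the post; it also assumes a LAN subnet of 192.168.88.0/24 (the RouterOS default) and a hypothetical dst-nat of TCP/443 to 192.168.88.10 purely so the "allow port forwarding" accept has something to match. The "drop invalid" filter rule and the srcnat masquerade are taken from the stock RouterOS default config; the post does not mention them.

```routeros
# Added example, not config from the thread. Assumptions (labelled):
#   ether1 = WAN uplink, bridge = LAN (both as in the post)
#   192.168.88.0/24 = LAN subnet (RouterOS default, assumed here)
#   TCP/443 -> 192.168.88.10 = hypothetical port forward used for illustration

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip address
# the LAN address belongs on the bridge, not on a member port such as ether2
add address=192.168.88.1/24 comment=defconf interface=bridge \
    network=192.168.88.0

/ip firewall nat
# stock defconf masquerade so LAN -> WAN traffic gets a source address
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
# hypothetical port forward; the forward-chain accept keys on
# connection-nat-state=dstnat, so it covers every dst-nat rule added here
add action=dst-nat chain=dstnat comment="forward https to web server" \
    dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.10

/ip firewall filter
# ---- forward chain only, kept together, in the order the reply recommends ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward \
    comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
# from the stock default config, not mentioned in the post
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# the dst-nat accept goes here: after established/related, before the LAN allow
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
# catch-all LAST: anything not explicitly accepted above is dropped
add action=drop chain=forward comment="drop all else"
```

Two things to check after pasting: `/ip firewall filter print` should show the rules in exactly this order (a rule added later lands at the bottom, so the catch-all drop must be the final one), and the "allow port forwarding" accept has no `in-interface` match, so a connection from the LAN that hits a dst-nat rule is accepted too, which is what the reply means by port forwarding being allowed "from both LAN and WAN". Because everything not accepted is dropped, any inter-subnet LAN-to-LAN routing (for example between VLANs) now needs its own explicit accept in the forward chain ahead of the catch-all.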