Hi

I need a creative idea. I need to build some mechanism that will temporarily enable a dst-nat to a https server behind a Mikrotik router.
I can't figure out how to control a NAT rule when all I have is address lists. Not enough experience.

This is the rule I'm looking to enable:
I need this rule to be enabled for a minute. It is a secured https server that I access from all of my devices via Wireguard, but I can't use WireGuard on one PC that needs access for a minute per month.

Any ideas?

Do you relay need forwarding? Why don't use a roadwarrior-VPN-solution (You can specify what is reachable over the VPN in the firewall).

If you need to use port forwarding, keep in mind that it consists of the NAT and rules in the forward chain, so you can allow/block access there as well.

If the public port being DST-NATed won't be used otherwise, then you could have the DST-NAT rule configured and enabled the whole time and would use friwall filter rule to allow/block access to it only to remote addresses which perform the port-knock properly. A pair of rules like these (placed abouve the general "action=allow chain=forward connection-nat-state=dstnat ...":
(the address list mentioned should be populated by usual port-knocking rules)... Feel free to add a few selection criteria (such as protocol type) to make size of hole in your firewall smaller.

If, OTOH, you want to change target of DST-NAT temporarily, then I don't know if it's possible to do it by simple port-knocking. You'll have to use something else, such as VPN mentioned by @afuchs .

Create some scheduler than activate at same day of the month, for 10 minutes the NAT rule, then disable the rule.
If that's okay, then continue with the details.

Quote: "I need a creative idea. I need to build some mechanism that will temporarily enable a dst-nat to a https server behind a Mikrotik router.
I can't figure out how to control a NAT rule when all I have is address lists. Not enough experience."

Yeah, no! What you need is to state the requirement from a use case perspective, you have only provided your proposed config solution.

What is it that you, OR a user need to do. Forget about the config!

(if you need an example, poster states I need to know how to open this fancy jacknife to pick my teeth.
Posters real use case is: There is a piece of spinach stuck between my teeth and I need to get it out.)

Just so you know, the posters initial request seems pretty silly eh........ Well thats what yours sounds like too

Just so you know, the posters initial request seems pretty silly eh........ Well thats what yours sounds like too

When reading OP''s first post, I stopped reading after first full stop. So I posted a creative idea (whether it's good for OP or not is up to him to decide ... I don't accept returns ). Not sure what you were responding to?

I am doing essentially exactly what the OP wants to do. DST-NAT set up normally, and firewall rule that requires the source address be on the "Safe" list in order to reach the target device. Source address is added to the "Safe" list by way of a multi-step port knock procedure. Code samples available if desired...

What is it that you, OR a user need to do. Forget about the config!
...
Just so you know, the posters initial request seems pretty silly eh........ Well thats what yours sounds like too

You've stopped reading on the config line, probably. I've stated the use case in the initial post: I need to temporarily open a port of an HTTPS server in my LAN behind Mikrotik on a specific port to a client I have no admin control over, so I can't install or use Wireguard.

@mkx proposed a working solution.

I don't get what is silly neither about my question, nor about @mkx solution.