jantypas
newbie
Topic Author
Posts: 35
Joined: Sun May 02, 2010 11:57 pm

DNAT NAT should work, but appears blocked

Sat Jan 14, 2023 11:19 am

This probably should go in the beginners section since I would think I'd figured this out by now -- but apparently not -- it's been some time since I've had to do this....

The following *should* be a very basic firewall that blocks all unsolicited inbound traffic, masquerades outbound traffic and has two DNATs
WAN IP:32401 -> 10.0.0.32:32400 and WAN IP:32400 -> 10.0.2.4:32400. But these are being blocked by the last forward drop catch all rule.
OK - I get that, but if I add a forward rule at the top that allows it, I can make it work *only if* I don't include a destination port... ?????? I'm sure I've got something out of order or something like that, but I can't find it -- but then again, it's 1AM here....
------------------------------------------------------------
## Router OS 7.7
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-mark="" connection-type="" \
in-interface=ether1-COMCAST packet-mark="" <--- This works unless I add tcp dst-port=32400/32401. Then the catchall rule gets it
add action=accept chain=input connection-state=established,related
add action=drop chain=forward connection-state=invalid in-interface=\
ether1-COMCAST
add action=drop chain=input connection-state=invalid in-interface=\
ether1-COMCAST
add action=accept chain=input in-interface=ether1-COMCAST packet-size=0-128 \
protocol=icmp
add action=drop chain=forward in-interface=ether1-COMCAST log=yes log-prefix=\
"forward drop"
add action=drop chain=input in-interface=ether1-COMCAST
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=50.247.114.17 dst-port=32401 \
in-interface=ether1-COMCAST log=yes log-prefix=NATing protocol=tcp \
to-addresses=10.0.0.32 to-ports=32400
add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1-COMCAST \
protocol=tcp to-addresses=10.0.2.4 to-ports=32400
add action=masquerade chain=srcnat src-address=10.0.0.0/16
/ip route
add disabled=no dst-address=8.8.8.8/32 gateway=50.247.114.30 routing-table=\
main scope=10 suppress-hw-offload=no
add disabled=no dst-address=1.1.1.1/32 gateway=192.168.12.1 routing-table=\
main scope=10 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=11
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=11
 
mkx
Forum Guru
Posts: 11597
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNAT NAT should work, but appears blocked

Sat Jan 14, 2023 1:01 pm

Generally, setting a property to nothing is not the same as not setting the property at all. You have several such constructs, e.g.
add action=accept chain=forward connection-mark="" connection-type="" \
in-interface=ether1-COMCAST packet-mark=""

Try to actually unset those properties to see if that helps.


BTW, it's not clear which device model you're using. All devices, except top line (top line are CCR, CRS and a few RB1xxx devices), come with pretty decent default firewall setup. That firewall contains a line, moved quite high on the rule list, like this:
add action=accept chain=forward comment="allow dst-nat connections from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

It accepts all connections that are DST-NATed (so it's not necessary to make accept filter rule for each DST-NAT rule). It doesn't fit in your firewall concept directly, but it should give you an idea.
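The OP's forward chain reworked along the lines of the reply above, as an added example (not posted by either participant): the empty-string matchers are removed with `unset` rather than set to "", and the single dst-nat accept rule replaces per-port accept rules. The rule comments used with `find` are assumed; the interface name and addresses are the OP's.

```routeros
# Added example, not from the thread. Interface and addresses are the OP's;
# the comments used to locate rules are assumed for illustration.

# Step 1: an empty value is still a matcher (it matches only connections that
# carry no mark), so remove the properties instead of setting them to "".
/ip firewall filter
unset [find comment="wan accept"] value-name=connection-mark
unset [find comment="wan accept"] value-name=connection-type
unset [find comment="wan accept"] value-name=packet-mark

# Step 2: replace the broad in-interface accept with one rule that admits only
# connections the dstnat chain already translated. In the forward chain the
# destination is the post-NAT one (10.0.0.32:32400 / 10.0.2.4:32400), so keying
# on connection-nat-state avoids tracking translated ports in the filter at all.
remove [find comment="wan accept"]
add action=accept chain=forward comment="allow dst-nat connections from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface=ether1-COMCAST \
    place-before=[find chain=forward action=drop connection-state=invalid]

# Resulting forward chain order (established/related first, dst-nat accept,
# invalid drop, then the logged catch-all drop that was swallowing the DNATs):
print where chain=forward

# The NAT rules themselves are unchanged from the OP's export.
/ip firewall nat
print where chain=dstnat
```

The dst-nat accept rule must sit above the final `forward drop` rule; `place-before` pins it there so a later `add` does not land it at the bottom.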
 
anav
Forum Guru
Posts: 19324
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNAT NAT should work, but appears blocked

Sat Jan 14, 2023 3:52 pm

Yeah, most of those rules you added are unnecessary.
Stick with the defaults and any actual traffic you need to have for users or admin.

In the input chain, which means basically admin to the router (for config),
users to router services (DNS, sometimes NTP),
and if applicable allow incoming VPN to connect to router VPN services.

In the forward chain it's
what is allowed to the internet,
what is allowed between subnets,
if applicable allow incoming or outgoing VPN traffic and to where.
