Format for dstnat rules is normally dependent upon the type of WAN connection.
1. You need a generic firewall rule to allow port forwarding.
This is the crappy but safe default rule one gets in the forward chain.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
This is the way to replace it with more clarity and overall better security:
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
2. For a Dynamic WAN situation typically the format is as follows ( lets say ISP blocks port YYYY )
add chain=dst-nat action=dst-nat dst-port=XXXXX protocol=abc in-interface=WAN1 to-address=deviceIP to-ports=YYYYY
Note1: To-Ports is only required if doing port translation (aka the incoming port hitting the WAN has to be different from when it hits the device).
3. For a Static WANIP, the format is as follows ( no blocking on this ISP):
add chain=dst-nat action=dst-nat dst-port=YYYYY protocol=abc dst-address=WANIP to-address=deviceIP
Note2: From a security perspective, limiting access to a source address or source address list should be done. Users of your servers should either have a static IP, OR if dynamic they can get a FREE dyndns type name that the MT will resolve to WANIP in a source address list. Adding a source part to the dstnat rule also makes the port invisible on scans. Without such a condition, the port will appear on scans as closed.
4. When you have users accessing servers locally it gets complicated if you insist on them using the WANIP vice the direct LANIP of the server. If you must, then reading here will guide you.
viewtopic.php?t=179343
