webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

General port "acceptance" vs simple IP forwarding question

Tue Mar 01, 2016 7:59 am

I have a lab that requires external access via ports 1494, 2598, 2512, 44, 80; the internal members that leverage these ports are on xxx.xxx.xxx.11-19.

I followed the tutorials for forwarding a single port (i.e. 3389) to a single internal port and it works (yay!), but I'm not sure how to generally "accept" a port to all members on the internal LAN.

Can anyone give me example syntax on the CLI, or a Winbox tutorial link?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: General port "acceptance" vs simple IP forwarding question

Tue Mar 01, 2016 2:05 pm

If what you mean is to forward a single port, e.g. 3389 to several internal servers port 3389, the answer is you can't, not by forwarding (dst-nat).

You'll have to use a different port to dst-nat to each internal ip, for example:

11389 --> xxx.xxx.xxx.11:3389
12389 --> xxx.xxx.xxx.12:3389
13389 --> xxx.xxx.xxx.13:3389
14389 --> xxx.xxx.xxx.14:3389
15389 --> xxx.xxx.xxx.15:3389
16389 --> xxx.xxx.xxx.16:3389
17389 --> xxx.xxx.xxx.17:3389
18389 --> xxx.xxx.xxx.18:3389
19389 --> xxx.xxx.xxx.19:3389


Not sure if that's what you were asking for. Do you want to forward (a public IP port exposed to the Internet, to a local private IP port), or to allow traffic from other private IP addresses to those servers by means of firewall filter rules?
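The port-per-host scheme pukkita lists, written out as RouterOS CLI rules. This is an added example, not code from the thread or from MikroTik: it assumes ether1 is the WAN interface and that the LAN is 192.168.88.0/24 (the RouterOS default), so the .11 to .19 hosts are constructed addresses standing in for the xxx.xxx.xxx.11-19 in the question. The filter rules at the end are the defensive half of the picture: new connections from the WAN are only allowed into the LAN if one of the dst-nat rules actually translated them.

```routeros
# Added example (not from the thread). Assumptions: ether1 = WAN interface,
# 192.168.88.0/24 = LAN. One external port per internal host, all landing on
# the host's port 3389, so the external port chosen by the client decides
# which LAN host receives the connection.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=11389 action=dst-nat to-addresses=192.168.88.11 to-ports=3389 comment="RDP -> host .11"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=12389 action=dst-nat to-addresses=192.168.88.12 to-ports=3389 comment="RDP -> host .12"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=13389 action=dst-nat to-addresses=192.168.88.13 to-ports=3389 comment="RDP -> host .13"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=14389 action=dst-nat to-addresses=192.168.88.14 to-ports=3389 comment="RDP -> host .14"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=15389 action=dst-nat to-addresses=192.168.88.15 to-ports=3389 comment="RDP -> host .15"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=16389 action=dst-nat to-addresses=192.168.88.16 to-ports=3389 comment="RDP -> host .16"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=17389 action=dst-nat to-addresses=192.168.88.17 to-ports=3389 comment="RDP -> host .17"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=18389 action=dst-nat to-addresses=192.168.88.18 to-ports=3389 comment="RDP -> host .18"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=19389 action=dst-nat to-addresses=192.168.88.19 to-ports=3389 comment="RDP -> host .19"

# Forward chain: let replies through, let WAN-originated connections in only
# when a dst-nat rule above created them, and drop every other new
# connection arriving from the WAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies and related"
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=dstnat action=accept comment="only what dst-nat mapped"
add chain=forward in-interface=ether1 connection-state=new action=drop comment="everything else from WAN"
```

If the set of clients that need RDP is known, adding `src-address-list=` (with a matching `/ip firewall address-list` entry) to each dstnat rule limits who can reach those ports at all; without it, every one of the nine ports is reachable from the whole Internet.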
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: General port "acceptance" vs simple IP forwarding question

Wed Mar 02, 2016 7:30 am

I'm not sure how that will work. Here is an example: the web interface uses 80 for authentication and 443 when I stick a cert on it... BUT I also have other members internally that use 80 and need to be hit from the WAN on that port. For example:

Port 80 is XXX.XXX.XXX.139 and 14

Ports 1494, 2598 and 2512 are xxx.xxx.xxx.11 and 12

The WAN-side requests for ports 2512, 2598, 1494 are hard-coded in clients and protocols, so I can't change their ports.

Would it be better to just expose the gateway in a DMZ approach?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: General port "acceptance" vs simple IP forwarding question

Wed Mar 02, 2016 9:11 pm

dstnat can map an external address:port to an internal address:port in (generally) a 1:1 fashion. You can specify multiple internals, but it's just going to cycle between them because there's no way to know WHICH internal host you wanted....

dstnat can change the port number in the process, so like pukkita said:
wan:8001 -> 1:80
wan:8002 -> 2:80
wan:8003 -> 3:80
etc

this is possible but not:
wan:80 -> 1:80,2:80,3:80,4:80

If you need the exact same port number on the wan side to map to multiple LAN hosts, then your only option is to have multiple public IP addresses - at least as many as the number of internal hosts.
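What ZeroByte's last sentence looks like in practice: the same WAN-side port number reaching two different LAN hosts, with one public address per host and `dst-address=` choosing the host. This is an added example, not the thread's or MikroTik's code, and it uses the ports from the question with constructed addresses: 203.0.113.10 and 203.0.113.11 (documentation addresses) both assigned to ether1 as the WAN interface, and 192.168.88.0/24 as the LAN. Because `to-ports` is omitted, dst-nat keeps the destination port, which is what the hard-coded client ports need.

```routeros
# Added example (not from the thread). Assumptions: ether1 = WAN interface
# carrying two public addresses (documentation range), 192.168.88.0/24 = LAN.
/ip address
add address=203.0.113.10/24 interface=ether1 comment="public A"
add address=203.0.113.11/24 interface=ether1 comment="public B"

/ip firewall nat
# Ports 1494, 2598, 2512 arrive unchanged; the public address the client
# connected to decides whether host .11 or host .12 receives the connection.
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp dst-port=1494,2598,2512 action=dst-nat to-addresses=192.168.88.11 comment="public A -> .11"
add chain=dstnat in-interface=ether1 dst-address=203.0.113.11 protocol=tcp dst-port=1494,2598,2512 action=dst-nat to-addresses=192.168.88.12 comment="public B -> .12"

# Same pattern for port 80: two hosts need it, so each gets its own
# public address rather than a different external port.
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.139 comment="public A:80 -> .139"
add chain=dstnat in-interface=ether1 dst-address=203.0.113.11 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.14 comment="public B:80 -> .14"

# What does NOT work: a single rule with a range of internal addresses does
# not fan one port out to all of them. Connection tracking hands each new
# connection to one host from the range, so clients land on hosts at random.
# Left disabled here purely to show the shape of the rule being warned about.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.11-192.168.88.19 disabled=yes comment="DO NOT USE: cycles between hosts"

# Reply packets of a dst-nat'd connection are translated back automatically
# by connection tracking; no separate src-nat rule is needed for them.
```

The forward-chain filter from the earlier example applies unchanged here: rules that accept only `connection-nat-state=dstnat` from the WAN work with any number of public addresses, since they key on the translation having happened rather than on the port or address used.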
 
webbsolution
newbie
Topic Author
Posts: 37
Joined: Tue Apr 28, 2015 6:14 am

Re: General port "acceptance" vs simple IP forwarding question

Wed Mar 02, 2016 11:13 pm

Or get the hardened gateway up and let it communicate with the back-end servers... then forward everything to that IP... done??
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: General port "acceptance" vs simple IP forwarding question

Thu Mar 03, 2016 10:49 pm

> Or get the hardened gateway up and let it communicate with the back-end servers... then forward everything to that IP... done??

That's always an option.... connect to an internal box and then connect to the LAN hosts via the internal box....