ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Port forwarding trouble

Thu Feb 06, 2020 9:19 pm

Hi Everyone, I am including a design of what I am looking to do and boy oh boy have I had my head scratching on how to port forward 3456 from my VDSL modem to a PC connected to M.T.2 WIFI.

I have included the rule in the modem's settings page but the port remains closed! I have tried with dstnat rules in both MTs but still can't figure it out. Can you please help?

Thank you !
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Port forwarding trouble

Thu Feb 06, 2020 10:06 pm

You must simply port forward the port 3456 from your VDSL router to Mikrotik 1 and then portforward from Mikrotik 1 to Mikrotik 2 and then port forward from Mikrotik 2 to your PC...
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Port forwarding trouble

Thu Feb 06, 2020 10:57 pm

Thank you Zacharias, to be honest I don't remember after so many tries if I did that, so I went and I forwarded from my modem port 3456 to M.T1. @ 192.168.0.1 with dstnat to 192.168.0.38 (MT2-Eth1), then the same dst nat from 192.168.0.38 (MT2 - Eth1) to 192.168.10.15 (PC) and still the port is closed.

Even by opening the port from the modem to M.T.1 without continuing the sequence, shouldn't the port appear as open? I mean if you have forwarded a port to a PC and that PC is turned off, because the port is open on the modem shouldn't it appear open even though the PC is off?

Should I be including the source address on the MT's as well? I do everything from WinBox...just wanted to make sure.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding trouble

Thu Feb 06, 2020 11:31 pm

If modem and both MT routers are in same 192.168.0.0/24 (is MT1 just bridge?), then forward port from modem directly to MT2's address. You should probably share more details about how everything is configured, because it seems a little strange, it's not clear what MT1 is doing there.

And no, opening ports works in a different way. A port is open when you connect to it and something responds. It's closed when (in simple words) something responds and tells you it's closed. If nothing responds, the port is usually called filtered. When you forward a port somewhere, the device just changes the destination and sends packets there, it doesn't otherwise interfere. So from outside, you can't really tell how far it went, if the problem is with the modem, next router or target PC.
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Port forwarding trouble

Fri Feb 07, 2020 12:01 am

Hi Sob, so would you say that in order for a port to appear open something has to "knock" and something has to be awaiting to respond to that "knock" and open it? In other words when I try an open-port-check-tool from the Internet to 3456, because there is no device waiting to reply back, the port appears as not open? If that is the case I believe I am getting to it...

My modem is a regular ISP basic modem and I have turned off its wifi and its DHCP server and given it a static IP. One of its ports is connected on a switch and on that switch M.T1. is also connected together with M.T2 . On the rest of the modem's ports there are other devices that receive IP addresses through M.T.1 (the modem works as a switch)

M.T.1 runs the DHCP server and through a pool, hands in addresses to devices that connect to it, through physical ports and its WIFI AP. The ports and the Wifi AP are all bridged . The address of the network is 192.168.0.0/24 .

Where everything physically is, I need to have a separate subnet (thus the 192.168.10.0/24) and have given to MT2's WIFI AP bridge address: 192.168.10.10, this latter one also runs a DHCP server and gives out through a pool address 192.168.10.15 that I need to access from the Internet through port 3456 . The Ethernet of M.T2 runs a DHCP client and receives an address from M.T.1: 192.168.0.38

I tried to put it as simply as possible to avoid confusing you and the members, apologies if I didn't succeed, but please let me know if you need any more info and I will get right back.
 
mkennedy67
just joined
Posts: 6
Joined: Thu Jul 05, 2018 8:36 pm
Location: Canada

Re: Port forwarding trouble

Fri Feb 07, 2020 12:44 am

Hi there, here's what I would try:

Modem:
* Name, can be anything
* Protocol, should be tcp, udp, or both depending on your needs
* WAN connection, leave as is
* WAN Host IP Range, I'm unsure if this is locking the forwarding to a source IP or something else, can leave as is for now
* MAC mapping, leave unset
* LAN Host IP, set to 192.168.0.1
* WAN Port Range, set to 3456-3456
* LAN Host Port Range, can sometimes leave these blank, as it's for port redirection, but you could also set to 3456-3456 too.

M.T.1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.1 dst-port=3456 protocol=tcp to-addresses=192.168.0.38

M.T.2
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.38 dst-port=3456 protocol=tcp to-addresses=192.168.10.15

Device at 192.168.10.15:
Ensure firewall allows for inbound connections on the port you're forwarding and that the program/service is configured to use that port.

That should do it, but if it still doesn't work it may be blocked at the ISP end of things.

edit: Also, as you suspected, yes, the device does need to be there and active for the port to show as open.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding trouble

Fri Feb 07, 2020 5:25 am

To me, "knock" sounds confusing. There's simply packet going to some address and port.

If it's tcp, you can get a packet back, saying that the connection was accepted (open port). Or you get a different packet saying that the connection wasn't accepted (closed port). Or you don't get anything (your initial packet was dropped by firewall or target device is turned off).

If it's udp, closed port is the same, you'll get packet back. Filtered port is also the same, you get nothing. Open port is more difficult. If whatever is listening on that port responds to you, you get that. But if it's listening, accepts packet, but doesn't send anything back, you can't really tell the difference from filtered port.

If MT1 has everything bridged, you can ignore it. You can do either:

a) On modem, forward port to 192.168.0.38 and on MT2 forward the same port to 192.168.10.15.

b) On modem, if it has such option, add static route to 192.168.10.0/24 via 192.168.0.38. Then forward port from modem directly to 192.168.10.15. And you also won't need NAT on MT2 at all.
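
The port states described in the post above, written as a small probe. This is an added example, not part of the original thread; the function names `probe_tcp` and `probe_udp` are made up here, and it goes slightly beyond the post by also counting ICMP unreachable errors on TCP as "filtered".

```python
import socket

def probe_tcp(host, port, timeout=2.0):
    """TCP: 'open' (accepted), 'closed' (refused) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # SYN answered with SYN/ACK
        return "open"
    except ConnectionRefusedError:     # SYN answered with RST
        return "closed"
    except OSError:                    # timeout or ICMP unreachable
        return "filtered"
    finally:
        s.close()

def probe_udp(host, port, timeout=2.0):
    """UDP: a silent listener and a dropped packet cannot be told apart."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # connected socket, so ICMP errors surface
        s.send(b"\x00")
        s.recv(2048)                   # any reply proves something is listening
        return "open"
    except (ConnectionRefusedError, ConnectionResetError):
        return "closed"                # ICMP port unreachable came back
    except OSError:                    # nothing arrived before the timeout
        return "open|filtered"
    finally:
        s.close()

if __name__ == "__main__":
    import sys                         # usage: probe.py HOST PORT
    host, port = sys.argv[1], int(sys.argv[2])
    print("tcp:", probe_tcp(host, port), "udp:", probe_udp(host, port))
```

Run from outside the network, "closed" means some device along the forward chain actively refused, while "filtered" means the packet vanished at the modem, a router firewall or a powered-off target.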
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Port forwarding trouble

Fri Feb 07, 2020 9:53 am

Thank you @mkennedy67. It makes total sense what you just pointed out. I followed the rules but still the port does not respond.

Edit: I forgot to mention that I checked with the ISP and they confirmed they don't block any ports or services.

Thank you @Sob, things are more clear now! I followed your advice as well and still the port remains closed. I will attach the rule I entered in the modem.

I can definitely see packets (from the MTs counter) arriving @ /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.0.38 dst-port=3456 protocol=tcp to-addresses=192.168.10.15

but like I said the port remains closed... So I figure somewhere a rule that exists or doesn't "corrupts" things.

Would it be of help if I were to export settings?

OMG just thinking that I have failed to mention something that is important. My most sincere apologies!
On M.T2 I have an OVPN server that listens to 3456
M.T.2 has Eth1 @ 192.168.0.38 and WIFI AP bridge at 192.168.10.10 (PC connected there has 192.168.10.15)
I am trying to connect an OVPN client from location X to that OVPN SERVER so that the PC can access the LAN on that other side...OMG OMG soooo sorry everyone ...
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Port forwarding trouble

Fri Feb 07, 2020 11:31 am

OK for some reason the modem to M.T2 port forward rule didn't work, but.......

A) on M.T.1 /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.0.1 dst-port=3456 protocol=tcp to-addresses=192.168.0.38

B) /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.0.38 dst-port=3456 protocol=tcp to-addresses=192.168.10.10 (to ports 3456) did the trick .

I thought that on M.T.2 I needed masquerade srcnat rules for both (especially for the AP 192.168.10.0/24) but it works even if I disable them...

I'm clueless :-) Again, thank you all as I wouldn't have done it without you!!!
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Port forwarding trouble

Fri Feb 07, 2020 2:53 pm

What does MT2 have as default gateway? Is it 192.168.0.254 (modem) or MT1 (192.168.0.1)?

The whole thing looks a little strange. As it's now, the modem is still working as router. Ideally, you want the modem completely transparent, usually it's called bridge mode. In this mode, there's some IP config only for management, but access to internet is configured on your router with some PPPoE client as WAN interface. In case you get public IP address, it's directly on router instead of on modem, so you have better control over it.