Hi,

I need some help on doing my port forward to access my wAP, my RB951Ui-2HnD from my CCR1009-7G-1C-1S+. Also i like to know how to for others in the picture.
Router OS 6.37.1 on my CCR1009 and 6.37.3 at my wAP and RB951Ui-2HnD
This is the theory I'm trying to apply.

Port forwarding on RouterOS

Port forwarding consists of three parts - forwarding in both directions and accepting packets in forward chain. All of these three parts must be correct in order to have working port forwarding configuration.

Lets use as an example public IP address x.x.x.x and local address y.y.y.y. Gateway interface name in example is "wan_interface".

Example should be adjusted for specific ports, addresses, interfaces and so on. Example only should be used to understand idea of port forwarding (written on 6.35.4 RouterOS):

1) NAT to local address (redirect all requests for x.x.x.x address to y.y.y.y):
/ip firewall nat add chain=dstnat action=dst-nat in-interface=wan_interface dst-address=x.x.x.x to-addresses=y.y.y.y

2) NAT from local address back to public IP (change source address to public IP for replies):
/ip firewall nat add chain=srcnat action=masquerade out-interface=wan_interface
or
/ip firewall nat add chain=srcnat action=src-nat src-address=y.y.y.y to-addresses=x.x.x.x out-interface=wan_interface

3) In case firewall filters are used to drop some traffic you must be sure that forward packets which belong to natted connection are accepted:
/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related


I apply this but i cant access my AP or Internal Router, even if i try with WinBox or Web.

If someone can help me,

Thanks

3) In case firewall filters are used to drop some traffic you must be sure that forward packets which belong to natted connection are accepted:
/ip firewall filter add chain=forward action=accept in-interface=wan_interface connection-nat-state=dstnat connection-state=established,related

In my case this rule does not work. Try to accept traffic in input chain.

Remove connection-state=established,related from your rule. If you have it there, it does not allow first packet of connection, which has connection-state=new. Just keep connection-nat-state=dstnat, it's enough.