
Port forwarding

Posted: Thu Sep 19, 2019 8:06 pm
by walkbyfaith
Hello,
I have an RB422 running 6.45.3. I have a port forwarding rule as follows

;;;Remote Access ports for ABC Company
chain=dstnat action=dst-nat to-addresses=192.168.100.20 to-ports=38880-38884 protocol=tcp dst-address=<IP ADDRESS OF ETH1> dst-port=38880-38884 log=no log-prefix=""

This rule is working, but this company has a couple of credit card swipers behind this firewall in the same range as the rest of the LAN segment of 192.168.100.0/24. The CC swipers are directly connected to a switch and the switch is directly connected to the RB433. Unfortunately they have to meet PCI compliance and the credit card processor they use performs random scans of their systems and discovered the open ports in the rule above, thus failing their PCI compliance.
Is there any way to place those ports in a "stealth" mode but still allow the traffic to pass through? Any suggestions would be greatly appreciated.

Re: Port forwarding

Posted: Thu Sep 19, 2019 9:57 pm
by Sob
If you don't need to have those ports open to the whole world, you can add the src-address(-list) parameter and have them open only for selected client(s). If that's not possible, you could try port knocking, so they would be closed, but you'd be able to open them from anywhere you need.
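Sob's port-knocking suggestion written out as RouterOS 6.x firewall rules, as an added example that is not part of the original thread. It assumes ether1 is the WAN interface, 1.1.1.1 is the router's public address and 192.168.100.20 is the application server from the original post; the knock ports (9000, 8000, 7000) and the address-list names are invented for the example. The knock sequence is deliberately descending so that an ordinary ascending port scan cannot complete it by accident.

```routeros
# Added example, not from the thread. Assumptions: ether1 = WAN, 1.1.1.1 = public
# address, 192.168.100.20 = application server; knock ports and list names are invented.

/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="keep existing sessions"
# Stage 1: a SYN to port 9000 puts the source in "knock1" for 15 seconds.
add chain=input in-interface=ether1 protocol=tcp dst-port=9000 \
    action=add-src-to-address-list address-list=knock1 \
    address-list-timeout=15s comment="knock stage 1"
# Stage 2: port 8000 only counts if the source already passed stage 1.
add chain=input in-interface=ether1 protocol=tcp dst-port=8000 \
    src-address-list=knock1 action=add-src-to-address-list \
    address-list=knock2 address-list-timeout=15s comment="knock stage 2"
# Stage 3: port 7000 completes the sequence; the source may use the forward for 8h.
add chain=input in-interface=ether1 protocol=tcp dst-port=7000 \
    src-address-list=knock2 action=add-src-to-address-list \
    address-list=knocked address-list-timeout=8h comment="knock stage 3"
# None of the rules above accepts anything: the knock packets themselves fall
# through to this drop, so the router never answers on the knock ports, and a
# scanner sees 38880-38884 as filtered rather than closed.
add chain=input in-interface=ether1 action=drop \
    comment="drop everything else from WAN"

/ip firewall nat
# The forward only matches sources that completed the sequence.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=38880-38884 \
    src-address-list=knocked action=dst-nat to-addresses=192.168.100.20 \
    comment="Remote Access ports for ABC Company"

/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="keep existing forwarded sessions"
# Only dst-natted connections from the knocked list may cross into the LAN.
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    src-address-list=knocked action=accept comment="allow knocked sessions"
add chain=forward in-interface=ether1 action=drop \
    comment="drop unsolicited WAN->LAN"
```

A client opens the forward with three SYNs in order, e.g. `for p in 9000 8000 7000; do nc -z -w 1 1.1.1.1 $p; done`, then connects to 1.1.1.1:38880 as before. The final input drop is what makes the ports look "stealth" to the processor's scanner; it is equally needed with a plain src-address restriction, because without it the router answers with a TCP RST and the scan reports the port as closed instead of filtered. Knocking is not authentication: anyone sharing the client's public address (the whole household behind one NAT) is admitted once the sequence has been sent, and the sequence itself is visible to anyone on the path.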

Re: Port forwarding

Posted: Fri Sep 20, 2019 6:50 pm
by gotsprings
If the port doesn't change between WAN and LAN... you don't need
to-ports=38880-38884
As for the compliance scans...
SOB was asking if those ports need to be open to the whole world or only the POS servers?
For example... at one of my bars, they used an online ordering company. This was before DoorDash and UberEats-like services. At first the ordering company asked me to "just open these ports". As expected... got a PCI notice from the first test. I contacted the POS company and found a higher-level tech who knew the IP addresses of their servers. I added that to the NAT rule in src-address. Next PCI scan came back clean, as the NAT rule would only work if the packet came from the src-address of their servers.
Make 1.1.1.1 YOUR WAN IP
Make 3.3.3.3 THEIR SERVERS IP
/ip firewall nat
add action=dst-nat chain=dstnat comment="POS Forwards" dst-address=\
    1.1.1.1 dst-port=38880-38884 protocol=tcp src-address=3.3.3.3 to-addresses=\
    192.168.100.20

Re: Port forwarding

Posted: Fri Sep 20, 2019 6:58 pm
by walkbyfaith
The src-addresses are dynamic addresses. The clients' home computers are using them to access an application behind the firewall, and they are in another city with DHCP public IP addresses, so I can't add them as the src-address. As for port knocking, since they randomly access this application using these ports, it would be very tedious to open and close ports when needed. As I'm writing this post I was thinking of setting up a VPN; this would provide the security they need without exposing the application server. Thanks for all the replies, I'll keep this up to date as to what happens next.

Re: Port forwarding

Posted: Sat Sep 21, 2019 3:20 pm
by gotsprings
They are not going to set up a VPN.

If they have dynamic servers... Find out if they have a domain.

You could resolve the domain and have a script punch it into the src-address when a change happens.

Or with the addition of address lists... You can put the domain in there and it will resolve it as often as the TTL from their service.
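Both of gotsprings' alternatives in RouterOS 6.x form, as an added example that is not part of the original thread: an address list that the router keeps resolved on its own, and a scheduled script that resolves the name and rewrites the NAT rule's src-address. It assumes the remote client publishes a dynamic DNS name for its current address (pos.example.com, invented), that the router has working DNS servers configured, and the same ether1 / 1.1.1.1 / 192.168.100.20 layout as gotsprings' rule; the list, script and scheduler names are made up for the example.

```routeros
# Added example, not from the thread. Assumptions: pos.example.com is a dynamic DNS
# name the client keeps updated (invented); router DNS is configured; ether1 = WAN.

# Option A: put the name in an address list. RouterOS creates a dynamic entry for
# each A record and re-resolves it when the record's TTL runs out.
/ip firewall address-list
add list=pos-clients address=pos.example.com comment="resolved by router per TTL"

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=1.1.1.1 \
    dst-port=38880-38884 src-address-list=pos-clients action=dst-nat \
    to-addresses=192.168.100.20 comment="POS Forwards"

# Option B: resolve the name on a schedule and patch the rule's src-address.
# Only the first rule carrying the comment is touched; on a lookup failure the
# current address is kept rather than blanking the match (which would open the
# forward to everyone).
/system script
add name=update-pos-src source={
    :local name "pos.example.com"
    :local rule [:pick [/ip firewall nat find comment="POS Forwards"] 0]
    :if ([:len $rule] = 0) do={ :error "POS Forwards rule not found" }
    :do {
        :local new [:tostr [:resolve $name]]
        :local cur [:tostr [/ip firewall nat get $rule src-address]]
        :if ($cur != $new) do={
            /ip firewall nat set $rule src-address=$new
            :log info ("POS Forwards src-address changed " . $cur . " -> " . $new)
        }
    } on-error={
        :log warning ("could not resolve " . $name . ", keeping current src-address")
    }
}
/system scheduler
add name=update-pos-src interval=5m on-event=update-pos-src
```

Option A is simpler and follows the record's TTL exactly, but it fails closed: if the router cannot resolve the name the dynamic entry expires and the forward stops matching until DNS is back. Option B keeps the last known address through a DNS outage, at the cost of the scheduler interval as an upper bound on how stale it can be. With either option the processor's scanner never matches the src-address, so the forward does not apply to it and the ports stay filtered, provided the input chain ends in a drop for ether1 traffic. Note that a home client's dynamic DNS name identifies its whole public address, not the one computer; everything behind that address is admitted.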