I have an hEX Mikrotik router, factory default settings, latest firmware.

By default it comes with eth2 to eth5 bridged, and eth1 as the "WAN" port, plus a few Firewall rules. By default the bridged network is 192.168.0.0/24.

I have a server (192.168.0.96) with an HTTP service listening on port 9090, connected to one of the bridged ethernet interfaces. Fixed IP with static DHCP lease.

If I follow any of the examples/tutorials about port forwarding, they mention doing:

/ip firewall nat
add chain=dstnat dst-address=10.42.0.2 protocol=tcp dst-port=9090 action=dst-nat to-address=192.168.0.96 to-port=9090
add chain=srcnat out-interface=WAN action=masquerade

Where dst-address=10.42.0.2 is the public address from the WAN, and 192.168.0.96 is the internal server's address we want to forward to. The port used in the example is 1:1 mapping, that is, coming from 9090 and forwarded to port 9090. I've also seen variations where instead of 'dst-address' they specify the 'in-interface'.

This isn't working at all. If I set up the NAT rule to log, it logs this:

dstnat: in:ether1 out:(unknown 0), src-mac ab:cd:f1:ab:cd:f2, proto TCP (SYN), 10.42.0.1:58940->10.42.0.2:9090, len 60

It's as if it can't resolve the destination address. I can see the packet counter increasing in the rule, but nothing responds to it.

I just reset the Mikrotik hEX to factory settings, add the static lease, add the dst-nat rule, and nothing else. Every example I've read mentions nothing about doing anything else to the default settings (additional rules, removing existing ones, etc.). They all just mention adding the forwarding rule and at most the masquerade rule.

I can query the HTTP service on the port 9090 just fine from a computer also connected to any of the bridged ethernet interfaces (they're all on the 192.168.0.0/24 network).

What else could be missing?

EDIT: Edited question details to match the configuration I have right now after trying more things and changing networks around.

The extra thing I did was removing ether5 from the bridge and setting it up separately under its own subnet to avoid messing up and being unable to reach the router admin panel.

I don't have an actual WAN to test this out right now, so what I am doing is setting up a static address on ether1 (10.42.0.2), and connecting to it a Raspberry Pi, with the address 10.42.0.1, then issuing a

wget http://10.42.0.2:9090
Connecting to 10.42.0.2:9090...

It stays there forever. Doing this from inside the router's bridged network works just fine (say, requesting from 192.168.0.99 to 192.168.0.96:9090). Doing it from outside/ether1 via the NAT rule does nothing as I described. Counters go up but no forwarding seems to happen.

Here is the export:

/ip dhcp-server
add disabled=no interface=bridge name=dhcp-bridge
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add comment="admin pool" name=pool-admin ranges=192.168.3.2
/ip dhcp-server
add address-pool=pool-admin disabled=no interface=ether5 lease-time=5m name=dhcp-admin
/ip address
add address=192.168.0.1/24 comment=addr-bridge interface=bridge network=192.168.0.0
add address=10.42.0.2/24 interface=ether1 network=10.42.0.0
add address=192.168.3.1/24 comment=addr-admin interface=ether5 network=192.168.3.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.0.96 mac-address=A1:B1:D1:F1:AA:BB server=dhcp-bridge
add address=192.168.0.99 mac-address=A2:B2:D2:F2:AA:BB server=dhcp-bridge
add address=192.168.0.98 mac-address=A3:B3:D3:F3:AA:BB server=dhcp-bridge
/ip dhcp-server network
add address=10.42.0.0/24 gateway=10.42.0.1 netmask=24
add address=192.168.0.0/24 comment=network-bridge gateway=192.168.0.1 netmask=24
add address=192.168.3.0/24 comment=network-admin dns-none=yes gateway=192.168.3.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=forward dst-port=9090 in-interface-list=WAN protocol=tcp src-port=""
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=9090 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.0.96 to-ports=9090
add action=masquerade chain=srcnat comment="defconf: masquerade" log=yes out-interface-list=WAN
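The logged line quoted in the question is the only evidence the poster has that the dst-nat rule is matching, so it helps to turn such lines into structured events and check them against the rule's matchers and its intended translation. This is an added example, not code from the question or from RouterOS; the sample log lines are constructed in the shape the question shows, and the RULE dict is a hypothetical representation of the question's own dst-nat rule.

```python
import re

# Constructed sample lines in the shape RouterOS writes for a rule with log=yes.
# The first mirrors the line quoted in the question; the second is an unrelated UDP packet.
SAMPLE_LOGS = [
    "dstnat: in:ether1 out:(unknown 0), src-mac ab:cd:f1:ab:cd:f2, "
    "proto TCP (SYN), 10.42.0.1:58940->10.42.0.2:9090, len 60",
    "dstnat: in:ether1 out:(unknown 0), src-mac ab:cd:f1:ab:cd:f2, "
    "proto UDP, 10.42.0.1:5353->10.42.0.2:53, len 80",
]

# Field layout of the log line: "<chain>: in:<if> out:<if>, src-mac <mac>,
# proto <PROTO> (<flags>), <src>:<port>-><dst>:<port>, len <n>".
# In the prerouting dstnat chain the out interface is not yet known, hence "(unknown 0)".
LOG_RE = re.compile(
    r"^(?P<chain>[^:]+): in:(?P<in_if>\S+) out:(?P<out_if>\(unknown 0\)|\S+), "
    r"src-mac (?P<src_mac>[0-9A-Fa-f:]{17}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"len (?P<length>\d+)$"
)

def parse_log(line):
    """Turn one RouterOS firewall log line into a dict; None if the shape is unknown."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("src_port", "dst_port", "length"):
        ev[key] = int(ev[key])
    ev["flags"] = ev["flags"] or ""
    return ev

# Hypothetical dict form of the question's rule:
# chain=dstnat in-interface=ether1 protocol=tcp dst-port=9090 to-addresses=192.168.0.96 to-ports=9090
RULE = {"chain": "dstnat", "in_interface": "ether1", "protocol": "tcp",
        "dst_port": 9090, "to_addresses": "192.168.0.96", "to_ports": 9090}

def rule_matches(ev, rule):
    """True when the logged packet satisfies every matcher the rule specifies."""
    return (ev["chain"] == rule["chain"]
            and ev["in_if"] == rule["in_interface"]
            and ev["proto"].lower() == rule["protocol"]
            and ev["dst_port"] == rule["dst_port"])

def expected_translation(ev, rule):
    """(address, port) the packet should be sent to after dst-nat, or None if the rule does not apply."""
    if not rule_matches(ev, rule):
        return None
    return (rule["to_addresses"], rule["to_ports"])
```

A log line that parses and matches only proves the packet reached the rule; whether the translated packet is then allowed through the forward chain and answered by the server is a separate question that these lines cannot settle.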
