Which command forwards TCP port 22 from WAN to internal host 192.168.1.5:22 using DST NAT?

• A. /ip firewall nat add chain=srcnat dst-address=<WAN_IP> protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.5 to-ports=22
• B. /ip firewall nat add chain=dstnat dst-address=<WAN_IP> protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.1.5 to-ports=22
• C. /ip firewall nat add chain=dstnat dst-address=<WAN_IP> protocol=tcp dst-port=22 action=drop to-addresses=192.168.1.5 to-ports=22
• D. /ip firewall nat add chain=dstnat dst-address=192.168.1.5 protocol=tcp dst-port=22 action=dst-nat to-addresses=<WAN_IP> to-ports=22

Answer: (B)

Port forwarding uses destination NAT to take traffic that arrives on the router’s external interface and send it to an internal host. For forwarding SSH (port 22) from the WAN to 192.168.1.5, you need a rule in the destination NAT (dstnat) chain that matches traffic coming to your WAN IP on TCP port 22. The rule then rewrites the destination to the internal host, optionally preserving the port.

So the correct setup is: match destination address equal to your WAN IP, protocol TCP, destination port 22, and perform dst-nat to the internal host 192.168.1.5 with the port maintained at 22. This causes inbound connections to the router’s WAN IP on port 22 to be redirected to 192.168.1.5:22.

The other approaches don’t fit: using the source NAT (srcnat) chain is for outbound traffic, not inbound port forwarding; dropping the traffic would block it instead of forwarding; pointing the rule at the internal host as the destination would apply to traffic addressed to the internal device, not to traffic arriving on the WAN.