I have Vbox VM Debian at 192.168.1.3 . It works and 80(web) and 22(ssh) accesible form my pc 192.168.1.2.
VM network in bridge mode.
My pc connected to router by WIFI.
I am trying to access to my pc 3389 RDP port and VM 80(browser) and 5555(ssh) port from inernet. But allways connection refused.
22 i remaped to 5555. because of 22 used by router.
/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdcb:9e09:1ae7::/48'

config interface 'lan'
    option ifname 'lan1 lan2 lan3 lan4'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option ifname 'wan'
    option proto 'dhcp'
    option macaddr '00:23:54:45:fc:50'
    option hostname 'xxx'
    option reqopts 'staticroutes msstaticroutes'

config interface 'wan2'
    option ifname 'wan2'
    option proto 'none'
    option macaddr '00:23:54:45:fc:50'
    option ifname 'ppp0'
    option username 'xxx'
    option password 'xxx'

/etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option network 'wan wan2'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'igmp'
    option name 'IGMP'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option name 'UDP Multicast'
    option proto 'udp'
    option dest_ip '239.0.0.0/8'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '8888'
    option dest_ip '192.168.1.1'
    option dest_port '8888'
    option name 'udpxy'

config rule
    option src 'wan'
    option target 'ACCEPT'
    option proto 'tcp'
    option dest_port '22'

config redirect
    option name 'wol'
    option proto 'udp'
    option src_dport '23001'
    option dest_port '9'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option dest_ip '192.168.1.2'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '5555'
    option dest_ip '192.168.1.3'
    option dest_port '22'
    option name 'sshvm1'
    
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '80'
    option dest_ip '192.168.1.3'
    option dest_port '80'
    option name 'webvm1'    
    
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '3389'
    option dest_ip '192.168.1.2'
    option dest_port '3389'
    option name 'rdp1'

/etc/config/wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option path 'platform/ath9k'
    option disabled '0'
    option noscan '1'
    option channel '1'
    option hwmode '11ng'
    option txpower '30'
    option country 'TW'
    option htmode 'HT40+,SHORT-GI-20,SHORT-GI-40,40-INTOLERANT'

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'xxx'
    option encryption 'psk2+aes'
    option key 'xxx'

I think it because WIFI. Anybody know why connection refused?