User's answers under the tag System Administration
  • MikroTik port forwarding doesn't work. Where is the error?

    @SofroN Question author
    The error has been localized: I added a rule and port forwarding started working
    ;;; RDP
          chain=forward action=accept protocol=tcp dst-address=192.168.1.0/24 
          dst-port=3390,3966,3990,3991,4132,3389 log=no log-prefix=""

    But which rule is wrong, then? All the rules. I thought that rules No. 8 and No. 9 should have solved the problem
    Flags: X - disabled, I - invalid, D - dynamic 
     0    ;;;             invalid            
          chain=input action=drop connection-state=invalid in-interface=ether1-wan 
          log=yes log-prefix="DROP-INVALID-INPUT" 
    
     1    ;;;             invalid            
          chain=forward action=drop connection-state=invalid 
          in-interface=ether1-wan log=yes log-prefix="DROP-INVALID-FORWARD" 
    
     2    ;;;                                   
          chain=input action=accept connection-state=established 
          in-interface=ether1-wan log=no log-prefix="" 
    
     3    ;;;                                
          chain=input action=accept connection-state=related 
          in-interface=ether1-wan log=no log-prefix="" 
    
     4    ;;;                                              
          chain=forward action=accept connection-state=established 
          in-interface=ether1-wan log=no log-prefix="" 
    
     5    ;;;                                          
          chain=forward action=accept connection-state=related 
          in-interface=ether1-wan log=no log-prefix="" 
    
     6    ;;;                                          
          chain=input action=accept src-address=192.168.1.0/24 
          in-interface=!ether1-wan log=no log-prefix="" 
    
     7    ;;;                                                        
          chain=forward action=drop src-address-list=block-Internet-to-local-client 
          out-interface=ether1-wan log=yes log-prefix="BLOCK-INTERNET" 
    
     8    ;;;                                     
          chain=forward action=accept src-address=192.168.1.0/24 
          in-interface=!ether1-wan log=no log-prefix="ACCEPT-LAN" 
    
     9    ;;;                                              
          chain=forward action=accept src-address=192.168.1.0/24 
          out-interface=ether1-wan log=no log-prefix="" 
    
    10    ;;;                ICMP
          chain=input action=accept protocol=icmp in-interface=ether1-wan log=no 
          log-prefix="" 
    
    11    ;;;     8
          chain=forward action=accept protocol=tcp in-interface=ether1-wan 
          dst-port=80,2349,3053,3055 log=no log-prefix="" 
    
    12    ;;;     6
          chain=forward action=accept protocol=tcp in-interface=ether1-wan 
          dst-port=81,2350,3058,3059 log=no log-prefix="" 
    
    13    ;;;              
          chain=forward action=accept protocol=tcp in-interface=ether1-wan 
          dst-port=3070 log=no log-prefix="" 
    
    14    ;;;           
          chain=forward action=accept protocol=tcp in-interface=ether1-wan 
          dst-port=8919 log=no log-prefix="" 
    
    15    ;;;       1         
          chain=forward action=accept protocol=tcp src-address-list=remote-office 
          in-interface=ether1-wan dst-port=1540,1541,1560-1591 log=no log-prefix="" 
    
    16    ;;; RDP
          chain=forward action=accept protocol=tcp in-interface=ether1-wan 
          dst-port=3390,3966,3990,3991,4132 log=no log-prefix="" 
    
    17    ;;; VoIP                           
          chain=forward action=accept protocol=udp src-address-list=remote-office 
          in-interface=ether1-wan dst-port=5060,13000-18000 log=no log-prefix="" 
    
    18    ;;;                                                      
          chain=forward action=drop in-interface=ether1-wan log=yes 
          log-prefix="DROP-FORWARD" 
    
    19    ;;;                                                    
          chain=input action=drop in-interface=ether1-wan log=yes 
          log-prefix="DROP-INPUT"

    UPD: even just adding port 3389 to rule No. 16 solves the issue
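
The behaviour described in the post can be reproduced with a first-match model of the listed forward chain; this is an added example, not part of the original post. RouterOS applies dst-nat before the forward filter, so the filter sees the translated destination port. Assumptions: the NAT rules (not shown in the post) rewrite the external RDP ports to 3389, and the interface name `bridge-lan` and the address 203.0.113.10 are constructed.

```python
from ipaddress import ip_address, ip_network

WAN, LAN_IF = "ether1-wan", "bridge-lan"   # LAN_IF is a hypothetical name
LAN = ip_network("192.168.1.0/24")

def ports(spec):  # expand a RouterOS port list such as "3390,3966" or "1560-1591"
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out
def tcp_wan(number, spec):
    return (number, "accept", {"proto": "tcp", "in": WAN, "dport": ports(spec)})

# Forward rules from the listing that can match a NEW packet whose source is in
# no address list (state rules 1, 4, 5 and list rules 7, 15, 17 are left out).
FORWARD = [
    (8, "accept", {"src": LAN, "in": "!" + WAN}),
    (9, "accept", {"src": LAN, "out": WAN}),
    tcp_wan(11, "80,2349,3053,3055"),
    tcp_wan(12, "81,2350,3058,3059"),
    tcp_wan(13, "3070"),
    tcp_wan(14, "8919"),
    tcp_wan(16, "3390,3966,3990,3991,4132"),
    (18, "drop", {"in": WAN}),
]

def iface_ok(cond, iface):
    return iface != cond[1:] if cond.startswith("!") else iface == cond
def matches(cond, pkt):
    return (cond.get("proto", pkt["proto"]) == pkt["proto"]
            and all(iface_ok(cond[k], pkt[k]) for k in ("in", "out") if k in cond)
            and ("src" not in cond or pkt["src"] in cond["src"])
            and ("dport" not in cond or pkt["dport"] in cond["dport"]))

def evaluate(rules, pkt):  # first matching rule wins; no match means accept
    for number, action, cond in rules:
        if matches(cond, pkt):
            return number, action
    return None, "accept"

def add_port(rules, number, port):  # copy of the chain with one dst-port added
    return [(n, a, {**c, "dport": c["dport"] | {port}} if n == number else c)
            for n, a, c in rules]

# Assumption: dport is the port AFTER dst-nat (3389 for the forwarded RDP hosts).
def packet(in_if, out_if, src, dport):
    return {"proto": "tcp", "in": in_if, "out": out_if,
            "src": ip_address(src), "dport": dport}
```

Rules 8 and 9 match only on `src-address=192.168.1.0/24`, so they cover traffic originating from the LAN, while a new inbound connection carries a WAN source address and falls through to rule 18 unless a rule lists the translated port.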