Techsystem
Member
Topic Author
Posts: 354
Joined: Tue Dec 21, 2021 5:12 am

Security issue with DST NAT rules

Thu Apr 25, 2024 6:17 am

Hi Mikrotik people there..!
Do you think that creating a DST NAT rule in MikroTik is considered to be a security vulnerability in the router?
I mean, today my 3CX installer set up the 3CX software on my server. Then he opened 10 ports on my MikroTik router, arguing that this is necessary for the system to work. Does it make sense to leave 10 ports open in this way without any problem in the future?
 
jvanhambelgium
Forum Veteran
Posts: 998
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Security issue with DST NAT rules

Thu Apr 25, 2024 8:24 am

https://www.3cx.com/docs/manual/firewal ... iguration/

Apparently for this SIP provider there seems to be quite some stuff you need to open, and they don't mention any of their public IPs / FQDNs of their SBCs...
I guess it depends on the SIP provider.
I have seen installations that only required an OUTBOUND connection to the cloud provider, no toying around with any DNAT mappings you have to make etc. (and no UPnP in scope, this is a corporate environment)

However, if you can make the DNAT combined with ACCESS-LIST to only whitelist the IPs from 3CX, that enhances the level of security already a lot?
 
anav
Forum Guru
Posts: 19542
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Security issue with DST NAT rules

Thu Apr 25, 2024 4:45 pm

Zero trust Cloudflare tunnel removes the need to open ports if you can run it.
Best bet is to create a source address list of allowed IPs, which renders ports invisible on scans, otherwise they are visible but closed on scans.
Any server you have open should have encrypted access in some way, shape or form.

I have a SIP modem to connect to my VoIP provider, and no ports and no port forwarding are required.
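
The source allowlist suggested in the replies above can be checked against a router's exported configuration. The following is an added example, not part of any post in this thread: a small Python audit that reads text in the style of `/ip firewall nat export` and reports enabled dst-nat rules with no source restriction. The sample export, its addresses and ports, and the list name `sip-allowed` are constructed placeholders, and the script only inspects NAT rules, so a restriction applied in the filter forward chain is not seen by it.

```python
import shlex

# Constructed sample in the style of RouterOS export output.
# Addresses, ports and the list name "sip-allowed" are placeholders.
SAMPLE_EXPORT = r'''
/ip firewall address-list
add address=203.0.113.10 list=sip-allowed comment="SIP provider (placeholder)"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.88.10 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5061 in-interface-list=WAN \
    protocol=tcp src-address-list=sip-allowed to-addresses=192.168.88.10
add action=dst-nat chain=dstnat disabled=yes dst-port=9000-10999 \
    protocol=udp to-addresses=192.168.88.10
'''

def unrestricted_dstnat(export_text):
    """Return (protocol, dst-port, to-addresses) for every enabled dst-nat
    rule that accepts traffic from any source address."""
    findings, section = [], None
    # Export output wraps long rules with a trailing backslash; rejoin them.
    for line in export_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip firewall nat" or not line.startswith("add "):
            continue
        rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        if rule.get("disabled") == "yes":
            continue
        # A negated match ("!list") excludes some sources but is not an allowlist.
        src = rule.get("src-address-list") or rule.get("src-address")
        if src and not src.startswith("!"):
            continue
        findings.append((rule.get("protocol", "any"),
                         rule.get("dst-port", "any"),
                         rule.get("to-addresses", "?")))
    return findings

if __name__ == "__main__":
    for proto, port, target in unrestricted_dstnat(SAMPLE_EXPORT):
        print(f"open to any source: {proto}/{port} -> {target}")
```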
