Mikrotik
serafims, 2017-08-11 11:02:13

How to properly configure the mikrotik firewall filter for port forwarding?

Input data:
Mikrotik with a public IP address. Behind it is FreePBX, listening on port 5060 UDP.
Made a dst-nat NAT rule for packets from the WAN interface to UDP ports 5060 and 10000-20000, forwarding them to the internal IP of the PBX.
Also made a Filter rule: DROP packets from the WAN interface coming NOT from the telephony provider's address pool to the above ports (so that all sorts of swindlers do not try to guess passwords).
The task is to open a port, say 9595, and forward it to port 5060 of the PBX, for a limited SIP client that can connect from any outside IP.
What I do: I add a dst-nat with the port specified.
But! This scheme does not work until I turn off the DROP Filter.
That is, as I understand it, a packet arrives at port 9595, DST-NAT turns it into a packet with Dst Port 5060, it goes to Filter Rules, and then to the PBX.
But how do I make it work without having to turn off the DROP Filter?
If the packet has passed NAT, how do I filter it? Something like: if it came to port 5060, we let it through from trusted addresses. If it came to port 5060 from other addresses, we drop it. If it came to port 9595, we let it through with the port changed to 5060 ...
I can’t figure out what characteristics of the packet are preserved when passing through NAT ...

2 answer(s)
Dmitry Alexandrov, 2017-08-11
@serafims

Don't cobble together a kludge; remove the drop rule on the MikroTik. Set up fail2ban on the Asterisk box and a firewall on it.

Oopss, 2017-08-11
@Oopss

Try guessing when nothing is visible; where are the rules? Maybe the packet arrives but does not go back? You only have dst.
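
The ordering the question asks about, as an added example that is not part of the original thread: in RouterOS, mangle prerouting runs before dst-nat and the forward filter runs after it, so the original port 9595 can be recorded as a connection mark and matched in the filter. The interface name `ether1-wan`, the PBX address `192.168.88.10`, the address list `sip-provider` with its sample range, and the mark name `sip-alt` are all assumptions.

```routeros
# Added example; names and addresses are placeholders, not taken from the thread.

# Provider address pool (constructed sample range).
/ip firewall address-list
add list=sip-provider address=203.0.113.0/24

# 1. Mangle prerouting sees the packet BEFORE dst-nat, so dst-port is still 9595.
#    Record that fact on the connection; the mark survives the port rewrite.
/ip firewall mangle
add chain=prerouting in-interface=ether1-wan protocol=udp dst-port=9595 \
    action=mark-connection new-connection-mark=sip-alt passthrough=yes

# 2. dst-nat rewrites the destination; from here on the packet shows dst-port 5060.
/ip firewall nat
add chain=dstnat in-interface=ether1-wan protocol=udp dst-port=9595 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=5060
add chain=dstnat in-interface=ether1-wan protocol=udp dst-port=5060,10000-20000 \
    action=dst-nat to-addresses=192.168.88.10

# 3. Forward filter runs AFTER dst-nat. A rule matching dst-port=5060 cannot tell
#    the two entry ports apart, but the connection mark can.
#    Rule order matters: the accept must sit above the drop.
/ip firewall filter
add chain=forward connection-mark=sip-alt action=accept \
    comment="SIP that entered on 9595, any source"
add chain=forward in-interface=ether1-wan protocol=udp dst-port=5060,10000-20000 \
    src-address-list=!sip-provider action=drop \
    comment="direct SIP/RTP only from the provider pool"
```

The mark covers only the signalling connection that arrived on 9595; RTP on 10000-20000 from the same client is a separate flow and is still subject to the drop rule.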
