Problem with port forwarding on ASUS DSL-AC52U router

[Adam Kumiszcza]

I'm trying to forward some ports after changing an old router to the new one. The old one was just an old Linux machine with following firewall rules:

# Generated by iptables-save v1.4.12 on Wed Oct 14 10:12:05 2015
*filter
: INPUT ACCEPT [53730:18124031]
: FORWARD ACCEPT [1072612:870721640]
: OUTPUT ACCEPT [91427:35453091]
-A FORWARD -d 192.168.0.113/32 -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d 192.168.0.113/32 -i eth1 -p tcp -m tcp --dport 37777 -j ACCEPT
-A FORWARD -d 192.168.0.113/32 -i eth1 -p udp -m udp --dport 37778 -j ACCEPT
(…)
COMMIT
# Completed on Wed Oct 14 10:12:05 2015
# Generated by iptables-save v1.4.12 on Wed Oct 14 10:12:05 2015
*nat
: PREROUTING ACCEPT [23334:1640424]
: INPUT ACCEPT [10245:693818]
: OUTPUT ACCEPT [61808:3877047]
: POSTROUTING ACCEPT [1904:122929]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.113:8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 37777 -j DNAT --to-destination 192.168.0.113:37777
-A PREROUTING -i eth1 -p udp -m udp --dport 37778 -j DNAT --to-destination 192.168.0.113:37778
(…)
-A POSTROUTING -o eth1 -j SNAT --to-source (WAN_IP)
COMMIT
# Completed on Wed Oct 14 10:12:05 2015

(…) here means there were additional rules, not relevant here. (WAN_IP) is my external IP.

I've set the new router (ASUS DSL-AC52U) as follows:
1. WAN -> Virtual Server / Port Forwarding:
Enable Port Forwarding: Yes
Service Name | Source IP | Port Range | Local IP | Local Port | Protocol
kam1 | | 8080 | 192.168.0.113 | | TCP
kam2 | | 37777 | 192.168.0.113 | | TCP
kam3 | | 37778 | 192.168.0.113 | | UDP

2. Firewall is turned off (I've tried turning it on, same problem).
3. WAN-DMZ is empty (I've tried putting 192.168.0.113 there, same problem).
4. System Log -> Port Forwarding shows the following:
Source Destination Proto. Port range Redirect to Local port
0.0.0.0 ALL TCP 8443 192.168.0.254 8443
0.0.0.0 ALL TCP 8080 192.168.0.113 8080
0.0.0.0 ALL TCP 37777 192.168.0.113 37777
0.0.0.0 ALL UDP 37778 192.168.0.113 37778

5. The first port above (8443) is temporarily turned on HTTPS port for the router on WAN and it works!
6. "Network map" on router shows proper WAN IP (same as in iptables rules above), so it's not some kind of double NAT issue.

Anyways, from outside:
λ nmap -Pn -sV -sS -T4 -p 8443,8080,37777 (WAN_IP)
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-26 07:58 ?rodkowoeuropejski czas letni
Nmap scan report for (WAN_IP)
Host is up (0.36s latency).

PORT STATE SERVICE VERSION
8080/tcp filtered http-proxy
8443/tcp open ssl/https-alt?
37777/tcp filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.74 seconds

Any ideas?