Visitor
Port Forward Not Working...
I've set up port forwards in the past and they are still open and functioning. I opened three new ports on the app and checked them on yougetsignal.com and they are all closed... In fact, if I remove the port forward, they go back to filtered. How does "opening" a port close it?? Anyways, this is incredibly frustrating because I've had this issue in the past and I know a plethora of others have too.
flatlander3
Problem Solver
2 years ago
Port forwarding rule changes do frequently fail to propagate to their gateways, if that's what you have, and the phone app is a horrid, insecure way to handle it.
That being said, pilot error can happen just as often too. What should you see? Let's try some nmap on a web server.
Firewall rule to internal machine with web server running. (works)
#nmap [ip] -p 80
PORT STATE SERVICE
80/tcp open http
Firewall rule to internal machine with web server stopped. (got past firewall, service is dead/not allowing traffic)
#nmap [ip] -p 80
PORT STATE SERVICE
80/tcp closed http
Firewall rule turned off to internal machine with web server running. (firewall doing its job)
#nmap [ip] -p 80
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Firewall rule turned off to internal machine with web server running, assume host is up. (Undetermined state, no response at all, firewall working)
#nmap -Pn [ip] -p 80
PORT STATE SERVICE
80/tcp filtered http
Two other things can happen now too. Let's say the port forward and web server is working. If you port scan a lot of these gateways, a little adaptive firewall rule feature kicks in if you hit too many ports from the same location, sometimes just adjacent ports (portscan block). Depends on how they wrote it. You might be able to disable it, maybe you can't. The rule may time out eventually. How long? Could be set to anything, maybe even forever or until the next reboot. When you do a port scan, only scan one port at a time with a delay between attempts.
The other common one is the service may allow local traffic, but not remote traffic. Windows Defender Firewall and anti-virus are notorious for this. Sometimes a missed pop-up to allow traffic during an install, or an incorrect selection. You can try shutting it off for a test, if that's what you are doing. Also make sure the service is running on something other than a loopback interface (127.0.0.1) and is bound to the machine IP address instead.
Whatever you do, you are going to need some way to mitigate hostile traffic. Also good if you only allow traffic from a specific location. An open port will get hammered, you will get pwnd, and then you'll be one of the hijacked comcast machines I see scanning my firewall constantly. Better is to run a VPN server yourself if you want access to your network from a remote site. Then at least you need an encryption key to even talk to the port, otherwise, it just says 'open|filtered'. Was it there? Meh. It didn't respond. It's a poor target.
(edited)
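The open/closed/filtered distinction flatlander3 walks through above can be reproduced without nmap using a plain TCP connect, which is handy when you want to confirm a forward from a remote box that has only Python. This is an added example, not code from the thread; the mapping of connect outcomes to nmap-style states (refused = closed, timeout = filtered) and the slow one-port-at-a-time scan are assumptions drawn from the post's advice.

```python
import socket
import time
from typing import Dict, Iterable


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect probe, classified the way nmap reports port states.

    open     - handshake completed: the forward and the service both work
    closed   - host answered with RST: traffic got past the firewall, but
               nothing is listening there (or it only listens on loopback)
    filtered - no answer before the timeout: a firewall or a missing
               forward is silently dropping the probe
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            # Network/host unreachable: an ICMP error from a router, not a
            # reply from the host, which nmap also reports as filtered.
            return "filtered"
        return "open"


def probe_ports_slowly(host: str, ports: Iterable[int],
                       delay: float = 5.0, timeout: float = 2.0) -> Dict[int, str]:
    """Probe ports one at a time with a pause between them, as the post
    advises, so a gateway's adaptive portscan blocker is not tripped by
    hitting several (or adjacent) ports from one source in quick succession."""
    results: Dict[int, str] = {}
    for i, port in enumerate(sorted(set(ports))):
        if i:
            time.sleep(delay)
        results[port] = probe_tcp_port(host, port, timeout)
    return results


def self_check() -> Dict[str, str]:
    """Offline demonstration on loopback (constructed, no real gateway needed):
    a listening socket probes 'open'; once it is shut down the kernel sends
    RST and the same port probes 'closed', exactly the transition the thread
    describes when the forward works but the service is dead."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    srv.close()
    stopped = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    return {"listening": listening, "stopped": stopped}


if __name__ == "__main__":
    print(self_check())  # {'listening': 'open', 'stopped': 'closed'}
```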
flatlander3
Problem Solver
2 years ago
Hard to debug on this end without knowing exactly what it is, and what service. If you can open a port and can change a port scan result from 'filtered' to 'closed', the port probably is actually open. I'd be looking at the device and the service running on it in that case, and try to figure out what it's doing. A reboot can be a good thing too sometimes with a firewall/gateway. Make sure state tables are clean, and rules loaded right.
If the device has a command line, netstat or sockstat will show you services bound to which address (loopback or IP or both *:80 as an example) -- depending on the OS. Harder with something like a smart device/outlet/lightbulb etc. Nothing to work with on the device.
If you use Wireshark on the same network, you might be able to sniff traffic and see if traffic can pass the firewall/gateway.
AviationAtom
Visitor
2 years ago
@user_9662eb I posted what worked for me on my own post (before I noticed your post). Give my advice a go and see if it works for you:
https://forums.xfinity.com/conversations/your-home-network/port-forwarding-not-actually-opening-ports/63b791c2ebc7551628370291