cowrv39
newbie
Topic Author
Posts: 28
Joined: Sat Nov 14, 2009 1:13 am

Firewall rules would not resolve DNS in bridge mode

Mon Feb 01, 2010 7:53 am

This is a strange problem. I use the rules below when routing as a standard setup for every MT router. When using bridging and use-ip-firewall=yes, I am unable to resolve DNS, but IP addresses do work. Here is my setup:

I set up a new AP using the RB750 as the router/bridge.

Port 1 = Bridge (backbone)
Port 2 = Ubiquiti Nano M5
Port 5 = Local user NAT

Ports 1 and 2 are bridged

RouterOS version 3.29

Everything was fine and the customer was working without any issues. I needed to add bandwidth shaping to limit the local user. I added the required rules and it wasn't working correctly. So I searched the forum and added in the bridge setting use-ip-firewall=yes. Since it was late I decided to work on it the following morning. I received a call that morning from the client that they could not surf the internet, so I ssh'd into the remote NanoStation M5 and I could ping using IP addresses but I could not by name. I finally backtraced all of the changes, and once I set use-ip-firewall=no in the bridge settings, the client could ping using names. DNS would resolve. Here are my standard rules which I use for every MT router. Is there something I am missing?

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment=\
    "Allow access to router from internal network only" disabled=no src-address=\
    xxx.xxx.0.0/18
add action=drop chain=input comment="Drop anything else" disabled=no
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward comment=\
    "allow already established connections" connection-state=established \
    disabled=no
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no

Since the customer is running video I am unable to experiment unless it is late at night.

Thanks in advance for any assistance.

-Brian
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Firewall rules would not resolve DNS in bridge mode

Mon Feb 01, 2010 12:48 pm

The RB750 is not like the other RB products. Most come with only an IP assigned to ether1. The RB750 has ether1 set as a DHCP client, and ether2-5 are connected like a hub with a DHCP server. There is also a masquerade by default. Are any of those settings interfering? You weren't very specific about the rest of your setup.
 
cowrv39
newbie
Topic Author
Posts: 28
Joined: Sat Nov 14, 2009 1:13 am

Re: Firewall rules would not resolve DNS in bridge mode

Mon Feb 01, 2010 6:39 pm

I am not a novice user of these routers. I have deployed these routers before. Typically I erase the default configuration and start from scratch. I have standard firewall rules which are used on all of my configurations. This particular RB750 was an emergency installation which worked okay until I enabled the use-ip-firewall rule under the bridge interface. Also, the AP on its LAN side has an IP address of xxxx.xxxx.60.103, and the AP is acting as a router with an IP address for the WLAN side of xxx.xxx.62.98.

Thanks for the reply.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall rules would not resolve DNS in bridge mode

Mon Feb 01, 2010 6:44 pm

There isn't anything in those rules that would block DNS. However, is that the entire firewall ruleset? As posted the last two forward rules don't do anything, for example, since the firewall is default allow and you're not dropping everything in a last catch all rule in the forward chain.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Firewall rules would not resolve DNS in bridge mode

Mon Feb 01, 2010 7:50 pm

fewi wrote: As posted the last two forward rules don't do anything.
Actually, they do. I found that it is a great way to lock yourself out of your router. You can change the firewall filter rules while you are connected and logged in to a point where you will not be able to log in again. Once you log out, you are no longer "established". But it does give you that "one more chance" before you log out.

EDIT: My bad fewi. Those are forward rules, not input rules. You are correct.
 
cowrv39
newbie
Topic Author
Posts: 28
Joined: Sat Nov 14, 2009 1:13 am

Re: Firewall rules would not resolve DNS in bridge mode

Tue Feb 02, 2010 3:30 am

Yes, that is the entire rule set. I am going to work on it when the business closes tonight. Hopefully I will see which rule is causing me problems when I enable use-ip-firewall=yes. Many thanks to those who replied. Also, I will disable the rules and add them in one by one until I see which one is causing the problem.

-Brian
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Firewall rules would not resolve DNS in bridge mode

Tue Feb 02, 2010 1:38 pm

If there is one rule I would suspect as the cause, it is this one:

add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=no protocol=tcp
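Added example, not part of the thread: a small Python model of how RouterOS walks a filter chain (rules tried top to bottom within the packet's chain, the first match decides, and a packet matching nothing falls through to the chain's built-in default of accept), loaded with the rules Brian posted. It is my own illustration of fewi's point and of SurferTim's suspect rule. The redacted xxx.xxx.0.0/18 is replaced by the placeholder 10.0.0.0/18, the packets are constructed, and only the terminating actions accept/drop are modelled. Run against the posted rules, a new UDP/53 query in forward matches nothing and is accepted by default, so the two forward accept rules never change an outcome, and the only forward drop rule is restricted to TCP. Appending the catch-all drop fewi notes is missing is what would make the established/related accepts matter, and it would then drop new DNS queries unless an explicit accept precedes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder for the redacted xxx.xxx.0.0/18 in the posted ruleset (assumption).
INTERNAL_NET = "10.0.0.0/18"


@dataclass(frozen=True)
class Packet:
    chain: str        # "input" (to the router) or "forward" (through it)
    protocol: str     # "tcp", "udp" or "icmp"
    src: str          # source IPv4 address
    dst_port: int     # destination port (informational in this model)
    conn_state: str   # "new", "established", "related" or "invalid"


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str       # only terminating actions are modelled: "accept" / "drop"
    comment: str
    protocol: Optional[str] = None
    conn_state: Optional[str] = None
    src_address: Optional[str] = None   # CIDR prefix, e.g. "10.0.0.0/18"

    def matches(self, pkt: Packet) -> bool:
        """Every selector that is set must match; unset selectors match anything."""
        if self.chain != pkt.chain:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.conn_state is not None and self.conn_state != pkt.conn_state:
            return False
        if self.src_address is not None:
            net = ipaddress.ip_network(self.src_address, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        return True


# The filter rules from the original post, in the order they were exported.
POSTED_RULES: List[Rule] = [
    Rule("input", "drop", "Drop Invalid connections", conn_state="invalid"),
    Rule("input", "accept", "Allow Established connections", conn_state="established"),
    Rule("input", "accept", "Allow UDP", protocol="udp"),
    Rule("input", "accept", "Allow ICMP", protocol="icmp"),
    Rule("input", "accept", "Allow access to router from internal network only",
         src_address=INTERNAL_NET),
    Rule("input", "drop", "Drop anything else"),
    Rule("forward", "drop", "drop invalid connections", protocol="tcp", conn_state="invalid"),
    Rule("forward", "accept", "allow already established connections", conn_state="established"),
    Rule("forward", "accept", "allow related connections", conn_state="related"),
]

# The same ruleset with the catch-all drop that the forward chain lacks (added here).
WITH_FORWARD_CATCHALL: List[Rule] = POSTED_RULES + [
    Rule("forward", "drop", "drop anything else (added)"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule in the packet's chain.
    A packet that matches no rule falls through to the chain default: accept."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "(chain default: accept)"


def drop_rules_reachable_by(rules: List[Rule], chain: str, protocol: str) -> List[str]:
    """Comments of drop rules in `chain` whose protocol selector could match `protocol`."""
    return [r.comment for r in rules
            if r.chain == chain and r.action == "drop"
            and (r.protocol is None or r.protocol == protocol)]


if __name__ == "__main__":
    # Constructed packets: a client's DNS query crossing the bridge, and a TCP
    # segment that connection tracking has classified as invalid.
    dns_query = Packet("forward", "udp", "10.0.60.103", 53, "new")
    bad_tcp = Packet("forward", "tcp", "10.0.60.103", 80, "invalid")
    for name, rules in (("posted", POSTED_RULES), ("with catch-all", WITH_FORWARD_CATCHALL)):
        print(name, "DNS query ->", evaluate(rules, dns_query))
        print(name, "invalid TCP ->", evaluate(rules, bad_tcp))
    print("forward drop rules that can match UDP:",
          drop_rules_reachable_by(POSTED_RULES, "forward", "udp"))
```

The model deliberately leaves out what conntrack does to bridged traffic when use-ip-firewall is switched on; it only answers the narrower question the thread raises, which posted rule could ever drop a UDP/53 packet in forward, and the answer with these rules is none.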
