BTH and Cloud backup [Solved]

I've been trying to get cloud backup to connect. It just never connects. I can ping cloud2.mikrotik.com all day long but the cloud never connects. BTH never connects, either. This RB5009 has a public IP address by my cable provider. DNS is provided inside my network by a pihole.

/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m

A forced update does reveal a mynetnetname.net.

My firewall rules are rather basic, mostly defconf:

/ip firewall filter
add action=accept chain=input comment="Accept wireguard" dst-port=51280 protocol=udp
add action=accept chain=input comment="Accept wireguard traffic" connection-limit=100,32 src-address=10.9.9.0/24 src-address-list=""
add action=add-src-to-address-list address-list=bruteforce_blacklist address-list-timeout=1d chain=input comment=Blacklist connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection3
add action=add-src-to-address-list address-list=connection3 address-list-timeout=1h chain=input comment="Third attempt" connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection2
add action=add-src-to-address-list address-list=connection2 address-list-timeout=15m chain=input comment="Second attempt" connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection1
add action=add-src-to-address-list address-list=connection1 address-list-timeout=5m chain=input comment="First attempt" connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="Input for SSH" connection-state=established,related,new dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop Blacklisted" connection-state="" in-interface-list=WAN protocol=tcp src-address-list=bruteforce_blacklist
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming connections to OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="Allow OpenVPN client to access router" src-address-list=192.168.99.0/24
add action=accept chain=input comment="Accept ssh not on Blacklist" dst-port=22 protocol=tcp src-address-list=!bruteforce_blacklist
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="SSH from inside (snat)" dst-address=192.168.44.253 dst-port=22 protocol=tcp src-address=192.168.11.0/24

And when I try to configure BTH from my phone within the LAN, I see my phone connect and start a winbox process in the logs, but nothing happens after the initial connection. The BTH app just spins and no configuration is added or edited.

With BTH I created a second user and pass with all privs, I see BTH connect but nothing more. I don't think a special rule for permitting BTH or cloud to call home is necessary.

I feel these are related, newbie issues. However all services seem to be working well inside my network. What should I check?

I'm trying BTH just out of curiosity, mostly. The cloud backup should work, yes?

I also have an AX3 in my LAN subnet which exhibits the same issues: no connection to cloud or BTH.

It appears this rule is the issue, where it's dropping outgoing traffic originating from the router to the outside world.

So I need to either suspend it or improve on it. BTH and cloud backup work. More learning to do.

Yes, agreed. There is something fundamentally wrong and I've opened the docs on the basic defconf rules. I've numbered them. Something happened with my router rules early on where they were duplicated.

Should I have a chain=output action=accept rule for the router to permit cloud backups?

You've butchered the default "accept established, related" rule on the input chain by turning it into this:

By adding all those restrictions to the rule, and having the

rule, you've blocked most return traffic to your router (with a few exceptions). When the router sends something to cloud2.mikrotik.com, tell me which of your rules will allow the response packets to arrive at the router? There is none.

Please restore this rule at the top of your input chain:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

Unrelated, but check the two rules that have src-address-list="" and connection-state="". Having the empty string ("") as value is a mistake and will void your rules, making them ineffective. Please clear the fields properly.
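
To make the "which rule lets the reply back in?" question concrete, here is an added example, written for this thread and not MikroTik code nor the poster's script: a small Python model of RouterOS first-match evaluation over a subset of the input chain as posted (in the posted order), then over the same chain with the defconf established/related rule restored at the top. The packets, the 203.0.113.10 / 198.51.100.7 addresses (documentation ranges standing in for cloud2.mikrotik.com and the router's public IP), and the ephemeral port are constructed; the modelled semantics (top-to-bottom first match, accept/drop terminate, chain default accept, "!" negation, only the matchers that appear in the export) are my simplification, and an empty-string matcher is modelled as never matching, following the reply's observation that it voids the rule.

```python
"""Model of RouterOS first-match filtering for the poster's input chain.

Added example for this thread; not MikroTik code and not the poster's script.
Only the matchers present in the posted export are implemented. Assumptions:
rules are walked top to bottom, accept/drop/reject terminate, the chain's
default is accept, '!' negates a matcher, and an empty-string matcher never
matches (as the reply says it voids the rule).
"""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int
    connection_state: str                         # new / established / related / untracked
    in_interface_list: str                        # interface list of the ingress port
    src_address_lists: frozenset = frozenset()    # address lists that contain src


# Constructed subset of the poster's input chain, kept in the posted order.
BROKEN_CHAIN = [
    'add action=accept chain=input comment="Accept wireguard" dst-port=51280 protocol=udp',
    'add action=accept chain=input comment="Accept wireguard traffic" src-address=10.9.9.0/24 src-address-list=""',
    'add action=accept chain=input comment="Input for SSH" connection-state=established,related,new dst-port=22 in-interface-list=WAN protocol=tcp',
    'add action=drop chain=input comment="Drop Blacklisted" connection-state="" in-interface-list=WAN protocol=tcp src-address-list=bruteforce_blacklist',
    'add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp',
    'add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1',
    'add action=accept chain=input comment="Allow incoming connections to OpenVPN" dst-port=1194 protocol=tcp',
    'add action=accept chain=input comment="Accept ssh not on Blacklist" dst-port=22 protocol=tcp src-address-list=!bruteforce_blacklist',
    'add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN',
]
# The defconf rule the reply asks to restore at the top of the chain.
DEFCONF_ESTABLISHED = ('add action=accept chain=input comment="defconf: accept established,related,untracked" '
                       'connection-state=established,related,untracked')
FIXED_CHAIN = [DEFCONF_ESTABLISHED] + BROKEN_CHAIN

# Constructed packets: 203.0.113.10 stands in for cloud2.mikrotik.com and
# 198.51.100.7 for the router's public address (both documentation ranges).
CLOUD_REPLY = Packet("203.0.113.10", "198.51.100.7", "tcp", 51937, "established", "WAN")
WAN_PROBE = Packet("203.0.113.99", "198.51.100.7", "tcp", 443, "new", "WAN")

NON_MATCHERS = {"action", "chain", "comment", "address-list", "address-list-timeout"}


def parse_chain(lines):
    """Turn 'add key=value ...' export lines into dicts; shlex keeps quoted values whole."""
    rules = []
    for line in lines:
        rule = {}
        for tok in shlex.split(line)[1:]:          # drop the leading 'add'
            key, _, value = tok.partition("=")
            rule[key] = value                      # '""' in the export arrives here as ''
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """All matchers of a rule must hold; '!' inverts a single matcher."""
    for key, value in rule.items():
        if key in NON_MATCHERS:
            continue
        if value == "":
            return False                           # empty matcher: rule can never match
        negate = value.startswith("!")
        want = value.lstrip("!")
        if key == "protocol":
            hit = pkt.protocol == want
        elif key == "dst-port":
            hit = str(pkt.dst_port) in want.split(",")
        elif key == "connection-state":
            hit = pkt.connection_state in want.split(",")
        elif key == "in-interface-list":
            hit = pkt.in_interface_list == want
        elif key == "src-address-list":
            hit = want in pkt.src_address_lists
        elif key in ("src-address", "dst-address"):
            addr = pkt.src if key == "src-address" else pkt.dst
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(want, strict=False)
        else:
            raise ValueError(f"matcher {key!r} is not modelled")
        if hit == negate:                          # plain matcher failed, or negated one succeeded
            return False
    return True


def first_verdict(rules, pkt):
    """Walk the chain in order and return (action, comment) of the first terminating match.
    Non-terminating actions such as add-src-to-address-list fall through to the next rule."""
    for rule in rules:
        if rule["action"] in ("accept", "drop", "reject") and rule_matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "chain default"


def empty_matchers(rules):
    """(rule index, matcher) pairs exported as "" -- the reply's second finding."""
    return [(i, k) for i, r in enumerate(rules) for k, v in r.items() if v == ""]


if __name__ == "__main__":
    for name, chain in (("posted chain", BROKEN_CHAIN), ("defconf rule restored", FIXED_CHAIN)):
        rules = parse_chain(chain)
        print(f"{name}: reply from cloud -> {first_verdict(rules, CLOUD_REPLY)}")
        print(f"{name}: unsolicited SYN from WAN -> {first_verdict(rules, WAN_PROBE)}")
    print("empty-string matchers:", empty_matchers(parse_chain(BROKEN_CHAIN)))
```

Run as-is: with the posted chain the established reply from the cloud address matches nothing until "drop all not coming from LAN" and is dropped, which is exactly why the router's own sessions never complete; with the defconf rule at the top it is accepted by that rule, while an unsolicited SYN from WAN still falls through to the same drop, so restoring the rule does not widen the router's exposure. `empty_matchers` flags the two `""` values the reply mentions, which this model treats as rules that can never fire.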

Super many thanks! Restoring the early rule as you stated made everything better. And the other requests are fulfilled.

The root cause is from early configuration hours of this router where it somehow got two sets of default rules.

The BTH and backup work flawlessly now.