Cannot access Mikrotik DNS from PPPoE clients over VLAN

Using a hEX v6.46 (factory reset and configured as a router getting its address via DHCP) I created a PPPoE server which provides its services over VLAN7.

The purpose is to be able to use any port (ether2-5) to access the hEX and also to be able to use the same ports for PPPoE if required.
I might have done the pppoe_bridge wrong because of lack of knowledge.

Here is the setup:

/interface bridge
add arp=proxy-arp name=bridge_pppoe protocol-mode=none

/interface vlan
add interface=ether2 name=vlan7_ether2 vlan-id=7
add interface=ether3 name=vlan7_ether3 vlan-id=7
add interface=ether4 name=vlan7_ether4 vlan-id=7
add interface=ether5 name=vlan7_ether5 vlan-id=7

/ip pool
add name=pppoe-pool ranges=192.168.200.2-192.168.200.254

/ppp profile
add local-address=192.168.200.1 name=pppoe-profile remote-address=pppoe-pool

/interface bridge port
add bridge=bridge_pppoe interface=vlan7_ether2
add bridge=bridge_pppoe interface=vlan7_ether3
add bridge=bridge_pppoe interface=vlan7_ether4
add bridge=bridge_pppoe interface=vlan7_ether5

/interface pppoe-server server
add authentication=pap default-profile=pppoe-profile disabled=no interface=\
    bridge_pppoe one-session-per-host=yes service-name=TestPPPoE

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.200.0/24

/ppp secret
add name=testuser password=test profile=pppoe-profile service=pppoe

PPPoE over VLAN7 and accessing the hEX without VLAN7 work quite well. However, when on any of the PPPoE clients, DNS lookup doesn't work.

dig @192.168.200.1 google.com
or
dig @192.168.88.1 google.com

fails due to connection timeout.

Using an external DNS server is not a problem and works instantly. However I would prefer not to have to specify an external server (the hEX already does know how to do DNS lookups).

How can I fix this?

What about your firewall filters in chain=input, isn’t it blocked there?

Haven't changed anything on the firewall since I really don't know much about firewalls :unamused:

Here is the (still untouched) firewall filter configuration:

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

It's probably rule #5 which blocks all access via PPPoE connections to the router itself.

My suggestion: add exceptions such as

add chain=input action=accept src-address=192.168.200.0/24 protocol=tcp dst-port=53 place-before=5
add chain=input action=accept src-address=192.168.200.0/24 protocol=udp dst-port=53 place-before=5

… just be sure you run print before entering the rules above and make sure the #5 rule is still #5.
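To show why defconf rule #5 catches the query and how the two place-before exceptions change the verdict, here is a small model of the printed input chain in Python. It is an added illustration, not RouterOS code or anything posted in this thread; the interface-list membership, the packet dictionaries and the omission of rule #4 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed: defconf puts only the LAN bridge in the "LAN" interface list;
# dynamic <pppoe-...> session interfaces are not members.
INTERFACE_LISTS = {"LAN": {"bridge"}}

@dataclass
class Rule:
    action: str
    comment: str
    conn_states: frozenset = frozenset()   # empty = match any state
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_list: Optional[str] = None          # "LAN" or "!LAN"
    src_net: Optional[str] = None
    def matches(self, pkt: dict) -> bool:
        # pkt keys: in_iface, src, proto, dst_port, conn_state (constructed)
        if self.in_list:   # "!LAN" matches only interfaces outside the list
            member = pkt["in_iface"] in INTERFACE_LISTS[self.in_list.lstrip("!")]
            if member == self.in_list.startswith("!"):
                return False
        return ((not self.conn_states or pkt["conn_state"] in self.conn_states)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port)
                and (self.src_net is None or ipaddress.ip_address(pkt["src"])
                     in ipaddress.ip_network(self.src_net)))

# Input chain as printed above; #4 (dst-address=127.0.0.1) omitted, it cannot match PPPoE traffic
DEFCONF_INPUT = [
    Rule("accept", "defconf: accept established,related,untracked",
         conn_states=frozenset({"established", "related", "untracked"})),
    Rule("drop", "defconf: drop invalid", conn_states=frozenset({"invalid"})),
    Rule("accept", "defconf: accept ICMP", proto="icmp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_list="!LAN"),
]

def with_dns_exceptions(rules):
    # insert before the "!LAN" drop, like place-before=5 in the suggested rules
    i = next(k for k, r in enumerate(rules) if r.in_list == "!LAN")
    extra = [Rule("accept", f"pppoe DNS {p}", proto=p, dst_port=53,
                  src_net="192.168.200.0/24") for p in ("tcp", "udp")]
    return rules[:i] + extra + rules[i:]

def input_verdict(rules, pkt):
    # first matching rule wins; RouterOS accepts what no rule matches
    for r in rules:
        if r.matches(pkt):
            return r.action, r.comment
    return "accept", "no rule matched (default accept)"
```

Running a constructed UDP/53 query from a PPPoE session through both rule sets shows the drop by rule #5 before the fix and the accept by the new rule afterwards, while other ports from the PPPoE client stay dropped.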

Many kudos to you. You were absolutely right. The rules you provided solved my issue.