jan/19/2020 17:18:50 by RouterOS 6.46
software id = I40J-J4H3
model = RB750Gr3
No clients on the local network can establish FTP connections. HTTP connections work fine, but attempting FTP via a browser URL or from the command line times out.
ftp speedtest.tele2.net
ftp: connect to address 90.130.70.73: Connection timed out
Trying 2a00:800:1010::1...
ftp: connect: Network is unreachable
If I establish a VPN connection (PIA), I am able to make the FTP connection. Likewise, if I connect via a mobile hotspot on my cellphone, thus taking the MikroTik router out of the path, the FTP connections work. I assume it is firewall-related, but so far I have been unable to resolve it.
Current config (output of `/export hide-sensitive`):
# RouterOS export pasted into a forum post. `hide-sensitive` strips passwords
# and keys; a few values (dst-port=xxxx, the e-mail user) were also redacted by
# hand before posting. Firewall rules are evaluated top-down, so statement
# order is significant and nothing below is reordered; reviewer remarks are
# marked NOTE(review).
/interface bridge
add admin-mac=B8:69:F4:59:4C:D0 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/queue simple
# Whole-LAN shaping (max-limit is upload/download): 900k up, 10M down.
add max-limit=900k/10M name=sfq-default queue=sfq-default/sfq-default target=\
192.168.2.0/24
/interface bridge port
# ether2-ether5 are bridge ports; ether1 stays outside the bridge as the WAN port.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
# Strict reverse-path filtering: packets whose source is not routed back via
# the arrival interface are discarded.
# NOTE(review): with the LAN address bound to ether2 instead of the bridge
# (see /ip address), confirm strict mode is not discarding LAN replies; `loose`
# is the usual safer setting on a multi-port edge router.
set rp-filter=strict
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# NOTE(review): the LAN gateway address sits on ether2, which is itself a
# bridge port (/interface bridge port above); the default config places it on
# interface=bridge. Confirm the address is not flagged invalid and move it to
# the bridge if it is.
add address=192.168.2.1/24 comment=defconf interface=ether2 network=\
192.168.2.0
/ip arp
# Static ARP pins for the two dst-nat targets used further down (.121 and .120).
add address=192.168.2.121 interface=bridge mac-address=00:08:54:A8:77:5F
add address=192.168.2.120 interface=bridge mac-address=6C:F0:49:0D:9D:63
/ip cloud
# Router's public address is published to MikroTik's cloud DDNS.
set ddns-enabled=yes
/ip dhcp-client
# WAN address from the upstream DHCP; use-peer-dns=no ignores the ISP resolvers
# in favour of the LAN resolver at .122 configured below.
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# Static leases; client-id values are either friendly names or raw DHCP client
# identifiers.
add address=192.168.2.90 client-id=OPDeb mac-address=54:AB:3A:B2:9F:8F \
server=defconf
add address=192.168.2.140 client-id=Lexmark120N mac-address=00:04:00:ED:69:7F \
server=defconf
add address=192.168.2.109 client-id=RokuLR mac-address=C8:3A:6B:1B:20:7B \
server=defconf
add address=192.168.2.132 client-id=Squeezebox mac-address=00:04:20:17:BA:B3 \
server=defconf
add address=192.168.2.107 client-id=OPUbiquiti mac-address=80:2A:A8:D3:A4:5B \
server=defconf
add address=192.168.2.102 client-id=Roku-Bedroom mac-address=\
C8:3A:6B:2C:87:97 server=defconf
add address=192.168.2.100 client-id=Roku-CampCarr mac-address=\
D0:4D:2C:F1:86:06 server=defconf
add address=192.168.2.122 allow-dual-stack-queue=no client-id=OP-Mac \
mac-address=00:1B:63:B1:D8:3B server=defconf
add address=192.168.2.83 client-id=1:f0:18:98:91:32:9 mac-address=\
F0:18:98:91:32:09 server=defconf
add address=192.168.2.82 client-id=1:ac:5f:3e:b6:95:ee mac-address=\
AC:5F:3E:B6:95:EE server=defconf
add address=192.168.2.84 client-id=1:40:9c:28:58:47:17 mac-address=\
40:9C:28:58:47:17 server=defconf
add address=192.168.2.120 client-id=1:6c:f0:49:d:9d:63 mac-address=\
6C:F0:49:0D:9D:63 server=defconf
add address=192.168.2.121 client-id=1:0:8:54:a8:77:5f mac-address=\
00:08:54:A8:77:5F server=defconf
/ip dhcp-server network
# Clients are handed 192.168.2.122 (a LAN host) as their DNS server, not the
# router itself.
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.122 domain=\
our.place gateway=192.168.2.1 netmask=24
/ip dns
# The router's own resolver forwards to .122 and answers queries from other
# hosts (allow-remote-requests); whether it is reachable from the WAN side
# depends on the firewall input and NAT rules below.
set allow-remote-requests=yes servers=192.168.2.122
/ip dns static
add address=192.168.2.1 name=Mikrotik
/ip firewall address-list
# Every LAN host except the gateway; granted access to the router below.
add address=192.168.2.2-192.168.2.254 list=allowed_to_router
/ip firewall filter
# input chain: traffic addressed to the router itself.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): any LAN host may open new connections to every router service;
# the per-service address= limits in /ip service are the second layer.
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Final input rule: anything not arriving on a LAN-list interface is dropped.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# forward chain: traffic passing through the router.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Fasttrack is disabled, so every forwarded packet still takes the full
# filter/NAT path (fasttracked connections would bypass the FTP conntrack
# helper configured under /ip firewall service-port).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only new WAN connections that were NOT dst-nat'ed are dropped; anything
# matched by a dstnat rule below (80/443, xxxx, the DNS redirects) reaches the
# LAN host, because the built-in chains default to accept. Note that nothing in
# either chain matches port 21 explicitly, so outbound FTP is not dropped by
# the filter rules themselves.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Inbound 80/443 on the router's own (WAN) address are forwarded to .121, i.e.
# that host's web service is internet-exposed.
add action=dst-nat chain=dstnat dst-address=!192.168.2.0/24 dst-address-type=\
local dst-port=80,443 protocol=tcp to-addresses=192.168.2.121
# NOTE(review): redundant with the defconf masquerade above, since ether1 is a
# member of the WAN list.
add action=masquerade chain=srcnat out-interface=ether1
# Presumably hairpin NAT so LAN clients can reach the forwarded hosts via the
# public address; side effect: those hosts see the router's address instead of
# the real client source for hairpinned connections.
add action=masquerade chain=srcnat out-interface=bridge src-address=\
192.168.2.0/24
# dst-port was redacted by the poster before pasting.
add action=dst-nat chain=dstnat dst-address=!192.168.2.0/24 dst-address-type=\
local dst-port=xxxx protocol=tcp to-addresses=192.168.2.120
# Transparent DNS redirect: port-53 traffic (UDP and TCP) not already aimed at
# .122 is rewritten to .122.
# NOTE(review): unlike the two port-forward rules above, these have no
# dst-address-type=local or in-interface-list=LAN match, so port-53 packets
# arriving on the WAN side are redirected as well, and the forward chain admits
# dst-nat'ed WAN traffic. Unless .122 is meant to serve DNS to the internet,
# add in-interface-list=LAN to both rules.
add action=dst-nat chain=dstnat dst-address=!192.168.2.122 dst-port=53 \
protocol=udp src-address=!192.168.2.122 to-addresses=192.168.2.122
add action=dst-nat chain=dstnat dst-address=!192.168.2.122 dst-port=53 \
protocol=tcp src-address=!192.168.2.122 to-addresses=192.168.2.122
/ip firewall service-port
# FTP connection-tracking helper (ALG) bound to ports 21 and 22.
# NOTE(review): port 22 is not FTP (SSH here listens on 2200 anyway), so the
# helper would try to parse whatever runs on 22 as FTP control traffic. The
# default is ports=21; confirm 22 was added deliberately.
set ftp ports=21,22
/ip route
# Disabled static route with no dst-address, i.e. a dormant default route via
# 35.24.212.114.
add disabled=yes distance=1 gateway=35.24.212.114
/ip service
# Management plane: telnet/ftp/www/api/api-ssl off; ssh (port 2200) and winbox
# limited to the LAN subnet; www-ssl has no address= limit and relies on the
# input-chain drop rule to keep it off the WAN.
set telnet disabled=yes
set ftp address=192.168.2.0/24 disabled=yes
set www disabled=yes
set ssh address=192.168.2.0/24 port=2200
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set winbox address=192.168.2.0/24
set api-ssl disabled=yes
/ip ssh
# NOTE(review): forwarding-enabled=remote permits remote (ssh -R style) port
# forwarding through the router's SSH daemon; set it to no unless it is used.
set forwarding-enabled=remote strong-crypto=yes
/system clock
set time-zone-name=America/Detroit
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system scheduler
# Both entries are disabled. NOTE(review): when re-enabled, trim the policy
# list to what each job needs (read,write,test for a DDNS updater; reboot for
# the reboot job) instead of the full set including password and sensitive.
add disabled=yes interval=3m name=dyndns_updater on-event=\
"/system script run dyndns_updater\
\n" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/09/2018 start-time=11:28:56
add disabled=yes interval=1d name="Reboot Router Daily" on-event=\
"/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=03:00:00
/tool bandwidth-server
set enabled=no
/tool e-mail
# SMTP relay addressed by IP with STARTTLS; user/password redacted.
set address=108.177.111.109 from="xxx(Mikrotik)" port=587 start-tls=yes \
user=xxx@xxx
/tool mac-server
# MAC-telnet and MAC-winbox only on LAN-list interfaces; MAC ping disabled.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no