Port Forwarding RB2011UiAS

Hello, again.

Sorry for creating new topic, but still having trouble with port forwarding. The ISP opened required ports on the modem, but I still cannot open the ports to the internal IP. To run a server I need to open couple of ports, but what ever I do by all the guides, it still is shown as closed when pinging with nmap or trying to launch the server. When I ping the externel IP (WAN) with nmap, it is shown as “filtered”, when pinging the router 192.168.2.209 it is shown as “filtered”, but when I try to ping the server pc at 192.168.7.30 it is shown as “closed”.

# jan/05/1970 17:04:47 by RouterOS 6.26
# software id = IX46-RCDF
#
/interface bridge
add admin-mac=4C:5E:0C:C7:E7:AE auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=lithuania disabled=no distance=indoors frequency=auto l2mtu=1600 \
    mode=ap-bridge ssid=SKPB wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa-pre-shared-key=zalgiris wpa2-pre-shared-key=zalgiris
/ip pool
add name=dhcp ranges=192.168.7.10-192.168.7.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.7.1/24 comment="default configuration" interface=ether2 network=192.168.7.0
add address=192.168.2.209/24 interface=ether1-gateway network=192.168.2.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=192.168.7.0/24 comment="default configuration" gateway=192.168.7.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=xxx.xx.xxx.xx,xxx.xx.xxx.xx
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input in-interface=bridge-local
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" out-interface=bridge-local src-address=192.168.2.209
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=!192.168.2.209 dst-port=8766 protocol=tcp to-addresses=192.168.7.30 to-ports=8766
add action=dst-nat chain=dstnat dst-address=192.168.2.209 dst-port=8766 protocol=tcp to-addresses=192.168.7.30 to-ports=8766
/ip route
add distance=1 gateway=192.168.2.254
/lcd
set time-interval=weekly
/lcd interface pages
set 0 interfaces=\
    sfp1,ether1-gateway,ether2,ether3,ether4,ether5,ether6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local

First of all, upgrade ROS version to some recent, e.g. long-term (6.43.16 as of now). IIRC I’ve given you this advice already.

I don’t think you need these set to yes, firewall between L3 interfaces works regardless:

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

Any good reason for having both DHCP client enabled and static IP address set in ether1-gateway? This could mess your setup. Is your ISP really NAT-ing to 192.168.2.209 whichever ports you want to use?

What do commands /ip address print and /ip route print show? I hope you’re aware that 192.168.209 is not publicly routed address meaning that if that’s indeed your “WAN” address, ISP is doing some NAT elsewhere (hopefully right).

The DST-NAT rule

add action=dst-nat chain=dstnat dst-address=!192.168.2.209 dst-port=8766 protocol=tcp to-addresses=192.168.7.30 to-ports=8766

will steal any connection flowing through the router and targeting port 8766 … even outgoing ones. Any particular reason to have it defined?

Hi,
Yes, I do understand that 192.168.###.### is internal IP, and I already asked them to open ports (forward to 192.168.2.209). I hope they did everything right.

using /ip address and /ip route gives me this:

[admin@MikroTik] >> /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                        
 0   ;;; default configuration
     192.168.7.1/24     192.168.7.0     ether2                                                                                                           
 1   192.168.2.209/24   192.168.2.0     ether1-gateway     
 
 [admin@MikroTik] >> /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                        
 0   ;;; default configuration
     192.168.7.1/24     192.168.7.0     ether2                                                                                                           
 1   192.168.2.209/24   192.168.2.0     ether1-gateway

The router is kinda out of the box setup, so I’m not entirely sure for why the DHCP client enabled and static IP address set in ether1-gateway. Maybe printers/scanners that are set over the same network need them?

add action=dst-nat chain=dstnat dst-address=!192.168.2.209 dst-port=8766 protocol=tcp to-addresses=192.168.7.30 to-ports=8766

will steal any connection flowing through the router and targeting port 8766 … even outgoing ones. Any particular reason to have it defined?

funny part about this rule. I was using simple rule without (!) but nmap was giving me 2.209:8766 as closed. Then read up about the bridged port forwarding on this forum (older topic) and it had this rule (with !) and looked like it helped to get the 2.209:8766 opened.

I’m pretty green to the extents of all this networking, usually good enough to understand simpler routers and port forwarding, this feels like rocket science

p.s. my first and only other topic has 0 answers. For now I would like to try and open the port and understand how it works. After that, I will look into upgrading the router OS if I don’t need to do it for port forwarding

I am not interested in providing any assistance if OS is not updated.

First of all I will suggest to reset router without default configuration!
Then configure it step-by-step with your requirements!

Hi again,

Well, I guess I had to upgrade, so, I did it:

# jul/09/2019 14:57:55 by RouterOS 6.45.1
# software id = IX46-RCDF
#
# model = 2011UiAS-2HnD
# serial number = 569504681A08
/interface bridge
add admin-mac=4C:5E:0C:C7:E7:AE auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master-local
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether7-slave-local
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether8-slave-local
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether9-slave-local
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=4 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=lithuania disabled=no distance=indoors frequency=\
    auto frequency-mode=regulatory-domain mode=ap-bridge ssid=SKPB wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=zalgiris \
    wpa2-pre-shared-key=zalgiris
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.7.10-192.168.7.240
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local hw=no interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
/interface bridge settings
set use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=sfp1 list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/ip address
add address=192.168.7.1/24 comment="default configuration" interface=ether2 network=192.168.7.0
add address=192.168.2.209/24 interface=ether1-gateway network=192.168.2.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server network
add address=192.168.7.0/24 comment="default configuration" gateway=192.168.7.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=xxx.xx.xxx.xx,xxx.xx.xxx.xx
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input in-interface=bridge-local
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" out-interface=bridge-local src-address=192.168.2.209
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=192.168.2.209 dst-port=8766 protocol=tcp to-addresses=192.168.7.30 to-ports=8766
/ip route
add distance=1 gateway=192.168.2.254
/lcd
set time-interval=weekly
/lcd interface pages
set 0 interfaces=\
    sfp1,ether1-gateway,ether2,ether3,ether4,ether5,ether6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-local
/system clock
set time-zone-autodetect=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

*********************************************************************************************************
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                      
 0   ;;; default configuration
     192.168.7.1/24     192.168.7.0     ether2                                                                                                         
 1   192.168.2.209/24   192.168.2.0     ether1-gateway
 
 *********************************************************************************************************
 [admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.2.254             1
 1 ADC  192.168.2.0/24     192.168.2.209   ether1-gateway            0
 2 ADC  192.168.7.0/24     192.168.7.1     bridge-local              0

That is bad advise, because then you are responsible for all the firewalling.
Best thing to do:

• update RouterOS
• reset to default config
• add dstnat rule(s).
  The default firewall in recent versions is already prepared for port forwarding.

Hi again to everyone,

I’m still stuck at trying to port forward..

Running trace route nmap external IP (WAN) using 8766 port it says it’s “filtered”:

PORT STATE SERVICE
8766/tcp filtered amcs
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 0.00 ms 192.168.7.1
2 2.00 ms ip-XXX-XX-XXX-XX (XXX.XX.XXX.XX)
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds

Running trace route of 8766 port to internal, it shows as closed.

PORT STATE SERVICE
8766/tcp closed amcs
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                      
 0   ;;; default configuration
     192.168.7.1/24     192.168.7.0     ether2                                                                                                         
 1   192.168.2.209/24   192.168.2.0     ether1-gateway  
                                                                                                
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.2.254             1
 1 ADC  192.168.2.0/24     192.168.2.209   ether1-gateway            0
 2 ADC  192.168.7.0/24     192.168.7.1     bridge-local              0

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 1    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

 3    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 4    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 5    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix="" 
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 1    chain=dstnat action=dst-nat to-addresses=192.168.7.30 to-ports=8766 protocol=tcp dst-port=8766 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.7.30 to-ports=8766 protocol=udp dst-port=8766 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=192.168.7.30 to-ports=27015-27030 protocol=tcp dst-port=27015-27030 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=192.168.7.30 to-ports=27015-27030 protocol=udp dst-port=27015-27030 log=no log-prefix="" 
[admin@MikroTik] >

when pinging ports to 192.168.2.209 or external (WAN) ip’s i can see packets going through at interface in WinBox, but when i try to ping 192.168.7.30 - nothing

Yes, but you have not followed the advise to reset the configuration after you did the upgrade.
When you do so, the firewall filters will be reconfigured in a new style which means the port forwards (that you enter in the NAT tab) just work.

Hello,

I have finally found some time to reset to default config, but still no dice. Maybe it’s because I try to launch a game server, not ftp or another type of server (kinda forgot to mention at first)? When I use NMAP i can ping all the required ports on external IP (195.17.###.###), on router’s “external” IP (192.168.2.209) and it gives me as filtered (TCP) or open|filtered (UDP). But, when I ping my PC internal IP (192.168.7.13) it gives as closed TCP/UDP.

When I’m pinging I can see packet count going up in the rOS Firewall NAT and Filter sections for pinging external IP (195.17.###.###) and routers external IP (192.168.2.209), but when I start the server app, the packet count doesn’t change. I have tried turning Windows Firewall Defender, adding rules by hand. Or could this be because of the “bridge” setup over the ether2-ether8 router port?

# jul/16/2019 14:03:44 by RouterOS 6.45.1
# software id = IX46-RCDF
#
# model = 2011UiAS-2HnD
# serial number = 569504681A08
/interface bridge
add admin-mac=4C:5E:0C:C7:E7:AE auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=4 band=2ghz-b/g/n channel-width=20/40mhz-XX country=lithuania disabled=no distance=indoors \
    frequency=auto frequency-mode=regulatory-domain installation=indoor mode=ap-bridge ssid=SKPB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=zalgiris \
    wpa2-pre-shared-key=zalgiris
/ip pool
add name=dhcp ranges=192.168.7.10-192.168.7.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.7.1/24 comment=defconf interface=ether2 network=192.168.7.0
add address=192.168.2.209/24 interface=ether1 network=192.168.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.7.0/24 comment=defconf gateway=192.168.7.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=##########,##########
/ip dns static
add address=192.168.7.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward port=8766,27015-27030 protocol=tcp
add action=accept chain=forward port=8766,27015-27030 protocol=udp

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

add action=dst-nat chain=dstnat dst-address=192.168.2.209 port=8766 protocol=tcp to-addresses=192.168.7.13 to-ports=8766
add action=dst-nat chain=dstnat dst-address=192.168.2.209 port=8766 protocol=udp to-addresses=192.168.7.13 to-ports=8766
add action=dst-nat chain=dstnat dst-address=192.168.2.209 port=27015-27030 protocol=tcp to-addresses=192.168.7.13 to-ports=27015-27030
add action=dst-nat chain=dstnat dst-address=192.168.2.209 port=27015-27030 protocol=udp to-addresses=192.168.7.13 to-ports=27015-27030
/ip route
add distance=1 gateway=192.168.2.254
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                              
 0   ;;; defconf
     192.168.7.1/24     192.168.7.0     ether2                                                                                                 
 1   192.168.2.209/24   192.168.2.0     ether1                                                                                                 
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.2.254             1
 1 ADC  192.168.2.0/24     192.168.2.209   ether1                    0
 2 ADC  192.168.7.0/24     192.168.7.1     bridge                    0

p.s. I tried to “draw” our network setup:

network.PNG1031×542 23.4 KB

Your configuration looks OK to me, but of course for this to work you also need to have similar configuration in the other router and correct configuration of the firewall in the PC.
It is impossible to debug this via a forum, you need to debug it hands-on using the tools you have in the router (torch, sniffer) and the PC (firewall counters, wireshark).