RB5009 in the hands of a newbie, Gateway problem

Hi to all in the community!

I recently bought an RB5009UG+S+IN for my office network. There’s nothing very special to manage—8 PCs, 1 virtualization server, some IP phones, and a bunch of IoT devices.

Actually, I’ve never configured a RouterOS device before, but after reading some documentation and watching a few tutorials, I think I can handle the basics (or maybe not!).

After configuring a LAN bridge for all the ports (except eth1 for WAN), I created a DHCP server using the wizard (with a pool, and so on…), set up a DHCP client for my eth1 (WAN), and set up NAT masquerading for it. I assumed this would allow internet access.

Right now, I’m in a test setup where I have my ISP router connected to the WAN and one PC connected to eth2.

The PC correctly receives an IP from the DHCP server.
The WAN receives an IP from the ISP router.
The RB5009 can reach the internet (I tested with a ping and a system upgrade, both worked fine).
However, there is no internet connection on the PC.

Looking at the Ethernet card status on the PC, I think something is wrong with the DNS or gateway settings.

Can someone help me figure out the issue?
How can I show you the full configuration of my RB5009?

Thanks a lot for the newbie help request!

Regards,
Joe

Follow this:
http://forum.mikrotik.com/t/forum-rules/173010/1

Can you ping 8.8.8.8 ? If yes, can you ping google.com or anything else from the PC, if not then it’s probably DNS.

But RB5009 should work out of the box. Or do you want to use it as a learning device ?

This is my curret configuration, very basics.

additional info:

My PC on eth2
my isp modem gateway 192.168.1.1 with dhcp enabled on eth1 WAN
WAN dhcp client obtain address 192.168.1.6

My pc recieve dhcp address 192.168.1.99, dns 1.1.1.1, but i see no gateway!

If i ping 1.1.1.1 fro router terminal it’s work fine, but no ping and connectivity on the PC
No ping from My PC to 192.18.1.254 and 1.1.1.1

The router is just erased and with no standard configuration.
i think it’s updated to last verison of RouterOS

# 2024-12-19 16:15:42 by RouterOS 7.16.2
# software id = 
#
# model = RB5009UG+S+
# serial number = HFE0********
/interface bridge
add comment="LAN Bridge" name="bridge- LAN" port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="ether1 -WAN"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.60-192.168.1.99
add name=dhcp_pool1 ranges=192.168.1.60-192.168.1.99
add name=dhcp_pool2 ranges=192.168.1.60-192.168.1.99
/ip dhcp-server
add address-pool=dhcp_pool2 interface="bridge- LAN" name=dhcp1
/interface bridge port
add bridge="bridge- LAN" interface=ether2 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether3 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether4 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether5 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether6 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether7 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=ether8 internal-path-cost=10 path-cost=10
add bridge="bridge- LAN" interface=sfp-sfpplus1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip address
add address=192.168.1.254/24 interface="bridge- LAN" network=192.168.1.0
/ip dhcp-client
add comment="WAN Clinet " interface="ether1 -WAN"
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.254
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 -WAN"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system note
set show-at-login=no

There is your problem, same subnet on WAN and LAN side. Change your subnet on either WAN or LAN side.

RB5009 is your gateway and in your PC you probably get 192.168.1.254 as gateway. What are you trying to achieve ? There is no a single firewall rules.

Yes! This is my issue!

While waiting for replies, I tried resetting all the configurations and using the default one. It works like a charm.

It’s similar to my bare minimum configuration, with some differences, of course!

In the configuration I posted earlier, I deleted all the firewall rules just for testing purposes—you know, to check if the lack of connectivity was related to incorrect rules, but obviously, it wasn’t.

Now, thanks for your help! I’ll continue configuring by adding my PPPoE connection to my ONT and hope it works fine. Of course, I now have all the default firewall rules active!

Next, I’ll need to add some port forwarding and hope I can manage it!

Again, sorry for the newbie questions, but this is my first attempt at exploring this new world!

Joe

Never say you are sorry for newbie question. You can’t learn anything if you don’t ask

You can watch videos from TheNetworkBerg for eg. Great videos and everything is explained in detail. You also have a video about PPPoE.

If I may, it is not a good idea to connect a router to internet without a proper set of firewall rules.
You should first thing add these (they are the default ones from Mikrotik for other devices, adapted for your case):
When fiddling with a Mikrotik with only an interface as WAN all the rest in a LAN bridge it is extremely easy to get locked out by the firewall filter rules or from some other limitations, so the usual advice is to take a port (let’s say ether8 in your case out of the bridge and categorize it as MGMT, besides LAN.
This snippet “categorizes” interfaces and explicitly allows Winbox on the LAN bridge and ether8 ( later ether8 will become only MGMT interface).

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MGMT

/interface list member
add interface="ether1 -WAN" list=WAN
add interface="bridge- LAN"  list=LAN
add interface=ether8 list=LAN
add interface=ether8 list=MGMT

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

though personally I would get rid of the space (and of the double quotes) in the names of interfaces, ether1_WAN and bridge_LAN remain perfectly readable.

Then the basic default firewall filter rules:

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

Then I would add an address like 192.168.88.1/24 to ether8, so that you can manually connect to it sertting your PC to 192.168.88.2, Winbox should be able to connect to it via MAC no matter the IP address.


Be careful when doing these changes, try first them in Safe mode and check that you still have connection to the RB5009.
If you have doubts, ask before making them.

THis is the bible on vlans - http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Two things, always use safemode when configuring the router. Basically invoke it, make changes, wait 5 seconds and if the router doesnt blow up, unselect safe mode, which captures the config (saves it) and then continue. If you do something while in safe mode it will go back to the last step before selecting safe mode!!

Second thing, to do vlans its safest to do so from a port OFF the bridge.
So take like port 9 off the bridge, give it its own IP address and access the router from there for all configuring.

/interface ethernet
set [ find default-name=ether9] name=OffBridge9

/ip address
add address=192.168.65.1/30 interface=OffBridge9 network=192.168.65.0

/interface list member
add interface=Offbridge9 list=LAN { or trusted or base/management whatever is the interface list that is trusted )

Now plug in your laptop into ether9, change ipv4 settings to 192.168.65.2 and you should be in!!!

Don’t think so.
Not on RB5009 with 8 ether ports

Then they should have called it the RB5008 LOL
Then use port 8, use your imagination, drink some moose milk!!!

Well… There is SFP+ which is 9th network interface So 5009 is a valid name

5009 is indeed an odd number for a router … specially because it’s even

well, thanks for all suggestions!
now it’s all set, also eth8 as “Free entrace tiket”!

Next step for me is hook up my ONT and configure PPPoE connection.

My isp provider say:

PPPoE Client
VLAN 1036
User: vodafoneadsl
PSW: vodafoneadsl
NAT: YES

Very standard and basic.

i think i make all the steps right, and after that router terminal can ping 1.1.1.1 whitout problem, but…no connectivity in my PC on eth2, and i noticed the status “Sercing…” in the DHCP Client on eth1WAN

This my configuration now:

# 2024-12-19 18:33:04 by RouterOS 7.16.2
# software id = KW13-RUIJ
#
# model = RB5009UG+S+
# serial number = HFE0*******
/interface bridge
add admin-mac=78:9A:18:********** auto-mac=no name=bridge
/interface vlan
add interface=ether1 name=vlan1_Vodafone vlan-id=1036
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1_Vodafone name=\
    pppoe-out1 user=vodafoneadsl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.60-192.168.88.99
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether8 list=LAN
add interface=ether8 list=MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.88.1 interface=ether8 network=192.168.88.1
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You need to add the pppoe-out1 into the WAN interface list so that NAT works.

The DHCP client on ether1 is no longer needed.

This does not look good at all.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.88.1 interface=ether8 network=192.168.88.1

If your plan was to use ether8 as a safe place to config,
a. it needs to be removed from the bridge ( which you have done, super!_
b. get a different non-overlapping ip address from the bridge. use something like 192.168.65.1/30
Did you not read the post I made on this subject???

Yes, yes, yes, I’m sorry!

Actually, my plan was to use it, after completing all the configuration, in my office network (192.168.1.0). So my brain automatically said, “It’s fine to use 192.168.88.0 for the safe eth8 interface.” However, to avoid any doubts, I’ve now changed it to your suggested 192.168.65.0.

This morning, I switched my ISP modem to the RB5009, connecting it directly to the ONT. It works like a charm—everything is running smoothly for all the PCs and other devices. Thank you so much for your help!

Now it’s time to set up some port forwarding for my server services.

Only as a note, maybe you haven’t noticed it, but it is important that you understand this for other future configurations.

I originally suggested to have ether8 as 192.168.88.1**/24**(assuming that you would have changed the same range set on the bridge to your local lan one).

BUT what you implemented (accidentally) was 192.168.88.1**/32** (i.e. network 192.168.88.1).
Anav correctly (to resolve the conflict on 192.168.88.1) suggested 192.168.65.1**/30**.

An address like 192.168.65.1/30 is “smart” as it only allows 4 addresses, of which two usable:
192.168.65.0 <-network address
192.168.65.1<-usable:the RB5009 ether8
192.168.65.2<- usable; the IP you have to give to the PC connected to ether8
192.168.65.3<- broadcast address
see:
https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=30&cip=192.168.65.1&ctype=ipv4&x=Calculate

When you input an address in RoS, you should remember to specify the CIDR network mask, and Ros will automatically set the “network” parameter for you, i.e.
/ip address
add address=192.168.88.1 interface=ether8

will result in (as seen in your export):
/ip address
add address=192.168.88.1 interface=ether8 network=192.168.88.1

whilst the (suggested) command would have been:
/ip address
add address=192.168.88.1/24 interface=ether8

which would have come out in export as:
/ip address
add address=192.168.88.1/24 interface=ether8 network=192.168.88.0

same goes for the the /30, do check that you have now:
/ip address
add address=192.168.65.1/30 interface=ether8 network=192.168.65.0

Thanks a lot, jaclaz!

After that, I feel ready for my final step: port forwarding for my servers. Nothing special, just nginx, Home Assistant, and Docker.
However, I ran into an issue! I decided to follow the video guide from the official MikroTik YouTube channel and created the rules like this:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=443 \
protocol=tcp to-addresses=192.168.1.201 to-ports=443

At first, it worked great, but after I was able to access my server, my LAN PCs lost the ability to browse the web!

After a bit of research on the forum, I found this solution:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=443 \
protocol=tcp to-addresses=192.168.1.201 to-ports=443

I added my static public IP to the rule.
Web browsing was restored, but I was no longer able to access the server!

Then, based on another reply to the forum, I read that I should add this:

/ip firewall nat

add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=443 \
protocol=tcp to-addresses=192.168.1.201 to-ports=443

add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
dst-address-type=!local src-address=192.168.1.0/24 src-address-type=\
!local

Now everything works perfectly! BUT

I’d like to kindly ask if this approach is safe and how it actually works because, honestly, I don’t fully understand it.

Below is the complete configuration.

Thanks a lot!
Regards,
Joe

# 2024-12-30 17:45:20 by RouterOS 7.16.2
# software id = KW******
#
# model = RB5009UG+S+
# serial number = HFE0*****
/interface bridge
add admin-mac=78:9A:18:****** auto-mac=no name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1_Vodafone vlan-id=1036
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1_Vodafone name=\
    pppoe-out1 user=vodafoneadsl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.60-192.168.1.99
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=Main-DHCP-LAN
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=ether8 list=LAN
add interface=ether8 list=MGMT
/interface wireguard peers
add allowed-address=192.168.100.2/29 comment="Cellulare Joe" interface=\
    wireguard1 name=peer1 public-key=\
    "tzpQ734pFsIS75SX************************************"
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.88.1/30 interface=ether8 network=192.168.88.0
add address=192.168.100.1/29 comment="network vpn 6 adresses" interface=\
    wireguard1 network=192.168.100.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Wiregard dst-port=51820 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=winbox dst-port=8291 in-interface-list=\
    !WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=444 \
    protocol=tcp to-addresses=192.168.1.32 to-ports=443
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=80 \
    protocol=tcp to-addresses=192.168.1.201 to-ports=80
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=443 \
    protocol=tcp to-addresses=192.168.1.201 to-ports=443
add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=81 \
    protocol=tcp to-addresses=192.168.1.201 to-ports=81
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
    dst-address-type=!local src-address=192.168.1.0/24 src-address-type=\
    !local
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

That is correct, what you did was employ loopback NAT or hairpin NAT. This can be solved by simply moving users or server to a different subnet/vlan. Since these cost nothing, it something I would certainly do. LIke a shared printer, I put those on their own vlan for best security.
However, the rule you made is overcomplicated, please change to.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24 comment=“hairpin nat”

1. IF one attempts to use the WANIP of the router to reach the server and the user is in the same subnet as the server, that extra rule is required.
2. Correct, the format for DSTNAT rules is indeed( fixed static wanip)
   /ip firewall nat
   add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=XXX protocol=YYY to-address=IPofServer
   Note: to-ports is only required if different from the external incoming dist-port ( aka for port translation ).

If you know the external WANIPs that are hitting your server you can create a source address list to limit access and to hide ports from scans.

add action=dst-nat chain=dstnat dst-address=MyFixedIP dst-port=XXX protocol=YYY to-address=IPofServer src-address-list=Authorized