You are correct, there is nothing seen by Mangle in postrouting when connecting by ssh from the phone. Looking for TCP:22.
Regarding the DHCP/Network list on R2, this now contains only the ..55. range on the bridge. I removed (in the 20240601 config for R2) the reference to 10.10.10.0 because R1 provides the DHCP server, taking 10.10.10.1 for itself and making the WAN port on R2 = 10.10.10.10. Which raises a related question about which end of a link is the “gateway”, the near end or the far end? For R2, is the gateway .01 or .10? Which can answer the same question for R1.
The gateway is the default route provided to the DHCP clients. In your case, on the 10.10.10.0/24 network, that’s R1 itself, so the gateway should be R1’s address on the 10.10.10.0/24 network, which is 10.10.10.1.
Can you do that change and try again?
Worked with the DHCP on the 10. subnet, both ends. Did not go well.
I deleted both the server and client, then installed them again. The client on R2 is not editable, shows the g/w to R1 is 10.10.10.1 (the far end of the link from R2). The R2 IP/RouteList says both ..10. and ..88. are reachable via eth3. Can’t ping from R2 to R1 and winbox from R1 host lost connection to R2. In the manually entered route on the R1 RouteList, when I put as the g/w either 10.10.10.11 or .01 the ..55. subnet is unreachable; with eth3 as g/w says ..55. is reachable.
The DHCP server on R1 takes 10.10.10.1 for itself on eth3 and assigns 10.10.10.11 (formerly …10) to the WAN interface on R2. Removed former lease for …10 from R1 leases list. Checked the R1 IP/RouteList --seems OK with g/w of eth3.
For IP/DHCPserver/Networks tried both …10 and …01 for the g/w for R1 to subnet 10. In both cases a new WinBox on a host from R1 reports no route to host 192.168.55.1, as does a new winbox on R2 host failing to connect to R1. Traceroute from host on R1 to ..55.1 receives reply from ..88.1 no route to host (!H), as does ping from same host on R1. Hope the attached config file has a gross error, easy to spot
gwConfig20240603redact.txt (9 KB)
You didn’t have to remove the dhcp client or server, just to update the network definition on the server.
As r2 is a router and you have routes to it, consider setting its ip as fixed, create a static lease or use a routing protocol.
The problem you’re facing is not one single, big issue on a device, but several smaller issues on both, which mask each other. I will send a list later.
On r2, if you issue the following command, what do you get?
/ip/route/print
I am away from keyboard today, will look at your config tomorrow.
As r2 is a router and you have routes to it, consider setting its ip as fixed,
Do you mean ‘give R2 an address on the R1 subnet’? I could make new lists for IP addresses to split them between the bridge and eth3, with separate DHCP servers.
The route list from R2:
@MikroTik-demo] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 10.10.10.1/32 10.10.10.11 ether1 0
1 A S 192.168.2.0/24 bridge 1
2 ADC 192.168.55.0/24 192.168.55.1 bridge 0
3 A S 192.168.88.0/24 ether1 1a
I notice that in the DST-ADDRESS column that the first dynamic entry for 10… is the only one that doesn’t end in .0 and is /32 rather than /24. On R2 there seems to be no way to edit this entry in winbox. Because there is only the one address on that subnet to receive traffic, perhaps the /32 is OK.
Notice that there is no default route on r2.
On the 10.10.10.0/24, do you plan on having other machines/devices?
So, reading the configuration you sent yesterday for R1
Issue #1 - you have address=10.10.10.1, which sets the netmask to /32. Fix:
/ip address/set [find interface=ether3] address=10.10.10.1/24
Issue #2 - you have add address=10.10.10.0/32 gateway=10.10.10.1 netmask=24. Fix:
/ip dhcp-server network/set [find address in 10.10.10.0/32] address=10.10.10.0/24
Note: you should create a static lease for R2 to guarantee that it will always keep the same IP.
Issue #3 - 192.168.2.0/24 and 192.168.55.0/24 have an non-p2p interface for gateway. Fix
/ip route/set [find dst-address in 192.168.2.0/24] gateway=10.10.10.11
/ip route/set [find dst-address in 192.168.55.0/24] gateway=10.10.10.11
And please send me a fresh config from R2.
Thanks again for the help.
No other device is planned for the 10. subnet, it’s just the link between the routers.
On R1 added /24 to network addresses and new routes to the ..2. and ..55 subnets. The current config for R2 is attached. Will test for connectivity and report results.
LabConfig20240605redact.txt (6.8 KB)
So …
Issue #1 - The DHCP network for 192.168.55.0/24 provides a DNS server on the other network 192.168.88.0/24, when you have set R2 to accept DNS requests. Fix:
/ip dhcp-server network/set [ find address in 192.168.55.0/24] dns-server=192.168.55.1
The rest looks correct. Have you created a static lease in R1 for your R2 with IP 10.10.10.11?
To fix by yourself if these are issues
- The pool and DHCP server for 192.168.88.0/24 are still present.
- The route for 192.168.2.0/24 doesn’t have an IP address for the gateway
Yes, made the IP for r2 static in r1.
Not sure what to do with
[ find address in 192.168.55.0/24]
Is that part of the cli command in a terminal window? There seems to be a convention that I haven’t learned.
After following previous suggestions, tested connectivity:
R1 can ping to R2 and ssh host on r2, but host on r1 can’t.
Winbox from host on r1 times out when connecting to r2
ssh from cell phone:
– shows packet counts rise by 3 in Mangle on pre, post-routing and forward chains.
– counts show in dst-nat on NAT page.
– Sniffer on eth3 of r1 shows 1 packet from cell phone with dst IP of host on r2 and port 22, no returns
– termux ssh session on cell times out
– dst-nat in forward chain of f/w filter rules shows 3 packets passthrough to eth3 followed by accept 3 from eth1.
Sorry, but this sentence isn’t clear to me.
Issue #1 - The DHCP network for 192.168.55.0/24 provides a DNS server on the other network 192.168.88.0/24, when you have set R2 to accept DNS requests.
The route for 192.168.2.0/24 doesn’t have an IP address for the gateway
The g/w is the bridge interface–not OK? Is the IP of the bridge the IP of the router?
Good!
It is part of a command, and it says to affect the entry that matches the “find” condition.
The host on R1, does it have an IP in 192.168.88.0/24? What address are you using for R2, 10.10.10.11 or 192.168.55.1?
Can you send the IP addresses on that host with IP 192.168.55.248 as well as its routing table? If on Linux ip addr and ip route.
On R2, your DHCP configuration provides a DNS server to its clients, 192.168.88.1, which is the internal IP of R1. If you can, fix it so R2 provides to its DHCP client itself as a DNS server.
It should be the address of the next-hop the packet to 192.168.2.0/24 should take when leaving R2.
The address of the WAN interface on R2 has been 10.10.10.11. Since you mentioned it, I tried and succeeded to add 192.168.55.1 to the same interface. Not sure what difference it makes as the route finding is based on IP addresses but forwarding on a link is done at the MAC layer. Is it better to have both IPs on the WAN port of R2?
The host doing the ping test from R1 is on the ..88. subnet.
The host with IP 192.168.55.248 has only that address. It is a computer/server.
On R2, the DHCP/Networks configuration was changed to make R2 itself (192.168.55.1) the DNS server as well as the gateway.
The route for 192.168.2.0/24 was changed to make the gateway 192.168.2.1. Within about 10 seconds Winbox disconnected from the PC on the R2 bridge. Hope I have safe mode on
Of course the loss of connectivity could be from an earlier config change that needed time to take effect.
At this point Winbox is unable to connect to R2 from one of its bridge ethernet ports–times out. At the same time R1 can ping R2 but host on ..88. subnet cannot ping to ..55. the R2 subnet. Winbox attempt from R1 subnet times out.
After more than 10 minutes, Winbox on PC directly attached to R2 still fails to connect. Tried Winbox with the MAC address that I believe belongs to the interface in use–can't connect. Winbox doesn’t see a neighbor when a new Winbox is refreshed. Any estimate of how badly screwed I am?
OK, I have no idea why you did these things and I start to suspect you don’t either.
The WAN interface on R2 should only have the IP 10.10.10.11/24, not the 192.168.55.1/24 IP, that one goes on the bridge.
192.168.2.0/24: neither R1 nor R2 has that IP defined on an interface. Where does it sit on your network? Do you have a third router? Why did you even think that adding a route to 192.168.2.0/24 via 192.168.2.1 would work?
For recovering R2, no idea. You can try:
Winbox to 10.10.10.11, MAC Telnet client connected to R2’s bridge, SSH from R1 or Masquerade on R1 for anything going to R2 (out interface ether3).
Spontaneous remission and the placebo effect are both good. Don’t know what you did, but when I went to connect to R2 at 10.10.10.11 Winbox popped up my previous session before I did anything. Thank you for that
Removed the ..55. address from the R2 WAN interface; disabled the Route to the ..2.0 subnet (there is an IP PBX there, off the bridge of R2, but not active yet).
Testing next.
LabConfig20240608.rsc (6.88 KB)
Thanks again to vinjfg for so much help.
Found one problem on R2 when I noticed that R2 had no nexthop listed. The Route List showed only an interface (eth1) to R1 but not the IP address. Adding that address to the Gateway field on the left and Applying the change made “ether 1” appear in the other Gateway field (on the right). Winbox on R1 subnet reaches R2, pings go back and forth. Still working on dst-nat.
Using Packet Sniffer on both routers I isolated the blockage to R2. That router lacked a default route (to 0.0.0.0/0). When it was added, remote access via SSH worked immediately.
Thanks again for help.
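Pulling the fixes from this thread together, here is a minimal corrected configuration for both routers, written as an added example rather than taken from either poster's config files. It assumes the interface names and addresses used above (R1: 192.168.88.1 on its bridge, ether3 toward R2; R2: ether1 as WAN, 192.168.55.1 on its bridge, link subnet 10.10.10.0/24), a DHCP pool range on the link that the thread never states, and a placeholder MAC address for R2's WAN port that must be replaced with the real one before the static lease will match. Each block addresses one of the issues vinjfg listed: /24 masks instead of /32, a DHCP network that matches the interface subnet, a static lease so R2's next-hop address never changes, routes whose gateway is a next-hop IP rather than a non-p2p interface, the DNS server handed out by R2 pointing at R2 itself, and a default route on R2.

```routeros
# ===== R1 (upstream router) =====
# Address on the link toward R2. Writing 10.10.10.1 without /24 would
# create a /32, which is why R1 could not see the rest of the subnet.
/ip address
add address=10.10.10.1/24 interface=ether3 comment="link to R2"

# DHCP for the link. Pool range is an assumption; any unused addresses
# inside 10.10.10.0/24 will do.
/ip pool
add name=pool-link ranges=10.10.10.11-10.10.10.20
/ip dhcp-server
add name=dhcp-link interface=ether3 address-pool=pool-link disabled=no
# The network entry must be the subnet (/24), not a /32, and the gateway
# is R1's own address on that subnet.
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=192.168.88.1

# Static lease so R2's WAN port always gets 10.10.10.11. Replace the
# placeholder MAC with the real address of R2's ether1.
/ip dhcp-server lease
add address=10.10.10.11 mac-address=00:00:5E:00:53:01 server=dhcp-link \
    comment="R2 WAN (placeholder MAC, assumed)"

# Route to R2's LAN. ether3 is not a point-to-point link, so the gateway
# must be R2's IP, not the interface name.
/ip route
add dst-address=192.168.55.0/24 gateway=10.10.10.11 comment="R2 LAN"

# ===== R2 (downstream router) =====
# Only the link address lives on the WAN port; 192.168.55.1 belongs on
# the bridge, not on ether1.
/ip address
add address=10.10.10.11/24 interface=ether1 comment="link to R1"
add address=192.168.55.1/24 interface=bridge comment="R2 LAN"

# Clients on the R2 LAN get R2 itself as gateway and DNS server. The
# "[find ...]" part selects the existing entry to change instead of
# adding a duplicate.
/ip dhcp-server network
set [find address=192.168.55.0/24] gateway=192.168.55.1 \
    dns-server=192.168.55.1

# Default route: without it R2 can reply to 192.168.88.0/24 but cannot
# reach anything beyond its directly connected subnets.
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 comment="default via R1"
# If ether1 instead stays on a DHCP client, this route is learned
# automatically with add-default-route=yes:
# /ip dhcp-client add interface=ether1 add-default-route=yes disabled=no

# ===== Quick checks on R2 =====
# Every active route should now show an IP next hop, and 0.0.0.0/0
# should be present and active.
/ip route print where active
/ip route print where dst-address=0.0.0.0/0
/ping 192.168.88.1 count=3
```

On R1 the equivalent check is that the 192.168.55.0/24 route lists 10.10.10.11 as its gateway and shows up as active, and that the lease for R2 is marked static in /ip dhcp-server lease print. If R2 is provisioned with the DHCP client rather than a static address, keep the static lease on R1, otherwise the next-hop configured in R1's route will silently go stale when the lease changes.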