First Post:
I recently acquired the CCR1009-7G-1C-1S-PC. — WOW, a beast 4sure 
My current issue is that I am not able to access my ISP Cable Modem GUI located in address 192.168.100.1 from my Laptop.using my FireFox v56 browser.
Using Winbox and Terminal I can ping the GUI — this is good
But using my Laptop from vlan10 I cannot ping the Modem GUI … this is bad 
So I added the following:
/ip address
add address=192.168.100.3/24 interface=ether1 network=192.168.100.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.100.1 to-addresses=192.168.100.3
This enabled me to ping the Modem GUI BUT when accessing the modem GUI from my laptop using Firefox it times out
So I suspect that some rule in my firewall is preventing my browser from accessing the GUI and I was hoping that one of the MikroTik Gurus can help me to sort this out.
Following is my current redacted config
# oct/08/2017 08:08:56 by RouterOS 6.40.4
# software id = 1TLQ-xxxx
#
# model = CCR1009-7G-1C-1S+
# serial number = xxxxxxxxxxxx
/interface vlan
add interface=ether7 name=vlan10 vlan-id=10
add interface=ether7 name=vlan20 vlan-id=20
add interface=ether7 name=vlan30 vlan-id=30
add interface=ether7 name=vlan40 vlan-id=40
/ip pool
add name=dhcp_pool0 ranges=192.168.5.60-192.168.5.80
add name=dhcp_pool1 ranges=192.168.10.58-192.168.10.69
add name=dhcp_pool2 ranges=192.168.20.60-192.168.20.80
add name=dhcp_pool3 ranges=192.168.30.60-192.168.30.80
add name=dhcp_pool4 ranges=192.168.40.60-192.168.40.70
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=after-2sec-delay disabled=no \
interface=ether7 lease-time=5d name=LAN5
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
interface=vlan10 lease-time=5d name=vlan10
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no \
interface=vlan20 lease-time=5d name=vlan20
add address-pool=dhcp_pool3 authoritative=after-2sec-delay disabled=no \
interface=vlan30 lease-time=5d name=vlan30
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no \
interface=vlan40 lease-time=5d name=vlan40
/system logging action
set 3 remote=xxx.xxx.xxx.xxx
/interface bridge port
add
/ip address
add address=192.168.88.1/24 comment=defconf interface=combo1 network=\
192.168.88.0
add address=192.168.5.1/24 interface=ether7 network=192.168.5.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
add address=192.168.100.3/24 interface=ether1 network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=\
no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
add address=192.168.5.248 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=LAN5
add address=192.168.20.10 address-lists="" client-id=1:xx:xx:xx:xx:xx:xx \
mac-address=xx:xx:xx:xx:xx:xx server=vlan20
add address=192.168.20.20 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan20
add address=192.168.30.55 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan30
add address=192.168.40.50 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan40
add address=192.168.40.90 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan40
add address=192.168.10.44 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan10
add address=192.168.10.55 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan10
add address=192.168.10.50 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan10
add address=192.168.10.70 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan10
add address=192.168.10.253 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan10
add address=192.168.10.15 always-broadcast=yes client-id=1:xx:xx:xx:xx:xx:xx \
mac-address=xx:xx:xx:xx:xx:xx server=vlan10
add address=192.168.20.254 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan20
add address=192.168.10.36 client-id=1:88:87:17:f:ed:73 mac-address=\
xx:xx:xx:xx:xx:xx server=vlan10
add address=192.168.30.50 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
xx:xx:xx:xx:xx:xx server=vlan30
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.40.1
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=input comment="Local access" src-address=\
192.168.5.248
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=\
192.168.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=192.168.100.1 to-addresses=\
192.168.100.3
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxx
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=vlan20 type=internal
add interface=vlan40 type=internal
add interface=vlan10 type=internal
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=America/Toronto
/system identity
set name=Stargate
/system logging
set 0 action=remote
set 1 action=remote
/system ntp client
set enabled=yes primary-ntp=132.246.11.229 secondary-ntp=209.87.233.53 \
server-dns-names=time.nrc.ca,time.chu.nrc.ca
/system package update
set channel=release-candidate
/tool bandwidth-server
set enabled=no
/tool mac-server
set [ find default=yes ] disabled=yes